snort_ftptelnet.c

入侵检测SNORT.最近更新的基于网络检测的IDS.希望能给大家带来方便.

/*
 * snort_ftptelnet.c
 *
 * Copyright (C) 2004-2008 Sourcefire, Inc.
 * Steven A. Sturges <ssturges@sourcefire.com>
 * Daniel J. Roelker <droelker@sourcefire.com>
 * Marc A. Norton <mnorton@sourcefire.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Description:
 *
 * This file wraps the FTPTelnet functionality for Snort
 * and starts the Normalization & Protocol checks.
 *
 * The file takes a Packet structure from the Snort IDS to start the
 * FTP/Telnet Normalization & Protocol checks.  It also uses the Stream
 * Interface Module which is also Snort-centric.  Mainly, just a wrapper
 * to FTP/Telnet functionality, but a key part to starting the basic flow.
 *
 * The main bulk of this file is taken up with user configuration and
 * parsing.  The reason this is so large is because FTPTelnet takes
 * very detailed configuration parameters for each specified FTP client,
 * to provide detailed control over an internal network and robust control
 * of the external network.
 * 
 * The main functions of note are:
 *   - FTPTelnetSnortConf()    the configuration portion
 *   - SnortFTPTelnet()        the actual normalization & inspection
 *   - LogEvents()             where we log the FTPTelnet events
 *
 * NOTES:
 * - 16.09.04:  Initial Development.  SAS
 *
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include "sf_ip.h"
#ifndef WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ctype.h>
#endif

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

//#include "snort.h"
//#include "detect.h"
//#include "decode.h"
//#include "log.h"
//#include "event.h"
//#include "generators.h"
#include "debug.h"
//#include "plugbase.h"
//#include "util.h"
//#include "event_queue.h"
//#include "mstring.h"
#define BUF_SIZE 1024

#include "ftpp_return_codes.h"
#include "ftpp_ui_config.h"
#include "ftpp_ui_client_lookup.h"
#include "ftpp_ui_server_lookup.h"
#include "ftp_cmd_lookup.h"
#include "ftp_bounce_lookup.h"
#include "ftpp_si.h"
#include "ftpp_eo_log.h"
#include "pp_telnet.h"
#include "pp_ftp.h"

#include "stream_api.h"

#include "profiler.h"
#ifdef PERF_PROFILING
extern PreprocStats ftpPerfStats;
extern PreprocStats telnetPerfStats;
PreprocStats ftppDetectPerfStats;
int ftppDetectCalled = 0;
#endif

extern FTPTELNET_GLOBAL_CONF FTPTelnetGlobalConf;

//extern u_int8_t DecodeBuffer[DECODE_BLEN]; /* decode.c */

/*
 * The definition of the configuration separators in the snort.conf
 * configure line.
 */
#define CONF_SEPARATORS " \t\n\r"

/*
 * These are the definitions of the parser section delimiting 
 * keywords to configure FtpTelnet.  When one of these keywords
 * are seen, we begin a new section.
 */
#define GLOBAL        "global"
#define TELNET        "telnet"
#define FTP           "ftp"
//#define GLOBAL_CLIENT "global_client"
#define CLIENT        "client"
#define SERVER        "server"

/*
 * GLOBAL subkeyword values
 */
#define ENCRYPTED_TRAFFIC "encrypted_traffic"
#define CHECK_ENCRYPTED   "check_encrypted"
#define INSPECT_TYPE      "inspection_type"
#define INSPECT_TYPE_STATELESS "stateless"
#define INSPECT_TYPE_STATEFUL  "stateful"

/*
 * Protocol subkeywords.
 */
#define PORTS             "ports"

/*
 * Telnet subkeywords.
 */
#define AYT_THRESHOLD     "ayt_attack_thresh"
#define NORMALIZE         "normalize"
#define DETECT_ANOMALIES  "detect_anomalies"

/*
 * FTP SERVER subkeywords.
 */
#define FTP_CMDS          "ftp_cmds"
#define PRINT_CMDS        "print_cmds"
#define MAX_PARAM_LEN     "def_max_param_len"
#define ALT_PARAM_LEN     "alt_max_param_len"
#define CMD_VALIDITY      "cmd_validity"
#define STRING_FORMAT     "chk_str_fmt"
#define TELNET_CMDS       "telnet_cmds"
#define DATA_CHAN_CMD     "data_chan_cmds"
#define DATA_XFER_CMD     "data_xfer_cmds"
#define DATA_CHAN         "data_chan"
#define LOGIN_CMD         "login_cmds"
#define ENCR_CMD          "encr_cmds"
#define DIR_CMD           "dir_cmds"

/*
 * FTP CLIENT subkeywords
 */
#define BOUNCE            "bounce"
#define ALLOW_BOUNCE      "bounce_to"
#define MAX_RESP_LEN      "max_resp_len"

/*
 * Data type keywords
 */
#define START_CMD_FORMAT    "<"
#define END_CMD_FORMAT      ">"
#define F_INT               "int"
#define F_NUMBER            "number"
#define F_CHAR              "char"
#define F_DATE              "date"
#define F_STRING            "string"
#define F_STRING_FMT        "formated_string"
#define F_HOST_PORT         "host_port"

/*
 * Optional parameter delimiters
 */
#define START_OPT_FMT       "["
#define END_OPT_FMT         "]"
#define START_CHOICE_FMT    "{"
#define END_CHOICE_FMT      "}"
#define OR_FMT              "|"


/*
 * The cmd_validity keyword can be used with the format keyword to
 * restrict data types.  The interpretation is specific to the data
 * type.  'format' is only supported with date & char data types.
 *
 * A few examples:
 *
 * 1. Will perform validity checking of an FTP Mode command to
 * check for one of the characters A, S, B, or C.
 *
 * cmd_validity MODE char ASBC
 *
 *
 * 2. Will perform validity checking of an FTP MDTM command to
 * check for an optional date argument following the format
 * specified.  The date would uses the YYYYMMDDHHmmss+TZ format.
 *
 * cmd_validity MDTM [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string
 *
 *
 * 3. Will perform validity checking of an FTP ALLO command to
 * check for an integer, then optionally, the letter R and another
 * integer.
 *
 * cmd_validity ALLO int [ char R int ]
 */

/*
 * The def_max_param_len & alt_max_param_len keywords can be used to
 * restrict parameter length for one or more commands.  The space
 * separated list of commands is enclosed in {}s.
 *
 * A few examples:
 *
 * 1. Restricts all command parameters to 100 characters
 *
 * def_max_param_len 100
 *
 * 2. Overrides CWD pathname to 256 characters
 *
 * alt_max_param_len 256 { CWD } 
 *
 * 3. Overrides PWD & SYST to no parameters
 *
 * alt_max_param_len 0 { PWD SYST } 
 *
 */

/*
 * Alert subkeywords
 */
#define BOOL_YES     "yes"
#define BOOL_NO      "no"

/*
 * Port list delimiters
 */
#define START_PORT_LIST "{"
#define END_PORT_LIST   "}"

/*
 * Keyword for the default client/server configuration
 */
#define DEFAULT "default"

/*
 * The default FTP server configuration for FTP command validation.
 * Most of this comes from RFC 959, with additional commands being
 * drawn from other RFCs/Internet Drafts that are in use.
 * 
 * Any of the below can be overridden in snort.conf.
 * 
 * This is here to eliminate most of it from snort.conf to
 * avoid an ugly configuration file.  The default_max_param_len
 * is somewhat arbitrary, but is taken from the majority of
 * the snort FTP rules that limit parameter size to 100
 * characters, as of 18 Sep 2004.
 * 
 * The data_chan_cmds, data_xfer_cmds are used to track open
 * data channel connections.
 * 
 * The login_cmds and dir_cmds are used to track state of username
 * and current directory.
 */
/* DEFAULT_FTP_CONF_* deliberately break the default conf into
 * chunks with lengths < 509 to keep ISO C89 compilers happy
 */
static const char* DEFAULT_FTP_CONF_1 =
    "hardcoded_config "
    "def_max_param_len 100 "
    "ftp_cmds { USER PASS ACCT CWD CDUP SMNT "
      "QUIT REIN PORT PASV TYPE STRU MODE RETR STOR STOU APPE ALLO REST "
      "RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP NOOP } "
    "ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } "
    "ftp_cmds { FEAT OPTS } "
    "ftp_cmds { MDTM REST SIZE MLST MLSD } "
    "alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } ";

static const char* DEFAULT_FTP_CONF_2 =
    "cmd_validity MODE < char SBC > "
    "cmd_validity STRU < char FRPO [ string ] > "
    "cmd_validity ALLO < int [ char R int ] > "
    "cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > "
    "cmd_validity PORT < host_port > "
    "data_chan_cmds { PASV PORT } "
    "data_xfer_cmds { RETR STOR STOU APPE LIST NLST } "
    "login_cmds { USER PASS } "
    "dir_cmds { CWD 250 CDUP 250 PWD 257 } ";

static int printedFTPHeader = 0;
static int gDefaultServerConfig = 0;
static int gDefaultClientConfig = 0;
static char *maxToken = NULL;

char *NextToken(char *delimiters)
{
    char *retTok = strtok(NULL, delimiters);
    if (retTok > maxToken)
        return NULL;

    return retTok;
}

/*
 * Function: ProcessConfOpt(FTPTELNET_CONF_OPT *ConfOpt,
 *                          char *Option,
 *                          char *ErrorString, int ErrStrLen)
 *
 * Purpose: Set the CONF_OPT on and alert fields.
 *
 *          We check to make sure of valid parameters and then set
 *          the appropriate fields.
 *
 * Arguments: ConfOpt       => pointer to the configuration option
 *            Option        => character pointer to the option being configured
 *            ErrorString   => error string buffer
 *            ErrStrLen     => the length of the error string buffer
 *
 * Returns: int     => an error code integer (0 = success,
 *                     >0 = non-fatal error, <0 = fatal error)
 *
 */
static int ProcessConfOpt(FTPTELNET_CONF_OPT *ConfOpt, char *Option,
                          char *ErrorString, int ErrStrLen)
{
    char *pcToken;

    pcToken = NextToken(CONF_SEPARATORS);
    if(pcToken == NULL)
    {
        snprintf(ErrorString, ErrStrLen,
                "No argument to token '%s'.", Option);

        return FTPP_FATAL_ERR;
    }

    /*
     * Check for the alert value
      */
    if(!strcmp(BOOL_YES, pcToken))
    {
        ConfOpt->alert = 1;
    }
    else if(!strcmp(BOOL_NO, pcToken))
    {
        ConfOpt->alert = 0;
    }
    else
    {
        snprintf(ErrorString, ErrStrLen,
                "Invalid argument to token '%s'.", Option);

        return FTPP_FATAL_ERR;
    }

    ConfOpt->on = 1;

    return FTPP_SUCCESS;
}

/*
 * Function: PrintConfOpt(FTPTELNET_CONF_OPT *ConfOpt,
 *                          char *Option)
 *
 * Purpose: Prints the CONF_OPT and alert fields.
 *
 * Arguments: ConfOpt       => pointer to the configuration option
 *            Option        => character pointer to the option being configured
 *
 * Returns: int     => an error code integer (0 = success,
 *                     >0 = non-fatal error, <0 = fatal error)
 *
 */
static int PrintConfOpt(FTPTELNET_CONF_OPT *ConfOpt, char *Option)
{
    if(!ConfOpt || !Option)
    {
        return FTPP_INVALID_ARG;
    }

    if(ConfOpt->on)
    {
        _dpd.logMsg("      %s: YES alert: %s\n", Option,
               ConfOpt->alert ? "YES" : "NO");
    }
    else
    {
        _dpd.logMsg("      %s: OFF\n", Option);
    }

    return FTPP_SUCCESS;
}

/* 
 * Function: ProcessInspectType(FTPTELNET_CONF_OPT *ConfOpt,
 *                          char *ErrorString, int ErrStrLen)
 *
 * Purpose: Process the type of inspection.
 *          This sets the type of inspection for FTPTelnet to do.
 *
 * Arguments: GlobalConf    => pointer to the global configuration
 *            ErrorString   => error string buffer
 *            ErrStrLen     => the length of the error string buffer
 *
 * Returns: int     => an error code integer (0 = success,
 *                     >0 = non-fatal error, <0 = fatal error)
 *
 */
static int ProcessInspectType(FTPTELNET_GLOBAL_CONF *GlobalConf,
                              char *ErrorString, int ErrStrLen)
{
    char *pcToken;

    pcToken = NextToken(CONF_SEPARATORS);
    if(pcToken == NULL)
    {
        snprintf(ErrorString, ErrStrLen,
                "No argument to token '%s'.", INSPECT_TYPE);

        return FTPP_FATAL_ERR;
    }

    if(!strcmp(INSPECT_TYPE_STATEFUL, pcToken))
    {
        GlobalConf->inspection_type = FTPP_UI_CONFIG_STATEFUL;
    }
    else if(!strcmp(INSPECT_TYPE_STATELESS, pcToken))
    {