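counts.sapp++;
    if (new_flags & SSL_CAPP_FLAG)
        counts.capp++;
}

/* One keyword -> flag mapping for the ssl_state / ssl_version rule options.
 * Tables are terminated by an entry whose keyword is NULL. */
struct sslpp_flag_name
{
    const char *keyword;
    int flag;
};

/* Accepted arguments of the ssl_state rule option. */
static const struct sslpp_flag_name sslpp_state_names[] =
{
    { "client_hello", SSL_CUR_CLIENT_HELLO_FLAG },
    { "server_hello", SSL_CUR_SERVER_HELLO_FLAG },
    { "client_keyx",  SSL_CUR_CLIENT_KEYX_FLAG },
    { "server_keyx",  SSL_CUR_SERVER_KEYX_FLAG },
    { "unknown",      SSL_UNKNOWN_FLAG },
    { NULL, 0 }
};

/* Accepted arguments of the ssl_version rule option. */
static const struct sslpp_flag_name sslpp_version_names[] =
{
    { "sslv2",  SSL_VER_SSLV2_FLAG },
    { "sslv3",  SSL_VER_SSLV3_FLAG },
    { "tls1.0", SSL_VER_TLS10_FLAG },
    { "tls1.1", SSL_VER_TLS11_FLAG },
    { "tls1.2", SSL_VER_TLS12_FLAG },
    { NULL, 0 }
};

/* Shared parser for the ssl_state and ssl_version rule options.
 *
 * Splits 'params' on ',' and ORs together the flag of every token found in
 * 'lookup' (case-insensitive). An empty argument list or an unknown token is
 * a fatal configuration error reported against the current config file and
 * line. The resulting bitmask is handed back through *data as an integer
 * carried in the pointer; SSLPP_rule_eval unpacks it the same way.
 *
 * name   - rule option keyword, used only in error messages
 * params - option argument string; tokenised in place by strtok_r
 * lookup - NULL-terminated keyword table
 * data   - receives the OR of all matched flags
 * Returns 0 (the registration API expects an int).
 */
static int SSLPP_parse_flag_list(const char *name, char *params, void **data,
                                 const struct sslpp_flag_name *lookup)
{
    int flags = 0;
    char *end = NULL;
    /* A NULL params would hand strtok_r an uninitialised save pointer. */
    char *tok = params ? strtok_r(params, ",", &end) : NULL;

    if (!tok)
        DynamicPreprocessorFatalMessage("%s(%d) => missing argument to "
                                        "%s keyword\n",
                                        *(_dpd.config_file),
                                        *(_dpd.config_line), name);

    do
    {
        const struct sslpp_flag_name *entry;

        for (entry = lookup; entry->keyword != NULL; entry++)
        {
            if (!strcasecmp(entry->keyword, tok))
                break;
        }

        if (entry->keyword != NULL)
        {
            flags |= entry->flag;
        }
        else
        {
            /* The %d here is the config line; the earlier version passed the
             * config_file pointer itself for it. */
            DynamicPreprocessorFatalMessage(
                "%s(%d) => %s is not a recognized argument to %s.\n",
                *(_dpd.config_file), *(_dpd.config_line), tok, name);
        }
    } while ((tok = strtok_r(NULL, ",", &end)) != NULL);

    *data = (void *)(uintptr_t)flags;
    return 0;
}

/* Parsing for the ssl_state rule option */
static int SSLPP_state_init(char *name, char *params, void **data)
{
    return SSLPP_parse_flag_list(name, params, data, sslpp_state_names);
}

/* Parsing for the ssl_version rule option */
static int SSLPP_ver_init(char *name, char *params, void **data)
{
    return SSLPP_parse_flag_list(name, params, data, sslpp_version_names);
}

/* Rule option evaluation (for both rule options).
 *
 * 'data' is the bitmask built at rule-load time by the parsers above; the
 * session's current flags are read from the stream application-data slot
 * owned by this preprocessor (PP_SSL). Only TCP packets with a stream
 * session can match. 'cursor' is not consumed: this option does not move
 * the detection cursor.
 *
 * Returns 1 when any requested flag is set on the session, else 0.
 */
static int SSLPP_rule_eval(void *raw_packet, const u_int8_t **cursor, void *data)
{
    SFSnortPacket *p = (SFSnortPacket *)raw_packet;
    int wanted = (int)(uintptr_t)data;
    int current;

    (void)cursor;

    if (!p || !p->tcp_header || !p->stream_session_ptr)
        return 0;

    current = (int)(uintptr_t)_dpd.streamAPI->get_application_data(
                  p->stream_session_ptr, PP_SSL);

    return (wanted & current) ? 1 : 0;
}

/* Fatal error if a keyword that takes no argument is followed by a token.
 *
 * keyword - the option just consumed, named in the message
 * saveptr - strtok_r state positioned after the keyword
 */
static void SSLPP_require_no_arg(const char *keyword, char **saveptr)
{
    char *extra = strtok_r(NULL, " \t\n", saveptr);

    if (extra)
    {
        /* The stray token is the invalid argument, the keyword its context —
         * the same order the catch-all branch of SSLPP_config uses. */
        DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the"
                                        " SSL preprocessor: '%s' in %s\n",
                                        *(_dpd.config_file),
                                        *(_dpd.config_line), extra, keyword);
    }
}

/* SSL Preprocessor configuration parsing.
 *
 * 'conf' is the argument string of the "preprocessor ssl:" line from the
 * snort configuration, a comma-separated list of items:
 *   ports <list>          replaces the default port set
 *   noinspect_encrypted   sets SSLPP_DISABLE_FLAG
 *   trustservers          sets SSLPP_TRUSTSERVER_FLAG
 * Anything else is a fatal configuration error. The string is tokenised in
 * place. A NULL conf leaves the defaults from SSLPP_init_config untouched.
 */
static void SSLPP_config(char *conf)
{
    char *saveptr = NULL;
    char *item;
    char *search;

    if (!conf)
        return;

    for (search = conf;
         (item = strtok_r(search, ",", &saveptr)) != NULL;
         search = NULL)
    {
        char *argptr = NULL;
        char *keyword = strtok_r(item, " ", &argptr);

        /* An item made only of blanks carries nothing; skip it rather than
         * abandon the rest of the line (and the sanity check below). */
        if (!keyword)
            continue;

        if (!strcasecmp(keyword, "ports"))
        {
            SFP_errstr_t err;

            /* An explicit port list replaces the defaults entirely. */
            memset(config.ports, 0, sizeof(config.ports));

            if (SFP_ports(config.ports, argptr, err) != SFP_SUCCESS)
                DynamicPreprocessorFatalMessage(
                    "%s(%d) => Failed to parse: %s\n",
                    *(_dpd.config_file), *(_dpd.config_line),
                    SFP_GET_ERR(err));
        }
        else if (!strcasecmp(keyword, "noinspect_encrypted"))
        {
            SSLPP_require_no_arg(keyword, &argptr);
            config.flags |= SSLPP_DISABLE_FLAG;
        }
        else if (!strcasecmp(keyword, "trustservers"))
        {
            SSLPP_require_no_arg(keyword, &argptr);
            config.flags |= SSLPP_TRUSTSERVER_FLAG;
        }
        else
        {
            /* conf has been cut at its first ',' by strtok_r by now, so only
             * the leading item of the line appears in the message. */
            DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the"
                                            " SSL preprocessor: '%s' in %s\n",
                                            *(_dpd.config_file),
                                            *(_dpd.config_line), item, conf);
        }
    }

    /* Verify configured options make sense */
    if ((config.flags & SSLPP_TRUSTSERVER_FLAG) &&
        !(config.flags & SSLPP_DISABLE_FLAG))
    {
        DynamicPreprocessorFatalMessage("%s(%d) => SSL preprocessor: 'trustservers' "
                                        "requires 'noinspect_encrypted' to be useful.\n",
                                        *(_dpd.config_file), *(_dpd.config_line));
    }
}

/* Logs the effective configuration: inspection mode, the port list five
 * ports per row, and whether server data is trusted. */
static void SSLPP_print_config(void)
{
    char buf[1024];   /* For syslog printing */
    int i;
    int printed = 0;

    memset(buf, 0, sizeof(buf));

    _dpd.logMsg("SSLPP config:\n");
    _dpd.logMsg(" Encrypted packets: %s\n",
                config.flags & SSLPP_DISABLE_FLAG ? "not inspected" : "inspected");
    _dpd.logMsg(" Ports:\n");

    for (i = 0; i < MAXPORTS; i++)
    {
        if (!(config.ports[PORT_INDEX(i)] & CONV_PORT(i)))
            continue;

        SFP_snprintfa(buf, sizeof(buf), " %5d", i);

        /* Flush a full row of five ports at a time. */
        if (!(++printed % 5))
        {
            SFP_snprintfa(buf, sizeof(buf), "\n");
            /* buf is never a format string, even though it holds only digits. */
            _dpd.logMsg("%s", buf);
            memset(buf, 0, sizeof(buf));
        }
    }

    /* Terminate a partial last row. */
    if (printed % 5)
        SFP_snprintfa(buf, sizeof(buf), "\n");
    _dpd.logMsg("%s", buf);

    if (config.flags & SSLPP_TRUSTSERVER_FLAG)
    {
        _dpd.logMsg(" Server side data is trusted\n");
    }
}

/* Resets config and counters and installs the default SSL/TLS port set.
 * SSLPP_config may replace the ports afterwards. */
static void SSLPP_init_config(void)
{
    memset(&config, 0, sizeof(config));
    memset(&counts, 0, sizeof(counts));

#define SET_PORT(x) do { config.ports[ PORT_INDEX(x) ] |= CONV_PORT(x); } while (0)
    /* Setup default ports */
    SET_PORT(443);  /* HTTPS */
    SET_PORT(465);  /* SMTPS */
    SET_PORT(563);  /* NNTPS */
    SET_PORT(636);  /* LDAPS */
    SET_PORT(989);  /* FTPS */
    SET_PORT(992);  /* TelnetS */
    SET_PORT(993);  /* IMAPS */
    SET_PORT(994);  /* IRCS */
    SET_PORT(995);  /* POPS */
#undef SET_PORT
}

/* Stats callback registered with registerPreprocStats. Prints nothing
 * unless at least one record was decoded. 'exiting' is unused. */
static void SSLPP_drop_stats(int exiting)
{
    (void)exiting;

    if (!counts.decoded)
        return;

    _dpd.logMsg("SSL Preprocessor:\n");
    _dpd.logMsg(" SSL packets decoded: " FMTu64("-10") "\n", counts.decoded);
    _dpd.logMsg(" Client Hello: " FMTu64("-10") "\n", counts.hs_chello);
    _dpd.logMsg(" Server Hello: " FMTu64("-10") "\n", counts.hs_shello);
    _dpd.logMsg(" Certificate: " FMTu64("-10") "\n", counts.hs_cert);
    _dpd.logMsg(" Server Done: " FMTu64("-10") "\n", counts.hs_sdone);
    _dpd.logMsg(" Client Key Exchange: " FMTu64("-10") "\n", counts.hs_ckey);
    _dpd.logMsg(" Server Key Exchange: " FMTu64("-10") "\n", counts.hs_skey);
    _dpd.logMsg(" Change Cipher: " FMTu64("-10") "\n", counts.cipher_change);
    _dpd.logMsg(" Finished: " FMTu64("-10") "\n", counts.hs_finished);
    _dpd.logMsg(" Client Application: " FMTu64("-10") "\n", counts.capp);
    _dpd.logMsg(" Server Application: " FMTu64("-10") "\n", counts.sapp);
    _dpd.logMsg(" Alert: " FMTu64("-10") "\n", counts.alerts);
    _dpd.logMsg(" Unrecognized records: " FMTu64("-10") "\n", counts.unrecognized);
    _dpd.logMsg(" Completed handshakes: " FMTu64("-10") "\n", counts.completed_hs);
    _dpd.logMsg(" Bad handshakes: " FMTu64("-10") "\n", counts.bad_handshakes);
    _dpd.logMsg(" Sessions ignored: " FMTu64("-10") "\n", counts.stopped);
    _dpd.logMsg(" Detection disabled: " FMTu64("-10") "\n", counts.disabled);
}

/* Preprocessor init callback: parses 'conf', then registers the packet
 * handler, the two rule options, the stats printer and (when built with
 * PERF_PROFILING) the profiling hook. Requires the Stream preprocessor,
 * since SSLPP_rule_eval reads session application data. */
static void SSLPP_init(char *conf)
{
    if (!_dpd.streamAPI)
    {
        DynamicPreprocessorFatalMessage(
            "SSLPP_init(): The Stream preprocessor must be enabled.\n");
    }

    SSLPP_init_config();
    SSLPP_config(conf);
    SSLPP_print_config();

    _dpd.addPreproc(SSLPP_process, PRIORITY_TUNNEL, PP_SSL);

    _dpd.preprocOptRegister("ssl_state", SSLPP_state_init, SSLPP_rule_eval, NULL);
    _dpd.preprocOptRegister("ssl_version", SSLPP_ver_init, SSLPP_rule_eval, NULL);

    _dpd.registerPreprocStats("ssl", SSLPP_drop_stats);

#ifdef PERF_PROFILING
    _dpd.addPreprocProfileFunc("ssl", (void *)&sslpp_perf_stats, 0, _dpd.totalPerfStats);
#endif
}

/* Entry point called by the dynamic preprocessor loader. */
void SetupSSLPP(void)
{
    _dpd.registerPreproc("ssl", SSLPP_init);
}

#if DEBUG
/* Logs the symbolic name of every bit set in 'flags' on the DEBUG_SSL
 * channel, in the same order as the flag definitions. */
static void SSL_PrintFlags(uint32_t flags)
{
    static const struct
    {
        uint32_t bit;
        const char *name;
    } names[] =
    {
#define SSLPP_FLAG_NAME(f) { f, #f "\n" }
        SSLPP_FLAG_NAME(SSL_CHANGE_CIPHER_FLAG),
        SSLPP_FLAG_NAME(SSL_ALERT_FLAG),
        SSLPP_FLAG_NAME(SSL_POSSIBLE_HS_FLAG),
        SSLPP_FLAG_NAME(SSL_CLIENT_HELLO_FLAG),
        SSLPP_FLAG_NAME(SSL_SERVER_HELLO_FLAG),
        SSLPP_FLAG_NAME(SSL_CERTIFICATE_FLAG),
        SSLPP_FLAG_NAME(SSL_SERVER_KEYX_FLAG),
        SSLPP_FLAG_NAME(SSL_CLIENT_KEYX_FLAG),
        SSLPP_FLAG_NAME(SSL_CIPHER_SPEC_FLAG),
        SSLPP_FLAG_NAME(SSL_SFINISHED_FLAG),
        SSLPP_FLAG_NAME(SSL_SAPP_FLAG),
        SSLPP_FLAG_NAME(SSL_CAPP_FLAG),
        SSLPP_FLAG_NAME(SSL_HS_SDONE_FLAG),
        SSLPP_FLAG_NAME(SSL_POSSIBLY_ENC_FLAG),
        SSLPP_FLAG_NAME(SSL_VER_SSLV2_FLAG),
        SSLPP_FLAG_NAME(SSL_VER_SSLV3_FLAG),
        SSLPP_FLAG_NAME(SSL_VER_TLS10_FLAG),
        SSLPP_FLAG_NAME(SSL_VER_TLS11_FLAG),
        SSLPP_FLAG_NAME(SSL_VER_TLS12_FLAG),
        SSLPP_FLAG_NAME(SSL_CUR_CLIENT_HELLO_FLAG),
        SSLPP_FLAG_NAME(SSL_CUR_SERVER_HELLO_FLAG),
        SSLPP_FLAG_NAME(SSL_CUR_SERVER_KEYX_FLAG),
        SSLPP_FLAG_NAME(SSL_CUR_CLIENT_KEYX_FLAG),
        SSLPP_FLAG_NAME(SSL_ENCRYPTED_FLAG),
        SSLPP_FLAG_NAME(SSL_UNKNOWN_FLAG),
        SSLPP_FLAG_NAME(SSL_BOGUS_HS_DIR_FLAG),
        SSLPP_FLAG_NAME(SSL_TRAILING_GARB_FLAG),
        SSLPP_FLAG_NAME(SSL_BAD_TYPE_FLAG),
        SSLPP_FLAG_NAME(SSL_BAD_VER_FLAG),
        SSLPP_FLAG_NAME(SSL_TRUNCATED_FLAG),
        SSLPP_FLAG_NAME(SSL_ARG_ERROR_FLAG)
#undef SSLPP_FLAG_NAME
    };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
    {
        if (flags & names[i].bit)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_SSL, "%s", names[i].name););
        }
    }
}
#endif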