smtp_normalize.c

入侵检测SNORT.最近更新的基于网络检测的IDS.希望能给大家带来方便.

/*
 * smtp_normalize.c
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Copyright (C) 2005-2008 Sourcefire Inc.
 *
 * Author: Andy  Mullican
 *
 * Description:
 *
 * This file handles normalizing SMTP traffic into the alternate buffer.
 *
 * Entry point functions:
 *
 *    SMTP_NeedNormalize()
 *    SMTP_Normalize()
 *
 *
 */

#include <string.h>

#include "snort_smtp.h"
#include "smtp_util.h"
#include "bounds.h"
#include "sf_dynamic_preprocessor.h"
#include "sf_snort_packet.h"

extern SMTP *_smtp;
extern DynamicPreprocessorData _dpd;
extern char _smtp_normalizing;


/*
 * SMTP_NormalizeCmd
 * 
 * If command doesn't need normalizing it will do nothing, except in
 * the case where we are already normalizing in which case the line
 * will get copied to the alt buffer.
 * If the command needs normalizing the normalized data will be copied 
 * to the alt buffer.  If we are not already normalizing, all of the 
 * data up to this point will be copied into the alt buffer first.
 *
 * XXX This may copy unwanted data if we are ignoring the data in the
 *     message and there was data that came before the command in the
 *     packet, for example if there are multiple transactions on the
 *     session or if we're normalizing QUIT.
 *
 * @param   p      pointer to packet structure
 * @param   ptr    pointer to beginning of command line
 * @param   eolm   start of end of line marker
 * @param   eol    end of end of line marker
 *
 * @return  response
 * @retval   0          function succeded without error
 * @retval  -1          there were errors
 */
int SMTP_NormalizeCmd(SFSnortPacket *p, const u_int8_t *ptr, const u_int8_t *eolm, const u_int8_t *eol)
{
    const u_int8_t *tmp;
    const u_int8_t *cmd_start;
    const u_int8_t *cmd_end;
    const u_int8_t *args_start;
    const u_int8_t *args_end;
    const u_int8_t *space = (u_int8_t *)" ";
    int need_normalize = 0;
    int ret;


    tmp = ptr;

    /* move past initial whitespace */
    while ((tmp < eolm) && isspace((int)*tmp))
        tmp++;

    /* we got whitespace before command */
    if (tmp > ptr)
        need_normalize = 1;

    /* move past the command */
    cmd_start = cmd_end = tmp;
    while ((cmd_end < eolm) && !isspace((int)*cmd_end))
        cmd_end++;

    args_start = cmd_end;
    while ((args_start < eolm) && isspace((int)*args_start))
        args_start++;

    if (args_start == eolm)
    {
        /* nothing but space after command - normalize if we got any
         * spaces since there is not an argument */
        if (args_start > cmd_end)
            need_normalize = 1;

        args_end = args_start;
    }
    else
    {
        /* more than one space between command and argument or
         * whitespace between command and argument is not a regular space character */
        if ((args_start > (cmd_end + 1)) || (*cmd_end != ' '))
            need_normalize = 1;

        /* see if there is any dangling space at end of argument */
        args_end = eolm;
        while (isspace((int)*(args_end - 1)))
            args_end--;

        if (args_end != eolm)
            need_normalize = 1;
    }


    if (need_normalize)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_SMTP, "Command needs normalizing\n"););

        /* if we're not yet normalizing copy everything in the payload up to this
         * line into the alt buffer */
        if (!_smtp_normalizing)
        {
            ret = SMTP_CopyToAltBuffer(p, p->payload, ptr - p->payload);
            if (ret == -1)
                return -1;
        }

        /* copy the command into the alt buffer */
        ret = SMTP_CopyToAltBuffer(p, cmd_start, cmd_end - cmd_start);
        if (ret == -1)
            return -1;

        /* if we actually have an argument, copy it into the alt buffer */
        if (args_start != args_end)
        {
            /* copy a 'pure' space */
            ret = SMTP_CopyToAltBuffer(p, space, 1);
            if (ret == -1)
                return -1;

            ret = SMTP_CopyToAltBuffer(p, args_start, args_end - args_start);
            if (ret == -1)
                return -1;
        }

        /* copy the end of line marker into the alt buffer */
        ret = SMTP_CopyToAltBuffer(p, eolm, eol - eolm);
        if (ret == -1)
            return -1;

    }
    else if (_smtp_normalizing)
    {
        /* if we're already normalizing and didn't need to normalize this line, just
         * copy it into the alt buffer */
        ret = SMTP_CopyToAltBuffer(p, ptr, eol - ptr);
        if (ret == -1)
            return -1;
    }

    return 0;
}