snort_stream5_tcp.c

入侵检测SNORT.最近更新的基于网络检测的IDS.希望能给大家带来方便.

    u_int32_t overlap_count;      /* overlaps encountered */

    Stream5AlertInfo alerts[MAX_SESSION_ALERTS]; /* history of alerts */
    int alert_count;              /* number alerts stored */
#ifdef DEBUG
    int segment_ordinal;
#endif
} StreamTracker;

typedef struct _TcpSession
{
    Stream5LWSession *lwssn;
    StreamTracker client;
    StreamTracker server;

#ifdef DEBUG
    struct timeval ssn_time;
#endif

    //u_int8_t    c_ttl;
    //u_int8_t    s_ttl;
} TcpSession;

int default_ports[] =
{
    21, 23, 25, 42, 53, 80, 110, 111, 135, 136, 137, 139, 143, 445,
    513, 514, 1433, 1521, 2401, 3306
};
static FlushConfig ignore_flush_policy[MAX_PORTS];

/*  P R O T O T Y P E S  ********************************************/
static void Stream5ParseTcpArgs(char *, Stream5TcpPolicy *);
static void Stream5PrintTcpConfig(Stream5TcpPolicy *);

static void Stream5InitPacket();
static INLINE void SetupTcpDataBlock(TcpDataBlock *, Packet *);
static int ProcessTcp(Stream5LWSession *, Packet *, TcpDataBlock *,
        Stream5TcpPolicy *);
#if OLD_CODE_NOLONGER_USED_DEPENDS_ON_CURRENT_STATE
static INLINE void QueueState(u_int8_t, StreamTracker*, u_int8_t,
        u_int32_t, u_int8_t);
static INLINE int EvalStateQueue(StreamTracker *, u_int8_t, u_int32_t);
#endif
static int CheckFlushPolicy(TcpSession *, StreamTracker *, StreamTracker *,
                TcpDataBlock *, Packet *);
static void Stream5SeglistAddNode(StreamTracker *, StreamSegment *,
                StreamSegment *);
static int Stream5SeglistDeleteNode(StreamTracker *, StreamSegment *);
static int AddStreamNode(StreamTracker *st, Packet *p,
                  u_int32_t ts,
                  TcpSession *tcpssn,
                  int16_t len,
                  u_int32_t slide,
                  u_int32_t trunc,
                  u_int32_t seq,
                  StreamSegment *left,
                  StreamSegment **retSeg);

static u_int32_t Stream5GetWscale(Packet *, u_int16_t *);
static u_int32_t Stream5PacketHasWscale(Packet *);
static u_int32_t Stream5GetMss(Packet *, u_int16_t *);
static u_int32_t Stream5GetTcpTimestamp(Packet *, u_int32_t *);
static int FlushStream(StreamTracker *st, /* Packet *p, */ u_int8_t *flushbuf, 
        int size);
void TcpSessionCleanup(Stream5LWSession *ssn);

int s5TcpStreamSizeInit(char *name, char *parameters, void **dataPtr);
int s5TcpStreamSizeEval(void *p, const u_int8_t **cursor, void *dataPtr);
void s5TcpStreamSizeCleanup(void *dataPtr);
static INLINE void ResetFlushMgrs(void);
/*  G L O B A L S  **************************************************/
static Stream5SessionCache *tcp_lws_cache;
static MemPool tcp_session_mempool;
#ifdef SUP_IP6
static Packet *s5_pkt_6 = NULL;
#endif
static Packet *s5_pkt = NULL;
static Stream5TcpPolicy **tcpPolicyList = NULL; /* List of Policies configured */
static u_int8_t numTcpPolicies = 0;
static char midstream_allowed = 0;

/* enum for policy names */
static char *reassembly_policy_names[] = {
    "no policy!",
    "FIRST",
    "LINUX",
    "BSD",
    "OLD LINUX",
    "LAST",
    "WINDOWS",
    "SOLARIS",
    "HPUX11",
    "IRIX",
    "MACOS",
    "HPUX10",
    "WINDOWS VISTA",
    "WINDOWS 2003"
};

#ifdef DEBUG_STREAM5
static char *state_names[] = { 
    "NONE",
    "LISTEN",
    "SYN_RCVD",
    "SYN_SENT",
    "ESTABLISHED",
    "CLOSE_WAIT",
    "LAST_ACK",
    "FIN_WAIT_1",
    "CLOSING",
    "FIN_WAIT_2",
    "TIME_WAIT",
    "CLOSED"
};
#endif

static char *flush_policy_names[] = {
    "None",
    "Footprint",
    "Logical",
    "Response",
    "Sliding Window",
    "Consumed",
    "Ignore"};

static int s5_tcp_cleanup = 0;

/*  F U N C T I O N S  **********************************************/
static u_int32_t g_static_points[RAND_FLUSH_POINTS] =
                         { 128, 217, 189, 130, 240, 221, 134, 129,
                           250, 232, 141, 131, 144, 177, 201, 130,
                           230, 190, 177, 142, 130, 200, 173, 129,
                           250, 244, 174, 151, 201, 190, 180, 198,
                           220, 201, 142, 185, 219, 129, 194, 140,
                           145, 191, 197, 183, 199, 220, 231, 245,
                           233, 135, 143, 158, 174, 194, 200, 180,
                           201, 142, 153, 187, 173, 199, 143, 201 };

static INLINE u_int32_t GenerateFlushPoint(FlushPointList *flush_point_list)
{
    return (rand() % flush_point_list->flush_range) + flush_point_list->flush_base;
}

static INLINE void InitFlushPointList(FlushPointList *flush_point_list, u_int32_t value, u_int32_t range, char use_static)
{
    u_int32_t i;
    u_int32_t flush_range = range;
    u_int32_t flush_base = value - range/2;

    if (!flush_point_list)
        return;

    if (!flush_point_list->initialized)
    {
        flush_point_list->flush_range = flush_range;
        flush_point_list->flush_base = flush_base;
#ifndef DYNAMIC_RANDOM_FLUSH_POINTS
        flush_point_list->current = 0;

        flush_point_list->flush_points = SnortAlloc(sizeof(u_int32_t) * RAND_FLUSH_POINTS);
        for (i=0;i<RAND_FLUSH_POINTS;i++)
        {
            if (use_static)
            {
                flush_point_list->flush_points[i] = g_static_points[i];
            }
            else
            {
                flush_point_list->flush_points[i] = GenerateFlushPoint(flush_point_list);
            }
        }
#endif
        flush_point_list->initialized = 1;
    }
}

static INLINE void UpdateFlushMgr(FlushMgr *mgr, FlushPointList *flush_point_list)
{
    switch (mgr->flush_policy)
    {
        case STREAM_FLPOLICY_FOOTPRINT:
        case STREAM_FLPOLICY_LOGICAL:
            /* Ideally, we would call rand() each time, but that
             * is a performance headache waiting to happen. */
#ifdef DYNAMIC_RANDOM_FLUSH_POINTS
            mgr->flush_pt = GenerateFlushPoint();
#else
            if (flush_point_list)
            {
                /* Handle case where it wasn't initialized... */
                if (flush_point_list->initialized == 0)
                {
                    InitFlushPointList(flush_point_list, 192, 128, 0);
                }
                mgr->flush_pt = flush_point_list->flush_points[flush_point_list->current];
                flush_point_list->current = (flush_point_list->current+1) % RAND_FLUSH_POINTS;
            }
#endif
        default:
            break;
    }
}

static INLINE void InitFlushMgr(FlushMgr *mgr, FlushPointList *flush_point_list, u_int8_t policy)
{
    mgr->flush_policy = policy;
    if ((policy == STREAM_FLPOLICY_FOOTPRINT) ||
        (policy == STREAM_FLPOLICY_LOGICAL))
    {
        UpdateFlushMgr(mgr, flush_point_list);
    }
}

static INLINE void ResetFlushMgrs(void)
{
    int i, j;
    u_int8_t flush_policy;
    Stream5TcpPolicy *policy;
    FlushPointList *fpl;
    FlushMgr *client, *server;

    for (i = 0; i < numTcpPolicies; i++)
    {
        policy = tcpPolicyList[i];
        fpl = &policy->flush_point_list;
        fpl->current = 0;

        for (j = 0; j < MAX_PORTS; j++)
        {
            client = &policy->flush_config[j].client;
            flush_policy = policy->flush_config[j].client.flush_policy;
            InitFlushMgr(client, fpl, flush_policy);

            server = &policy->flush_config[j].server;
            flush_policy = policy->flush_config[j].server.flush_policy;
            InitFlushMgr(server, fpl, flush_policy);
        }
#ifdef TARGET_BASED
        for (j = 0; j < MAX_PROTOCOL_ORDINAL; j++)
        {
            client = &policy->flush_config_protocol[j].client;
            flush_policy = policy->flush_config_protocol[j].client.flush_policy;
            InitFlushMgr(client, fpl, flush_policy);

            server = &policy->flush_config_protocol[j].server;
            flush_policy = policy->flush_config_protocol[j].server.flush_policy;
            InitFlushMgr(server, fpl, flush_policy);
        }
#endif
    }
}

void Stream5UpdatePerfBaseState(SFBASE *sfBase,
                                Stream5LWSession *lwssn,
                                char newState)
{
    if (!lwssn)
    {
        return;
    }

    switch (newState)
    {
    case TCP_STATE_SYN_SENT:
        if (!(lwssn->session_flags & SSNFLAG_COUNTED_INITIALIZE))
        {
            sfBase->iSessionsInitializing++;
            lwssn->session_flags |= SSNFLAG_COUNTED_INITIALIZE;
        }
        break;
    case TCP_STATE_ESTABLISHED:
        if (!(lwssn->session_flags & SSNFLAG_COUNTED_ESTABLISH))
        {
            sfBase->iSessionsEstablished++;
            lwssn->session_flags |= SSNFLAG_COUNTED_ESTABLISH;
            if (lwssn->session_flags & SSNFLAG_COUNTED_INITIALIZE)
            {
                sfBase->iSessionsInitializing--;
            }
        }
        break;
    case TCP_STATE_CLOSING:
        if (!(lwssn->session_flags & SSNFLAG_COUNTED_CLOSING))
        {
            sfBase->iSessionsClosing++;
            lwssn->session_flags |= SSNFLAG_COUNTED_CLOSING;
            if (lwssn->session_flags & SSNFLAG_COUNTED_ESTABLISH)
            {
                sfBase->iSessionsEstablished--;
            }
            else if (lwssn->session_flags & SSNFLAG_COUNTED_INITIALIZE)
            {
                sfBase->iSessionsInitializing--;
            }
        }
        break;
    case TCP_STATE_CLOSED:
        if (lwssn->session_flags & SSNFLAG_COUNTED_CLOSING)
        {
            sfBase->iSessionsClosing--;
        }
        else if (lwssn->session_flags & SSNFLAG_COUNTED_ESTABLISH)
        {
            sfBase->iSessionsEstablished--;
        }
        else if (lwssn->session_flags & SSNFLAG_COUNTED_INITIALIZE)
        {
            sfBase->iSessionsInitializing--;
        }
        break;
    default:
        break;
    }
}

void Stream5InitTcp()
{
    int i;

    if((tcp_lws_cache == NULL) && s5_global_config.track_tcp_sessions)
    {
        tcp_lws_cache = InitLWSessionCache(s5_global_config.max_tcp_sessions,
                30, 5, 0, &TcpSessionCleanup);

        if(!tcp_lws_cache)
        {
            FatalError("Unable to init stream5 TCP session cache, no TCP "
                       "stream inspection!\n");
        }

        mempool_init(&tcp_session_mempool, s5_global_config.max_tcp_sessions, sizeof(TcpSession));
    }

    /* Default is to ignore, for all ports */
    for(i=0;i<MAX_PORTS;i++)
    {
        ignore_flush_policy[i].client.flush_policy = STREAM_FLPOLICY_IGNORE;
        ignore_flush_policy[i].server.flush_policy = STREAM_FLPOLICY_IGNORE;
    }

    /* Seed the flushpoint random generator */
    srand( (unsigned int) sizeof(default_ports) + (unsigned int) time(NULL) );

#ifdef PERF_PROFILING
    RegisterPreprocessorProfile("s5TcpNewSess", &s5TcpNewSessPerfStats, 2, &s5TcpPerfStats);
    RegisterPreprocessorProfile("s5TcpState", &s5TcpStatePerfStats, 2, &s5TcpPerfStats);
    RegisterPreprocessorProfile("s5TcpData", &s5TcpDataPerfStats, 3, &s5TcpStatePerfStats);
    RegisterPreprocessorProfile("s5TcpPktInsert", &s5TcpInsertPerfStats, 4, &s5TcpDataPerfStats);
    RegisterPreprocessorProfile("s5TcpFlush", &s5TcpFlushPerfStats, 3, &s5TcpStatePerfStats);
    RegisterPreprocessorProfile("s5TcpBuildPacket", &s5TcpBuildPacketPerfStats, 4, &s5TcpFlushPerfStats);
    RegisterPreprocessorProfile("s5TcpProcessRebuilt", &s5TcpProcessRebuiltPerfStats, 4, &s5TcpFlushPerfStats);
#endif

#ifdef DYNAMIC_PLUGIN
    /* Register the 'stream_size' rule option */
    RegisterPreprocessorRuleOption("stream_size", &s5TcpStreamSizeInit, &s5TcpStreamSizeEval, &s5TcpStreamSizeCleanup);
#endif
       
    return;
}

void Stream5TcpPolicyInit(char *args)
{
    Stream5TcpPolicy *s5TcpPolicy;
    s5TcpPolicy = (Stream5TcpPolicy *) SnortAlloc(sizeof(Stream5TcpPolicy));
    //s5TcpPolicy->bound_addrs = (IpAddrSet *) SnortAlloc(sizeof(IpAddrSet));

    /* Initialize flush policy to Ignore */
    memcpy(&s5TcpPolicy->flush_config, ignore_flush_policy,
            sizeof(FlushConfig) * MAX_PORTS);

    Stream5ParseTcpArgs(args, s5TcpPolicy);

    /* Now add this context to the internal list */