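/****************************************************************************
 *
 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2005-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 ****************************************************************************/

/*
 * Preprocessor identifiers, the 64-bit enable masks built from them, the
 * core-preprocessor ordering constants and the registration priorities that
 * the preprocessor framework and the individual preprocessors share.
 */

#ifndef _PREPROC_IDS_H
#define _PREPROC_IDS_H

#include <stdint.h>
#ifdef DUMP_BUFFER
#include "sf_types.h"
#endif

/*
** Preprocessor Communication Defines
** ----------------------------------
** These defines allow preprocessors to be turned
** on and off for each packet.  Preprocessors can be
** turned off and on before preprocessing occurs and
** during preprocessing.
**
** Currently, the order in which the preprocessors are
** placed in the snort.conf determine the order of
** evaluation.  So if one module wants to turn off
** another module, it must come first in the order.
*/

/*
 * Each PP_* value is a bit index into a PreprocEnableMask (uint64_t, see the
 * typedef at the bottom of this file), so the ids must stay below 64.  The
 * PP_CLASS_* masks below are built as (UINT64_C(1) << PP_x).
 */
// currently 64 bits (preprocessors) are available.

#define PP_BO                       0
#define PP_APP_ID                   1
#define PP_DNS                      2
#define PP_FRAG3                    3
#define PP_FTPTELNET                4
#define PP_HTTPINSPECT              5
#define PP_PERFMONITOR              6
#define PP_RPCDECODE                7
#define PP_SHARED_RULES             8
#define PP_SFPORTSCAN               9
#define PP_SMTP                    10
#define PP_SSH                     11
#define PP_SSL                     12
#define PP_STREAM                  13
#define PP_TELNET                  14
#define PP_ARPSPOOF                15
#define PP_DCE2                    16
#define PP_SDF                     17
#define PP_NORMALIZE               18
#define PP_ISAKMP                  19 // used externally
#define PP_SESSION                 20
#define PP_SIP                     21
#define PP_POP                     22
#define PP_IMAP                    23
#define PP_NETWORK_DISCOVERY       24 // used externally
#define PP_FW_RULE_ENGINE          25 // used externally
#define PP_REPUTATION              26
#define PP_GTP                     27
#define PP_MODBUS                  28
#define PP_DNP3                    29
#define PP_FILE                    30
#define PP_FILE_INSPECT            31
#define PP_NAP_RULE_ENGINE         32
#define PP_PREFILTER_RULE_ENGINE   33 // used externally
#define PP_HTTPMOD                 34
#define PP_HTTP2                   35
#define PP_CIP                     36
#define PP_S7COMMPLUS              37
// One past the highest real preprocessor id; bump it when adding an id above.
#define PP_MAX                     38
// Not a real preprocessor id (there is no bit 50 in any class mask); it is a
// sentinel meaning "every preprocessor" — presumably in the enable/disable
// API, confirm against its callers.
#define PP_ALL                     50
// (~0) is an int; converting it to PreprocEnableMask sets all 64 bits.
#define PP_ENABLE_ALL              (~0)
#define PP_DISABLE_ALL             0x0

#ifdef WIN32
#ifndef UINT64_C
/*
 * Fallback for toolchains whose <stdint.h> lacks UINT64_C.  The constant
 * must have a 64-bit type: with a plain (v) expansion, UINT64_C(1) << PP_x
 * shifts a 32-bit int by 32 or more for ids from PP_NAP_RULE_ENGINE upward,
 * which is undefined behavior and silently corrupts the PP_CLASS_* masks.
 * Token-pasting the ULL suffix is what <stdint.h> itself does on 32-bit
 * targets and keeps the result usable in #if expressions.
 */
#define UINT64_C(v) (v##ULL)
#endif
#endif

// preprocessors that run before or as part of Network Analysis Policy
// processing... If enabled by configuration they are never disabled
#define PP_CLASS_NETWORK   ( ( UINT64_C(1) << PP_FRAG3 )      | ( UINT64_C(1) << PP_PERFMONITOR ) | \
                             ( UINT64_C(1) << PP_SFPORTSCAN ) | ( UINT64_C(1) << PP_STREAM )      | \
                             ( UINT64_C(1) << PP_NORMALIZE )  | ( UINT64_C(1) << PP_SESSION )     | \
                             ( UINT64_C(1) << PP_REPUTATION ) )

// Firewall and Application ID & Network Discovery preprocessors...also always
// run if enabled by configuration
#define PP_CLASS_NGFW      ( ( UINT64_C(1) << PP_APP_ID )            | ( UINT64_C(1) << PP_FW_RULE_ENGINE )        | \
                             ( UINT64_C(1) << PP_NETWORK_DISCOVERY ) | ( UINT64_C(1) << PP_PREFILTER_RULE_ENGINE ) | \
                             ( UINT64_C(1) << PP_HTTPMOD ) )

// Application preprocessors...once the application or protocol for a stream
// is determined only preprocessors that analyze that type of stream are
// enabled (usually there is only 1...)
#define PP_CLASS_PROTO_APP ( ( UINT64_C(1) << PP_BO )           | ( UINT64_C(1) << PP_DNS )          | \
                             ( UINT64_C(1) << PP_FTPTELNET )    | ( UINT64_C(1) << PP_HTTPINSPECT )  | \
                             ( UINT64_C(1) << PP_RPCDECODE )    | ( UINT64_C(1) << PP_SHARED_RULES ) | \
                             ( UINT64_C(1) << PP_SMTP )         | ( UINT64_C(1) << PP_SSH )          | \
                             ( UINT64_C(1) << PP_SSL )          | ( UINT64_C(1) << PP_TELNET )       | \
                             ( UINT64_C(1) << PP_ARPSPOOF )     | ( UINT64_C(1) << PP_DCE2 )         | \
                             ( UINT64_C(1) << PP_SDF )          | ( UINT64_C(1) << PP_ISAKMP )       | \
                             ( UINT64_C(1) << PP_POP )          | ( UINT64_C(1) << PP_IMAP )         | \
                             ( UINT64_C(1) << PP_GTP )          | ( UINT64_C(1) << PP_MODBUS )       | \
                             ( UINT64_C(1) << PP_DNP3 )         | ( UINT64_C(1) << PP_FILE )         | \
                             ( UINT64_C(1) << PP_FILE_INSPECT ) )

// Preprocessors whose configuration is global rather than per policy
// (inferred from the name; the owning code is not in this header).
#define PP_DEFINED_GLOBAL  ( ( UINT64_C(1) << PP_APP_ID )            | ( UINT64_C(1) << PP_FW_RULE_ENGINE )        | \
                             ( UINT64_C(1) << PP_NETWORK_DISCOVERY ) | ( UINT64_C(1) << PP_PERFMONITOR )           | \
                             ( UINT64_C(1) << PP_SESSION )           | ( UINT64_C(1) << PP_PREFILTER_RULE_ENGINE ) )

// Fixed evaluation order of the core preprocessors (0 runs first).
#define PP_CORE_ORDER_SESSION    0
#define PP_CORE_ORDER_IPREP      1
#define PP_CORE_ORDER_NAP        2
#define PP_CORE_ORDER_NORML      3
#define PP_CORE_ORDER_FRAG3      4
#define PP_CORE_ORDER_PREFILTER  5 // used externally
#define PP_CORE_ORDER_STREAM     6

// Registration priorities; the values are ascending from core to last, so a
// lower value presumably registers (and runs) earlier — confirm against the
// preprocessor registration code.
#define PRIORITY_CORE        0x0
#define PRIORITY_CORE_LAST   0x0f
#define PRIORITY_FIRST       0x10
#define PRIORITY_NETWORK     0x20
#define PRIORITY_TRANSPORT   0x100
#define PRIORITY_TUNNEL      0x105
#define PRIORITY_SCANNER     0x110
#define PRIORITY_APPLICATION 0x200
#define PRIORITY_LAST        0xffff

#ifdef DUMP_BUFFER

/* dump_alert_only makes sure that bufferdump happens only when a rule is
   triggered.

   dumped_state avoids repetition of buffer dump for a packet that has an
   alert, when --buffer-dump is given as command line option.

   dump_enabled gets set when --buffer-dump or --buffer-dump-alert option
   is given.
*/

extern bool dump_alert_only;
extern bool dumped_state;
extern bool dump_enabled;

// Number of entries in BUFFER_DUMP_FUNC / getBuffers; keep in sync with the
// enum below (13 enumerators today).
#define MAX_BUFFER_DUMP_FUNC      13
// Per-preprocessor buffer counts; their meaning is defined by each
// preprocessor's own dump code, not here.
#define MAX_HTTP_BUFFER_DUMP      16
#define MAX_SMTP_BUFFER_DUMP       7
#define MAX_SIP_BUFFER_DUMP       16
#define MAX_DNP3_BUFFER_DUMP       4
#define MAX_POP_BUFFER_DUMP        7
#define MAX_MODBUS_BUFFER_DUMP     3
#define MAX_SSH_BUFFER_DUMP       11
#define MAX_DNS_BUFFER_DUMP       10
#define MAX_DCERPC2_BUFFER_DUMP    7
#define MAX_FTPTELNET_BUFFER_DUMP  7
#define MAX_IMAP_BUFFER_DUMP       4
#define MAX_SSL_BUFFER_DUMP        4
#define MAX_GTP_BUFFER_DUMP        6

// Index of each preprocessor's buffer-dump callback in getBuffers[].
typedef enum {
    HTTP_BUFFER_DUMP_FUNC,
    SMTP_BUFFER_DUMP_FUNC,
    SIP_BUFFER_DUMP_FUNC,
    DNP3_BUFFER_DUMP_FUNC,
    POP_BUFFER_DUMP_FUNC,
    MODBUS_BUFFER_DUMP_FUNC,
    SSH_BUFFER_DUMP_FUNC,
    DNS_BUFFER_DUMP_FUNC,
    DCERPC2_BUFFER_DUMP_FUNC,
    FTPTELNET_BUFFER_DUMP_FUNC,
    IMAP_BUFFER_DUMP_FUNC,
    SSL_BUFFER_DUMP_FUNC,
    GTP_BUFFER_DUMP_FUNC
} BUFFER_DUMP_FUNC;

// One dumpable buffer: a display name, the bytes, and their length.
// NOTE(review): buf_content is not necessarily NUL-terminated and length
// is only 16 bits; treat length as authoritative when printing — confirm
// against the producers of these records.
typedef struct _TraceBuffer {
    char *buf_name;
    char *buf_content;
    uint16_t length;
} TraceBuffer;

typedef uint64_t BufferDumpEnableMask;
extern TraceBuffer *(*getBuffers[MAX_BUFFER_DUMP_FUNC])(void);
extern BufferDumpEnableMask bdmask;

#endif

// One bit per preprocessor, indexed by the PP_* ids above.
typedef uint64_t PreprocEnableMask;

#endif /* _PREPROC_IDS_H */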