1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 // Copyright (C) 2013-2013 Sourcefire, Inc.
4 //
5 // This program is free software; you can redistribute it and/or modify it
6 // under the terms of the GNU General Public License Version 2 as published
7 // by the Free Software Foundation.  You may not use, modify or distribute
8 // this program under any other version of the GNU General Public License.
9 //
10 // This program is distributed in the hope that it will be useful, but
11 // WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
13 // General Public License for more details.
14 //
15 // You should have received a copy of the GNU General Public License along
16 // with this program; if not, write to the Free Software Foundation, Inc.,
17 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
18 //--------------------------------------------------------------------------
19 
20 #ifndef SNORT_POLICY_H
21 #define SNORT_POLICY_H
22 
23 // the following policy types are defined:
24 //
25 // -- network - for packet handling
26 // -- inspection - for flow handling
27 // -- ips - for rule handling
28 
29 #ifdef HAVE_UUID
30 #include <uuid.h>
31 #else
32 typedef unsigned char uuid_t[16];
33 #endif
34 
35 #include <algorithm>
36 #include <map>
37 #include <memory>
38 #include <unordered_map>
39 #include <vector>
40 
41 #include "framework/data_bus.h"
42 
43 namespace snort
44 {
45 class GHash;
46 class IpsAction;
47 struct SnortConfig;
48 }
49 
50 struct _daq_pkt_hdr;
51 struct PortTable;
52 struct vartable_t;
53 struct sfip_var_t;
54 
55 typedef unsigned int PolicyId;
56 typedef snort::GHash PortVarTable;
57 
58 enum PolicyMode
59 {
60     POLICY_MODE__PASSIVE,
61     POLICY_MODE__INLINE,
62     POLICY_MODE__INLINE_TEST,
63     POLICY_MODE__MAX
64 };
65 
66 // FIXIT-L split into separate headers
67 
68 //-------------------------------------------------------------------------
69 // traffic stuff
70 //-------------------------------------------------------------------------
71 
72 enum ChecksumFlag
73 {
74     CHECKSUM_FLAG__IP   = 0x00000001,
75     CHECKSUM_FLAG__TCP  = 0x00000002,
76     CHECKSUM_FLAG__UDP  = 0x00000004,
77     CHECKSUM_FLAG__ICMP = 0x00000008,
78     CHECKSUM_FLAG__ALL  = 0x0000000f,
79     CHECKSUM_FLAG__DEF  = 0x80000000
80 };
81 
82 enum DecodeEventFlag
83 {
84     DECODE_EVENT_FLAG__DEFAULT = 0x00000001
85 };
86 
87 // Snort ac-split creates the nap (network analysis policy)
88 // Snort++ breaks the nap into network and inspection
89 
90 struct NetworkPolicy
91 {
92 public:
93     NetworkPolicy(PolicyId = 0, PolicyId default_inspection_id = 0);
94     NetworkPolicy(NetworkPolicy*, const char*);
95     ~NetworkPolicy();
96 
checksum_dropsNetworkPolicy97     bool checksum_drops(uint16_t codec_cksum_err_flag)
98     { return (checksum_drop & codec_cksum_err_flag) != 0; }
99 
ip_checksumsNetworkPolicy100     bool ip_checksums()
101     { return (checksum_eval & CHECKSUM_FLAG__IP) != 0; }
102 
udp_checksumsNetworkPolicy103     bool udp_checksums()
104     { return (checksum_eval & CHECKSUM_FLAG__UDP) != 0; }
105 
tcp_checksumsNetworkPolicy106     bool tcp_checksums()
107     { return (checksum_eval & CHECKSUM_FLAG__TCP) != 0; }
108 
icmp_checksumsNetworkPolicy109     bool icmp_checksums()
110     { return (checksum_eval & CHECKSUM_FLAG__ICMP) != 0; }
111 
112 public:
113     struct TrafficPolicy* traffic_policy;
114     snort::DataBus dbus;
115 
116     PolicyId policy_id = 0;
117     uint32_t user_policy_id = 0;
118     PolicyId default_inspection_policy_id = 0;
119 
120     // minimum possible (allows all but errors to pass by default)
121     uint8_t min_ttl = 1;
122     uint8_t new_ttl = 5;
123 
124     uint32_t checksum_eval = CHECKSUM_FLAG__ALL | CHECKSUM_FLAG__DEF;
125     uint32_t checksum_drop = CHECKSUM_FLAG__DEF;
126     uint32_t normal_mask = 0;
127     bool cloned = false;
128 
129 private:
130     void init(NetworkPolicy*, const char*);
131 };
132 
133 //-------------------------------------------------------------------------
134 // inspection stuff
135 //-------------------------------------------------------------------------
136 
137 struct InspectionPolicy
138 {
139 public:
140     InspectionPolicy(PolicyId = 0);
141     InspectionPolicy(InspectionPolicy* old_inspection_policy);
142     ~InspectionPolicy();
143 
144     void configure();
145 
146 public:
147     PolicyId policy_id = 0;
148     PolicyMode policy_mode = POLICY_MODE__MAX;
149     uint32_t user_policy_id = 0;
150     uuid_t uuid{};
151 
152     struct FrameworkPolicy* framework_policy;
153     snort::DataBus dbus;
154     bool cloned;
155 
156 private:
157     void init(InspectionPolicy* old_inspection_policy);
158 };
159 
160 //-------------------------------------------------------------------------
161 // detection stuff
162 //-------------------------------------------------------------------------
163 
164 struct IpsPolicy
165 {
166 public:
167     enum Enable : uint8_t { DISABLED, ENABLED, INHERIT_ENABLE };
168 
169     IpsPolicy(PolicyId = 0);
170     ~IpsPolicy();
171 
172 public:
173     PolicyId policy_id;
174     uint32_t user_policy_id = 0;
175     uuid_t uuid{};
176 
177     PolicyMode policy_mode = POLICY_MODE__MAX;
178     bool enable_builtin_rules;
179     int rules_loaded = 0;
180     int rules_shared = 0;
181 
182     std::string includer;
183     std::string include;
184 
185     std::string rules;
186     std::string states;
187 
188     uint32_t var_id;
189 
190     struct VarEntry* var_table;
191     vartable_t* ip_vartable;
192 
193     /* The portobjects in these are attached to rtns and used during runtime */
194     PortVarTable* portVarTable;     /* named entries, uses a hash table */
195     PortTable* nonamePortVarTable;  /* un-named entries */
196 
197     Enable default_rule_state = INHERIT_ENABLE;
198 
199     bool obfuscate_pii;
200 
201     std::string action_override;
202     std::map<std::string, std::string> action_map;
203 
204     // Holds all plugin actions associated with this policy
205     std::vector<snort::IpsAction*> action;
206 };
207 
208 //-------------------------------------------------------------------------
209 // binding stuff
210 //-------------------------------------------------------------------------
211 
212 class Shell;
213 
214 struct PolicyTuple
215 {
216     InspectionPolicy* inspection = nullptr;
217     IpsPolicy* ips = nullptr;
218     NetworkPolicy* network = nullptr;
219 
PolicyTuplePolicyTuple220     PolicyTuple(InspectionPolicy* ins_pol, IpsPolicy* ips_pol, NetworkPolicy* net_pol) :
221         inspection(ins_pol), ips(ips_pol), network(net_pol) { }
222 };
223 
224 class PolicyMap
225 {
226 public:
227     PolicyMap(PolicyMap* old_map = nullptr, const char* exclude_name = nullptr);
228     ~PolicyMap();
229 
230     InspectionPolicy* add_inspection_shell(Shell*);
231     IpsPolicy* add_ips_shell(Shell*);
232     std::shared_ptr<PolicyTuple> add_shell(Shell*, bool include_network);
233     std::shared_ptr<PolicyTuple> get_policies(Shell* sh);
234     void clone(PolicyMap *old_map, const char* exclude_name);
235 
236     Shell* get_shell(unsigned i = 0)
237     { return i < shells.size() ? shells[i] : nullptr; }
238 
set_user_network(NetworkPolicy * p)239     void set_user_network(NetworkPolicy* p)
240     { user_network[p->user_policy_id] = p; }
241 
set_user_inspection(InspectionPolicy * p)242     void set_user_inspection(InspectionPolicy* p)
243     { user_inspection[p->user_policy_id] = p; }
244 
set_user_ips(IpsPolicy * p)245     void set_user_ips(IpsPolicy* p)
246     { user_ips[p->user_policy_id] = p; }
247 
get_user_network(unsigned user_id)248     NetworkPolicy* get_user_network(unsigned user_id)
249     {
250         auto it = user_network.find(user_id);
251         return it == user_network.end() ? nullptr : it->second;
252     }
253 
get_user_inspection(unsigned user_id)254     InspectionPolicy* get_user_inspection(unsigned user_id)
255     {
256         auto it = user_inspection.find(user_id);
257         return it == user_inspection.end() ? nullptr : it->second;
258     }
259 
get_user_ips(unsigned user_id)260     IpsPolicy* get_user_ips(unsigned user_id)
261     {
262         auto it = user_ips.find(user_id);
263         return it == user_ips.end() ? nullptr : it->second;
264     }
265 
266     NetworkPolicy* get_network_policy(unsigned i = 0)
267     { return i < network_policy.size() ? network_policy[i] : nullptr; }
268 
269     InspectionPolicy* get_inspection_policy(unsigned i = 0)
270     { return i < inspection_policy.size() ? inspection_policy[i] : nullptr; }
271 
272     IpsPolicy* get_ips_policy(unsigned i = 0)
273     { return i < ips_policy.size() ? ips_policy[i] : nullptr; }
274 
get_empty_ips()275     IpsPolicy* get_empty_ips()
276     { return empty_ips_policy; }
277 
network_policy_count()278     unsigned network_policy_count()
279     { return network_policy.size(); }
280 
inspection_policy_count()281     unsigned inspection_policy_count()
282     { return inspection_policy.size(); }
283 
ips_policy_count()284     unsigned ips_policy_count()
285     { return ips_policy.size(); }
286 
shells_count()287     unsigned shells_count()
288     { return shells.size(); }
289 
set_cloned(bool state)290     void set_cloned(bool state)
291     { cloned = state; }
292 
get_shell_by_policy(unsigned id)293     const Shell* get_shell_by_policy(unsigned id) const
294     {
295         auto it = std::find_if(std::begin(shell_map), std::end(shell_map),
296             [=](auto&& p) { return p.second->ips and p.second->ips->policy_id == id; });
297 
298         return (it == std::end(shell_map)) ? nullptr : it->first;
299     }
300 
301 private:
302     std::vector<Shell*> shells;
303     std::vector<InspectionPolicy*> inspection_policy;
304     std::vector<IpsPolicy*> ips_policy;
305     std::vector<NetworkPolicy*> network_policy;
306 
307     IpsPolicy* empty_ips_policy;
308 
309     std::unordered_map<Shell*, std::shared_ptr<PolicyTuple>> shell_map;
310     std::unordered_map<unsigned, NetworkPolicy*> user_network;
311     std::unordered_map<unsigned, InspectionPolicy*> user_inspection;
312     std::unordered_map<unsigned, IpsPolicy*> user_ips;
313 
314     bool cloned = false;
315 };
316 
317 //-------------------------------------------------------------------------
318 // navigator stuff
319 //-------------------------------------------------------------------------
320 
321 // FIXIT-L may be inlined at some point; on lockdown for now
322 // FIXIT-L SO_PUBLIC required because SnortConfig::inline_mode(), etc. uses the function
323 namespace snort
324 {
325 SO_PUBLIC NetworkPolicy* get_network_policy();
326 SO_PUBLIC InspectionPolicy* get_inspection_policy();
327 SO_PUBLIC IpsPolicy* get_ips_policy();
328 
329 SO_PUBLIC void set_network_policy(NetworkPolicy*);
330 SO_PUBLIC void set_inspection_policy(InspectionPolicy*);
331 SO_PUBLIC void set_ips_policy(IpsPolicy*);
332 
333 SO_PUBLIC NetworkPolicy* get_default_network_policy(const snort::SnortConfig*);
334 SO_PUBLIC InspectionPolicy* get_user_inspection_policy(const snort::SnortConfig*, unsigned policy_id);
335 SO_PUBLIC InspectionPolicy* get_default_inspection_policy(const snort::SnortConfig*);
336 
337 SO_PUBLIC IpsPolicy* get_ips_policy(const snort::SnortConfig*, unsigned i = 0);
338 SO_PUBLIC IpsPolicy* get_user_ips_policy(const snort::SnortConfig*, unsigned policy_id);
339 SO_PUBLIC IpsPolicy* get_empty_ips_policy(const snort::SnortConfig*);
340 }
341 
342 void set_network_policy(const snort::SnortConfig*, unsigned = 0);
343 void set_inspection_policy(const snort::SnortConfig*, unsigned = 0);
344 void set_ips_policy(const snort::SnortConfig*, unsigned = 0);
345 
346 void set_policies(const snort::SnortConfig*, Shell*);
347 void set_default_policy(const snort::SnortConfig*);
348 void select_default_policy(const _daq_pkt_hdr*, const snort::SnortConfig*);
349 
350 bool only_inspection_policy();
351 bool only_ips_policy();
352 
353 #endif
354 
355