1 /****************************************************************************
2 *
3 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
4 * Copyright (C) 2005-2013 Sourcefire, Inc.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License Version 2 as
8 * published by the Free Software Foundation. You may not use, modify or
9 * distribute this program under any other version of the GNU General
10 * Public License.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 *
21 ****************************************************************************/
22
23 #ifndef STREAM_COMMON_H_
24 #define STREAM_COMMON_H_
25
26 #include <sys/types.h>
27 #ifndef WIN32
28 #include <netinet/in.h>
29 #endif
30
31 #include "sfutil/bitop_funcs.h"
32 #include "sfutil/sfActionQueue.h"
33 #include "parser/IpAddrSet.h"
34
35 #include "session_common.h"
36 #include "stream_api.h"
37 #include "mempool.h"
38 #include "sf_types.h"
39
40 #ifdef TARGET_BASED
41 #include "target-based/sftarget_hostentry.h"
42 #endif
43
44 #include "sfPolicy.h"
45 #include "sfPolicyUserData.h"
46
47 //#define STREAM_DEBUG_ENABLED DEBUG
48
49
/* defaults and limits
 *
 * Each tunable below comes as a DEFAULT plus the MIN/MAX bounds the parser
 * is expected to clamp to; a configured value outside [MIN, MAX] should be
 * rejected rather than silently used (the bounds are the only guard here).
 */
#define STREAM_MAX_MAX_WINDOW 0x3FFFc000 /* max window allowed by TCP: 65535 << 14 (max wscale) */
#define STREAM_MIN_MAX_WINDOW 0
#define MAX_PORTS_TO_PRINT 20

/* Limits on queued bytes. */
#define STREAM_DEFAULT_MAX_QUEUED_BYTES 1048576 /* 1 MB */
#define STREAM_MIN_MAX_QUEUED_BYTES 1024 /* Don't let this go below 1024 */
#define STREAM_MAX_MAX_QUEUED_BYTES 0x40000000 /* 1 GB, most we could reach within
                                                * largest window scale */
/* Limits on queued segments. The default segment count is derived from the
 * default byte limit by assuming AVG_PKT_SIZE bytes per segment, so changing
 * either constant changes the derived default. */
#define AVG_PKT_SIZE 400
#define STREAM_DEFAULT_MAX_QUEUED_SEGS (STREAM_DEFAULT_MAX_QUEUED_BYTES/AVG_PKT_SIZE)
#define STREAM_MIN_MAX_QUEUED_SEGS 2 /* Don't let this go below 2 */
#define STREAM_MAX_MAX_QUEUED_SEGS 0x40000000 /* 1 GB worth of one-byte segments */

/* Small-segment detection; a maximum size of 0 disables the check. */
#define STREAM_DEFAULT_MAX_SMALL_SEG_SIZE 0 /* disabled */
#define STREAM_MAX_MAX_SMALL_SEG_SIZE 2048 /* 2048 bytes in single packet, uh, not small */
#define STREAM_MIN_MAX_SMALL_SEG_SIZE 0 /* 0 means disabled */

/* Consecutive small segments tolerated before the condition is reported; 0 disables. */
#define STREAM_DEFAULT_CONSEC_SMALL_SEGS 0 /* disabled */
#define STREAM_MAX_CONSEC_SMALL_SEGS 2048 /* 2048 single byte packets without acks is alot */
#define STREAM_MIN_CONSEC_SMALL_SEGS 0 /* 0 means disabled */
72
#if defined(FEAT_OPEN_APPID)
/* Number of application-protocol id slots kept per session when OpenAppId is built in. */
#define MAX_APP_PROTOCOL_ID 4
#endif /* defined(FEAT_OPEN_APPID) */

/* target-based policy types
 *
 * Contiguous small integers 1..15; the names suggest each selects the
 * reassembly behaviour of a target operating system, with FIRST/LAST/IPS/NOACK
 * as generic strategies. The value is stored in StreamTcpPolicy.policy
 * (a uint16_t). STREAM_POLICY_DEFAULT aliases STREAM_POLICY_BSD.
 */
#define STREAM_POLICY_FIRST 1
#define STREAM_POLICY_LINUX 2
#define STREAM_POLICY_BSD 3
#define STREAM_POLICY_OLD_LINUX 4
#define STREAM_POLICY_LAST 5
#define STREAM_POLICY_WINDOWS 6
#define STREAM_POLICY_SOLARIS 7
#define STREAM_POLICY_HPUX11 8
#define STREAM_POLICY_IRIX 9
#define STREAM_POLICY_MACOS 10
#define STREAM_POLICY_HPUX10 11
#define STREAM_POLICY_VISTA 12
#define STREAM_POLICY_WINDOWS2K3 13
#define STREAM_POLICY_IPS 14
#define STREAM_POLICY_NOACK 15
#define STREAM_POLICY_DEFAULT STREAM_POLICY_BSD
94
/* Per-policy configuration flags: sixteen single-bit values, 0x0001..0x8000.
 *
 * NOTE(review): if these are the bits kept in StreamTcpPolicy.flags (a
 * uint16_t), the field is exactly full — adding a seventeenth flag requires
 * widening that field first.
 */
#define STREAM_CONFIG_STATEFUL_INSPECTION 0x00000001
#define STREAM_CONFIG_ENABLE_ALERTS 0x00000002
#define STREAM_CONFIG_LOG_STREAMS 0x00000004
#define STREAM_CONFIG_REASS_CLIENT 0x00000008
#define STREAM_CONFIG_REASS_SERVER 0x00000010
#define STREAM_CONFIG_ASYNC 0x00000020
#define STREAM_CONFIG_SHOW_PACKETS 0x00000040
#define STREAM_CONFIG_FLUSH_ON_ALERT 0x00000080
#define STREAM_CONFIG_REQUIRE_3WHS 0x00000100
#define STREAM_CONFIG_MIDSTREAM_DROP_NOALERT 0x00000200
#define STREAM_CONFIG_IGNORE_ANY 0x00000400
#define STREAM_CONFIG_PERFORMANCE 0x00000800
#define STREAM_CONFIG_STATIC_FLUSHPOINTS 0x00001000
#define STREAM_CONFIG_IPS 0x00002000
#define STREAM_CONFIG_CHECK_SESSION_HIJACKING 0x00004000
#define STREAM_CONFIG_NO_ASYNC_REASSEMBLY 0x00008000
111
/* traffic direction identification
 *
 * Two names per direction: SERVER/RESPONDER are both 0 and CLIENT/SENDER are
 * both 1, so they can be used interchangeably in comparisons.
 */
#define FROM_SERVER 0
#define FROM_RESPONDER 0
#define FROM_CLIENT 1
#define FROM_SENDER 1

/* Session state bits. Each value is a single bit so they can be OR'd into one
 * state word. Note that 0x0400 is not assigned in this list (CLOSED is 0x0800);
 * do not assume the values are contiguous when iterating or logging them. */
#define STREAM_STATE_NONE 0x0000
#define STREAM_STATE_SYN 0x0001
#define STREAM_STATE_SYN_ACK 0x0002
#define STREAM_STATE_ACK 0x0004
#define STREAM_STATE_ESTABLISHED 0x0008
#define STREAM_STATE_DROP_CLIENT 0x0010
#define STREAM_STATE_DROP_SERVER 0x0020
#define STREAM_STATE_MIDSTREAM 0x0040
#define STREAM_STATE_TIMEDOUT 0x0080
#define STREAM_STATE_UNREACH 0x0100
#define STREAM_STATE_PORT_INSPECT 0x0200
#define STREAM_STATE_CLOSED 0x0800
130
131 /* D A T A S T R U C T U R E S **********************************/
/* D A T A S T R U C T U R E S **********************************/

/* Flush manager state for one direction of a session (FlushConfig holds one
 * per direction, client and server). Field meanings are inferred from the
 * names only — confirm against the reassembly code before relying on them. */
typedef struct _FlushMgr
{
    uint32_t flush_pt;      /* current flush point; presumably a byte offset/count */
    uint16_t last_count;
    uint16_t last_size;
    uint8_t flush_policy;
    uint8_t flush_type;
    uint8_t auto_disable;
    bool flush;             /* whether flushing is currently active — verify at the writers */
    //uint8_t spare;

} FlushMgr;
144
/* Flush configuration for one port (or, under TARGET_BASED, one protocol
 * ordinal): a FlushMgr per direction. */
typedef struct _FlushConfig
{
    FlushMgr client;        /* flush state for client-originated data */
    FlushMgr server;        /* flush state for server-originated data */
    //SF_LIST *dynamic_policy;
#ifdef TARGET_BASED
    uint8_t configured;     /* non-zero once this entry has been explicitly configured — presumably; confirm */
#endif
} FlushConfig;
154
#ifndef DYNAMIC_RANDOM_FLUSH_POINTS
/* Pre-computed table of flush points used when flush points are not generated
 * dynamically. There is no length field: the size of flush_points must be
 * agreed with whatever allocates it, and `current` must be bounded by that
 * size at every use — there is nothing in this struct to check against. */
typedef struct _FlushPointList
{
    uint8_t current;        /* presumably the index of the next entry in flush_points */
    uint8_t initialized;    /* non-zero once flush_points has been filled — presumably; confirm */

    uint32_t flush_range;
    uint32_t flush_base; /* Set as value - range/2 */
    /* flush_pt is split evenly on either side of flush_value, within
     * the flush_range. flush_pt can be from:
     * (flush_value - flush_range/2) to (flush_value + flush_range/2)
     *
     * For example:
     * flush_value = 192
     * flush_range = 128
     * flush_pt will vary from 128 to 256
     */
    uint32_t *flush_points; /* owned elsewhere; ownership/free responsibility not visible here */

} FlushPointList;
#endif
176
/**list of ignored rules.
 * Singly linked; each node points at an OptTreeNode that is not owned by the
 * list (the rule tree owns it), so freeing the list must not free otn.
 */
typedef struct _IgnoredRuleList
{
    OptTreeNode *otn;               /* the ignored rule */
    struct _IgnoredRuleList *next;  /* next node, NULL at the end */
} IgnoredRuleList;
184
/* TCP stream policy: reassembly behaviour, limits and per-port flush
 * configuration for the addresses in bound_addrs.
 *
 * NOTE(review): flush_config has MAX_PORTS entries while the *Config structs
 * below size port_filter as MAX_PORTS + 1; any index shared between the two
 * tables must respect the smaller bound.
 */
typedef struct _StreamTcpPolicy
{
    uint16_t policy;                /* one of STREAM_POLICY_* */
    uint16_t reassembly_policy;     /* presumably also a STREAM_POLICY_* value — confirm */
    uint16_t flags;                 /* STREAM_CONFIG_* bits, presumably */
    uint16_t flush_factor;
    uint32_t session_timeout;
    uint32_t max_window;            /* bounded by STREAM_MIN/MAX_MAX_WINDOW */
    uint32_t overlap_limit;
    uint32_t hs_timeout;
    IpAddrSet *bound_addrs;         /* addresses this policy applies to; ownership not visible here */
    FlushConfig flush_config[MAX_PORTS];    /* presumably indexed by port number */
#ifdef TARGET_BASED
    FlushConfig flush_config_protocol[MAX_PROTOCOL_ORDINAL];    /* presumably indexed by protocol ordinal */
#endif
#ifndef DYNAMIC_RANDOM_FLUSH_POINTS
    FlushPointList flush_point_list;
#endif
    uint32_t max_queued_bytes;      /* bounded by STREAM_MIN/MAX_MAX_QUEUED_BYTES */
    uint32_t max_queued_segs;       /* bounded by STREAM_MIN/MAX_MAX_QUEUED_SEGS */

    uint32_t max_consec_small_segs;
    uint32_t max_consec_small_seg_size;
    /* One bit per port. The size only covers every port if MAX_PORTS is a
     * multiple of 8; otherwise the integer division drops the last partial byte. */
    char small_seg_ignore[MAX_PORTS/8];
    bool log_asymmetric_traffic;

} StreamTcpPolicy;
212
/* Top-level TCP configuration: the default policy plus a list of additional
 * policies, and the port filter. */
typedef struct _StreamTcpConfig
{
    StreamTcpPolicy *default_policy;    /* policy used when no entry in policy_list matches — presumably */
    StreamTcpPolicy **policy_list;      /* num_policies entries; allocation/ownership not visible here */

    void* paf_config;                   /* opaque; type is defined by the PAF code */

    uint8_t num_policies;               /* uint8_t: at most 255 policies can be counted */
    uint16_t session_on_syn;
    uint16_t port_filter[MAX_PORTS + 1];    /* one entry per port, plus one (see setPortFilterList) */

} StreamTcpConfig;
225
/* UDP stream policy for the addresses in bound_addrs. */
typedef struct _StreamUdpPolicy
{
    uint32_t session_timeout;
    uint16_t flags;                 /* STREAM_CONFIG_* bits, presumably */
    IpAddrSet *bound_addrs;         /* addresses this policy applies to; ownership not visible here */

} StreamUdpPolicy;
233
/* Top-level UDP configuration; mirrors StreamTcpConfig without paf_config
 * and session_on_syn. */
typedef struct _StreamUdpConfig
{
    StreamUdpPolicy *default_policy;    /* policy used when no entry in policy_list matches — presumably */
    StreamUdpPolicy **policy_list;      /* num_policies entries; allocation/ownership not visible here */
    uint8_t num_policies;               /* uint8_t: at most 255 policies can be counted */
    uint8_t dummy; /* For alignment */
    uint16_t port_filter[MAX_PORTS + 1];    /* one entry per port, plus one (see setPortFilterList) */

} StreamUdpConfig;
243
/* ICMP stream policy: only a session timeout is configurable. */
typedef struct _StreamIcmpPolicy
{
    uint32_t session_timeout;
    //uint16_t flags;

} StreamIcmpPolicy;
250
/* Top-level ICMP configuration. Unlike TCP/UDP the default policy is embedded
 * by value and there is no policy_list, so num_policies has nothing here to
 * index — check how it is used before trusting it as a count. */
typedef struct _StreamIcmpConfig
{
    StreamIcmpPolicy default_policy;
    uint8_t num_policies;

} StreamIcmpConfig;
257
/* IP (non-TCP/UDP/ICMP) stream policy: only a session timeout. */
typedef struct _StreamIpPolicy
{
    uint32_t session_timeout;

} StreamIpPolicy;
263
/* Top-level IP configuration: a single embedded default policy. */
typedef struct _StreamIpConfig
{
    StreamIpPolicy default_policy;

} StreamIpConfig;
269
/* Aggregate stream configuration for one policy id: one pointer per protocol
 * configuration plus reload bookkeeping. Any of the protocol pointers may be
 * NULL if that protocol was not configured — callers should check before
 * dereferencing (not enforced here). */
typedef struct _StreamConfig
{
    SessionConfiguration *session_config;
    StreamTcpConfig *tcp_config;
    StreamUdpConfig *udp_config;
    StreamIcmpConfig *icmp_config;
    StreamIpConfig *ip_config;

#ifdef TARGET_BASED
    uint8_t service_filter[MAX_PROTOCOL_ORDINAL];   /* presumably indexed by protocol ordinal */
#endif

    bool verified;          /* configuration has passed verification — presumably; confirm at the writer */
    bool swapped;           /* reload bookkeeping; semantics not visible here */
    bool reload_config;     /* reload bookkeeping; semantics not visible here */

} StreamConfig;
287
/* Stream preprocessor counters (exported as s5stats below).
 *
 * All counters except active_tcp_memory are uint32_t and wrap silently at
 * 2^32; treat large deltas between samples with that in mind. Naming is
 * snake_case except for internalEvents.
 */
typedef struct _StreamStats
{
    /* lifetime session totals */
    uint32_t total_tcp_sessions;
    uint32_t total_udp_sessions;
    uint32_t total_icmp_sessions;
    uint32_t total_ip_sessions;
    /* sessions removed by pruning */
    uint32_t tcp_prunes;
    uint32_t udp_prunes;
    uint32_t icmp_prunes;
    uint32_t ip_prunes;
    /* TCP tracker / segment / reassembly counters */
    uint32_t tcp_timeouts;
    uint32_t tcp_streamtrackers_created;
    uint32_t tcp_streamtrackers_released;
    uint32_t tcp_streamsegs_created;
    uint32_t tcp_streamsegs_released;
    uint32_t tcp_rebuilt_packets;
    uint32_t tcp_rebuilt_seqs_used;
    uint32_t tcp_overlaps;
    uint32_t tcp_discards;
    uint32_t tcp_gaps;
    /* UDP / ICMP / IP counters */
    uint32_t udp_timeouts;
    uint32_t udp_sessions_created;
    uint32_t udp_sessions_released;
    uint32_t udp_discards;
    uint32_t icmp_timeouts;
    uint32_t icmp_sessions_created;
    uint32_t icmp_sessions_released;
    uint32_t ip_timeouts;
    /* events raised */
    uint32_t events;
    uint32_t internalEvents;
    /* current (not lifetime) values */
    uint32_t active_tcp_sessions;
    uint64_t active_tcp_memory;     /* the only 64-bit counter; presumably bytes */
    uint32_t active_udp_sessions;
    uint32_t active_icmp_sessions;
    uint32_t active_ip_sessions;
    uint32_t icmp_unreachable;
    uint32_t icmp_unreachable_code4;
    tPortFilterStats tcp_port_filter;
    tPortFilterStats udp_port_filter;
} StreamStats;
328
/**Whether incoming packets should be ignored or processed.
 *
 * NOTE(review): the per-value comments previously read the reverse of the
 * identifiers (PROCESS was commented "Ignore", DISCARD was commented
 * "Process"). The identifiers are taken as authoritative here; confirm
 * against the callers that switch on this enum.
 */
typedef enum {
    /**Process the packet. */
    PORT_MONITOR_PACKET_PROCESS = 0,

    /**Discard (ignore) the packet. */
    PORT_MONITOR_PACKET_DISCARD

} PortMonitorPacketStates;
339
/* Session and packet handlers exported by the stream preprocessor. Return
 * conventions for the int-returning functions are not visible in this header;
 * check the definitions before treating 0 as success. */
void StreamDisableInspection(SessionControlBlock *scb, Packet *p);

int StreamExpireSession(SessionControlBlock *scb);
int StreamExpire(Packet *p, SessionControlBlock *scb);

#ifdef ACTIVE_RESPONSE
void StreamActiveResponse(Packet*, SessionControlBlock*);
/* client: direction selector, presumably FROM_CLIENT/FROM_SERVER — confirm at the definition */
void SetTTL (SessionControlBlock*, Packet*, int client);
#endif

void MarkupPacketFlags(Packet *p, SessionControlBlock *ssn);

#ifdef TARGET_BASED
/* direction: presumably FROM_CLIENT/FROM_SERVER — confirm at the definition */
void setAppProtocolIdFromHostEntry(SessionControlBlock *scb,
                                   HostAttributeEntry *host_entry,
                                   int direction);
#endif
/* parsing: which configuration set to look up — inferred from the
 * stream_parsing_config / stream_online_config externs later in this file;
 * confirm at the definition. May return NULL; not stated here, so check. */
StreamConfig *getStreamPolicyConfig( tSfPolicyId policy_id, bool parsing );
void StreamFreeConfig(StreamConfig *);
void StreamFreeConfigs(tSfPolicyUserContextId);
void StreamCallHandler(Packet*, unsigned id);
void CallFTPFlushProcessor(Packet *);
362
/* Reset the flowbits bit set (boFlowbits) attached to a session via
 * boResetBITOP.
 *
 * scb: session control block; NULL is tolerated and ignored, as is a session
 *      whose flowdata has not been attached.
 *
 * NOTE(review): scb->flowdata->data is cast to StreamFlowData and dereferenced
 * without a NULL check — presumably the mempool always backs it; confirm
 * against the allocator.
 */
static inline void StreamResetFlowBits( SessionControlBlock *scb )
{
    if( scb == NULL )
        return;
    if( scb->flowdata == NULL )
        return;

    StreamFlowData *fd = ( StreamFlowData * ) scb->flowdata->data;
    boResetBITOP( &fd->boFlowbits );
}
373
374
/* Port-filter and any-any rule handling.
 *
 * portList is passed without a length in every prototype below; the callers
 * presumably hand over the MAX_PORTS + 1 entry port_filter arrays from the
 * *Config structs above, and every index into it must stay within that
 * bound — nothing here enforces it. */
void setPortFilterList( struct _SnortConfig *sc, uint16_t *portList, IpProto protocol,
                        int ignoreAnyAnyRules, tSfPolicyId policyId );
int StreamAnyAnyFlow( uint16_t *portList, OptTreeNode *otn, RuleTreeNode *rtn, int any_any_flow,
                      IgnoredRuleList **ppIgnoredRuleList, int ignoreAnyAnyRules );
void s5PrintPortFilter( uint16_t portList[] );
int StreamSetRuntimeConfiguration( SessionControlBlock *scb, uint8_t protocol );
bool getStreamIgnoreAnyConfig (struct _SnortConfig *sc, IpProto protocol);
382
// shared stream state (defined in the stream implementation files; this
// header only declares them). None of these carry any synchronisation here,
// so treat them as single-threaded packet-path state unless the definitions
// say otherwise.
extern StreamStats s5stats;
extern uint32_t firstPacketTime;
extern MemPool s5FlowMempool;

extern uint32_t session_mem_in_use;      // uint32_t: cannot represent more than 4 GiB
extern SessionConfiguration *stream_session_config;
extern tSfPolicyUserContextId stream_online_config;   // active configuration set
extern tSfPolicyUserContextId stream_parsing_config;  // configuration set being parsed (reload)
extern tSfActionQueueId decoderActionQ;

// Removes a session; whether the caller may still touch scb afterwards is
// not stated here — assume not.
void StreamDeleteSession(SessionControlBlock *scb);
395
396 #endif /* STREAM_COMMON_H_ */
397