/*
 * ftpp_si.h
 *
 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2004-2013 Sourcefire, Inc.
 * Steven A. Sturges <ssturges@sourcefire.com>
 * Daniel J. Roelker <droelker@sourcefire.com>
 * Marc A. Norton <mnorton@sourcefire.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation. You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 * Description:
 *
 * This file contains structures and functions for the
 * Session Inspection Module.
 *
 * The Session Inspection Module has several data structures that are
 * very important to the functionality of the module. The two major
 * structures are the FTPP_SESSION and the FTPP_SI_INPUT.
 *
 * NOTES:
 * - 20.09.04: Initial Development. SAS
 *
 */
/*
 * NOTE(review): identifiers containing a double underscore are reserved
 * for the implementation; the guard name is left unchanged here.
 */
#ifndef __FTPP_SI_H__
#define __FTPP_SI_H__

/*
 * <stdint.h> is the only standard header included directly. The structures
 * below also use `bool`, so one of the project headers is expected to
 * provide it -- TODO confirm which.
 */
#include <stdint.h>

#include "ftpp_include.h"
#include "ftpp_ui_config.h"
#include "ftp_client.h"
#include "ftp_server.h"

#include "sf_snort_packet.h"
#include "ftpp_eo.h"
#include "sfPolicy.h"
#include "sfPolicyUserData.h"
#include "session_api.h"

/*
 * These are the defines for the different types of
 * inspection modes. We have a server mode and a client mode.
 */
#define FTPP_SI_NO_MODE 0
#define FTPP_SI_CLIENT_MODE 1
#define FTPP_SI_SERVER_MODE 2

/* Protocol tags stored in FTP_TELNET_SESSION.proto (see FTPP_SI_IS_PROTO). */
#define FTPP_SI_PROTO_UNKNOWN 0
#define FTPP_SI_PROTO_TELNET 1
#define FTPP_SI_PROTO_FTP 2
#define FTPP_SI_PROTO_FTP_DATA 3

/*
 * Sentinel values matching the file_xfer_info field comment in FTP_SESSION
 * (-1: ignore, 0: unknown, >0: filename length).
 */
#define FTPP_FILE_IGNORE -1
#define FTPP_FILE_UNKNOWN 0

/*
 * Macros for testing the type of FTP_TELNET_SESSION.
 *
 * FTPP_SI_IS_PROTO is NULL-safe: it checks the session pointer before
 * dereferencing it. It evaluates Ssn twice, so do not pass an expression
 * with side effects. The pointed-to type must expose an `ft_ssn` member;
 * every session structure in this header places it first.
 */
#define FTPP_SI_IS_PROTO(Ssn, Pro) ((Ssn) && ((Ssn)->ft_ssn.proto == (Pro)))
#define PROTO_IS_FTP(ssn) FTPP_SI_IS_PROTO(ssn, FTPP_SI_PROTO_FTP)
#define PROTO_IS_FTP_DATA(ssn) FTPP_SI_IS_PROTO(ssn, FTPP_SI_PROTO_FTP_DATA)
#define PROTO_IS_TELNET(ssn) FTPP_SI_IS_PROTO(ssn, FTPP_SI_PROTO_TELNET)

/*
 * Common leading member of every session structure below. `proto` holds one
 * of the FTPP_SI_PROTO_* values and is what the PROTO_IS_* macros test.
 * NOTE(review): presumably a session pointer of unknown kind is inspected
 * through this member before being treated as a concrete session type --
 * confirm that callers check `proto` before any such cast.
 */
typedef struct s_FTP_TELNET_SESSION
{
    int proto;

} FTP_TELNET_SESSION;

/*
 * The TELNET_SESSION structure contains the complete TELNET session.
 * This structure is the structure that is saved per session in the
 * Stream Interface Module. This structure gets sent through the
 * detection engine process (Normalization, Detection).
 */
typedef struct s_TELNET_SESSION
{
    FTP_TELNET_SESSION ft_ssn;

    /* The global configuration for this session */
    tSfPolicyId policy_id;
    tSfPolicyUserContextId global_conf;

    /* The Telnet protocol configuration for this session */
    TELNET_PROTO_CONF *telnet_conf;

    /* Number of consecutive are-you-there commands seen. */
    int consec_ayt;

    /* Encryption state; the values are not defined in this header. */
    int encr_state;

    /* Alertable event list */
    TELNET_EVENTS event_list;

} TELNET_SESSION;

/*
 * These are the state values for determining the FTP data channel.
 *
 * LOST_STATE is 0xFFFFFFFF, i.e. every DATA_CHAN_* bit is set in it, while
 * FTP_SESSION.data_chan_state is a plain int.
 * NOTE(review): if LOST_STATE is stored in data_chan_state (presumed --
 * confirm), the conversion to a 32-bit int is implementation-defined, and a
 * bitwise test against any DATA_CHAN_* flag succeeds on that value. Compare
 * against LOST_STATE / NO_STATE before testing individual bits.
 */
#define NO_STATE 0x00
#define LOST_STATE 0xFFFFFFFF

/* Bit flags describing the progress of data-channel negotiation. */
#define DATA_CHAN_PORT_CMD_ISSUED 0x01
#define DATA_CHAN_PORT_CMD_ACCEPT 0x02
#define DATA_CHAN_PASV_CMD_ISSUED 0x04
#define DATA_CHAN_PASV_CMD_ACCEPT 0x08
#define DATA_CHAN_XFER_CMD_ISSUED 0x10
#define DATA_CHAN_XFER_STARTED 0x20
#define DATA_CHAN_CLIENT_HELLO_SEEN 0x40
#define DATA_CHAN_REST_CMD_ISSUED 0x80

/*
 * Bit flags for AUTH command / encryption tracking. Their numeric values
 * overlap the DATA_CHAN_* flags above, so the two sets must never share a
 * field. NOTE(review): presumably these live in FTP_SESSION.encr_state --
 * confirm.
 */
#define AUTH_TLS_CMD_ISSUED 0x01
#define AUTH_SSL_CMD_ISSUED 0x02
#define AUTH_UNKNOWN_CMD_ISSUED 0x04
#define AUTH_TLS_ENCRYPTED 0x08
#define AUTH_SSL_ENCRYPTED 0x10
#define AUTH_UNKNOWN_ENCRYPTED 0x20

/*
 * The FTP_SESSION structure contains the complete FTP session, both the
 * client and the server constructs. This structure is the structure that
 * is saved per session in the Stream Interface Module. This structure
 * gets sent through the detection engine process (Normalization,
 * Detection).
 */
typedef struct s_FTP_SESSION
{
    FTP_TELNET_SESSION ft_ssn;
    tSfPolicyId policy_id;

    /* The client construct contains all the info associated with a
     * client request. */
    FTP_CLIENT client;

    /* The server construct contains all the info associated with a
     * server response. */
    FTP_SERVER server;

    /* The client configuration for this session if its FTP */
    FTP_CLIENT_PROTO_CONF *client_conf;

    /* The server configuration for this session if its FTP */
    FTP_SERVER_PROTO_CONF *server_conf;

    /* The global configuration for this session */
    tSfPolicyUserContextId global_conf;

    /* The data channel info.
     * NOTE(review): the addresses and ports below presumably come from
     * PORT/PASV exchanges on the control channel, i.e. from peer-supplied
     * data -- confirm where they are validated. */
    int data_chan_state;
    uint32_t data_chan_index;
    uint32_t data_xfer_index;
    sfaddr_t clientIP;
    uint16_t clientPort;
    sfaddr_t serverIP;
    uint16_t serverPort;
    uint32_t ftp_cmd_pipe_index;
    uint32_t rest_cmd_offset;
    uint16_t control_clientPort;
    uint16_t control_serverPort;

    /* A file is being transferred on ftp-data channel.
     * NOTE(review): ownership of `filename` and whether it is
     * NUL-terminated are not visible in this header; the length is carried
     * separately in file_xfer_info, so confirm before using string
     * functions on it. */
    char *filename;
    int file_xfer_info; /* -1: ignore, 0: unknown, >0: filename length */
    bool data_xfer_dir;

    /* Command/data channel encryption */
    bool encr_state_chello;
    unsigned char flags;
    int encr_state;
    uint32_t flow_id;

    /* Alertable event list */
    FTP_EVENTS event_list;
    /* Untyped link to related data-session state.
     * NOTE(review): presumably points at an FTP_DATA_SESSION; the type and
     * lifetime are not enforced here, so confirm that it is cleared when
     * the other side is freed. */
    void *datassn;
    sfaddr_t control_clientIP;
    sfaddr_t control_serverIP;

} FTP_SESSION;

/* NOTE(review): presumably a bit for FTP_SESSION.flags -- confirm. Bit 0 is
 * not defined in this header. */
#define FTP_FLG_MALWARE_ENABLED (1<<1)

#ifdef TARGET_BASED

/* FTP-Data Transfer Modes */
enum {
    FTPP_XFER_PASSIVE = 0,
    FTPP_XFER_ACTIVE = 1
};

/*
 * Per-session state for an FTP data channel (only built with TARGET_BASED).
 * Like the other session structures it starts with FTP_TELNET_SESSION so
 * the PROTO_IS_* macros work on it.
 */
typedef struct s_FTP_DATA_SESSION
{
    FTP_TELNET_SESSION ft_ssn;
    StreamSessionKey * ftp_key;
    /* Untyped back-link. NOTE(review): presumably the owning FTP_SESSION;
     * confirm it cannot outlive that session (dangling-pointer risk). */
    void* ftpssn;
    /* NOTE(review): ownership not visible here; FTP_SESSION also has a
     * `filename` pointer -- confirm the two are never freed twice. */
    char *filename;
    int data_chan;
    int file_xfer_info;
    FilePosition position;
    bool direction;
    /* NOTE(review): presumably FTPP_XFER_PASSIVE / FTPP_XFER_ACTIVE. */
    unsigned char mode;
    /* NOTE(review): presumably a mask of FTPDATA_FLG_* bits. */
    unsigned char flags;
    uint32_t flow_id;
    uint32_t path_hash;
} FTP_DATA_SESSION;

/* Bit flags; all five values fit in an unsigned char. */
#define FTPDATA_FLG_REASSEMBLY_SET (1<<0)
#define FTPDATA_FLG_FILENAME_SET (1<<1)
#define FTPDATA_FLG_STOP (1<<2)
#define FTPDATA_FLG_REST (1<<3)
#define FTPDATA_FLG_FLUSH (1<<4)

#endif

/*
 * The FTPP_SI_INPUT structure holds the information that the Session
 * Inspection Module needs to determine the type of inspection mode
 * (client, server, neither) and to retrieve the appropriate server
 * configuration.
 *
 * The input is the source and destination IP addresses, and the
 * source and destination ports (since this should always be a
 * TCP packet).
 */
typedef struct s_FTPP_SI_INPUT
{
    sfaddr_t sip;
    sfaddr_t dip;
    unsigned short sport;
    unsigned short dport;
    /* NOTE(review): presumably packet direction and an FTPP_SI_PROTO_*
     * value respectively -- confirm against the implementation. */
    unsigned char pdir;
    unsigned char pproto;

} FTPP_SI_INPUT;

/*
 * Session-inspection entry point. Takes the packet, the global
 * configuration, an output session pointer, the SI input tuple and an
 * output inspection mode.
 * NOTE(review): presumably *piInspectMode receives one of the FTPP_SI_*_MODE
 * values and the return value is a status code; whether the session pointer
 * is set to NULL on failure is not visible here -- confirm before
 * dereferencing it.
 */
int ftpp_si_determine_proto(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf,
        FTP_TELNET_SESSION **, FTPP_SI_INPUT *SiInput, int *piInspectMode);
/* Returns an int for the given packet; the value set is not defined in
 * this header. */
int FTPGetPacketDir(SFSnortPacket *);

#ifdef TARGET_BASED
/* FTP-Data file processing */
/* NOTE(review): presumably returns NULL on allocation failure -- confirm. */
FTP_DATA_SESSION * FTPDataSessionNew(SFSnortPacket *p);
/* Takes void *, presumably so it can be registered as a generic free
 * callback; the argument is expected to be an FTP_DATA_SESSION. */
void FTPDataSessionFree(void *p_ssn);
bool FTPDataDirection(SFSnortPacket *p, FTP_DATA_SESSION *ftpdata);
#endif

#endif /* ! __FTPP_SI_H__ */