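/****************************************************************************
 *
 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2003-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 ****************************************************************************/

/**
**  @file       hi_ui_config.h
**
**  @author     Daniel Roelker <droelker@sourcefire.com>
**
**  @brief      This file contains the internal configuration structures
**              for HttpInspect.
**
**  This file holds the configuration constructs for the HttpInspect global
**  configuration and the server configurations.  It also contains the function
**  prototypes for accessing server configurations.
*/

#ifndef __HI_UI_CONFIG_H__
#define __HI_UI_CONFIG_H__

#include "hi_include.h"
#include "snort_bounds.h"
#include "sfrt.h"
#include "ipv6_port.h"
#include "sf_ip.h"
#include "sfPolicy.h"
#include "hi_util_kmap.h"
#include "file_mail_common.h"
#include "file_api.h"
#include "file_decomp.h"
#include "session_api.h"

/*
**  Defines
*/

/*
**  Defaults for max_hdr_len, max_headers and max_spaces.
**  NOTE(review): presumably 0 means "check disabled" for the two header
**  limits -- confirm against the code that enforces them.
*/
#define HI_UI_CONFIG_MAX_HDR_DEFAULT     0
#define HI_UI_CONFIG_MAX_HEADERS_DEFAULT 0
#define HI_UI_CONFIG_MAX_SPACES_DEFAULT  200

/*
**  Special characters treated as whitespace before or after URI
**  (bit flags; presumably the values stored in HTTPINSPECT_CONF.whitespace[]
**  -- confirm against the parser).
*/
#define HI_UI_CONFIG_WS_BEFORE_URI 0x01
#define HI_UI_CONFIG_WS_AFTER_URI  0x02

/** Maximum number of entries in server_lookup table.
 */
#define HI_UI_CONFIG_MAX_SERVERS 1025

/**
**  Defines a search type for the server configurations in the
**  global configuration.  We want this generic so we can change
**  it easily if we change the search type.
*/
typedef table_t SERVER_LOOKUP;

/**
**  This structure simply holds a value for on/off and whether
**  alert is on/off.  Should be used for many configure options.
*/
typedef struct s_HTTPINSPECT_CONF_OPT
{
    int on;     /**< if true, configuration option is on */
    int alert;  /**< if true, alert if option is found */

} HTTPINSPECT_CONF_OPT;

/*  The following are used to delineate server profiles for user output
 *  and debugging information. */
typedef enum e_PROFILES
{
    HI_ALL,
    HI_APACHE,
    HI_IIS,
    HI_IIS4,
    HI_IIS5
} PROFILES;

typedef KMAP CMD_LOOKUP;

/*
**  Per-command (HTTP method) configuration entry.
**
**  cmd_name is declared with a single element but is meant to hold a
**  variable-length name, so sizeof(HTTP_CMD_CONF) covers one char only.
**  Whoever allocates an entry must add room for the full name and its
**  terminator, and must not copy a name longer than that allocation.
**  NOTE(review): a C99 flexible array member (char cmd_name[];) would express
**  this without indexing past the declared bound, but it changes
**  sizeof(HTTP_CMD_CONF); audit the allocation sites before switching.
*/
typedef struct s_HTTP_CMD_CONF
{
    char cmd_name[1];  // variable length array

} HTTP_CMD_CONF;

/*
**  Small-chunk anomaly setting (see HTTPINSPECT_CONF.small_chunk_length).
**  Both fields are 8 bits wide, so neither can exceed 255.
**  NOTE(review): presumably `size` is the chunk-size threshold and `num` the
**  count of such chunks -- confirm against the chunk decoder.
*/
typedef struct _HISmallChunkLength
{
    uint8_t size;
    uint8_t num;

} HISmallChunkLength;

/**
**  This is the configuration construct that holds the specific
**  options for a server.  Each unique server has its own structure
**  and there is a global structure for servers that don't have
**  a unique configuration.
*/
typedef struct s_HTTPINSPECT_CONF
{
    int port_count;
    uint8_t ports[MAXPORTS_STORAGE];  /* MAXPORTS_STORAGE is defined outside this header */

    /*
    **  Inspection depths.  These are signed ints; the meaning of zero or
    **  negative values is set by the configuration parser, not visible here.
    */
    int server_flow_depth;
    int client_flow_depth;
    int post_depth;

    int64_t server_extract_size;
    int64_t post_extract_size;

    /*
    **  Unicode mapping for IIS servers
    */
    uint8_t *iis_unicode_map;
    char    *iis_unicode_map_filename;
    int     iis_unicode_codepage;

    int long_dir;

    /*
    **  Chunk encoding anomaly detection
    */
    unsigned int chunk_length;
    HISmallChunkLength small_chunk_length;

    char uri_only;
    char no_alerts;
    char enable_cookie;
    char inspect_response;
    char enable_xff;

    /*
    **  Configured XFF header names and their lengths, one slot per field.
    **  Lengths are uint8_t, so a name longer than 255 bytes cannot be
    **  represented here.
    **  NOTE(review): presumably the parser rejects longer names rather than
    **  truncating the length -- confirm.
    */
    uint8_t *xff_headers[HTTP_MAX_XFF_FIELDS];
    uint8_t xff_header_lengths[HTTP_MAX_XFF_FIELDS];

    char log_uri;
    char log_hostname;

    /*
    **  Response decompression switches.
    **  NOTE(review): presumably unlimited_decompress lifts the depth limits in
    **  HTTPINSPECT_GLOBAL_CONF -- confirm which resource caps still apply
    **  when it is set.
    */
    char unlimited_decompress;
    char extract_gzip;
    unsigned long file_decomp_modes;

    /* Support Extended ascii codes in the URI */
    char extended_ascii_uri;

    /*
    **  pipeline requests
    */
    char no_pipeline;

    /*
    **  Enable non-strict (apache) URI handling.  This allows us to catch the
    **  non-standard URI parsing that apache does.
    */
    char non_strict;

    /*
    **  Allow proxy use for this server.
    */
    char allow_proxy;

    /*
    **  Handle tab char (0x09) as a URI delimiter.  Apache honors this, IIS does not.
    */
    char tab_uri_delimiter;

    /*
    **  Normalize HTTP Headers if they exist.
    **  XXX Not sure what Apache & IIS do with respect to HTTP header 'uri' normalization.
    */
    char normalize_headers;

    /*
    **  Normalize HTTP cookies if they exist (the comment here used to repeat
    **  the normalize_headers text).
    **  XXX Not sure what Apache & IIS do with respect to HTTP header 'uri' normalization.
    */
    char normalize_cookies;

    /*
    **  Normalize multi-byte UTF charsets in HTTP server responses.
    */
    char normalize_utf;

    /*
    **  Normalize Javascripts in HTTP server responses
    */
    char normalize_javascript;

    /*
    **  Characters to be treated as whitespace bracketing a URI.
    **  256 entries, so presumably indexed by byte value; index with an
    **  unsigned char, because a plain char may be signed and go negative.
    */
    char whitespace[256];

    /*
    **  These are the URI encoding configurations
    */
    HTTPINSPECT_CONF_OPT ascii;
    HTTPINSPECT_CONF_OPT double_decoding;
    HTTPINSPECT_CONF_OPT u_encoding;
    HTTPINSPECT_CONF_OPT bare_byte;
    HTTPINSPECT_CONF_OPT utf_8;
    HTTPINSPECT_CONF_OPT iis_unicode;
    char non_rfc_chars[256];  /* same indexing caveat as whitespace[] */

    /*
    **  These are the URI normalization configurations
    */
    HTTPINSPECT_CONF_OPT multiple_slash;
    HTTPINSPECT_CONF_OPT iis_backslash;
    HTTPINSPECT_CONF_OPT directory;
    HTTPINSPECT_CONF_OPT webroot;
    HTTPINSPECT_CONF_OPT apache_whitespace;
    HTTPINSPECT_CONF_OPT iis_delimiter;
    int max_hdr_len;
    int max_headers;
    int max_spaces;
    int max_js_ws;

    PROFILES profile;
    CMD_LOOKUP *cmd_lookup;

    /** Used to track references to this allocated data structure.  Each additional
     * reference should increment referenceCount.  Each attempted free should
     * decrement it.  When free is attempted and reference count is 0, then
     * this HTTPINSPECT_CONF should be actually freed.
     *
     * NOTE(review): this is a plain int and nothing in this header guards it;
     * confirm that all updates happen on one thread or under a lock, since a
     * miscounted reference leads to a leak or a premature free.
     */
    int referenceCount;
#if defined(FEAT_OPEN_APPID)
    char appid_enabled;
#endif /* defined(FEAT_OPEN_APPID) */
    uint8_t file_policy;
    bool h2_mode;

} HTTPINSPECT_CONF;

/**
**  This is the configuration for the global HttpInspect
**  configuration.  It contains the global aspects of the
**  configuration, a standard global default configuration,
**  and server configurations.
*/
typedef struct s_HTTPINSPECT_GLOBAL_CONF
{
    int disabled;
    int anomalous_servers;
    int proxy_alert;

    /*
    **  These variables are for tracking the IIS
    **  Unicode Map configuration.
    */
    uint8_t *iis_unicode_map;
    char    *iis_unicode_map_filename;
    int     iis_unicode_codepage;

    HTTPINSPECT_CONF *global_server;
    SERVER_LOOKUP    *server_lookup;

    /*
    **  Limits on gzip session count, decompression memory and depth, plus
    **  the overall memcap.  Most are signed ints; the handling of zero or
    **  negative values is decided by the parser, not visible here.
    */
    int max_gzip_sessions;
    unsigned int max_gzip_mem;
    int compr_depth;
    int decompr_depth;
    int memcap;

    uint32_t xtra_trueip_id;
    uint32_t xtra_uri_id;
    uint32_t xtra_hname_id;
    uint32_t xtra_gzip_id;
    uint32_t xtra_jsnorm_id;
    DecodeConfig decode_conf;
    MAIL_LogConfig mime_conf;
    bool normalize_nulls;
    bool fast_blocking;
} HTTPINSPECT_GLOBAL_CONF;

/*
**  NOTE(review): presumably the values stored in hex_lookup[] below -- confirm.
**  INVALID_HEX_VAL is parenthesised so that the negative value stays a single
**  operand wherever the macro is expanded.
*/
#define INVALID_HEX_VAL (-1)
#define HEX_VAL         1

/*
**  Functions
**
**  Return-value conventions are defined by the implementations, which are
**  not part of this header.
*/
int hi_ui_config_init_global_conf(HTTPINSPECT_GLOBAL_CONF *GlobalConf);
int hi_ui_config_default(HTTPINSPECT_CONF *GlobalConf);
int hi_ui_config_reset_global(HTTPINSPECT_GLOBAL_CONF *GlobalConf);
int hi_ui_config_reset_server(HTTPINSPECT_CONF *ServerConf);
void hi_ui_config_reset_http_methods(HTTPINSPECT_CONF *ServerConf);

int hi_ui_config_add_server(HTTPINSPECT_GLOBAL_CONF *GlobalConf,
                            sfcidr_t *ServerIP,
                            HTTPINSPECT_CONF *ServerConf);

/*
**  Profile setters.  Note that the parameter is named GlobalConf but has the
**  per-server type HTTPINSPECT_CONF.
**  NOTE(review): the unnamed uint8_t * is presumably the IIS unicode map --
**  confirm against the definitions.
*/
int hi_ui_config_set_profile_apache(HTTPINSPECT_CONF *GlobalConf);
int hi_ui_config_set_profile_iis(HTTPINSPECT_CONF *GlobalConf, uint8_t *);
int hi_ui_config_set_profile_iis_4or5(HTTPINSPECT_CONF *GlobalConf, uint8_t *);
int hi_ui_config_set_profile_all(HTTPINSPECT_CONF *GlobalConf, uint8_t *);
void HttpInspectCleanupHttpMethodsConf(void *);

/*
**  256-entry lookup tables, defined elsewhere.  Index them with an unsigned
**  char value: a plain (possibly signed) char can produce a negative index.
*/
extern int hex_lookup[256];
extern int valid_lookup[256];
#endif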