1 //-------------------------------------------------------------------------- 2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved. 3 // Copyright (C) 2013-2013 Sourcefire, Inc. 4 // 5 // This program is free software; you can redistribute it and/or modify it 6 // under the terms of the GNU General Public License Version 2 as published 7 // by the Free Software Foundation. You may not use, modify or distribute 8 // this program under any other version of the GNU General Public License. 9 // 10 // This program is distributed in the hope that it will be useful, but 11 // WITHOUT ANY WARRANTY; without even the implied warranty of 12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 // General Public License for more details. 14 // 15 // You should have received a copy of the GNU General Public License along 16 // with this program; if not, write to the Free Software Foundation, Inc., 17 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 18 //-------------------------------------------------------------------------- 19 20 #ifndef SNORT_POLICY_H 21 #define SNORT_POLICY_H 22 23 // the following policy types are defined: 24 // 25 // -- network - for packet handling 26 // -- inspection - for flow handling 27 // -- ips - for rule handling 28 29 #ifdef HAVE_UUID 30 #include <uuid.h> 31 #else 32 typedef unsigned char uuid_t[16]; 33 #endif 34 35 #include <algorithm> 36 #include <map> 37 #include <memory> 38 #include <unordered_map> 39 #include <vector> 40 41 #include "framework/data_bus.h" 42 43 namespace snort 44 { 45 class GHash; 46 class IpsAction; 47 struct SnortConfig; 48 } 49 50 struct _daq_pkt_hdr; 51 struct PortTable; 52 struct vartable_t; 53 struct sfip_var_t; 54 55 typedef unsigned int PolicyId; 56 typedef snort::GHash PortVarTable; 57 58 enum PolicyMode 59 { 60 POLICY_MODE__PASSIVE, 61 POLICY_MODE__INLINE, 62 POLICY_MODE__INLINE_TEST, 63 POLICY_MODE__MAX 64 }; 65 66 // FIXIT-L split into separate headers 67 68 //------------------------------------------------------------------------- 69 // traffic stuff 70 //------------------------------------------------------------------------- 71 72 enum ChecksumFlag 73 { 74 CHECKSUM_FLAG__IP = 0x00000001, 75 CHECKSUM_FLAG__TCP = 0x00000002, 76 CHECKSUM_FLAG__UDP = 0x00000004, 77 CHECKSUM_FLAG__ICMP = 0x00000008, 78 CHECKSUM_FLAG__ALL = 0x0000000f, 79 CHECKSUM_FLAG__DEF = 0x80000000 80 }; 81 82 enum DecodeEventFlag 83 { 84 DECODE_EVENT_FLAG__DEFAULT = 0x00000001 85 }; 86 87 // Snort ac-split creates the nap (network analysis policy) 88 // Snort++ breaks the nap into network and inspection 89 90 struct NetworkPolicy 91 { 92 public: 93 NetworkPolicy(PolicyId = 0, PolicyId default_inspection_id = 0); 94 NetworkPolicy(NetworkPolicy*, const char*); 95 ~NetworkPolicy(); 96 checksum_dropsNetworkPolicy97 bool checksum_drops(uint16_t codec_cksum_err_flag) 98 { return (checksum_drop & codec_cksum_err_flag) != 0; } 99 ip_checksumsNetworkPolicy100 bool ip_checksums() 101 { return (checksum_eval & CHECKSUM_FLAG__IP) != 0; } 102 udp_checksumsNetworkPolicy103 bool udp_checksums() 104 { return (checksum_eval & CHECKSUM_FLAG__UDP) != 0; } 105 tcp_checksumsNetworkPolicy106 bool tcp_checksums() 107 { return (checksum_eval & CHECKSUM_FLAG__TCP) != 0; } 108 icmp_checksumsNetworkPolicy109 bool icmp_checksums() 110 { return (checksum_eval & CHECKSUM_FLAG__ICMP) != 0; } 111 112 public: 113 struct TrafficPolicy* traffic_policy; 114 snort::DataBus dbus; 115 116 PolicyId policy_id = 0; 117 uint32_t user_policy_id = 0; 118 PolicyId default_inspection_policy_id = 0; 119 120 // minimum possible (allows all but errors to pass by default) 121 uint8_t min_ttl = 1; 122 uint8_t new_ttl = 5; 123 124 uint32_t checksum_eval = CHECKSUM_FLAG__ALL | CHECKSUM_FLAG__DEF; 125 uint32_t checksum_drop = CHECKSUM_FLAG__DEF; 126 uint32_t normal_mask = 0; 127 bool cloned = false; 128 129 private: 130 void init(NetworkPolicy*, const char*); 131 }; 132 133 //------------------------------------------------------------------------- 134 // inspection stuff 135 //------------------------------------------------------------------------- 136 137 struct InspectionPolicy 138 { 139 public: 140 InspectionPolicy(PolicyId = 0); 141 InspectionPolicy(InspectionPolicy* old_inspection_policy); 142 ~InspectionPolicy(); 143 144 void configure(); 145 146 public: 147 PolicyId policy_id = 0; 148 PolicyMode policy_mode = POLICY_MODE__MAX; 149 uint32_t user_policy_id = 0; 150 uuid_t uuid{}; 151 152 struct FrameworkPolicy* framework_policy; 153 snort::DataBus dbus; 154 bool cloned; 155 156 private: 157 void init(InspectionPolicy* old_inspection_policy); 158 }; 159 160 //------------------------------------------------------------------------- 161 // detection stuff 162 //------------------------------------------------------------------------- 163 164 struct IpsPolicy 165 { 166 public: 167 enum Enable : uint8_t { DISABLED, ENABLED, INHERIT_ENABLE }; 168 169 IpsPolicy(PolicyId = 0); 170 ~IpsPolicy(); 171 172 public: 173 PolicyId policy_id; 174 uint32_t user_policy_id = 0; 175 uuid_t uuid{}; 176 177 PolicyMode policy_mode = POLICY_MODE__MAX; 178 bool enable_builtin_rules; 179 int rules_loaded = 0; 180 int rules_shared = 0; 181 182 std::string includer; 183 std::string include; 184 185 std::string rules; 186 std::string states; 187 188 uint32_t var_id; 189 190 struct VarEntry* var_table; 191 vartable_t* ip_vartable; 192 193 /* The portobjects in these are attached to rtns and used during runtime */ 194 PortVarTable* portVarTable; /* named entries, uses a hash table */ 195 PortTable* nonamePortVarTable; /* un-named entries */ 196 197 Enable default_rule_state = INHERIT_ENABLE; 198 199 bool obfuscate_pii; 200 201 std::string action_override; 202 std::map<std::string, std::string> action_map; 203 204 // Holds all plugin actions associated with this policy 205 std::vector<snort::IpsAction*> action; 206 }; 207 208 //------------------------------------------------------------------------- 209 // binding stuff 210 //------------------------------------------------------------------------- 211 212 class Shell; 213 214 struct PolicyTuple 215 { 216 InspectionPolicy* inspection = nullptr; 217 IpsPolicy* ips = nullptr; 218 NetworkPolicy* network = nullptr; 219 PolicyTuplePolicyTuple220 PolicyTuple(InspectionPolicy* ins_pol, IpsPolicy* ips_pol, NetworkPolicy* net_pol) : 221 inspection(ins_pol), ips(ips_pol), network(net_pol) { } 222 }; 223 224 class PolicyMap 225 { 226 public: 227 PolicyMap(PolicyMap* old_map = nullptr, const char* exclude_name = nullptr); 228 ~PolicyMap(); 229 230 InspectionPolicy* add_inspection_shell(Shell*); 231 IpsPolicy* add_ips_shell(Shell*); 232 std::shared_ptr<PolicyTuple> add_shell(Shell*, bool include_network); 233 std::shared_ptr<PolicyTuple> get_policies(Shell* sh); 234 void clone(PolicyMap *old_map, const char* exclude_name); 235 236 Shell* get_shell(unsigned i = 0) 237 { return i < shells.size() ? shells[i] : nullptr; } 238 set_user_network(NetworkPolicy * p)239 void set_user_network(NetworkPolicy* p) 240 { user_network[p->user_policy_id] = p; } 241 set_user_inspection(InspectionPolicy * p)242 void set_user_inspection(InspectionPolicy* p) 243 { user_inspection[p->user_policy_id] = p; } 244 set_user_ips(IpsPolicy * p)245 void set_user_ips(IpsPolicy* p) 246 { user_ips[p->user_policy_id] = p; } 247 get_user_network(unsigned user_id)248 NetworkPolicy* get_user_network(unsigned user_id) 249 { 250 auto it = user_network.find(user_id); 251 return it == user_network.end() ? nullptr : it->second; 252 } 253 get_user_inspection(unsigned user_id)254 InspectionPolicy* get_user_inspection(unsigned user_id) 255 { 256 auto it = user_inspection.find(user_id); 257 return it == user_inspection.end() ? nullptr : it->second; 258 } 259 get_user_ips(unsigned user_id)260 IpsPolicy* get_user_ips(unsigned user_id) 261 { 262 auto it = user_ips.find(user_id); 263 return it == user_ips.end() ? nullptr : it->second; 264 } 265 266 NetworkPolicy* get_network_policy(unsigned i = 0) 267 { return i < network_policy.size() ? network_policy[i] : nullptr; } 268 269 InspectionPolicy* get_inspection_policy(unsigned i = 0) 270 { return i < inspection_policy.size() ? inspection_policy[i] : nullptr; } 271 272 IpsPolicy* get_ips_policy(unsigned i = 0) 273 { return i < ips_policy.size() ? ips_policy[i] : nullptr; } 274 get_empty_ips()275 IpsPolicy* get_empty_ips() 276 { return empty_ips_policy; } 277 network_policy_count()278 unsigned network_policy_count() 279 { return network_policy.size(); } 280 inspection_policy_count()281 unsigned inspection_policy_count() 282 { return inspection_policy.size(); } 283 ips_policy_count()284 unsigned ips_policy_count() 285 { return ips_policy.size(); } 286 shells_count()287 unsigned shells_count() 288 { return shells.size(); } 289 set_cloned(bool state)290 void set_cloned(bool state) 291 { cloned = state; } 292 get_shell_by_policy(unsigned id)293 const Shell* get_shell_by_policy(unsigned id) const 294 { 295 auto it = std::find_if(std::begin(shell_map), std::end(shell_map), 296 [=](auto&& p) { return p.second->ips and p.second->ips->policy_id == id; }); 297 298 return (it == std::end(shell_map)) ? nullptr : it->first; 299 } 300 301 private: 302 std::vector<Shell*> shells; 303 std::vector<InspectionPolicy*> inspection_policy; 304 std::vector<IpsPolicy*> ips_policy; 305 std::vector<NetworkPolicy*> network_policy; 306 307 IpsPolicy* empty_ips_policy; 308 309 std::unordered_map<Shell*, std::shared_ptr<PolicyTuple>> shell_map; 310 std::unordered_map<unsigned, NetworkPolicy*> user_network; 311 std::unordered_map<unsigned, InspectionPolicy*> user_inspection; 312 std::unordered_map<unsigned, IpsPolicy*> user_ips; 313 314 bool cloned = false; 315 }; 316 317 //------------------------------------------------------------------------- 318 // navigator stuff 319 //------------------------------------------------------------------------- 320 321 // FIXIT-L may be inlined at some point; on lockdown for now 322 // FIXIT-L SO_PUBLIC required because SnortConfig::inline_mode(), etc. uses the function 323 namespace snort 324 { 325 SO_PUBLIC NetworkPolicy* get_network_policy(); 326 SO_PUBLIC InspectionPolicy* get_inspection_policy(); 327 SO_PUBLIC IpsPolicy* get_ips_policy(); 328 329 SO_PUBLIC void set_network_policy(NetworkPolicy*); 330 SO_PUBLIC void set_inspection_policy(InspectionPolicy*); 331 SO_PUBLIC void set_ips_policy(IpsPolicy*); 332 333 SO_PUBLIC NetworkPolicy* get_default_network_policy(const snort::SnortConfig*); 334 SO_PUBLIC InspectionPolicy* get_user_inspection_policy(const snort::SnortConfig*, unsigned policy_id); 335 SO_PUBLIC InspectionPolicy* get_default_inspection_policy(const snort::SnortConfig*); 336 337 SO_PUBLIC IpsPolicy* get_ips_policy(const snort::SnortConfig*, unsigned i = 0); 338 SO_PUBLIC IpsPolicy* get_user_ips_policy(const snort::SnortConfig*, unsigned policy_id); 339 SO_PUBLIC IpsPolicy* get_empty_ips_policy(const snort::SnortConfig*); 340 } 341 342 void set_network_policy(const snort::SnortConfig*, unsigned = 0); 343 void set_inspection_policy(const snort::SnortConfig*, unsigned = 0); 344 void set_ips_policy(const snort::SnortConfig*, unsigned = 0); 345 346 void set_policies(const snort::SnortConfig*, Shell*); 347 void set_default_policy(const snort::SnortConfig*); 348 void select_default_policy(const _daq_pkt_hdr*, const snort::SnortConfig*); 349 350 bool only_inspection_policy(); 351 bool only_ips_policy(); 352 353 #endif 354 355