1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation.  You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
17 //--------------------------------------------------------------------------
18 
19 // tcp_module.h author Russ Combs <rucombs@cisco.com>
20 
21 #ifndef TCP_MODULE_H
22 #define TCP_MODULE_H
23 
24 #include "flow/session.h"
25 #include "framework/module.h"
26 #include "stream/tcp/tcp_stream_config.h"
27 
// Generator ID for stream_tcp events; StreamTcpModule::get_gid() returns it.
#define GID_STREAM_TCP 129

// Event IDs raised under GID_STREAM_TCP. Each one names a TCP anomaly the
// stream tracker can flag: handshake irregularities, data in unexpected
// states, suspect RST/FIN/ACK, timestamp and window problems, overlap and
// small-segment abuse, and possible session hijacking.
// The alert text for each ID is not in this header.
// NOTE(review): presumably it is supplied through get_rules() - confirm in
// the module implementation.
#define STREAM_TCP_SYN_ON_EST 1
#define STREAM_TCP_DATA_ON_SYN 2
#define STREAM_TCP_DATA_ON_CLOSED 3
#define STREAM_TCP_BAD_TIMESTAMP 4
#define STREAM_TCP_BAD_SEGMENT 5
#define STREAM_TCP_WINDOW_TOO_LARGE 6
#define STREAM_TCP_EXCESSIVE_TCP_OVERLAPS 7
#define STREAM_TCP_DATA_AFTER_RESET 8
#define STREAM_TCP_SESSION_HIJACKED_CLIENT 9
#define STREAM_TCP_SESSION_HIJACKED_SERVER 10
#define STREAM_TCP_DATA_WITHOUT_FLAGS 11
#define STREAM_TCP_SMALL_SEGMENT 12
#define STREAM_TCP_4WAY_HANDSHAKE 13
#define STREAM_TCP_NO_TIMESTAMP 14
#define STREAM_TCP_BAD_RST 15
#define STREAM_TCP_BAD_FIN 16
#define STREAM_TCP_BAD_ACK 17
#define STREAM_TCP_DATA_AFTER_RST_RCVD 18
#define STREAM_TCP_WINDOW_SLAM 19
#define STREAM_TCP_NO_3WHS 20

// Larger than the highest ID defined above (20).
// NOTE(review): presumably a capacity bound for per-session event tracking -
// confirm at the use site before adding IDs beyond it.
#define STREAM_TCP_MAX_EVENTS 32
51 
// Peg descriptor table for stream_tcp; defined in another translation unit.
extern const PegInfo tcp_pegs[];

// Profiling stats and trace handle, both declared with the project's
// THREAD_LOCAL macro and defined elsewhere.
extern THREAD_LOCAL snort::ProfileStats s5TcpPerfStats;
extern THREAD_LOCAL const snort::Trace* stream_tcp_trace;
56 
// Counters kept by the stream_tcp inspector. Every field after the
// SESSION_STATS macro expansion is a PegCount.
// NOTE(review): presumably the field order must stay in step with tcp_pegs[]
// because get_counts() exposes these as a flat PegCount* - verify before
// inserting or reordering fields.
struct TcpStats
{
    // Common per-session counters; the macro is defined outside this header.
    SESSION_STATS;

    // Tracker lifecycle and rejected or ignored traffic.
    PegCount instantiated;
    PegCount setups;
    PegCount restarts;
    PegCount resyns;
    PegCount discards;
    PegCount discards_skipped;
    PegCount invalid_seq_num;
    PegCount invalid_ack;
    PegCount no_flags_set;
    PegCount events;
    PegCount ignored;
    PegCount no_pickups;

    // How sessions were picked up.
    PegCount sessions_on_syn;
    PegCount sessions_on_syn_ack;
    PegCount sessions_on_3way;
    PegCount sessions_on_data;

    // Segment queueing and reassembly. Names such as overlaps, gaps and
    // exceeded_max_* suggest these are the ones to watch for evasion or
    // resource-pressure symptoms.
    PegCount segs_queued;
    PegCount segs_released;
    PegCount segs_split;
    PegCount segs_used;
    PegCount rebuilt_packets;
    PegCount rebuilt_buffers;
    PegCount rebuilt_bytes;
    PegCount overlaps;
    PegCount gaps;
    PegCount exceeded_max_segs;
    PegCount exceeded_max_bytes;
    PegCount payload_fully_trimmed;
    PegCount internalEvents;
    PegCount client_cleanups;
    PegCount server_cleanups;
    PegCount mem_in_use;

    // Session state gauges and TCP flag tallies.
    PegCount sessions_initializing;
    PegCount sessions_established;
    PegCount sessions_closing;
    PegCount syns;
    PegCount syn_acks;
    PegCount resets;
    PegCount fins;
    PegCount meta_acks;

    // Held-packet accounting.
    PegCount total_packets_held;
    PegCount held_packet_rexmits;
    PegCount held_packets_dropped;
    PegCount held_packets_passed;
    PegCount held_packet_timeouts;
    PegCount held_packet_purges;
    PegCount held_packet_retries;
    PegCount current_packets_held;
    PegCount max_packets_held;

    // Partial flushes, fallbacks and observed maxima.
    PegCount partial_flushes;
    PegCount partial_flush_bytes;
    PegCount inspector_fallbacks;
    PegCount partial_fallbacks;
    PegCount max_segs;
    PegCount max_bytes;
    PegCount zero_len_tcp_opt;
};
117 
// The stream_tcp counter block, declared with the project's THREAD_LOCAL
// macro and defined in another translation unit.
extern THREAD_LOCAL TcpStats tcpStats;

//-------------------------------------------------------------------------
// stream_tcp module
//-------------------------------------------------------------------------

// Module name and help string.
#define STREAM_TCP_MOD_NAME "stream_tcp"
#define STREAM_TCP_MOD_HELP \
    "stream inspector for TCP flow tracking and stream normalization and reassembly"
126 
// snort::Module subclass for the stream_tcp inspector. It declares the
// configuration hooks, the builtin rule map, peg counters, profiling and
// trace accessors, and holds a TcpStreamConfig pointer.
class StreamTcpModule : public snort::Module
{
public:
    StreamTcpModule();

    // Configuration hooks overridden from snort::Module.
    bool begin(const char*, int, snort::SnortConfig*) override;
    bool set(const char*, snort::Value&, snort::SnortConfig*) override;
    bool end(const char*, int, snort::SnortConfig*) override;

    // NOTE(review): presumably hands out `config`; whether ownership moves to
    // the caller is not visible in this header - confirm in the
    // implementation.
    TcpStreamConfig* get_data();

    // Builtin rules and the generator ID they are raised under.
    const snort::RuleMap* get_rules() const override;

    unsigned get_gid() const override
    {
        return GID_STREAM_TCP;
    }

    // Counters and profiling.
    const PegInfo* get_pegs() const override;
    PegCount* get_counts() const override;
    void reset_stats() override;
    snort::ProfileStats* get_profile(unsigned, const char*&, const char*&) const override;

    // Reports INSPECT as this module's usage.
    Usage get_usage() const override
    {
        return INSPECT;
    }

    // Always reports the module as bindable.
    bool is_bindable() const override
    {
        return true;
    }

    // Trace plumbing.
    void set_trace(const snort::Trace*) const override;
    const snort::TraceOption* get_trace_options() const override;

private:
    // NOTE(review): there is no in-class initializer; confirm the constructor
    // sets this before begin()/set()/get_data() can read it.
    TcpStreamConfig* config;
};
160 
161 #endif