1 /*
2 ** Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 ** Copyright (C) 2005-2013 Sourcefire, Inc.
4 **
5 ** This program is free software; you can redistribute it and/or modify
6 ** it under the terms of the GNU General Public License Version 2 as
7 ** published by the Free Software Foundation. You may not use, modify or
8 ** distribute this program under any other version of the GNU General
9 ** Public License.
10 **
11 ** This program is distributed in the hope that it will be useful,
12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ** GNU General Public License for more details.
15 **
16 ** You should have received a copy of the GNU General Public License
17 ** along with this program; if not, write to the Free Software
18 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19 */
20
21
22 #ifndef _APPID_SESSION_H
23 #define _APPID_SESSION_H
24
25 #include <stdint.h>
26 #include <time.h>
27 #include "sf_snort_packet.h"
28 #include "flow_error.h"
29 #include "appId.h"
30 #include "appIdApi.h"
31 #include "service_state.h"
32 #include "lengthAppCache.h"
33 #include "thirdparty_appid_api.h"
34 #include "thirdparty_appid_types.h"
35 #include "sflsq.h"
36 #include "sfghash.h"
37
#define SF_DEBUG_FILE stdout            /* debug output stream; <stdio.h> is not included by this header, so includers must pull it in first */
#define NUMBER_OF_PTYPES 9              /* element count of httpSession.ptype_req_counts (declared below) */

/* Ids for the per-flow data records handled by AppIdFlowdataAdd()/AppIdFlowdataGet()
 * (prototypes at the end of this header) -- presumably, the `id` parameter there is not
 * documented.  Values 1 and 3 are not defined in this file. */
#define APPID_SESSION_DATA_NONE 0

#define APPID_SESSION_DATA_DHCP_FP_DATA 2
#define APPID_SESSION_DATA_SMB_DATA 4
#define APPID_SESSION_DATA_DHCP_INFO 5

/* High-order bits of a flow-data id, one per detector family.
 * NOTE(review): these look like the values fed to AppIdFlowdataDeleteAllByMask() to drop a
 * whole module's records at once -- confirm in the .c file before relying on that. */
#define APPID_SESSION_DATA_SERVICE_MODSTATE_BIT 0x20000000
#define APPID_SESSION_DATA_CLIENT_MODSTATE_BIT 0x40000000
#define APPID_SESSION_DATA_DETECTOR_MODSTATE_BIT 0x80000000

/* Composite masks over the APPID_SESSION_* flag bits kept in tCommonAppIdData.flags.
 * The individual flags are not defined in this header; presumably they come from
 * appIdApi.h -- confirm. */
#define APPID_SESSION_BIDIRECTIONAL_CHECKED (APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED)
#define APPID_SESSION_DO_RNA (APPID_SESSION_RESPONDER_MONITORED | APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_DISCOVER_USER | APPID_SESSION_SPECIAL_MONITORED)
53 struct RNAServiceElement;
54
/* Progress of RNA inspection for one side of a flow; stored in
 * tAppIdData.rnaServiceState and tAppIdData.rnaClientState. */
typedef enum
{
    RNA_STATE_NONE = 0,
    RNA_STATE_DIRECT,
    RNA_STATE_STATEFUL,
    RNA_STATE_FINISHED
} RNA_INSPECTION_STATE;
/* Destructor for a per-flow data record: stored in AppIdFlowData.fd_free and
 * supplied by callers of AppIdFlowdataAdd(). */
typedef void (*AppIdFreeFCN)(void *);
63
/* UDP fingerprint flag bits; _MASK covers both.  Nothing else in this header
 * references them, so the consuming field lives elsewhere. */
#define FINGERPRINT_UDP_FLAGS_XENIX 0x00000800
#define FINGERPRINT_UDP_FLAGS_NT 0x00001000
#define FINGERPRINT_UDP_FLAGS_MASK (FINGERPRINT_UDP_FLAGS_XENIX | FINGERPRINT_UDP_FLAGS_NT)
67
68
/* One record in a session's singly linked list of detector-private data
 * (tAppIdData.flowData).  fd_free is the destructor to run on fd_data when the
 * record is released -- presumably by AppIdFlowdataFree()/AppIdFlowdataDelete(); confirm. */
typedef struct _AppIdFlowData
{
    struct _AppIdFlowData *next;   /* next record, NULL at the end of the list (presumably) */
    unsigned fd_id;                /* APPID_SESSION_DATA_* id used to look the record up */
    void *fd_data;                 /* opaque payload owned by the detector that added it */
    AppIdFreeFCN fd_free;          /* destructor for fd_data; may be NULL if the detector passes none -- confirm */
} AppIdFlowData;
76
/* Local aliases for the APPID_FLOW_TYPE enumerators (defined outside this header). */
#define APPID_SESSION_TYPE_IGNORE APPID_FLOW_TYPE_IGNORE
#define APPID_SESSION_TYPE_NORMAL APPID_FLOW_TYPE_NORMAL
#define APPID_SESSION_TYPE_TMP APPID_FLOW_TYPE_TMP

/* Type tag that sits first in every session object so a caller holding either a
 * tAppIdData or a tTmpAppIdData can tell which it has (see tCommonAppIdData). */
typedef struct _APPID_SESSION_STRUCT_FLAG
{
    APPID_FLOW_TYPE flow_type;
} APPID_SESSION_STRUCT_FLAG;
85
/* Header shared by the full session (tAppIdData) and the lightweight one (tTmpAppIdData);
 * both embed it as their first member, so a pointer to either may be read as this type. */
typedef struct _tCommonAppIdData
{
    APPID_SESSION_STRUCT_FLAG fsf_type; /* This must be first. */
    unsigned policyId;
    //flags shared with other preprocessor via session attributes.
    uint64_t flags;                     /* APPID_SESSION_* bits; touched by the setAppIdFlag/clearAppIdFlag/getAppIdFlag helpers below */
    struct in6_addr initiator_ip;       /* NOTE(review): <netinet/in.h> is not included here; this relies on an earlier include supplying it */
    uint16_t initiator_port;
} tCommonAppIdData;
95
/* Minimal session object: only the shared header plus a free-list/link pointer.
 * Presumably corresponds to APPID_SESSION_TYPE_TMP -- confirm. */
typedef struct _tTmpAppIdData
{
    tCommonAppIdData common;        /* must stay first (see tCommonAppIdData) */

    struct _tTmpAppIdData *next;    /* link to the next temporary session */
} tTmpAppIdData;
102
/* Bits recording which HTTP/SSL artifacts have already been scanned on a session;
 * presumably the contents of tAppIdData.scan_flags -- confirm. */
#define SCAN_HTTP_VIA_FLAG (1<<0)
#define SCAN_HTTP_USER_AGENT_FLAG (1<<1)
#define SCAN_HTTP_HOST_URL_FLAG (1<<2)
#define SCAN_SSL_CERTIFICATE_FLAG (1<<3)
#define SCAN_SSL_HOST_FLAG (1<<4)
#define SCAN_HOST_PORT_FLAG (1<<5)
#define SCAN_HTTP_VENDOR_FLAG (1<<6)
#define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7)
#define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8)
#define SCAN_HTTP_URI_FLAG (1<<9)
#define SCAN_CERTVIZ_ENABLED_FLAG (1<<10)
#define SCAN_SPOOFED_SNI_FLAG (1<<11)   /* presumably set when the SNI and the presented certificate disagree -- confirm; see tlsSession */
115
/* Description of a future/expected flow derived from an HTTP session (httpSession.fflow).
 * Addresses are 32-bit, so this presumably covers IPv4 only -- confirm. */
typedef struct _fflow_info
{
    uint32_t sip;        /* source address */
    uint32_t dip;        /* destination address */
    uint16_t sport;      /* source port */
    uint16_t dport;      /* destination port */
    uint8_t protocol;    /* IP protocol number (presumably) */
    tAppId appId;        /* app id to assign to the expected flow */
    int flow_prepared;   /* non-zero once the expected flow has been registered -- presumably; confirm */
} fflow_info;
126
/* Single rewritable HTTP field value.  The struct tag (_httpFields) and the
 * typedef name differ; callers use the typedef. */
typedef struct _httpFields
{
    char *str;   /* field text; ownership not visible here -- confirm who frees it */
} HttpRewriteableFields;
131
/* Destination endpoint of a tunnelled connection (httpSession.tunDest). */
typedef struct _tunnelDest
{
    sfaddr_t ip;
    uint16_t port;
} tunnelDest;
137
/*
 * Per-flow HTTP state collected by the HTTP detectors (tAppIdData.hsession).
 *
 * Every char* member is a header or body value extracted from traffic and therefore
 * peer-controlled; consumers must treat them as untrusted input.  Ownership is not
 * visible in this header -- NOTE(review): confirm the free routine in the .c file
 * releases each of them.  Each *_buflen member is declared next to the string of the
 * same name; presumably it is that buffer's length -- confirm.
 */
typedef struct _httpSession
{
    char *host;
    char *url;
    char *uri;
    uint16_t host_buflen;
    uint16_t uri_buflen;
    uint16_t useragent_buflen;
    uint16_t response_code_buflen;
    char *via;
    char *useragent;
    char *response_code;
    char *referer;
    uint16_t referer_buflen;
    uint16_t cookie_buflen;
    uint16_t content_type_buflen;
    uint16_t location_buflen;
    char *cookie;
    char *content_type;
    char *location;
    char *body;
    uint16_t body_buflen;
    uint16_t req_body_buflen;
    int total_found;
    char *req_body;
    char *server;
    char *x_working_with;
    /* Rewritten field values indexed by HTTP field id; HTTP_FIELD_MAX is defined outside
     * this header (presumably appIdApi.h).  The four arrays are parallel. */
    char *new_field[HTTP_FIELD_MAX+1];

    uint16_t new_field_len[HTTP_FIELD_MAX+1];
    uint16_t fieldOffset[HTTP_FIELD_MAX+1];
    uint16_t fieldEndOffset[HTTP_FIELD_MAX+1];

    bool new_field_contents;   /* true when any new_field[] entry is populated (presumably) */
    bool skip_simple_detect; // Flag to indicate if simple detection of client ID, payload ID, etc
    // should be skipped
    fflow_info *fflow;         /* expected follow-on flow, if any */

    /* CHP (complex HTTP pattern) matching state. */
    int chp_finished;
    tAppId chp_candidate;
    tAppId chp_alt_candidate;
    int chp_hold_flow;
    int ptype_req_counts[NUMBER_OF_PTYPES];
    unsigned app_type_flags;
    int get_offsets_from_rebuilt;
    int num_matches;
    int num_scans;
    /* X-Forwarded-For style address chain: numXffFields entries in xffAddr and
     * xffPrecedence (presumably parallel arrays -- confirm).  These values are
     * header-supplied and unauthenticated; do not base trust decisions on them. */
    int numXffFields;
    sfaddr_t* xffAddr;
    char** xffPrecedence;
    tunnelDest *tunDest;       /* tunnel endpoint; presumably valid only when is_tunnel is set -- confirm */
    bool is_tunnel;

#if RESPONSE_CODE_PACKET_THRESHHOLD
    unsigned response_code_packets;   /* conditional member: all translation units must agree on RESPONSE_CODE_PACKET_THRESHHOLD or the layout differs */
#endif

} httpSession;
196
// For dnsSession.state: bit flags, so both may be set on one session.
#define DNS_GOT_QUERY 0x01
#define DNS_GOT_RESPONSE 0x02
200
/* Per-flow DNS state (tAppIdData.dsession).  Offsets refer into the DNS message that
 * was parsed; host is the extracted name and is peer-controlled data. */
typedef struct _dnsSession
{
    uint8_t state;            // state: DNS_GOT_QUERY / DNS_GOT_RESPONSE bits
    uint8_t host_len;         // for host (8-bit, so a name longer than 255 bytes cannot be represented here)
    uint8_t response_type;    // response: RCODE
    uint16_t id;              // DNS msg ID
    uint16_t host_offset;     // for host
    uint16_t record_type;     // query: QTYPE
    uint16_t options_offset;  // offset at which DNS options such as EDNS begin in DNS query
    uint32_t ttl;             // response: TTL
    char *host;               // host (usually query, but could be response for reverse lookup); ownership not visible here -- confirm
} dnsSession;
213
214 struct _RNAServiceSubtype;
215
/* Which TLS identity field produced the app match; stored in tlsSession.matched_tls_type. */
typedef enum
{
    MATCHED_TLS_NONE = 0,
    MATCHED_TLS_HOST,        /* tls_host */
    MATCHED_TLS_FIRST_SAN,   /* tls_first_san */
    MATCHED_TLS_CNAME,       /* tls_cname */
    MATCHED_TLS_ORG_UNIT     /* tls_orgUnit */
} MATCHED_TLS_TYPE;
224
/* Per-flow TLS identity strings (tAppIdData.tsession).  tls_host presumably holds the
 * ClientHello SNI and the other three fields come from the server certificate -- confirm.
 * All of them are supplied by the peers on the wire and are not validated here.
 * Each char* has a companion *_strlen; presumably the length without the NUL -- confirm. */
typedef struct _tlsSession
{
    char *tls_host;
    int tls_host_strlen;
    int tls_cname_strlen;
    char *tls_cname;
    char *tls_orgUnit;
    int tls_orgUnit_strlen;
    int tls_first_san_strlen;
    char *tls_first_san;
    MATCHED_TLS_TYPE matched_tls_type;   /* which field above yielded the match */
    bool tls_handshake_done;
} tlsSession;
238
/*
 * Full per-session AppId state.  Created for flows that are actually inspected;
 * tCommonAppIdData must remain the first member so the two session types can be
 * told apart through fsf_type.  String members are detector-extracted values with
 * ownership not visible in this header -- NOTE(review): confirm AppIdFlowdataFree()
 * or its caller releases them.
 */
typedef struct AppIdData
{
    tCommonAppIdData common;          /* shared header; must stay first */

    struct AppIdData *next;           /* list link (presumably a free list) */

    void *ssn;                        /* opaque handle to the owning stream session */
    sfaddr_t service_ip;              /* server-side endpoint as identified so far */
    uint16_t service_port;
    uint8_t proto;
    uint8_t previous_tcp_flags;
    bool tried_reverse_service;       /* set once service detection was also attempted with roles swapped (presumably) */
    uint8_t tpReinspectByInitiator;

    AppIdFlowData *flowData;          /* head of the detector-private data list (see AppIdFlowData) */

    /**AppId matching service side */
    tAppId serviceAppId;
    tAppId portServiceAppId;
    /**RNAServiceElement for identifying detector*/
    const struct RNAServiceElement *serviceData;
    RNA_INSPECTION_STATE rnaServiceState;
    FLOW_SERVICE_ID_STATE search_state;
    char *serviceVendor;
    char *serviceVersion;
    struct _RNAServiceSubtype *subtype;
    char *netbios_name;
    SF_LIST * candidate_service_list;
    int got_incompatible_services;

    /**AppId matching client side */
    tAppId clientAppId;
    tAppId clientServiceAppId;
    RNA_INSPECTION_STATE rnaClientState;
    char *clientVersion;
    /**RNAClientAppModule for identifying client detector*/
    const struct RNAClientAppModule *clientData;   /* struct RNAClientAppModule is not forward-declared in this header */
    SF_LIST * candidate_client_list;
    unsigned int num_candidate_clients_tried;

    /**AppId matching payload*/
    tAppId payloadAppId;
    tAppId referredPayloadAppId;
    tAppId miscAppId;

    //appId determined by 3rd party library
    tAppId tpAppId;
    tAppId tpPayloadAppId;

    char *username;                   /* user name learned from the traffic (peer-supplied, unauthenticated) */
    tAppId usernameService;           /* service the user name was learned from */

    uint32_t flowId;
    char *netbiosDomain;


    httpSession *hsession;            /* HTTP detail, NULL when not HTTP (presumably) */
    tlsSession *tsession;             /* TLS detail, NULL when not TLS (presumably) */

    unsigned scan_flags;              /* SCAN_*_FLAG bits (presumably) */
#if RESPONSE_CODE_PACKET_THRESHHOLD
    unsigned response_code_packets;
#endif

    SFGHASH *multiPayloadList;

    tAppId referredAppId;

    tAppId tmpAppId;
    void *tpsession;                  /* third-party library session handle */
    uint16_t init_tpPackets;          /* packets handed to the third-party library per direction; 16-bit counters */
    uint16_t resp_tpPackets;

    uint16_t session_packet_count;    /* 16-bit: wraps on long-lived flows -- check how callers compare it */
    uint16_t initiatorPcketCountWithoutReply;
    char *payloadVersion;
    uint64_t initiatorBytesWithoutServerReply;
    int16_t snortId;

    /* Length-based detectors. */
    tLengthKey length_sequence;
    bool is_http2;
    //appIds picked from encrypted session.
    struct {
        tAppId serviceAppId;
        tAppId clientAppId;
        tAppId payloadAppId;
        tAppId miscAppId;
        tAppId referredAppId;
    } encrypted;
    // New fields introduced for DNS Blacklisting

    struct
    {
        uint32_t firstPktsecond;      /* presumably epoch seconds; 32-bit */
        uint32_t lastPktsecond;
        uint64_t initiatorBytes;
        uint64_t responderBytes;
    } stats;

    /* Policy and rule ID for related flows (e.g. ftp-data) */
    struct AppIdData *expectedFlow;
    //struct FwEarlyData *fwData;

    dnsSession *dsession;             /* DNS detail, NULL when not DNS (presumably) */

    void * firewallEarlyData;
    tAppId pastIndicator;
    tAppId pastForecast;

    SEARCH_SUPPORT_TYPE search_support_type;

    uint16_t hostCacheVersion;
    /* NOTE(review): the two conditional members below change the struct layout; every
     * translation unit that includes this header must see identical SFLINUX / DAQ_CAPA_*
     * definitions or objects will be read with the wrong offsets. */
#if !defined(SFLINUX) && defined(DAQ_CAPA_VRF)
    uint16_t serviceAsId; //This is specific to VRF
#endif
#if !defined(SFLINUX) && defined(DAQ_CAPA_CARRIER_ID)
    uint32_t carrierId;
#endif
} tAppIdData;
/**
 * Set one or more APPID_SESSION_* bits on a flow.
 *
 * @param flow  session whose common.flags is updated; must not be NULL
 * @param flags bit mask OR-ed into the existing flags (bits already set stay set)
 */
static inline void setAppIdFlag(tAppIdData *flow, uint64_t flags)
{
    uint64_t current = flow->common.flags;
    flow->common.flags = current | flags;
}
369
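/**
 * Clear one or more APPID_SESSION_* bits on a flow.
 *
 * Bits in @p flags that are not set on the flow are left unchanged; the
 * operation is the inverse of setAppIdFlag().
 *
 * @param flow  session whose common.flags is updated; must not be NULL
 * @param flags bit mask of flags to clear
 */
static inline void clearAppIdFlag(tAppIdData *flow, uint64_t flags)
{
    flow->common.flags &= ~flags;
}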
380
/**
 * Test which of the requested APPID_SESSION_* bits are set on a flow.
 *
 * @param flow  session to inspect; must not be NULL
 * @param flags bit mask of flags to test
 * @return the subset of @p flags currently set on the flow (0 when none are),
 *         so the result may be used directly as a boolean or compared to @p flags
 *         to require every bit
 */
static inline uint64_t getAppIdFlag(tAppIdData *flow, uint64_t flags)
{
    uint64_t present = flow->common.flags & flags;
    return present;
}
391
/* Session and flow-data API implemented in the matching .c file.  Return-value
 * conventions are not documented there from here; NOTE(review): the int results below
 * presumably follow 0 = success, non-zero = failure -- confirm. */

/* Release every AppIdFlowData record attached to flowp (presumably running each fd_free). */
void AppIdFlowdataFree(tAppIdData *flowp);
/* Module-wide teardown; takes no session, so it presumably frees shared pools. */
void AppIdFlowdataFini(void);
/* Look up the record registered under id; presumably NULL when absent -- confirm. */
void *AppIdFlowdataGet(tAppIdData *flowp, unsigned id);
/* Attach data under id; fcn is stored as the record's destructor (AppIdFlowData.fd_free). */
int AppIdFlowdataAdd(tAppIdData *flowp, void *data, unsigned id, AppIdFreeFCN fcn);
/* Detach the record for id and return its data; the caller presumably takes ownership. */
void *AppIdFlowdataRemove(tAppIdData *flowp, unsigned id);
/* Detach and destroy the record for id. */
void AppIdFlowdataDelete(tAppIdData *flowp, unsigned id);
/* Destroy every record whose id matches mask (cf. the *_MODSTATE_BIT values above). */
void AppIdFlowdataDeleteAllByMask(tAppIdData *flowp, unsigned mask);
/* Pre-create a session for an expected related flow (cf. tAppIdData.expectedFlow).
 * NOTE(review): app_id is int16_t while every other app id in this header is tAppId;
 * check for truncation if tAppId is wider. */
tAppIdData *AppIdEarlySessionCreate(tAppIdData *flowp, SFSnortPacket *ctrlPkt, sfaddr_t *cliIp, uint16_t cliPort,
    sfaddr_t *srvIp, uint16_t srvPort, uint8_t proto, int16_t app_id, int flags);
struct RNAServiceElement;   /* already forward-declared near the top of this header; harmless repeat */
/* Record that svc_element identified the service on port. */
int AppIdFlowdataAddId(tAppIdData *flowp, uint16_t port, const struct RNAServiceElement *svc_element);
403
404 #endif /* _APPID_SESSION_H */
405
406