1 //--------------------------------------------------------------------------
2 // Copyright (C) 2016-2021 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation. You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 //--------------------------------------------------------------------------
19 // dce_udp_module.cc author Maya Dagon <mdagon@cisco.com>
21 #ifdef HAVE_CONFIG_H
22 #include "config.h"
23 #endif
25 #include "dce_udp_module.h"
27 #include "log/messages.h"
28 #include "trace/trace.h"
30 #include "dce_udp.h"
32 using namespace snort;
33 using namespace std;
// Per-thread trace handle for this module. It is only written by
// Dce2UdpModule::set_trace(); the Trace object itself is owned by the
// trace subsystem, not by this translation unit. Presumably consulted by the
// inspector's debug tracing — confirm in dce_udp.cc.
THREAD_LOCAL const Trace* dce_udp_trace = nullptr;
// Configuration parameters accepted by the dce_udp module.
// Each row is: name, type, range/choices, default, help text. The
// min:max range on max_frag_len is expressed to the Parameter framework,
// which presumably rejects out-of-range values before Dce2UdpModule::set()
// sees them — verify if a bound is changed. The PT_MAX row terminates the table.
static const Parameter s_params[] =
{
    // Rate-limit alerts so a single noisy flow cannot flood the event stream.
    { "limit_alerts", Parameter::PT_BOOL, nullptr, "true",
      "limit DCE alert to at most one per signature per flow" },

    // Turning defragmentation off also removes the reassembly-based detection it enables.
    { "disable_defrag", Parameter::PT_BOOL, nullptr, "false",
      "disable DCE/RPC defragmentation" },

    // Upper bound on reassembled fragment size; 1514 is the smallest value accepted.
    { "max_frag_len", Parameter::PT_INT, "1514:65535", "65535",
      "maximum fragment size for defragmentation" },

    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
// Builtin rule (GID/SID message) table for the connection-less DCE/RPC
// decoder: maps each DCE2_CL_* event id to its alert message string.
// Returned verbatim by Dce2UdpModule::get_rules(); the { 0, nullptr } row is
// the terminator and must stay last.
static const RuleMap dce2_udp_rules[] =
{
    { DCE2_CL_BAD_MAJOR_VERSION, DCE2_CL_BAD_MAJOR_VERSION_STR },
    { DCE2_CL_BAD_PDU_TYPE, DCE2_CL_BAD_PDU_TYPE_STR },
    { DCE2_CL_DATA_LT_HDR, DCE2_CL_DATA_LT_HDR_STR },
    { DCE2_CL_BAD_SEQ_NUM, DCE2_CL_BAD_SEQ_NUM_STR },
    { 0, nullptr }
};
// Peg (statistics counter) descriptors for the dce_udp module.
// Dce2UdpModule::get_counts() hands the peg framework dce2_udp_stats
// reinterpreted as a PegCount array, so the order of the rows here is
// presumably the field order of dce2UdpStats — verify against dce_udp.h
// whenever either side changes. SUM pegs accumulate, NOW is a gauge, MAX
// keeps the high-water mark; the END row terminates the table.
static const PegInfo dce2_udp_pegs[] =
{
    { CountType::SUM, "events", "total events" },
    { CountType::SUM, "udp_sessions", "total udp sessions" },
    { CountType::SUM, "udp_packets", "total udp packets" },
    // Per-PDU-type counters for the connection-less (CL) protocol.
    { CountType::SUM, "requests", "total connection-less requests" },
    { CountType::SUM, "acks", "total connection-less acks" },
    { CountType::SUM, "cancels", "total connection-less cancels" },
    { CountType::SUM, "client_facks", "total connection-less client facks" },
    { CountType::SUM, "ping", "total connection-less ping" },
    { CountType::SUM, "responses", "total connection-less responses" },
    { CountType::SUM, "rejects", "total connection-less rejects" },
    { CountType::SUM, "cancel_acks", "total connection-less cancel acks" },
    { CountType::SUM, "server_facks", "total connection-less server facks" },
    { CountType::SUM, "faults", "total connection-less faults" },
    { CountType::SUM, "no_calls", "total connection-less no calls" },
    { CountType::SUM, "working", "total connection-less working" },
    { CountType::SUM, "other_requests", "total connection-less other requests" },
    { CountType::SUM, "other_responses", "total connection-less other responses" },
    // Defragmentation activity; useful when tuning max_frag_len or spotting fragment floods.
    { CountType::SUM, "fragments", "total connection-less fragments" },
    { CountType::SUM, "max_fragment_size", "connection-less maximum fragment size" },
    { CountType::SUM, "frags_reassembled", "total connection-less fragments reassembled" },
    { CountType::SUM, "max_seqnum", "max connection-less seqnum" },
    { CountType::NOW, "concurrent_sessions", "total concurrent sessions" },
    { CountType::MAX, "max_concurrent_sessions", "maximum concurrent sessions" },
    { CountType::END, nullptr, nullptr }
};
/// Register the module under its name/help text with the parameter table above.
/// Nothing else is initialised here; the per-thread trace pointer and the
/// config member keep their in-class/default values.
Dce2UdpModule::Dce2UdpModule()
    : Module(DCE2_UDP_NAME, DCE2_UDP_HELP, s_params)
{
}
/// Install the trace handle for the calling thread.
///
/// @param trace  trace object owned by the trace subsystem; may be nullptr.
///
/// The method is const because it touches only the thread-local
/// dce_udp_trace, not the module object.
void Dce2UdpModule::set_trace(const Trace* trace) const
{
    dce_udp_trace = trace;
}
/// Trace options published to the trace subsystem.
///
/// @return nullptr in non-debug builds (nothing to trace); in DEBUG_MSGS
///         builds a pointer to a single default TraceOption whose lifetime is
///         the function-local static.
const TraceOption* Dce2UdpModule::get_trace_options() const
{
#ifdef DEBUG_MSGS
    static const TraceOption dce_udp_trace_options(nullptr, 0, nullptr);
    return &dce_udp_trace_options;
#else
    return nullptr;
#endif
}
/// @return the static, { 0, nullptr }-terminated builtin rule table for this module.
const RuleMap* Dce2UdpModule::get_rules() const
{ return dce2_udp_rules; }
/// @return the static, END-terminated peg descriptor table; its row order is
///         the index order the framework applies to get_counts().
const PegInfo* Dce2UdpModule::get_pegs() const
{ return dce2_udp_pegs; }
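/// Expose the per-thread DCE/RPC UDP counters as a flat PegCount array.
///
/// @return pointer aliasing dce2_udp_stats. The peg framework indexes it in
///         the order of dce2_udp_pegs, so dce2UdpStats is presumably laid out
///         as consecutive PegCount fields in that same order — verify against
///         dce_udp.h whenever either side changes.
PegCount* Dce2UdpModule::get_counts() const
{
    // Named cast rather than the C-style one: the type pun is deliberate and
    // this form is greppable in review.
    return reinterpret_cast<PegCount*>(&dce2_udp_stats);
}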
/// @return the profiling bucket (dce2_udp_pstat_main) that the inspector's
///         main processing path is accounted under.
ProfileStats* Dce2UdpModule::get_profile() const
{ return &dce2_udp_pstat_main; }
/// Apply one configuration value from s_params.
///
/// The parameter name is not inspected: every option this module declares is
/// presumably shared with the other DCE/RPC modules, so the value is handed
/// wholesale to dce2_set_common_config(), which fills config.common.
///
/// @param v  the parsed value (already range-checked by the Parameter framework).
/// @return   whatever dce2_set_common_config() reports.
bool Dce2UdpModule::set(const char*, Value& v, SnortConfig*)
{
    const bool accepted = dce2_set_common_config(v, config.common);
    return accepted;
}
/// Copy the module's accumulated configuration out to the inspector.
///
/// @param dce2_udp_config  destination; overwritten with a copy of config.
void Dce2UdpModule::get_data(dce2UdpProtoConf& dce2_udp_config)
{ dce2_udp_config = config; }
/// Print the effective dce_udp configuration.
///
/// Only the shared DCE/RPC settings exist for this module, so printing is
/// delegated entirely to print_dce2_common_config().
///
/// @param config  configuration to print; not modified.
void print_dce2_udp_conf(const dce2UdpProtoConf& config)
{ print_dce2_common_config(config.common); }