1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation. You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 //--------------------------------------------------------------------------
18
19 // tcp_event_logger.cc author davis mcpherson <davmcphe@cisco.com>
20 // Created on: Jul 30, 2015
21
22 #ifdef HAVE_CONFIG_H
23 #include "config.h"
24 #endif
25
26 #include "tcp_event_logger.h"
27
28 #include "detection/detection_engine.h"
29 #include "detection/rules.h"
30 #include "filters/sfrf.h"
31 #include "main/snort_config.h"
32 #include "packet_tracer/packet_tracer.h"
33
34 #include "tcp_module.h"
35
36 using namespace snort;
37
// One row of the tcp_event_sids table below: ties an EVENT_* bit of the
// logger's pending-event mask to the rule sid that is queued for it and to
// the short name printed by the packet tracer.
struct tcp_event_sid
{
    uint32_t event_id;              // EVENT_* bit value this row stands for (0 for the unused rows)
    uint32_t sid;                   // STREAM_TCP_* sid queued under GID_STREAM_TCP (0 for the unused rows)
    const char* event_description;  // name used in the "TCP normalization error in %s" trace (nullptr for unused rows)
};
44
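// Lookup table from a pending EVENT_* bit to the sid/name logged for it.
//
// The table is indexed by the 1-based bit position returned by ffs(), so
// index 0 is a dummy row.  ffs() operates on an int, so the highest index it
// can produce is 32; the trailing rows pad the table out to that index so an
// unexpected bit cannot index past the end.  Padding rows carry sid 0 and a
// nullptr description and are not meaningful to log.
//
// Adding a new event means replacing one of the padding rows at the position
// matching its bit, not appending past index 32 (the static_assert below
// pins the table size).
struct tcp_event_sid tcp_event_sids[] =
{
    { 0, 0, nullptr },
    { EVENT_SYN_ON_EST, STREAM_TCP_SYN_ON_EST, "SYN_ON_EST" },
    { EVENT_DATA_ON_SYN, STREAM_TCP_DATA_ON_SYN, "DATA_ON_SYN" },
    { EVENT_DATA_ON_CLOSED, STREAM_TCP_DATA_ON_CLOSED, "DATA_ON_CLOSED" },
    { EVENT_BAD_TIMESTAMP, STREAM_TCP_BAD_TIMESTAMP, "BAD_TIMESTAMP" },
    { EVENT_WINDOW_TOO_LARGE, STREAM_TCP_WINDOW_TOO_LARGE, "WINDOW_TOO_LARGE" },
    { EVENT_DATA_AFTER_RESET, STREAM_TCP_DATA_AFTER_RESET, "DATA_AFTER_RESET" },
    { EVENT_SESSION_HIJACK_CLIENT, STREAM_TCP_SESSION_HIJACKED_CLIENT, "SESSION_HIJACK_CLIENT" },
    { EVENT_SESSION_HIJACK_SERVER, STREAM_TCP_SESSION_HIJACKED_SERVER, "SESSION_HIJACK_SERVER" },
    { EVENT_DATA_WITHOUT_FLAGS, STREAM_TCP_DATA_WITHOUT_FLAGS, "DATA_WITHOUT_FLAGS" },
    { EVENT_4WHS, STREAM_TCP_4WAY_HANDSHAKE, "4WHS" },
    { EVENT_NO_TIMESTAMP, STREAM_TCP_NO_TIMESTAMP, "NO_TIMESTAMP" },
    { EVENT_BAD_RST, STREAM_TCP_BAD_RST, "BAD_RST" },
    { EVENT_BAD_FIN, STREAM_TCP_BAD_FIN, "BAD_FIN" },
    { EVENT_BAD_ACK, STREAM_TCP_BAD_ACK, "BAD_ACK" },
    { EVENT_DATA_AFTER_RST_RCVD, STREAM_TCP_DATA_AFTER_RST_RCVD, "DATA_AFTER_RST_RCVD" },
    { EVENT_WINDOW_SLAM, STREAM_TCP_WINDOW_SLAM, "WINDOW_SLAM" },
    { EVENT_NO_3WHS, STREAM_TCP_NO_3WHS, "NO_3WHS" },
    { EVENT_BAD_SEGMENT, STREAM_TCP_BAD_SEGMENT, "BAD_SEGMENT" },
    { EVENT_EXCESSIVE_OVERLAP, STREAM_TCP_EXCESSIVE_TCP_OVERLAPS, "EXCESSIVE_OVERLAP" },
    { EVENT_MAX_SMALL_SEGS_EXCEEDED, STREAM_TCP_SMALL_SEGMENT, "MAX_SMALL_SEGS_EXCEEDED" },
    // padding rows for bit positions 21..32
    { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr },
    { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr },
    { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }
};

// Dummy index 0 plus one row per ffs() bit position 1..32.  A table that is
// shorter than this lets ffs() index out of bounds; a longer one hides an
// entry that can never be reached.
static_assert(sizeof(tcp_event_sids) / sizeof(tcp_event_sids[0]) == 33,
    "tcp_event_sids must have exactly 33 rows: dummy index 0 plus ffs() positions 1..32");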
74
// Queue a GID_SESSION event for the given sid and bump the internal-event
// counter, unless is_internal_event_enabled() (sfrf.h) rejects it for the
// active SnortConfig's rate_filter_config -- in which case nothing is
// queued and nothing is counted.
void TcpEventLogger::log_internal_event(uint32_t eventSid)
{
    const auto* cfg = SnortConfig::get_conf();

    // presumably a rate-filter gate keyed on this sid -- see sfrf.h
    if ( !is_internal_event_enabled(cfg->rate_filter_config, eventSid) )
        return;

    ++tcpStats.internalEvents;
    DetectionEngine::queue_event(GID_SESSION, eventSid);
}
83
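// Drain the logger's pending-event bit mask: each set bit is looked up in
// tcp_event_sids by its ffs() position, queued with the detection engine
// under GID_STREAM_TCP, traced when the packet tracer is active, and counted
// in tcpStats.events.
//
// The bit being processed is always the lowest set bit (that is what ffs()
// reports), so it is cleared with `tcp_events &= tcp_events - 1` instead of
// XOR-ing the table row's event_id.  The original XOR relied on every row's
// event_id matching its index; for the padding rows (event_id 0) -- or a row
// whose event_id does not match its position -- the XOR left the bit set
// and the loop never terminated.  Clearing by position guarantees progress
// regardless of table contents.
//
// Rows with no sid or description (the padding rows) are skipped rather than
// queued as sid 0 or handed to PacketTracer::log as a nullptr "%s" argument.
void TcpEventLogger::log_tcp_events()
{
    while ( tcp_events )
    {
        // 1-based position of the lowest set bit; 0 only when the mask is 0,
        // which the loop condition already excludes
        const int idx = ffs(tcp_events);
        if ( !idx )
            break;

        // clear the lowest set bit before anything else so that every
        // iteration makes progress, whatever the table row holds
        tcp_events &= (tcp_events - 1);

        const auto& row = tcp_event_sids[idx];
        if ( !row.sid || !row.event_description )
            continue;   // bit with no table row behind it: nothing to log

        DetectionEngine::queue_event(GID_STREAM_TCP, row.sid);

        if ( PacketTracer::is_active() )
            PacketTracer::log("Stream: TCP normalization error in %s\n",
                row.event_description);

        tcpStats.events++;
    }
}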
100
101