1 /****************************************************************************
2 *
3 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
4 * Copyright (C) 2003-2013 Sourcefire, Inc.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License Version 2 as
8 * published by the Free Software Foundation. You may not use, modify or
9 * distribute this program under any other version of the GNU General
10 * Public License.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 *
21 ****************************************************************************/
22
23 /**
24 ** @file hi_ad.c
25 **
26 ** @author Daniel Roelker <droelker@sourcefire.com>
27 **
28 ** @brief This is the server anomaly module file. Looks for anomalous
29 ** servers and other stuff. Still thinking about it.
30 **
31 ** NOTES:
32 ** - 3.2.03: Initial development. DJR
33 */
34 #include <stdlib.h>
35 #include <sys/types.h>
36
37 #ifdef HAVE_CONFIG_H
38 #include "config.h"
39 #endif
40
41 #include "hi_ui_config.h"
42 #include "hi_return_codes.h"
43 #include "hi_eo_log.h"
44 #include "hi_si.h"
45
46 /*
47 ** NAME
48 ** hi_server_anomaly_detection::
49 */
/**
** Inspect packets/streams for anomalous server detection and tunneling.
**
** This checks for anything we want to look at for rogue HTTP servers,
** HTTP tunneling in unknown servers, and detection of sessions that are
** actually talking HTTP.
**
** @param S pointer to the session (an HI_SESSION passed as void *); there
**          is no server conf for it
** @param data pointer to the payload/stream data
** @param dsize the size of the payload/stream data
**
** @return integer
**
** @retval HI_SUCCESS function successful
** @retval HI_INVALID_ARG invalid argument (NULL data or dsize less than 1)
*/
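int hi_server_anomaly_detection(void *S, const u_char *data, int dsize)
{
    HI_SESSION *Session = (HI_SESSION *)S;
    HTTPINSPECT_GLOBAL_CONF *GlobalConf;

    /*
    ** Validate every pointer argument before it is used. Previously only
    ** data/dsize were checked, so a NULL session would have been
    ** dereferenced when fetching global_conf below.
    */
    if(S == NULL || data == NULL || dsize < 1)
        return HI_INVALID_ARG;

    /*
    ** Without a global configuration there is nothing to decide on;
    ** treat it like any other invalid argument rather than dereference NULL.
    */
    GlobalConf = Session->global_conf;
    if(GlobalConf == NULL)
        return HI_INVALID_ARG;

    /*
    ** We are just going to look for server responses on non-HTTP
    ** ports. The "more than 5 bytes" threshold is kept as-is: it
    ** guarantees the five signature bytes below are in bounds, and a
    ** bare 5-byte "HTTP/" payload deliberately still does not alert.
    */
    if(GlobalConf->anomalous_servers && dsize > 5)
    {
        /*
        ** Anomalous HTTP server check: the response starts with the
        ** "HTTP/" status-line prefix.
        */
        if(data[0] == 'H' && data[1] == 'T' && data[2] == 'T' &&
           data[3] == 'P' && data[4] == '/')
        {
            hi_eo_anom_server_event_log(Session, HI_EO_ANOM_SERVER,
                                        NULL, NULL);
        }
    }

    return HI_SUCCESS;
}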
94