1 /****************************************************************************
2  *
3  * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
4  * Copyright (C) 2003-2013 Sourcefire, Inc.
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License Version 2 as
8  * published by the Free Software Foundation.  You may not use, modify or
9  * distribute this program under any other version of the GNU General
10  * Public License.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
20  *
21  ****************************************************************************/
22 
23 /**
24 **  @file       hi_ad.c
25 **
26 **  @author     Daniel Roelker <droelker@sourcefire.com>
27 **
28 **  @brief      This is the server anomaly module file.  Looks for anomalous
29 **              servers and other stuff.  Still thinking about it.
30 **
31 **  NOTES:
32 **    - 3.2.03:  Initial development.  DJR
33 */
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
36 
37 #ifdef HAVE_CONFIG_H
38 #include "config.h"
39 #endif
40 
41 #include "hi_ui_config.h"
42 #include "hi_return_codes.h"
43 #include "hi_eo_log.h"
44 #include "hi_si.h"
45 
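/*
**  NAME
**    hi_server_anomaly_detection::
*/
/**
**  Inspect packet/streams for anomalous server detection and tunneling.
**
**  This really checks for anything that we want to look at for rogue
**  HTTP servers, HTTP tunneling in unknown servers, and detection of
**  sessions that are actually talking HTTP.
**
**  Only the anomalous-server check is implemented here: when the global
**  configuration enables it, payload that begins with "HTTP/" on a
**  session that has no server configuration is reported as an
**  HI_EO_ANOM_SERVER event.  The data itself is never modified or
**  rejected; this routine only raises the event.
**
**  @param S       pointer to the HI_SESSION (a session for which no
**                 server configuration applies); must not be NULL
**  @param data    pointer to the payload/stream data
**  @param dsize   the size of the payload/stream data in bytes
**
**  @return integer
**
**  @retval HI_SUCCESS      function successful (whether or not an event
**                          was logged)
**  @retval HI_INVALID_ARG  S, its global_conf, or data is NULL, or
**                          dsize is less than 1
*/
int hi_server_anomaly_detection(void *S, const u_char *data, int dsize)
{
    /* Leading bytes of an HTTP response status line. */
    static const char http_prefix[] = "HTTP/";
    const size_t http_prefix_len = sizeof(http_prefix) - 1;
    HI_SESSION *Session = (HI_SESSION *)S;
    HTTPINSPECT_GLOBAL_CONF *GlobalConf;

    /* Reject missing arguments before anything is dereferenced. */
    if(S == NULL || data == NULL || dsize < 1)
        return HI_INVALID_ARG;

    GlobalConf = Session->global_conf;
    if(GlobalConf == NULL)
        return HI_INVALID_ARG;

    /*
    **  We are just going to look for server responses on non-HTTP
    **  ports.  The dsize > 5 guard keeps the prefix compare below
    **  inside the buffer: it reads only the first 5 bytes.
    */
    if(GlobalConf->anomalous_servers && dsize > 5)
    {
        /*
        **  We now do the checking for anomalous HTTP servers
        */
        if(memcmp(data, http_prefix, http_prefix_len) == 0)
        {
            hi_eo_anom_server_event_log(Session, HI_EO_ANOM_SERVER,
                                        NULL, NULL);
        }
    }

    return HI_SUCCESS;
}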
94