1 /****************************************************************************
2  *
3  * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
4  * Copyright (C) 2003-2013 Sourcefire, Inc.
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License Version 2 as
8  * published by the Free Software Foundation.  You may not use, modify or
9  * distribute this program under any other version of the GNU General
10  * Public License.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
20  *
21  ****************************************************************************/
22 
23 /**
24 **  @file       hi_ui_config.h
25 **
26 **  @author     Daniel Roelker <droelker@sourcefire.com>
27 **
28 **  @brief      This file contains the internal configuration structures
29 **              for HttpInspect.
30 **
31 **  This file holds the configuration constructs for the HttpInspect global
32 **  configuration and the server configurations.  It also contains the function
33 **  prototypes for accessing server configurations.
34 */
35 
36 #ifndef __HI_UI_CONFIG_H__
37 #define __HI_UI_CONFIG_H__
38 
39 #include "hi_include.h"
40 #include "snort_bounds.h"
41 #include "sfrt.h"
42 #include "ipv6_port.h"
43 #include "sf_ip.h"
44 #include "sfPolicy.h"
45 #include "hi_util_kmap.h"
46 #include "file_mail_common.h"
47 #include "file_api.h"
48 #include "file_decomp.h"
49 #include "session_api.h"
50 
/*
**  Defines
*/

/*
**  Default values for per-server limits.
**  NOTE(review): presumably these seed max_hdr_len, max_headers and
**  max_spaces in HTTPINSPECT_CONF, and a value of 0 looks like "limit not
**  enforced" -- confirm against the initialisation code, which is not part
**  of this header.
*/
#define HI_UI_CONFIG_MAX_HDR_DEFAULT 0
#define HI_UI_CONFIG_MAX_HEADERS_DEFAULT 0
#define HI_UI_CONFIG_MAX_SPACES_DEFAULT 200

/*
**  Special characters treated as whitespace before or after URI
**
**  The two values are distinct bits, so both can be set on one character.
**  NOTE(review): presumably stored per byte value in
**  HTTPINSPECT_CONF.whitespace[] -- confirm in the parser.
*/

#define HI_UI_CONFIG_WS_BEFORE_URI 0x01
#define HI_UI_CONFIG_WS_AFTER_URI  0x02

/**Maximum number of entries in server_lookup table.
**
** NOTE(review): the code that inserts into the table is not in this header;
** verify that hi_ui_config_add_server() fails cleanly once this many
** entries exist instead of silently dropping a server configuration.
*/
#define HI_UI_CONFIG_MAX_SERVERS 1025

/**
**  Defines a search type for the server configurations in the
**  global configuration.  We want this generic so we can change
**  it easily if we change the search type.
**
**  table_t is not declared in this file; it is expected to come from one
**  of the headers included above.
*/
typedef table_t SERVER_LOOKUP;
76 
/**
**  This structure simply holds a value for on/off and whether
**  alert is on/off.  Should be used for many configure options.
**
**  The two flags are independent ints used as booleans: an option can be
**  switched on (handled by the inspector) without raising an alert.
**  Within this header it is the type of every URI encoding and URI
**  normalization option in HTTPINSPECT_CONF.
*/
typedef struct s_HTTPINSPECT_CONF_OPT
{

    int on;     /**< if true, configuration option is on */
    int alert;  /**< if true, alert if option is found */

}  HTTPINSPECT_CONF_OPT;
88 
/* The following are used to delineate server profiles for user output
 * and debugging information.
 *
 * No explicit values are given, so the enumerators are numbered 0..4 in
 * declaration order.  The value is stored in HTTPINSPECT_CONF.profile.
 * NOTE(review): presumably set by the hi_ui_config_set_profile_*()
 * functions declared at the end of this header -- confirm in the
 * implementation.  A profile that does not match the real server means the
 * sensor may decode a request differently from the server it protects. */
typedef enum e_PROFILES
{
    HI_ALL,     /* generic profile, not tied to one server family */
    HI_APACHE,  /* Apache-style handling */
    HI_IIS,     /* IIS-style handling */
    HI_IIS4,    /* IIS 4 */
    HI_IIS5     /* IIS 5 */
} PROFILES;
99 
/* Lookup container for configured HTTP methods; KMAP is expected to come
 * from hi_util_kmap.h, included above. */
typedef KMAP CMD_LOOKUP;

/*
 * One configured HTTP method name.
 *
 * cmd_name uses the pre-C99 "struct hack": it is declared with one element
 * but is meant to hold a longer string, so an instance must be allocated
 * with room for the whole name plus its terminating NUL, not with a bare
 * sizeof(HTTP_CMD_CONF).
 * NOTE(review): the allocation site is not visible here; confirm it sizes
 * the buffer from the name length and copies with a bound.  Writing past
 * the declared [1] bound is also what bounds checkers and fortified libc
 * builds report, so a C99 flexible array member would be the cleaner form
 * if every allocation site is adjusted for the different sizeof.
 */
typedef struct s_HTTP_CMD_CONF
{
    char cmd_name[1];  // variable length array

}  HTTP_CMD_CONF;
107 
/*
 * Pair of 8-bit values used by HTTPINSPECT_CONF.small_chunk_length, which
 * sits under "Chunk encoding anomaly detection".
 *
 * Both members are uint8_t, so neither can hold a value above 255; the
 * config parser has to range-check before storing or the value wraps.
 * NOTE(review): presumably `size` is the chunk-size threshold and `num`
 * the number of consecutive small chunks that triggers the event --
 * confirm against the chunk decoder.
 */
typedef struct _HISmallChunkLength
{
    uint8_t size;
    uint8_t num;

} HISmallChunkLength;
114 
/**
**  This is the configuration construct that holds the specific
**  options for a server.  Each unique server has its own structure
**  and there is a global structure for servers that don't have
**  a unique configuration.
**
**  Most members are plain char/int flags.  The structure is reference
**  counted (see referenceCount) and its layout depends on FEAT_OPEN_APPID,
**  so every translation unit that touches it must be built with the same
**  setting of that macro.
*/
typedef struct s_HTTPINSPECT_CONF
{
    int  port_count;
    /* NOTE(review): MAXPORTS_STORAGE is defined outside this header; the
     * name suggests a packed per-port bitmap -- confirm before indexing
     * this array directly with a port number. */
    uint8_t ports[MAXPORTS_STORAGE];
    /* Inspection depths are signed ints.  NOTE(review): presumably negative
     * and zero values act as sentinels rather than byte counts -- confirm
     * before using these in length arithmetic. */
    int  server_flow_depth;
    int  client_flow_depth;
    int  post_depth;

    int64_t  server_extract_size;
    int64_t  post_extract_size;
    /*
    **  Unicode mapping for IIS servers
    */
    uint8_t *iis_unicode_map;
    char *iis_unicode_map_filename;
    int  iis_unicode_codepage;

    int  long_dir;

    /*
    **  Chunk encoding anomaly detection
    */
    unsigned int chunk_length;
    HISmallChunkLength small_chunk_length;

    char uri_only;
    char no_alerts;
    char enable_cookie;
    char inspect_response;
    char enable_xff;
    /* Parallel arrays: one header-name pointer and one length per slot.
     * Each length is a uint8_t, so a stored name length cannot exceed 255.
     * NOTE(review): confirm the parser rejects longer names instead of
     * truncating the length, and who owns/frees the pointed-to names. */
    uint8_t *xff_headers[HTTP_MAX_XFF_FIELDS];
    uint8_t xff_header_lengths[HTTP_MAX_XFF_FIELDS];
    char log_uri;
    char log_hostname;

    char unlimited_decompress;
    char extract_gzip;
    unsigned long file_decomp_modes;

    /* Support Extended ascii codes in the URI */
    char extended_ascii_uri;
    /*
    **  pipeline requests
    */
    char no_pipeline;

    /*
    **  Enable non-strict (apache) URI handling.  This allows us to catch the
    **  non-standard URI parsing that apache does.
    */
    char non_strict;

    /*
    **  Allow proxy use for this server.
    */
    char allow_proxy;

    /*
    **  Handle tab char (0x09) as a URI delimiter.  Apache honors this, IIS does not.
    */
    char tab_uri_delimiter;

    /*
    **  Normalize HTTP Headers if they exist.
    XXX Not sure what Apache & IIS do with respect to HTTP header 'uri' normalization.
    */
    char normalize_headers;

    /*
    **  Normalize HTTP cookies if they exist.
    **  NOTE(review): the comment here used to be a verbatim copy of the
    **  normalize_headers one; the wording above is inferred from the field
    **  name.  The same open question about Apache & IIS behaviour applies.
    */
    char normalize_cookies;

    /*
    **  Normalize multi-byte UTF charsets in HTTP server responses.
    */
    char normalize_utf;

    /*
     * Normalize Javascripts in HTTP server responses
     */
    char normalize_javascript;

    /*
    **  Characters to be treated as whitespace bracketing a URI.
    **  256 entries, i.e. one per possible byte value.
    **  NOTE(review): presumably holds HI_UI_CONFIG_WS_BEFORE_URI /
    **  HI_UI_CONFIG_WS_AFTER_URI bits and is indexed by the input byte;
    **  index it with an unsigned char, since a plain char may be negative.
    */
    char whitespace[256];

    /*
    **  These are the URI encoding configurations
    */
    HTTPINSPECT_CONF_OPT ascii;
    HTTPINSPECT_CONF_OPT double_decoding;
    HTTPINSPECT_CONF_OPT u_encoding;
    HTTPINSPECT_CONF_OPT bare_byte;
    HTTPINSPECT_CONF_OPT utf_8;
    HTTPINSPECT_CONF_OPT iis_unicode;
    /* 256 entries, one per byte value; same unsigned-index caveat as
     * whitespace[] above. */
    char                 non_rfc_chars[256];

    /*
    **  These are the URI normalization configurations
    */
    HTTPINSPECT_CONF_OPT multiple_slash;
    HTTPINSPECT_CONF_OPT iis_backslash;
    HTTPINSPECT_CONF_OPT directory;
    HTTPINSPECT_CONF_OPT webroot;
    HTTPINSPECT_CONF_OPT apache_whitespace;
    HTTPINSPECT_CONF_OPT iis_delimiter;
    /* NOTE(review): presumably initialised from the
     * HI_UI_CONFIG_MAX_*_DEFAULT values defined earlier in this header --
     * confirm.  max_js_ws has no default defined in this file. */
    int max_hdr_len;
    int max_headers;
    int max_spaces;
    int max_js_ws;

    PROFILES profile;
    CMD_LOOKUP    *cmd_lookup;

    /**Used to track references to this allocated data structure. Each additional
     * reference should increment referenceCount. Each attempted free should
     * decrement it. When free is attempted and reference count is 0, then
     * this HTTPINSPECT_CONF should be actually freed.
     *
     * NOTE(review): this is a plain int with no atomic qualifier in this
     * declaration; confirm every increment/decrement happens on one thread
     * or under a lock, otherwise a lost update can free the structure while
     * it is still referenced.
     */
    int referenceCount;
    /* Conditionally compiled member: shifts the offsets of everything
     * declared after it. */
#if defined(FEAT_OPEN_APPID)
    char appid_enabled;
#endif /* defined(FEAT_OPEN_APPID) */
    uint8_t file_policy;
    bool h2_mode;

}  HTTPINSPECT_CONF;
251 
/**
**  This is the configuration for the global HttpInspect
**  configuration.  It contains the global aspects of the
**  configuration, a standard global default configuration,
**  and server configurations.
*/
typedef struct s_HTTPINSPECT_GLOBAL_CONF
{
    int              disabled;
    int              anomalous_servers;
    int              proxy_alert;

    /*
    **  These variables are for tracking the IIS
    **  Unicode Map configuration.
    */
    uint8_t          *iis_unicode_map;
    char             *iis_unicode_map_filename;
    int              iis_unicode_codepage;

    /* Default configuration, used for servers that have no unique
     * configuration of their own. */
    HTTPINSPECT_CONF *global_server;
    /* Per-server configurations; bounded by HI_UI_CONFIG_MAX_SERVERS. */
    SERVER_LOOKUP    *server_lookup;


    /* Resource limits for decompression.
     * NOTE(review): the limits mix signed and unsigned types (int
     * max_gzip_sessions, compr_depth, decompr_depth and memcap; unsigned
     * int max_gzip_mem).  Confirm the parser range-checks each one before
     * it reaches size arithmetic, so a negative or wrapped value cannot
     * turn a cap into "no cap". */
    int max_gzip_sessions;
    unsigned int max_gzip_mem;
    int compr_depth;
    int decompr_depth;
    int memcap;
    /* NOTE(review): presumably identifiers returned when the extra-data
     * loggers (true IP, URI, hostname, gzip, JS-normalised data) are
     * registered -- confirm in the setup code. */
    uint32_t xtra_trueip_id;
    uint32_t xtra_uri_id;
    uint32_t xtra_hname_id;
    uint32_t xtra_gzip_id;
    uint32_t xtra_jsnorm_id;
    /* DecodeConfig and MAIL_LogConfig are declared outside this header
     * (expected from the file_* headers included above). */
    DecodeConfig decode_conf;
    MAIL_LogConfig mime_conf;
    bool normalize_nulls;
    bool fast_blocking;
}  HTTPINSPECT_GLOBAL_CONF;
291 
/* NOTE(review): presumably the values stored in hex_lookup[] /
 * valid_lookup[] declared below -- confirm in the defining .c file. */
#define INVALID_HEX_VAL -1
#define HEX_VAL          1

/*
**  Functions
**
**  The functions returning int give no documentation of their return
**  values in this header; check the implementation for the success and
**  error codes before testing a result against 0.
*/
int hi_ui_config_init_global_conf(HTTPINSPECT_GLOBAL_CONF *GlobalConf);
/* Note: despite its name, the GlobalConf parameter here is a per-server
 * HTTPINSPECT_CONF, not an HTTPINSPECT_GLOBAL_CONF. */
int hi_ui_config_default(HTTPINSPECT_CONF *GlobalConf);
int hi_ui_config_reset_global(HTTPINSPECT_GLOBAL_CONF *GlobalConf);
int hi_ui_config_reset_server(HTTPINSPECT_CONF *ServerConf);
void hi_ui_config_reset_http_methods(HTTPINSPECT_CONF *ServerConf);

int hi_ui_config_add_server(HTTPINSPECT_GLOBAL_CONF *GlobalConf,
                            sfcidr_t *ServerIP,
                            HTTPINSPECT_CONF *ServerConf);

/* Profile setters.  The GlobalConf parameter is again an HTTPINSPECT_CONF.
 * NOTE(review): the unnamed uint8_t * argument is presumably the IIS
 * unicode map to install -- confirm, and name it in the prototype. */
int hi_ui_config_set_profile_apache(HTTPINSPECT_CONF *GlobalConf);
int hi_ui_config_set_profile_iis(HTTPINSPECT_CONF *GlobalConf, uint8_t *);
int hi_ui_config_set_profile_iis_4or5(HTTPINSPECT_CONF *GlobalConf, uint8_t *);
int hi_ui_config_set_profile_all(HTTPINSPECT_CONF *GlobalConf, uint8_t *);
/* NOTE(review): takes void *, presumably so it can be passed as a generic
 * free callback -- confirm the expected pointee type at the call site. */
void HttpInspectCleanupHttpMethodsConf(void *);

/* 256-entry tables defined in another translation unit.
 * NOTE(review): presumably indexed by byte value; callers should index
 * with an unsigned char, since a negative plain char would read before the
 * start of the array. */
extern int hex_lookup[256];
extern int valid_lookup[256];
316 #endif
317