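/* $Id: plugins.h,v 2.54 2009/11/27 01:39:39 fknobbe Exp $
 *
 *
 * Copyright (c) 2001-2008 Frank Knobbe <frank@knobbe.us>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *
 * This file contains the plugins registry.
 *
 */


/* NOTE(review): identifiers starting with a double underscore are reserved
 * for the implementation; the guard name is kept unchanged here because
 * other files may test it.                                               */
#ifndef __PLUGINS_H__
#define __PLUGINS_H__


#include "snortsam.h"

#include "ssp_opsec.h"
#include "ssp_fwexec.h"
#include "ssp_fwsam.h"
#include "ssp_pix.h"
#include "ssp_ciscoacl.h"
#include "ssp_cisco_nullroute.h"
#include "ssp_cisco_nullroute2.h"
#include "ssp_email.h"
#include "ssp_netscreen.h"
#include "ssp_ipf.h"
#include "ssp_pf.h"
#include "ssp_pf2.h"
#include "ssp_ipchains.h"
#include "ssp_iptables.h"
#include "ssp_ebtables.h"
#include "ssp_wgrd.h"
#include "ssp_8signs.h"
#include "ssp_isa.h"
#include "ssp_isa2004.h"
#include "ssp_chxi.h"
#include "ssp_ipfw2.h"
#include "ssp_snmp_interface_down.h"
#include "ssp_forward.h"


/* Threading model of a plugin (see PluginThreading below for details). */
#define TH_NONE   0   /* run inline in the main thread, never in its own thread */
#define TH_SINGLE 1   /* own thread, but one device at a time                   */
#define TH_MULTI  2   /* own thread(s), devices may be processed in parallel    */


/*
 * One registry entry per plugin.  Each function pointer may be NULL when the
 * plugin does not need that hook.  The three text fields are fixed-size
 * arrays; their initializers (including the terminating NUL) must fit in
 * the sizes given here.
 */
typedef struct _plugins
{   int (*PluginInit)(DATALIST *);               /* Init routine, or NULL if not needed */
    void (*PluginConfigParse)(char *,            /* Config line parser, or NULL if not needed: */
                              char *,            /*   (config line, config file name,          */
                              unsigned long,     /*    line number, device/parameter struct)   */
                              DATALIST *);
    void (*PluginBlock)(BLOCKINFO *,             /* Blocking routine, or NULL if not needed */
                        void *, unsigned long);
    void (*PluginExit)(DATALIST *);              /* Exit routine, or NULL if not needed */
    void (*PluginKeepAlive)(DATALIST *);         /* Keep-alive routine for persistent firewall connections, or NULL */
    int PluginNeedsExpiration;                   /* TRUE if SnortSam must expire (unblock) the block itself */
    int PluginDoesReblockOnSignal;               /* FALSE to skip re-blocking on USR1 reload (forward, email) */
    int PluginThreading;                         /* TH_MULTI, TH_SINGLE or TH_NONE */
    char PluginHandle[40];                       /* Short handle, used in the config file */
    char PluginAuthor[100];                      /* Author name (or "" if not used) */
    char PluginVersion[30];                      /* Plugin version (or "" if not used) */
} PLUGINREGISTRY;

/*
PluginInit:         A function SnortSam calls when it encounters a plugin in the
                    configuration file. The function returns either TRUE or FALSE,
                    indicating a successful or unsuccessful initialization. If the function
                    returns FALSE, SnortSam will disable the plugin.
                    The parameter is a pointer to the first element in the device/parameter list.
                    (The plugin may use it at its own discretion.)

PluginConfigParse:  A function SnortSam calls on every configuration line for the plugin.
                    The first parameter is the config line. The second parameter is the
                    config file name itself, the third parameter is the line number.
                    (The last two are useful for logging purposes.)
                    The fourth parameter is a pointer to a device/parameter structure (not the list).
                    If the plugin allocates it, SnortSam will link it into the list for you.

PluginBlock:        A function SnortSam calls when it needs to block an IP address.
                    The first parameter is a pointer to the BLOCKINFO struct which contains
                    the IP address, port, protocol, etc. and also the flag for block or unblock.
                    The second parameter is a pointer to a device/parameter structure (not the list).
                    The third parameter (unsigned long) is not described here; check the caller
                    in SnortSam before relying on its meaning.

PluginExit:         A function SnortSam calls when it terminates. This gives the plugin a
                    chance to clean itself up before exiting.
                    The parameter is a pointer to the device/parameter list if the plugin uses one.
                    (If not, it would still be NULL.)
                    NOTE: The plugin does not need to free the elements itself anymore. SnortSam will
                    free the elements and clean up the chain itself. The parameter is provided for final
                    communication to devices if the plugin needs to perform this.

PluginKeepAlive:    This function is called during "keepalive" intervals in order to maintain an external
                    connection with the given plugin device (i.e. router). This was added in preparation for
                    persistent TCP connections to telnet based firewalls/routers in order to avoid frequent
                    login/logout sequences. Not implemented in any plugin yet (every entry below sets it to NULL).

PluginNeedsExpiration:
                    This can be set to TRUE if SnortSam has to time-out the blocks.
                    Can be set to FALSE if the firewall will time-out itself.
                    If set to TRUE, SnortSam will keep track of blocks and even create
                    a state file so that timeouts/unblocks can be processed even if
                    SnortSam is restarted.

PluginDoesReblockOnSignal:
                    Most plugins (all firewalls) can be reloaded with USR1 which causes blocks from the
                    statefile to be blocked again. However, "forward" should not forward blocks on reload,
                    and emails would also cause a flood. Thus these two don't need to act on reload.
                    With this flag at FALSE, the plugin can avoid being called on USR1 reloads.

PluginThreading:    This can be set to TH_MULTI if the plugin can be executed more than once (for multiple
                    firewalls) and can run simultaneously, and is capable of being launched in separate
                    threads. The plugin will be launched in parallel with other plugins, and with other
                    instances of itself. If the plugin is capable of multithreading, but should only contact
                    its own devices sequentially, set this flag to TH_SINGLE. This plugin will then be
                    executed in parallel to the other plugins, but it will only process one device at a time.
                    If the plugin has problems with threads, set this flag to TH_NONE. In that case SnortSam
                    will not launch it in its own thread(s), but run it inline in the main thread/process.
                    Currently, the OPSEC plugin suffers from this and has to be run that way.

PluginHandle:       Short text handle (at most 39 characters). This is used in config files to pass the
                    config line on to the plugin.

PluginAuthor:       The name entered here is listed on startup of SnortSam (at most 99 characters).

PluginVersion:      The version entered here is listed on startup of SnortSam (at most 29 characters).

Maintenance note:   The entries below are positional initializers, so the order of values must match
                    struct _plugins exactly; the compiler cannot tell a swapped flag from a correct one.
                    Keep a comma after every value: two adjacent string literals ("Author" "1.0")
                    silently concatenate into a single PluginAuthor string and leave PluginVersion empty.
*/

/* This is a definition, not a declaration: include plugins.h from exactly one
 * translation unit, or the linker will see Plugins defined twice.           */
PLUGINREGISTRY Plugins[]={
/* ------------------------------------------------------------ */
/* Native FW-Sam plugin (self assembled packet) */
    {   NULL,
        FWSamParse,
        FWSamBlock,
        NULL,
        NULL,
        FALSE,
        TRUE,
        TH_MULTI,
        "fwsam",
        "Frank Knobbe",
        "2.5"
    },
/* ------------------------------------------------------------ */
/* Old fwexec, now plugin */
    {   NULL,
        FWExecParse,
        FWExecBlock,
        NULL,
        NULL,
        FALSE,
        TRUE,
        TH_SINGLE,
        "fwexec",
        "Frank Knobbe",
        "2.7"
    },
/* ------------------------------------------------------------ */
/* OPSEC compliant plugin */
#ifdef ENABLE_OPSEC
    {   NULL,
        OPSEC_Parse,
        OPSEC_Block,
        NULL,
        NULL,
        FALSE,
        TRUE,
        TH_NONE,
        "opsec",
        "Frank Knobbe",
        "2.6"
    },
#endif
/* ------------------------------------------------------------ */
/* PIX Plugin (using the SHUN command) */
    {   NULL,
        PIXParse,
        PIXBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_MULTI,
        "pix",
        "Frank Knobbe",
        "2.9"
    },
/* ------------------------------------------------------------ */
/* CISCO ACL Plugin */
    {   NULL,
        CISCOACLParse,
        CISCOACLBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_SINGLE,
        "ciscoacl",
        "Ali Basel <alib@sabanciuniv.edu>",
        "2.12"
    },
/* ------------------------------------------------------------ */
/* Cisco Null Route Plugin */
    {   NULL,
        CiscoNullRouteParse,
        CiscoNullRouteBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_MULTI,
        "cisconullroute",
        "Frank Knobbe",
        "2.5"
    },
/* ------------------------------------------------------------ */
/* Cisco Null Route2 Plugin */
    {   NULL,
        CiscoNullRoute2Parse,
        CiscoNullRoute2Block,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_MULTI,
        "cisconullroute2",
        "Wouter de Jong <maddog2k@maddog2k.net>",
        "2.2"
    },
/* ------------------------------------------------------------ */
/* Netscreen Plugin (deny-group) */
    {   NULL,
        NetScrnParse,
        NetScrnBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_MULTI,
        "netscreen",
        "Frank Knobbe",
        "2.10"
    },
/* ------------------------------------------------------------ */
#if !defined(WIN32) && !defined(Linux) && !defined(OpenBSD)
/* IPFilter Plugin */
    {   NULL,
        IPFParse,
        IPFBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_SINGLE,
        "ipf",
        "Erik Sneep <erik@webflex.nl>",
        "2.16"
    },
#endif
/* ------------------------------------------------------------ */
#ifdef USE_SSP_PF
#if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
/* PF Plugin */
    {   NULL,
        PFParse,
        PFBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_SINGLE,
        "pf",
        "Hector Paterno <apaterno@dsnsecurity.com>",
        "3.6"
    },
#endif
#endif /* USE_SSP_PF */
/* ------------------------------------------------------------ */
#ifndef USE_SSP_PF
#if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
/* PF2 Plugin */
    {   NULL,
        PF2Parse,
        PF2Block,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_SINGLE,
        "pf2",
        "Olaf Schreck <chakl@syscall.de>",
        "3.3"
    },
#endif
#endif /* !USE_SSP_PF */
/* ------------------------------------------------------------ */
#ifdef FreeBSD
/* IPFW2 Plugin */
    {   NULL,
        IPFW2Parse,
        IPFW2Block,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_SINGLE,
        "ipfw2",
        "Robert Rolfe <rob@wehostwebpages.com>",
        "2.4"
    },
#endif
/* ------------------------------------------------------------ */
#ifdef Linux
/* Ipchains Plugin */
    {   NULL,
        IPCHParse,
        IPCHBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_SINGLE,
        "ipchains",
        "Hector A. Paterno <apaterno@dsnsecurity.com>",
        "2.8"
    },
/* ------------------------------------------------------------ */
/* Iptables Plugin */
    {   NULL,
        IPTParse,
        IPTBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_SINGLE,
        "iptables",
        "Fabrizio Tivano <fabrizio@sad.it>, Luis Marichal <luismarichal@gmail.com>",
        "2.9"
    },
/* ------------------------------------------------------------ */
/* EBtables Plugin */
    {   NULL,
        EBTParse,
        EBTBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_SINGLE,
        "ebtables",
        "Bruno Scatolin <ipsystems@uol.com.br>",
        "2.4"
    },
#endif
/* ------------------------------------------------------------ */
/* Watchguard plugin */
    {   NULL,
        WGRDParse,
        WGRDBlock,
        NULL,
        NULL,
        FALSE,
        TRUE,
        TH_MULTI,
        "watchguard",
        "Thomas Maier <thomas.maier@arcos.de>",
        "2.7"
    },
/* ------------------------------------------------------------ */
#ifdef WIN32
/* 8signs plugin */
    {   NULL,
        DFWParse,
        DFWBlock,
        NULL,
        NULL,
        TRUE,      /* Actually FALSE since it can expire itself. But it only
                      takes day, week, or forever, so we just time-out ourselves. */
        TRUE,
        TH_SINGLE,
        "8signs",
        "Frank Knobbe",   /* comma was missing: author and version used to concatenate */
        "2.3"
    },
/* ------------------------------------------------------------ */
/* CHX-I plugin */
    {   NULL,
        CHXIParse,
        CHXIBlock,
        NULL,
        NULL,
        FALSE,
        TRUE,
        TH_SINGLE,
        "chx-i",
        "Frank Knobbe",   /* comma was missing: author and version used to concatenate */
        "2.4"
    },
/* ------------------------------------------------------------ */
#ifdef WITH_ISA2002
/* Microsoft ISA Server plugin */
    {   NULL,
        ISAParse,
        ISABlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_NONE,   /* Maybe single. (COM interfaces calling restrictions) */
        "isa",
        "Nima Sharifi Mehr <nimahacker@yahoo.com>",
        "2.4"
    },
#endif
/* ------------------------------------------------------------ */
#ifdef WITH_ISA2004
/* Microsoft ISA 2004 Server plugin */
    {   NULL,
        ISAParse2004,
        ISABlock2004,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_NONE,   /* Maybe single. (COM interfaces calling restrictions) */
        "isa2004",
        "Mark P Clift <mark_clift@yahoo.com>",
        "2.2"
    },
#endif
#endif /* WIN32 */
/* ------------------------------------------------------------ */
/* Email Notification plugin */
    {   NULL,
        EmailParse,
        EmailSend,
        NULL,
        NULL,
        TRUE,
        FALSE,
        TH_MULTI,
        "email",
        "Frank Knobbe",
        "2.12"
    },
/* ------------------------------------------------------------ */
/* Email Block-only Notification plugin */
    {   NULL,
        EmailParse,
        EmailSendBlockOnly,
        NULL,
        NULL,
        FALSE,
        FALSE,
        TH_MULTI,
        "email-blocks-only",
        "Frank Knobbe",
        "2.12"
    },
/* ------------------------------------------------------------ */
/* SNMP Interface Down plugin */
    {   NULL,
        SNMPINTERFACEDOWNParse,
        SNMPINTERFACEDOWNBlock,
        NULL,
        NULL,
        TRUE,
        TRUE,
        TH_SINGLE,
        "snmpinterfacedown",
        "Ali BASEL <ali@basel.name.tr>",
        "2.3"
    },
/* ------------------------------------------------------------ */
/* Forwarder plugin */
    {   NULL,
        ForwardParse,
        ForwardBlock,
        ForwardExit,
        NULL,
        FALSE,
        FALSE,
        TH_MULTI,
        "forward",
        "Frank Knobbe",
        "2.8"
    }
/* ------------------------------------------------------------ */
/* add other plugins here */
};


#endif /* __PLUGINS_H__ */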