1 /* $Id: plugins.h,v 2.54 2009/11/27 01:39:39 fknobbe Exp $
2  *
3  *
4  * Copyright (c) 2001-2008 Frank Knobbe <frank@knobbe.us>
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  *
28  *
29  * This file contains the plugins registry.
30  *
31  */
32 
33 
34 #ifndef		__PLUGINS_H__
35 #define		__PLUGINS_H__
36 
37 
38 #include "snortsam.h"
39 
40 #include "ssp_opsec.h"
41 #include "ssp_fwexec.h"
42 #include "ssp_fwsam.h"
43 #include "ssp_pix.h"
44 #include "ssp_ciscoacl.h"
45 #include "ssp_cisco_nullroute.h"
46 #include "ssp_cisco_nullroute2.h"
47 #include "ssp_email.h"
48 #include "ssp_netscreen.h"
49 #include "ssp_ipf.h"
50 #include "ssp_pf.h"
51 #include "ssp_pf2.h"
52 #include "ssp_ipchains.h"
53 #include "ssp_iptables.h"
54 #include "ssp_ebtables.h"
55 #include "ssp_wgrd.h"
56 #include "ssp_8signs.h"
57 #include "ssp_isa.h"
58 #include "ssp_isa2004.h"
59 #include "ssp_chxi.h"
60 #include "ssp_ipfw2.h"
61 #include "ssp_snmp_interface_down.h"
62 #include "ssp_forward.h"
63 
64 
/*
 * Threading models a plugin can declare in PLUGINREGISTRY.PluginThreading.
 * The value decides whether SnortSam may run the plugin's callbacks in
 * separate threads, so it must match what the plugin code can tolerate.
 */
#define TH_NONE			0		/* Not thread-capable: SnortSam runs the plugin inline in the main thread/process */
#define TH_SINGLE		1		/* Runs in parallel to other plugins, but handles only one of its own devices at a time */
#define TH_MULTI		2		/* Runs in parallel with other plugins and with other instances of itself */
68 
69 
/*
 * Registry entry describing one output plugin: its callbacks, the way
 * SnortSam has to treat it (expiration, reload, threading) and the strings
 * shown for it. Any callback may be NULL when the plugin does not need it,
 * so code walking the registry has to test a pointer before calling it.
 */
typedef struct _plugins
{
	/* Init routine, or NULL if not needed. Receives the first element of the
	   device/parameter list; a FALSE return makes SnortSam disable the plugin. */
	int (*PluginInit)(DATALIST *);

	/* Config file parsing routine, or NULL if not needed. Arguments in order:
	   config line, config file name, line number, device/parameter structure. */
	void (*PluginConfigParse)(char *, char *, unsigned long, DATALIST *);

	/* Blocking routine, or NULL if not needed. Arguments: the BLOCKINFO for the
	   block/unblock request and the device/parameter structure; the trailing
	   unsigned long is not described in this header.
	   NOTE(review): plugins that turn BLOCKINFO fields into firewall commands
	   should build them from validated values -- confirm in each ssp_*.c. */
	void (*PluginBlock)(BLOCKINFO *, void *, unsigned long);

	/* Exit routine, or NULL if not needed. Receives the device/parameter list. */
	void (*PluginExit)(DATALIST *);

	/* Keep-alive routine for persistent connections to firewalls, or NULL. */
	void (*PluginKeepAlive)(DATALIST *);

	/* TRUE if SnortSam has to expire (time out) the block itself. */
	int PluginNeedsExpiration;

	/* FALSE to avoid blocking again on a USR1 reload (used by forward and email). */
	int PluginDoesReblockOnSignal;

	/* One of TH_MULTI, TH_SINGLE, TH_NONE. With TH_MULTI the plugin runs in
	   parallel with other instances of itself. */
	int PluginThreading;

	/* The three strings below are fixed-size arrays: an initializer has to be
	   shorter than the array so that the terminating NUL still fits. */
	char PluginHandle[40];		/* Short handle, used in the config file */
	char PluginAuthor[100];		/* Author name (or "" if not used) */
	char PluginVersion[30];		/* Plugin version (or "" if not used) */
} PLUGINREGISTRY;
86 
87 /*
88 PluginInit:				A function SnortSam calls when it encounters a plugin in the
89 						configuration file. The function returns either TRUE or FALSE,
90 						indicating a successful or unsuccessful initialization. If the function
91 						returns FALSE, SnortSam will disable the plugin.
92 						The parameter is a pointer to the first element in the device/parameter list.
93 						(The plugin may use it at its own discretion.)
94 
95 PluginConfigParse:		A function SnortSam calls on every configuration line for the plugin.
96 						The first parameter is the config line. The second parameter is the
97 						config file name itself, the third parameter is the line number.
98 						(The file name and line number are useful for logging purposes.)
99 						The fourth parameter is a pointer to a device/parameter structure (not the list).
100 						If the plugin allocates it, SnortSam will link it into the list for you.
101 
102 PluginBlock:			A function SnortSam calls when it needs to block an IP address.
103 						The first parameter is a pointer to the BLOCKINFO struct which contains
104 						the IP address, port, protocol, etc and also the flag for block or unblock.
105 						The second parameter is a pointer to a device/parameter structure (not the list).
106 
107 PluginExit:				A function SnortSam calls when it terminates. This gives the plugin a
108 						chance to clean itself up before exiting.
109 						The parameter is a pointer to the device/parameter list if the plugin uses one.
110 						(If not, it would still be NULL).
111 						NOTE: The plugin does not need to free the elements itself anymore. Snortsam will
112 						free the elements and clean up the chain itself. The parameter is provided for final
113 						communication to devices if the plugin needs to perform this.
114 
115 PluginKeepAlive:		This function is called during "keepalive" intervals in order to maintain an external
116                         connection with the given plugin device (ie router). This was added in preparation for
117                         persistent TCP connections to telnet based firewalls/routers in order to avoid frequent
118                         login/logout sequences. Not implemented in any plugin yet.
119 
120 PluginNeedsExpiration:	This can be set to TRUE if SnortSam has to time-out the blocks.
121 						Can be set to FALSE if the firewall will time-out itself.
122 						If set to TRUE, SnortSam will keep track of blocks and even create
123 						a state file so that timeouts/unblocks can be processed even if
124 						SnortSam is restarted.
125 
126 PluginDoesReblockOnSignal:  Most plugins (all firewalls) can be reloaded with USR1, which causes the blocks from the
127                         state file to be applied again. However, "forward" should not forward blocks on reload,
128                         and emails would also cause a flood. Thus these two don't need to act on reload.
129 					    With this flag set to FALSE, the plugin is not called on USR1 reloads.
130 
131 PluginThreading:		This can be set to TH_MULTI if the plugin can be executed more than once (for multiple
132 						firewalls) and can run simultaneously, and is capable of being launched in separate
133 						threads. The plugin will be launched in parallel with other plugins, and with other
134 						instances of itself. If the plugin is capable of multithreading, but should only contact
135 						its own devices sequentially, set this flag to TH_SINGLE. This plugin will then be
136 						executed in parallel to the other plugins, but it will only process one device at a time.
137 						If the plugin has problems with threads, set this flag to TH_NONE. In that case SnortSam
138 						will not launch it in its own thread(s), but run it inline in the main thread/process.
139 						Currently, the OPSEC plugin suffers from this and has to be run that way.
140 
141 PluginHandle:			Short text handle. This is used in config files to pass the config line
142 						on to the plugin.
143 
144 PluginAuthor:			The name entered here is listed on startup of SnortSam.
145 
146 PluginVersion:			The version entered here is listed on startup of SnortSam.
147 
148 */
149 
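/*
 * Plugin registry: one PLUGINREGISTRY initializer per output plugin.
 *
 * The initializers are positional, so every entry lists its values in the
 * order of the struct members:
 *   PluginInit, PluginConfigParse, PluginBlock, PluginExit, PluginKeepAlive,
 *   PluginNeedsExpiration, PluginDoesReblockOnSignal, PluginThreading,
 *   PluginHandle, PluginAuthor, PluginVersion
 *
 * Every value needs its own comma. Two adjacent string literals without a
 * comma are concatenated by the compiler without a diagnostic, which merges
 * the version into the author string and leaves PluginVersion empty.
 *
 * Which entries exist depends on the platform and feature macros below, so
 * the entry count differs between builds. The array has no terminating
 * sentinel entry.
 *
 * NOTE(review): this is a definition without 'static' in a header;
 * presumably the header is included by exactly one .c file -- confirm,
 * otherwise the link step sees duplicate definitions.
 */
PLUGINREGISTRY Plugins[]={
/* ------------------------------------------------------------ */
/* Native FW-Sam plugin (self assembled packet) */
{	NULL,
	FWSamParse,
	FWSamBlock,
	NULL,
	NULL,
	FALSE,
	TRUE,
	TH_MULTI,
	"fwsam",
	"Frank Knobbe",
	"2.5"
},
/* ------------------------------------------------------------ */
/* Old fwexec, now plugin */
{	NULL,
	FWExecParse,
	FWExecBlock,
	NULL,
	NULL,
	FALSE,
	TRUE,
	TH_SINGLE,
	"fwexec",
	"Frank Knobbe",
	"2.7"
},
/* ------------------------------------------------------------ */
/* OPSEC compliant plugin */
#ifdef ENABLE_OPSEC
{	NULL,
	OPSEC_Parse,
	OPSEC_Block,
	NULL,
	NULL,
	FALSE,
	TRUE,
	TH_NONE,
	"opsec",
	"Frank Knobbe",
	"2.6"
},
#endif /* ENABLE_OPSEC */
/* ------------------------------------------------------------ */
/* PIX Plugin (using the SHUN command) */
{	NULL,
	PIXParse,
	PIXBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_MULTI,
	"pix",
	"Frank Knobbe",
	"2.9"
},
/* ------------------------------------------------------------ */
/* CISCO ACL Plugin  */
{	NULL,
	CISCOACLParse,
	CISCOACLBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"ciscoacl",
	"Ali Basel <alib@sabanciuniv.edu>",
	"2.12"
},
/* ------------------------------------------------------------ */
/* Cisco Null Route Plugin  */
{	NULL,
	CiscoNullRouteParse,
	CiscoNullRouteBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_MULTI,
	"cisconullroute",
	"Frank Knobbe",
	"2.5"
},
/* ------------------------------------------------------------ */
/* Cisco Null Route2 Plugin  */
{	NULL,
	CiscoNullRoute2Parse,
	CiscoNullRoute2Block,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_MULTI,
	"cisconullroute2",
	"Wouter de Jong <maddog2k@maddog2k.net>",
	"2.2"
},
/* ------------------------------------------------------------ */
/* Netscreen Plugin (deny-group) */
{	NULL,
	NetScrnParse,
	NetScrnBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_MULTI,
	"netscreen",
	"Frank Knobbe",
	"2.10"
},
/* ------------------------------------------------------------ */
#if !defined(WIN32) && !defined(Linux) && !defined(OpenBSD)
/* IPFilter Plugin */
{	NULL,
	IPFParse,
	IPFBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"ipf",
	"Erik Sneep <erik@webflex.nl>",
	"2.16"
},
#endif
/* ------------------------------------------------------------ */
#ifdef USE_SSP_PF
#if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
/* PF Plugin */
{	NULL,
	PFParse,
	PFBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"pf",
	"Hector Paterno <apaterno@dsnsecurity.com>",
	"3.6"
},
#endif
#endif /* USE_SSP_PF */
/* ------------------------------------------------------------ */
#ifndef USE_SSP_PF
#if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
/* PF2 Plugin */
{	NULL,
	PF2Parse,
	PF2Block,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"pf2",
	"Olaf Schreck <chakl@syscall.de>",
	"3.3"
},
#endif
#endif  /* !USE_SSP_PF */
/* ------------------------------------------------------------ */
#ifdef FreeBSD
/* IPFW2 Plugin */
{	NULL,
	IPFW2Parse,
	IPFW2Block,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"ipfw2",
	"Robert Rolfe <rob@wehostwebpages.com>",
	"2.4"
},
#endif /* FreeBSD */
/* ------------------------------------------------------------ */
#ifdef Linux
/* Ipchains Plugin */
{	NULL,
	IPCHParse,
	IPCHBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"ipchains",
	"Hector A. Paterno <apaterno@dsnsecurity.com>",
	"2.8"
},
/* ------------------------------------------------------------ */
/* Iptables Plugin */
{	NULL,
	IPTParse,
	IPTBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"iptables",
	"Fabrizio Tivano <fabrizio@sad.it>, Luis Marichal <luismarichal@gmail.com>",
	"2.9"
},
/* ------------------------------------------------------------ */
/* EBtables Plugin */
{	NULL,
	EBTParse,
	EBTBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"ebtables",
	"Bruno Scatolin <ipsystems@uol.com.br>",
	"2.4"
},
#endif /* Linux */
/* ------------------------------------------------------------ */
/* Watchguard plugin */
{	NULL,
	WGRDParse,
	WGRDBlock,
	NULL,
	NULL,
	FALSE,
	TRUE,
	TH_MULTI,
	"watchguard",
	"Thomas Maier <thomas.maier@arcos.de>",
	"2.7"
},
/* ------------------------------------------------------------ */
#ifdef WIN32
/* 8signs plugin */
/* PluginNeedsExpiration is TRUE here: actually FALSE since the firewall can
   expire blocks itself, but it only takes day, week, or forever, so we just
   time-out ourselves. */
{	NULL,
	DFWParse,
	DFWBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"8signs",
	"Frank Knobbe",		/* comma was missing: author and version were merged into one string */
	"2.3"
},
/* ------------------------------------------------------------ */
/* CHX-I plugin */
{	NULL,
	CHXIParse,
	CHXIBlock,
	NULL,
	NULL,
	FALSE,
	TRUE,
	TH_SINGLE,
	"chx-i",
	"Frank Knobbe",		/* comma was missing: author and version were merged into one string */
	"2.4"
},
/* ------------------------------------------------------------ */
#ifdef WITH_ISA2002
/* Microsoft ISA Server plugin */
{	NULL,
	ISAParse,
	ISABlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_NONE,	/* Maybe single. (COM interfaces calling restrictions) */
	"isa",
	"Nima Sharifi Mehr <nimahacker@yahoo.com>",
	"2.4"
},
#endif /* WITH_ISA2002 */
/* ------------------------------------------------------------ */
#ifdef WITH_ISA2004
/* Microsoft ISA 2004 Server plugin */
{	NULL,
	ISAParse2004,
	ISABlock2004,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_NONE,	/* Maybe single. (COM interfaces calling restrictions) */
	"isa2004",
	"Mark P Clift <mark_clift@yahoo.com>",
	"2.2"
},
#endif /* WITH_ISA2004 */
#endif /* WIN32 */
/* ------------------------------------------------------------ */
/* Email Notification plugin */
{	NULL,
	EmailParse,
	EmailSend,
	NULL,
	NULL,
	TRUE,
	FALSE,		/* no re-send on USR1 reload: emails would cause a flood */
	TH_MULTI,
	"email",
	"Frank Knobbe",
	"2.12"
},
/* ------------------------------------------------------------ */
/* Email Block only Notification plugin */
{	NULL,
	EmailParse,
	EmailSendBlockOnly,
	NULL,
	NULL,
	FALSE,
	FALSE,		/* no re-send on USR1 reload: emails would cause a flood */
	TH_MULTI,
	"email-blocks-only",
	"Frank Knobbe",
	"2.12"
},
/* ------------------------------------------------------------ */
/* SNMP Interface Down plugin */
{	NULL,
	SNMPINTERFACEDOWNParse,
	SNMPINTERFACEDOWNBlock,
	NULL,
	NULL,
	TRUE,
	TRUE,
	TH_SINGLE,
	"snmpinterfacedown",
	"Ali BASEL <ali@basel.name.tr>",
	"2.3"
},
/* ------------------------------------------------------------ */
/* Forwarder plugin */
{	NULL,
	ForwardParse,
	ForwardBlock,
	ForwardExit,
	NULL,
	FALSE,
	FALSE,		/* "forward" should not forward blocks again on USR1 reload */
	TH_MULTI,
	"forward",
	"Frank Knobbe",
	"2.8"
}
/* ------------------------------------------------------------ */
/* add other plugins here (put a comma after the entry above first) */
};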
510 
511 
512 #endif /* __PLUGINS_H__ */
513