#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "snort.h"
#include "detect.h"
#include "decode.h"
#include "log.h"
#include "event.h"
#include "generators.h"
#include "debug.h"
#include "plugbase.h"
#include "util.h"
#include "event_queue.h"
#include "stream.h"
#include "hi_return_codes.h"
#include "hi_ui_config.h"
#include "hi_ui_iis_unicode_map.h"
#include "hi_si.h"
#include "hi_mi.h"
#include "hi_norm.h"
Defines | |
#define | MAX_FILENAME 1000 |
#define | CONF_SEPARATORS " \t\n\r" |
#define | GLOBAL "global" |
#define | GLOBAL_SERVER "global_server" |
#define | SERVER "server" |
#define | MAX_PIPELINE "max_pipeline" |
#define | ANOMALOUS_SERVERS "detect_anomalous_servers" |
#define | PROXY_ALERT "proxy_alert" |
#define | INSPECT_TYPE "inspection_type" |
#define | DEFAULT "default" |
#define | INSPECT_TYPE_STATELESS "stateless" |
#define | INSPECT_TYPE_STATEFUL "stateful" |
#define | PORTS "ports" |
#define | FLOW_DEPTH "flow_depth" |
#define | IIS_UNICODE_MAP "iis_unicode_map" |
#define | CHUNK_LENGTH "chunk_length" |
#define | PIPELINE "no_pipeline_req" |
#define | ASCII "ascii" |
#define | DOUBLE_DECODE "double_decode" |
#define | U_ENCODE "u_encode" |
#define | BARE_BYTE "bare_byte" |
#define | BASE36 "base36" |
#define | UTF_8 "utf_8" |
#define | IIS_UNICODE "iis_unicode" |
#define | NON_RFC_CHAR "non_rfc_char" |
#define | MULTI_SLASH "multi_slash" |
#define | IIS_BACKSLASH "iis_backslash" |
#define | DIRECTORY "directory" |
#define | APACHE_WS "apache_whitespace" |
#define | IIS_DELIMITER "iis_delimiter" |
#define | PROFILE "profile" |
#define | NON_STRICT "non_strict" |
#define | ALLOW_PROXY "allow_proxy_use" |
#define | OVERSIZE_DIR "oversize_dir_length" |
#define | INSPECT_URI_ONLY "inspect_uri_only" |
#define | GLOBAL_ALERT "no_alerts" |
#define | WEBROOT "webroot" |
#define | TAB_URI_DELIMITER "tab_uri_delimiter" |
#define | BOOL_YES "yes" |
#define | BOOL_NO "no" |
#define | APACHE "apache" |
#define | IIS "iis" |
#define | ALL "all" |
#define | START_PORT_LIST "{" |
#define | END_PORT_LIST "}" |
#define | SERVER_DEFAULT "default" |
Functions | |
static int | ProcessMaxPipeline (HTTPINSPECT_GLOBAL_CONF *GlobalConf, char *ErrorString, int ErrStrLen) |
static int | ProcessInspectType (HTTPINSPECT_GLOBAL_CONF *GlobalConf, char *ErrorString, int ErrStrLen) |
static int | ProcessIISUnicodeMap (int **iis_unicode_map, char **iis_unicode_map_filename, int *iis_unicode_map_codepage, char *ErrorString, int ErrStrLen) |
static int | ProcessOversizeDir (HTTPINSPECT_CONF *ServerConf, char *ErrorString, int ErrStrLen) |
static int | ProcessGlobalConf (HTTPINSPECT_GLOBAL_CONF *GlobalConf, char *ErrorString, int ErrStrLen) |
static int | ProcessProfile (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HTTPINSPECT_CONF *ServerConf, char *ErrorString, int ErrStrLen) |
static int | ProcessPorts (HTTPINSPECT_CONF *ServerConf, char *ErrorString, int ErrStrLen) |
static int | ProcessFlowDepth (HTTPINSPECT_CONF *ServerConf, char *ErrorString, int ErrStrLen) |
static int | ProcessChunkLength (HTTPINSPECT_CONF *ServerConf, char *ErrorString, int ErrStrLen) |
static int | ProcessConfOpt (HTTPINSPECT_CONF_OPT *ConfOpt, char *Option, char *ErrorString, int ErrStrLen) |
static int | ProcessNonRfcChar (HTTPINSPECT_CONF *ServerConf, char *ErrorString, int ErrStrLen) |
static int | ProcessServerConf (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HTTPINSPECT_CONF *ServerConf, char *ErrorString, int ErrStrLen) |
static int | PrintConfOpt (HTTPINSPECT_CONF_OPT *ConfOpt, char *Option) |
static int | PrintServerConf (HTTPINSPECT_CONF *ServerConf) |
static int | ProcessUniqueServerConf (HTTPINSPECT_GLOBAL_CONF *GlobalConf, char *ErrorString, int ErrStrLen) |
static int | PrintGlobalConf (HTTPINSPECT_GLOBAL_CONF *GlobalConf) |
int | HttpInspectSnortConf (HTTPINSPECT_GLOBAL_CONF *GlobalConf, char *args, int iGlobal, char *ErrorString, int ErrStrLen) |
static int | LogEvents (HI_SESSION *hi_ssn, Packet *p, int iInspectMode) |
static int | SetSiInput (HI_SI_INPUT *SiInput, Packet *p) |
int | SnortHttpInspect (HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p) |
Variables | |
PV | pv |
The file takes a Packet structure from the Snort IDS to start the HttpInspect flow. This also uses the Stream Interface Module which is also Snort-centric. Mainly, just a wrapper to HttpInspect functionality, but a key part to starting the basic flow.
The main bulk of this file is taken up with user configuration and parsing. The reason this is so large is because HttpInspect takes very detailed configuration parameters for each specified server. Hopefully every web server that is out there can be emulated with these configuration options.
The main functions of note are:
NOTES:
Definition in file snort_httpinspect.c.
Definition at line 149 of file snort_httpinspect.c. Referenced by ProcessProfile(). |
Definition at line 131 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Specifies whether to alert on anomalous HTTP servers or not. Definition at line 90 of file snort_httpinspect.c. Referenced by ProcessGlobalConf(). |
Definition at line 147 of file snort_httpinspect.c. Referenced by ProcessProfile(). |
Definition at line 127 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 116 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 119 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 120 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 142 of file snort_httpinspect.c. Referenced by ProcessConfOpt(). |
Definition at line 141 of file snort_httpinspect.c. Referenced by ProcessConfOpt(). |
Definition at line 114 of file snort_httpinspect.c. Referenced by ProcessChunkLength(), and ProcessServerConf(). |
The definition of the configuration separators in the snort.conf configure line. Definition at line 68 of file snort_httpinspect.c. Referenced by HttpInspectSnortConf(), ProcessArgs(), ProcessChunkLength(), ProcessConfOpt(), ProcessFlowDepth(), ProcessGlobalConf(), ProcessIISUnicodeMap(), ProcessInspectType(), ProcessMaxPipeline(), ProcessNonRfcChar(), ProcessOptionList(), ProcessOversizeDir(), ProcessPorts(), ProcessProfile(), ProcessServerConf(), ProcessUniqueServerConf(), and XLINK2STATE_ParseArgs(). |
Definition at line 100 of file snort_httpinspect.c. |
Definition at line 126 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 117 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 155 of file snort_httpinspect.c. Referenced by ProcessNonRfcChar(), and ProcessPorts(). |
Definition at line 112 of file snort_httpinspect.c. Referenced by ProcessFlowDepth(), and ProcessServerConf(). |
Definition at line 75 of file snort_httpinspect.c. Referenced by HttpInspectSnortConf(), ProcessGlobalConf(), and ProcessServerConf(). |
Definition at line 134 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 76 of file snort_httpinspect.c. Referenced by ProcessUniqueServerConf(). |
Definition at line 148 of file snort_httpinspect.c. Referenced by ProcessProfile(). |
Definition at line 125 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 128 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 122 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 113 of file snort_httpinspect.c. Referenced by ProcessGlobalConf(), ProcessIISUnicodeMap(), and ProcessServerConf(). |
Takes an inspection type argument, stateful or stateless. Definition at line 99 of file snort_httpinspect.c. Referenced by ProcessGlobalConf(), and ProcessInspectType(). |
Definition at line 106 of file snort_httpinspect.c. Referenced by ProcessInspectType(). |
Definition at line 105 of file snort_httpinspect.c. Referenced by ProcessInspectType(). |
Definition at line 133 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 62 of file snort_httpinspect.c. Referenced by ProcessIISUnicodeMap(). |
Takes an integer argument. Definition at line 85 of file snort_httpinspect.c. Referenced by ProcessGlobalConf(), and ProcessMaxPipeline(). |
Definition at line 124 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 123 of file snort_httpinspect.c. Referenced by ProcessNonRfcChar(), and ProcessServerConf(). |
Definition at line 130 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 132 of file snort_httpinspect.c. Referenced by ProcessOversizeDir(), and ProcessServerConf(). |
Definition at line 115 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 111 of file snort_httpinspect.c. Referenced by ProcessPorts(), ProcessServerConf(), and XLINK2STATE_ParseArgs(). |
Definition at line 129 of file snort_httpinspect.c. Referenced by ProcessProfile(), and ProcessServerConf(). |
Alert on general proxy use Definition at line 94 of file snort_httpinspect.c. Referenced by ProcessGlobalConf(). |
Definition at line 77 of file snort_httpinspect.c. Referenced by HttpInspectSnortConf(), and ProcessUniqueServerConf(). |
Definition at line 160 of file snort_httpinspect.c. Referenced by ProcessUniqueServerConf(). |
Definition at line 154 of file snort_httpinspect.c. Referenced by ProcessNonRfcChar(), and ProcessPorts(). |
Definition at line 136 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 118 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 121 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
Definition at line 135 of file snort_httpinspect.c. Referenced by ProcessServerConf(). |
This function takes the HttpInspect configuration line from the snort.conf and creates an HttpInspect configuration. This routine takes care of the snort-specific configuration processing and calls the generic routines to add specific server configurations. It sets the configuration structure elements in this routine. The ErrorString is passed in as a pointer, and the ErrStrLen tells us the length of the buffer it points to.
Definition at line 1808 of file snort_httpinspect.c. References CONF_SEPARATORS, GLOBAL, s_HTTPINSPECT_GLOBAL_CONF::global_server, hi_ui_config_reset_global(), hi_ui_config_reset_server(), NULL, PrintGlobalConf(), ProcessGlobalConf(), ProcessUniqueServerConf(), SERVER, and snprintf. Referenced by HttpInspectInit(). |
This is the routine that logs HttpInspect alerts through Snort. Every session gets looked at for any logged events, and if there are events to be logged then we select the one with the highest priority. We use a generic event structure that we set for each different event structure. This way we can use the same code for event logging regardless of what type of event structure we are dealing with. The important thing to know about this function is how to work with the event queue. The number of unique events is contained in the stack_count variable. So we loop through all the unique events and find which one has the highest priority. During this loop, we also re-initialize the individual event counts for the next iteration, saving us time in a separate initialization phase. After we've iterated through all the events and found the one with the highest priority, we then log that event through Snort. We've mapped the HttpInspect and the Snort alert IDs together, so we can access them directly instead of having a more complex mapping function. It's the only good way to do this.
Definition at line 1978 of file snort_httpinspect.c. References s_HI_EVENT_INFO::alert_id, s_HI_EVENT_INFO::alert_str, s_HI_SESSION::anom_server, s_HI_SESSION::client, s_HI_EVENT::count, s_HI_EVENT::event_info, s_HI_ANOM_SERVER::event_list, s_HI_CLIENT::event_list, s_HI_ANOM_SERVER_EVENTS::events, s_HI_CLIENT_EVENTS::events, s_HI_GEN_EVENTS::events, GENERATOR_SPP_HTTP_INSPECT_ANOM_SERVER, GENERATOR_SPP_HTTP_INSPECT_CLIENT, HI_SI_CLIENT_MODE, HI_SI_SERVER_MODE, _Session::http_alert_flags, NULL, s_HI_EVENT_INFO::priority, SnortEventqAdd(), _Packet::ssnptr, s_HI_ANOM_SERVER_EVENTS::stack, s_HI_CLIENT_EVENTS::stack, s_HI_GEN_EVENTS::stack, s_HI_ANOM_SERVER_EVENTS::stack_count, s_HI_CLIENT_EVENTS::stack_count, and s_HI_GEN_EVENTS::stack_count. Referenced by SnortHttpInspect(). |
Definition at line 1511 of file snort_httpinspect.c. References s_HTTPINSPECT_CONF_OPT::alert, HI_INVALID_ARG, LogMessage(), and s_HTTPINSPECT_CONF_OPT::on. Referenced by PrintServerConf(). |
Definition at line 1758 of file snort_httpinspect.c. References s_HTTPINSPECT_GLOBAL_CONF::iis_unicode_codepage, s_HTTPINSPECT_GLOBAL_CONF::iis_unicode_map_filename, s_HTTPINSPECT_GLOBAL_CONF::inspection_type, LogMessage(), s_HTTPINSPECT_GLOBAL_CONF::max_pipeline_requests, and s_HTTPINSPECT_GLOBAL_CONF::proxy_alert. Referenced by HttpInspectSnortConf(). |
Process and verify the chunk length for the server configuration.
Definition at line 924 of file snort_httpinspect.c. References s_HTTPINSPECT_CONF::chunk_length, CHUNK_LENGTH, CONF_SEPARATORS, NULL, snprintf, and strtol(). Referenced by ProcessServerConf(). |
Set the CONF_OPT on and alert fields. We check to make sure the parameters are valid and then set the appropriate fields. There is not much more to it than that.
Definition at line 985 of file snort_httpinspect.c. References s_HTTPINSPECT_CONF_OPT::alert, BOOL_NO, BOOL_YES, CONF_SEPARATORS, NULL, s_HTTPINSPECT_CONF_OPT::on, and snprintf. Referenced by ProcessServerConf(). |
Configure the flow depth for a server. Check that the value for flow depth is within bounds and is a valid number.
Definition at line 866 of file snort_httpinspect.c. References CONF_SEPARATORS, s_HTTPINSPECT_CONF::flow_depth, FLOW_DEPTH, NULL, snprintf, and strtol(). Referenced by ProcessServerConf(). |
This is where we process the global configuration for HttpInspect. We set the values of the global configuration here. Any errors that are encountered are described in the error string, and the type of error (fatal or non-fatal) is returned through the return code. The configuration options that are dealt with here are:
Definition at line 541 of file snort_httpinspect.c. References s_HTTPINSPECT_GLOBAL_CONF::anomalous_servers, ANOMALOUS_SERVERS, CONF_SEPARATORS, GLOBAL, s_HTTPINSPECT_GLOBAL_CONF::iis_unicode_codepage, s_HTTPINSPECT_GLOBAL_CONF::iis_unicode_map, IIS_UNICODE_MAP, s_HTTPINSPECT_GLOBAL_CONF::iis_unicode_map_filename, INSPECT_TYPE, MAX_PIPELINE, NULL, ProcessIISUnicodeMap(), ProcessInspectType(), ProcessMaxPipeline(), s_HTTPINSPECT_GLOBAL_CONF::proxy_alert, PROXY_ALERT, and snprintf. Referenced by HttpInspectSnortConf(). |
Definition at line 328 of file snort_httpinspect.c. References CONF_SEPARATORS, _progvars::config_dir, HI_FATAL_ERR, HI_INVALID_FILE, hi_ui_parse_iis_unicode_map(), IIS_UNICODE_MAP, MAX_FILENAME, NULL, snprintf, and strtol(). Referenced by ProcessGlobalConf(), and ProcessServerConf(). |
Process the type of inspection. This sets the type of inspection for HttpInspect to do.
Definition at line 283 of file snort_httpinspect.c. References CONF_SEPARATORS, HI_UI_CONFIG_STATEFUL, HI_UI_CONFIG_STATELESS, INSPECT_TYPE, INSPECT_TYPE_STATEFUL, INSPECT_TYPE_STATELESS, s_HTTPINSPECT_GLOBAL_CONF::inspection_type, NULL, and snprintf. Referenced by ProcessGlobalConf(). |
Process the max pipeline configuration. This sets the maximum number of pipeline requests that we will buffer while waiting for responses, before inspection. There is a maximum limit on this, but we can track a user defined amount.
Definition at line 217 of file snort_httpinspect.c. References CONF_SEPARATORS, HI_UI_CONFIG_MAX_PIPE, MAX_PIPELINE, s_HTTPINSPECT_GLOBAL_CONF::max_pipeline_requests, NULL, snprintf, and strtol(). Referenced by ProcessGlobalConf(). |
Definition at line 1045 of file snort_httpinspect.c. References CONF_SEPARATORS, END_PORT_LIST, NON_RFC_CHAR, s_HTTPINSPECT_CONF::non_rfc_chars, NULL, snprintf, START_PORT_LIST, and strtol(). Referenced by ProcessServerConf(). |
Definition at line 475 of file snort_httpinspect.c. References CONF_SEPARATORS, s_HTTPINSPECT_CONF::long_dir, NULL, OVERSIZE_DIR, snprintf, and strtol(). Referenced by ProcessServerConf(). |
Process the port list for the server configuration. This configuration is a list of valid ports and is ended by a delimiter.
Definition at line 771 of file snort_httpinspect.c. References CONF_SEPARATORS, END_PORT_LIST, NULL, s_HTTPINSPECT_CONF::port_count, PORTS, s_HTTPINSPECT_CONF::ports, snprintf, START_PORT_LIST, and strtol(). Referenced by ProcessServerConf(), and XLINK2STATE_ParseArgs(). |
Process the PROFILE configuration. This function verifies that the argument to the profile configuration is valid. We also check to make sure there is no additional configuration after the PROFILE. This is not allowed, so we alert on that fact.
Definition at line 655 of file snort_httpinspect.c. References ALL, APACHE, CONF_SEPARATORS, HI_MEM_ALLOC_FAIL, hi_ui_config_set_profile_all(), hi_ui_config_set_profile_apache(), hi_ui_config_set_profile_iis(), IIS, s_HTTPINSPECT_GLOBAL_CONF::iis_unicode_map, NULL, PROFILE, and snprintf. Referenced by ProcessServerConf(). |
Definition at line 1628 of file snort_httpinspect.c. References CONF_SEPARATORS, s_HTTPINSPECT_GLOBAL_CONF::global_server, GLOBAL_SERVER, HI_NONFATAL_ERR, hi_ui_config_add_server(), hi_ui_config_reset_server(), LogMessage(), memset, NULL, PrintServerConf(), ProcessServerConf(), SERVER, SERVER_DEFAULT, and snprintf. Referenced by HttpInspectSnortConf(). |
Definition at line 2108 of file snort_httpinspect.c. References s_HI_SI_INPUT::dip, _Packet::dp, s_HI_SI_INPUT::dport, HI_SI_CLIENT_MODE, HI_SI_NO_MODE, HI_SI_SERVER_MODE, HI_SUCCESS, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, NULL, _Packet::packet_flags, s_HI_SI_INPUT::pdir, PKT_FROM_CLIENT, PKT_FROM_SERVER, _Session::session_flags, s_HI_SI_INPUT::sip, _Packet::sp, s_HI_SI_INPUT::sport, SSNFLAG_MIDSTREAM, and _Packet::ssnptr. Referenced by SnortHttpInspect(). |
This function calls the HttpInspect function that processes an HTTP session. We need to instantiate a pointer for the HI_SESSION that HttpInspect fills in. Right now stateless processing fills in this session, which we then normalize and eventually detect on. We'll have to handle the normalization events, etc. separately. This function is where we can see, from the highest level, what the HttpInspect flow looks like.
Definition at line 2171 of file snort_httpinspect.c. References s_HI_SESSION::anom_server, s_HI_SESSION::client, _Packet::data, _HttpUri::decode_flags, Detect(), do_detect, _Packet::dsize, s_HI_ANOM_SERVER::event_list, s_HTTPINSPECT_CONF::flow_depth, s_HI_SERVER::header_size, hi_mi_mode_inspection(), hi_normalization(), HI_SI_CLIENT_MODE, HI_SI_SERVER_MODE, hi_si_session_inspection(), HTTPURI_PIPELINE_REQ, _Packet::iph, _HttpUri::length, LogEvents(), NULL, otn_tmp, _Packet::packet_flags, s_HI_CLIENT_REQ::pipeline_req, PKT_HTTP_DECODE, PP_PORTSCAN, PP_STREAM4, _Packet::preprocessors, s_HI_CLIENT::request, s_HI_SESSION::server, s_HI_SESSION::server_conf, SetSiInput(), s_HI_ANOM_SERVER_EVENTS::stack_count, _Packet::tcph, _HttpUri::uri, s_HI_CLIENT_REQ::uri, URI_COUNT, _Packet::uri_count, s_HI_CLIENT_REQ::uri_norm, s_HI_CLIENT_REQ::uri_norm_size, s_HTTPINSPECT_CONF::uri_only, s_HI_CLIENT_REQ::uri_size, and UriBufs. Referenced by HttpInspect(). |