
sp_asn1.c File Reference

Decode and detect ASN.1 types, lengths, and data. More...

#include <sys/types.h>
#include <stdlib.h>
#include <ctype.h>
#include "bounds.h"
#include "rules.h"
#include "decode.h"
#include "plugbase.h"
#include "parser.h"
#include "debug.h"
#include "util.h"
#include "plugin_enum.h"
#include "asn1.h"


Defines

#define BITSTRING_OPT   "bitstring_overflow"
#define DOUBLE_OPT   "double_overflow"
#define LENGTH_OPT   "oversize_length"
#define DBL_FREE_OPT   "double_free"
#define ABS_OFFSET_OPT   "absolute_offset"
#define REL_OFFSET_OPT   "relative_offset"
#define PRINT_OPT   "print"
#define ABS_OFFSET   1
#define REL_OFFSET   2
#define DELIMITERS   " ,\t\n"

Typedefs

typedef struct s_ASN1_CTXT ASN1_CTXT

Functions

static void Asn1RuleParse (char *data, OptTreeNode *otn, ASN1_CTXT *asn1)
static int BitStringOverflow (ASN1_TYPE *asn1, void *user)
static int DetectBitStringOverflow (ASN1_TYPE *asn1)
static int DoubleOverflow (ASN1_TYPE *asn1, void *user)
static int DetectDoubleOverflow (ASN1_TYPE *asn1)
static int OversizeLength (ASN1_TYPE *asn1, void *user)
static int DetectOversizeLength (ASN1_TYPE *asn1, unsigned int max_size)
static int Asn1DetectFuncs (ASN1_TYPE *asn1, ASN1_CTXT *ctxt, int dec_ret_val)
static int Asn1Detect (Packet *p, OptTreeNode *otn, OptFpList *fp_list)
static void Asn1Init (char *data, OptTreeNode *otn, int protocol)
void SetupAsn1 ()

Variables

u_int8_t * doe_ptr


Detailed Description

Decode and detect ASN.1 types, lengths, and data.

Author:
Daniel Roelker <droelker@sourcefire.com>
Copyright (C) 2004, Daniel Roelker and Sourcefire, Inc.

This detection plugin adds ASN.1 detection functions on a per-rule basis. New ASN.1 detection functions are added by editing this file and exposing them as rule options in the option parser (Asn1RuleParse).

Detection Plugin Interface:

asn1: [detection function],[arguments],[offset type],[size]

Detection Functions:

  • bitstring_overflow: no arguments
  • double_overflow: no arguments
  • oversize_length: max size (if no max size is given, the option alerts on the decoder's return value instead, i.e. on a malformed length encoding)

Offset types (one of the two must be given; the offset is where decoding starts):

  • absolute_offset <n>: n bytes from the start of the packet payload
  • relative_offset <n>: n bytes from doe_ptr, the end of the preceding content match in the same rule

Examples:

alert udp any any -> any 161 (msg:"foo"; \
    asn1: oversize_length 10000, absolute_offset 0;)

alert tcp any any -> any 162 (msg:"foo2"; \
    asn1: bitstring_overflow, oversize_length 500, relative_offset 7;)

Note that further general information about ASN.1 can be found in the file doc/README.asn1.

Definition in file sp_asn1.c.


Define Documentation

#define ABS_OFFSET   1
 

Definition at line 64 of file sp_asn1.c.

Referenced by Asn1Detect(), and Asn1RuleParse().

#define ABS_OFFSET_OPT   "absolute_offset"
 

Definition at line 60 of file sp_asn1.c.

Referenced by Asn1RuleParse().

#define BITSTRING_OPT   "bitstring_overflow"
 

Definition at line 55 of file sp_asn1.c.

Referenced by Asn1RuleParse().

#define DBL_FREE_OPT   "double_free"
 

Definition at line 58 of file sp_asn1.c.

#define DELIMITERS   " ,\t\n"
 

Definition at line 67 of file sp_asn1.c.

Referenced by Asn1RuleParse(), ParseLogFile(), ParseMemcap(), ParseProtos(), ParseScanType(), ParseSenseLevel(), and PortscanInit().

#define DOUBLE_OPT   "double_overflow"
 

Definition at line 56 of file sp_asn1.c.

Referenced by Asn1RuleParse().

#define LENGTH_OPT   "oversize_length"
 

Definition at line 57 of file sp_asn1.c.

Referenced by Asn1RuleParse().

#define PRINT_OPT   "print"
 

Definition at line 62 of file sp_asn1.c.

Referenced by Asn1RuleParse().

#define REL_OFFSET   2
 

Definition at line 65 of file sp_asn1.c.

Referenced by Asn1Detect(), and Asn1RuleParse().

#define REL_OFFSET_OPT   "relative_offset"
 

Definition at line 61 of file sp_asn1.c.

Referenced by Asn1RuleParse().


Typedef Documentation

typedef struct s_ASN1_CTXT ASN1_CTXT
 


Function Documentation

static int Asn1Detect (Packet *p, OptTreeNode *otn, OptFpList *fp_list)   [static]


The main Snort detection function. We grab the context pointer from the OTN and go forth. Every offset is checked against the payload bounds before decoding starts.

Returns:
integer
Return values:
0 failed
1 detected

Definition at line 433 of file sp_asn1.c.

References ABS_OFFSET, asn1_decode(), Asn1DetectFuncs(), _OptFpList::context, _Packet::data, DEBUG_ASN1, DEBUG_WRAP, doe_ptr, _Packet::dsize, inBounds(), _OptFpList::next, NULL, s_ASN1_CTXT::offset, s_ASN1_CTXT::offset_type, _OptFpList::OptTestFunc, and REL_OFFSET.

Referenced by Asn1Init().
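As an added illustration of the offset handling Asn1Detect performs (example code written for this page, not taken from sp_asn1.c): absolute_offset counts from the start of the payload, relative_offset counts from doe_ptr, the end of the preceding content match, and a start pointer that would land outside the payload makes the option fail rather than decode out of bounds. The Pkt and Ctxt structures, in_bounds(), asn1_start() and resolve() are stand-ins named for this example, and the 16-octet payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offset types as sp_asn1.c defines them. */
#define ABS_OFFSET 1
#define REL_OFFSET 2

/* Stand-ins for the Packet and s_ASN1_CTXT fields used here (assumption:
 * the real Snort structures carry many more members). */
typedef struct { const uint8_t *data; uint16_t dsize; } Pkt;
typedef struct { int offset_type; int offset; } Ctxt;

/* Same contract as Snort's inBounds(): p must lie inside [start, end). */
static int in_bounds(const uint8_t *start, const uint8_t *end, const uint8_t *p)
{
    return p >= start && p < end;
}

/* Where decoding starts. doe_ptr is the "detect offset end" left behind by the
 * last content match on this packet, NULL if none matched. Returns NULL when
 * the configured offset cannot be honoured, which makes the option fail. */
static const uint8_t *asn1_start(const Pkt *p, const Ctxt *c, const uint8_t *doe_ptr)
{
    const uint8_t *end = p->data + p->dsize;
    const uint8_t *base = p->data;
    ptrdiff_t off = c->offset;

    if (c->offset_type == REL_OFFSET) {
        if (doe_ptr == NULL)
            return NULL;                 /* relative_offset without a prior match */
        base = doe_ptr;
    }
    /* Decide with integer arithmetic first: forming base + off and only then
     * checking it is already undefined behaviour when off leaves the buffer. */
    if (off < 0 ? (-off > base - p->data) : (off >= end - base))
        return NULL;
    return in_bounds(p->data, end, base + off) ? base + off : NULL;
}

/* Constructed 16-octet payload; returns the index decoding starts at, or -1. */
static int resolve(int offset_type, int offset, int doe_index)
{
    static const uint8_t payload[16] = {
        0x30, 0x0e, 0x02, 0x01, 0x00, 0x04, 0x06, 'p',
        'u', 'b', 'l', 'i', 'c', 0xa0, 0x01, 0x00 };
    Pkt p = { payload, sizeof payload };
    Ctxt c = { offset_type, offset };
    const uint8_t *doe = doe_index < 0 ? NULL : payload + doe_index;
    const uint8_t *s = asn1_start(&p, &c, doe);
    return s ? (int)(s - payload) : -1;
}

int main(void)
{
    printf("absolute_offset 0          -> %d\n", resolve(ABS_OFFSET, 0, -1));
    printf("relative_offset 7, doe 4   -> %d\n", resolve(REL_OFFSET, 7, 4));
    printf("relative_offset 7, doe 10  -> %d\n", resolve(REL_OFFSET, 7, 10));
    printf("absolute_offset 16         -> %d\n", resolve(ABS_OFFSET, 16, -1));
    return 0;
}
```

A negative relative offset is legal as long as it does not step back before the start of the payload; a relative offset with no prior content match fails outright because there is no doe_ptr to be relative to.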

static int Asn1DetectFuncs (ASN1_TYPE *asn1, ASN1_CTXT *ctxt, int dec_ret_val)   [static]


The main dispatch function for the ASN.1 detection types: runs each check the rule asked for against the decoded type tree.

Returns:
integer
Return values:
0 failed
1 detected

Definition at line 362 of file sp_asn1.c.

References ASN1_ERR_OVERLONG_LEN, asn1_print_types(), asn1_traverse(), s_ASN1_CTXT::bs_overflow, DetectBitStringOverflow(), DetectDoubleOverflow(), DetectOversizeLength(), s_ASN1_CTXT::double_overflow, s_ASN1_CTXT::length, s_ASN1_CTXT::max_length, NULL, and s_ASN1_CTXT::print.

Referenced by Asn1Detect().

static void Asn1Init (char *data, OptTreeNode *otn, int protocol)   [static]
 

Definition at line 530 of file sp_asn1.c.

References AddOptFuncToList(), Asn1Detect(), Asn1RuleParse(), _OptFpList::context, memset, and SnortAlloc().

Referenced by SetupAsn1().

static void Asn1RuleParse (char *data, OptTreeNode *otn, ASN1_CTXT *asn1)   [static]


Parse the detection option arguments.

  • bitstring_overflow
  • double_overflow
  • oversize_length
  • print
  • absolute_offset
  • relative_offset

Returns:
void

Definition at line 102 of file sp_asn1.c.

References ABS_OFFSET, ABS_OFFSET_OPT, BITSTRING_OPT, s_ASN1_CTXT::bs_overflow, DELIMITERS, DOUBLE_OPT, s_ASN1_CTXT::double_overflow, FatalError(), file_line, file_name, s_ASN1_CTXT::length, LENGTH_OPT, s_ASN1_CTXT::max_length, NULL, s_ASN1_CTXT::offset, s_ASN1_CTXT::offset_type, s_ASN1_CTXT::print, PRINT_OPT, REL_OFFSET, REL_OFFSET_OPT, and strcasecmp.

Referenced by Asn1Init().

static int BitStringOverflow (ASN1_TYPE *asn1, void *user)   [static]


The necessary info to detect possible bit string overflows. Thanks once again to Microsoft for keeping us in business.

Returns:
integer
Return values:
0 failed
1 detected

Definition at line 201 of file sp_asn1.c.

References s_ASN1_TYPE::data, s_ASN1_IDENT::flag, s_ASN1_TYPE::ident, int(), s_ASN1_TYPE::len, SF_ASN1_TAG_BIT_STR, s_ASN1_LEN::size, and s_ASN1_IDENT::tag.

Referenced by DetectBitStringOverflow().

static int DetectBitStringOverflow (ASN1_TYPE *asn1)   [static]


This is just a wrapper around the traverse function. It matters because it lets us do more with individual nodes in the future.

Returns:
integer
Return values:
0 failed
1 detected

Definition at line 240 of file sp_asn1.c.

References asn1_traverse(), BitStringOverflow(), and NULL.

Referenced by Asn1DetectFuncs().

static int DetectDoubleOverflow (ASN1_TYPE *asn1)   [static]


This is just a wrapper around the traverse function. It matters because it lets us do more with individual nodes in the future.

Returns:
integer
Return values:
0 failed
1 detected

Definition at line 298 of file sp_asn1.c.

References asn1_traverse(), DoubleOverflow(), and NULL.

Referenced by Asn1DetectFuncs().

static int DetectOversizeLength (ASN1_TYPE *asn1, unsigned int max_size)   [static]


This is just a wrapper around the traverse function. It matters because it lets us do more with individual nodes in the future.

Returns:
integer
Return values:
0 failed
1 detected

Definition at line 345 of file sp_asn1.c.

References asn1_traverse(), and OversizeLength().

Referenced by Asn1DetectFuncs().

static int DoubleOverflow (ASN1_TYPE *asn1, void *user)   [static]


This is the info to detect double overflows. This may not be remotely exploitable (remote services may not call the vulnerable Microsoft function), but better safe than sorry.

Returns:
integer
Return values:
0 failed
1 detected

Definition at line 259 of file sp_asn1.c.

References s_ASN1_TYPE::data, s_ASN1_IDENT::flag, s_ASN1_TYPE::ident, s_ASN1_TYPE::len, SF_ASN1_TAG_REAL, s_ASN1_LEN::size, and s_ASN1_IDENT::tag.

Referenced by DetectDoubleOverflow().

static int OversizeLength (ASN1_TYPE *asn1, void *user)   [static]


This is the most generic of our ASN.1 detection functionalities. It compares each ASN.1 type's length against the user-defined max length and alerts if the length is greater than the user-supplied value.

Returns:
integer
Return values:
0 failed
1 detected

Definition at line 317 of file sp_asn1.c.

References s_ASN1_TYPE::len, and s_ASN1_LEN::size.

Referenced by DetectOversizeLength().
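The three detection callbacks documented above (BitStringOverflow, DoubleOverflow, OversizeLength) and the option list in the Detection Plugin Interface section, shown here as an added, self-contained example rather than the plugin's own code: a minimal definite-length BER decoder, the three checks written against the decoded ident/len/data view, and an asn1_traverse()-style walk that descends into constructed types. The tag constants, the Tlv/Opts/Hits structures, the 256-octet REAL threshold and the rule that a BIT STRING's unused-bit count may exceed neither 7 nor the bits actually present are assumptions made for this example; every sample encoding is constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Universal tag numbers; stand-ins for SF_ASN1_TAG_BIT_STR / SF_ASN1_TAG_REAL. */
#define TAG_BIT_STR 0x03
#define TAG_REAL    0x09

/* One decoded TLV: tag = low 5 bits of the identifier octet, constructed = bit 6,
 * overlong_len = the length was encoded in more octets than it needed. */
typedef struct { uint8_t tag; int constructed; uint32_t len; const uint8_t *data; int overlong_len; } Tlv;

/* Rule options as Asn1RuleParse would fill them; max_length 0 = no size given. */
typedef struct { int bs_overflow, double_overflow, oversize; uint32_t max_length; int print; } Opts;
typedef struct { int bs, dbl, oversize, decode_err; } Hits;
static const Opts opt_all10 = {1, 1, 1, 10, 0};    /* all three checks, max size 10 */
static const Opts opt_overlong = {0, 0, 1, 0, 0};  /* oversize_length without a max size */

/* Decode one definite-length BER TLV. Returns octets consumed, or -1 on error. */
static int decode_tlv(const uint8_t *buf, size_t n, Tlv *t)
{
    size_t i = 2;
    if (n < 2 || (buf[0] & 0x1f) == 0x1f) return -1;   /* high-tag-number form not handled */
    t->tag = buf[0] & 0x1f;
    t->constructed = (buf[0] & 0x20) != 0;
    t->overlong_len = 0;
    if (buf[1] < 0x80) {
        t->len = buf[1];
    } else {
        int nb = buf[1] & 0x7f;                       /* number of length octets */
        if (nb == 0 || nb > 4 || 2 + (size_t)nb > n) return -1;  /* indefinite form or absurd length */
        t->len = 0;
        for (int k = 0; k < nb; k++) t->len = (t->len << 8) | buf[i++];
        if (t->len < 0x80 || buf[2] == 0) t->overlong_len = 1; /* a shorter encoding was possible */
    }
    if (t->len > n - i) return -1;                    /* length claims more than is present */
    t->data = buf + i;
    return (int)(i + t->len);
}

/* bitstring_overflow: the first content octet of a primitive BIT STRING counts the unused
 * trailing bits; X.690 allows 0..7 and it can never exceed the bits actually present. */
static int bitstring_overflow(const Tlv *t)
{
    if (t->tag != TAG_BIT_STR || t->constructed || t->len == 0) return 0;
    return t->data[0] > 7 || t->data[0] > (t->len - 1) * 8;
}

/* double_overflow: a primitive REAL far longer than any sane encoding (threshold assumed). */
static int double_overflow(const Tlv *t)
{
    return t->tag == TAG_REAL && !t->constructed && t->len > 256;
}

/* oversize_length: with a max size compare every length against it; without one,
 * alert on the decoder's non-minimal-length result instead. */
static int oversize_length(const Tlv *t, const Opts *o)
{
    return o->max_length ? t->len > o->max_length : t->overlong_len;
}

/* Visit sibling TLVs and descend into constructed ones, as asn1_traverse() does. */
static void traverse(const uint8_t *buf, size_t n, const Opts *o, Hits *h, int depth)
{
    size_t pos = 0;
    while (pos < n) {
        Tlv t;
        int used = decode_tlv(buf + pos, n - pos, &t);
        if (used < 0) { h->decode_err = 1; return; }
        if (o->print) printf("%*stag=0x%02x %s len=%u\n", depth * 2, "", t.tag,
                             t.constructed ? "constructed" : "primitive", (unsigned)t.len);
        if (o->bs_overflow)     h->bs       += bitstring_overflow(&t);
        if (o->double_overflow) h->dbl      += double_overflow(&t);
        if (o->oversize)        h->oversize += oversize_length(&t, o);
        if (t.constructed) traverse(t.data, t.len, o, h, depth + 1);
        pos += (size_t)used;
    }
}

static Hits scan(const uint8_t *buf, size_t n, const Opts *o)
{
    Hits h = {0, 0, 0, 0};
    traverse(buf, n, o, &h, 0);
    return h;
}

/* Constructed samples, not captured traffic. */
static const uint8_t ok_seq[]   = {0x30,0x0b, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c'};
static const uint8_t bad_bits[] = {0x30,0x04, 0x03,0x02,0xff,0x00};       /* 255 unused bits */
static const uint8_t overlong[] = {0x30,0x81,0x04, 0x02,0x02,0x00,0x01};  /* length 4 in long form */

/* Primitive REAL with 300 content octets inside a SEQUENCE. */
static Hits scan_big_real(const Opts *o)
{
    uint8_t buf[308] = {0x30,0x82,0x01,0x30, 0x09,0x82,0x01,0x2c};
    memset(buf + 8, 0x41, 300);
    return scan(buf, sizeof buf, o);
}

int main(void)
{
    Hits h = scan(bad_bits, sizeof bad_bits, &opt_all10);
    printf("bitstring_overflow hits: %d, oversize hits: %d\n", h.bs, h.oversize);
    return 0;
}
```

Note that a truncated or otherwise undecodable buffer stops the walk and sets decode_err rather than reading past the end: the length in the TLV header is never trusted beyond what the buffer actually holds.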

void SetupAsn1 ()
 

Definition at line 549 of file sp_asn1.c.

References Asn1Init(), DEBUG_PLUGIN, DEBUG_WRAP, and RegisterPlugin().

Referenced by InitPlugIns().


Variable Documentation

u_int8_t* doe_ptr
 

Definition at line 72 of file sp_pattern_match.c.

Referenced by Asn1Detect(), ByteJump(), ByteTest(), CheckANDPatternMatch(), CheckUriPatternMatch(), fpEvalHeader(), fpEvalHeaderSW(), fpEvalRTNSW(), FTPBounce(), IsDataAt(), mSearch(), mSearchCI(), pcre_search(), SnortPcre(), and uniSearchReal().


Generated on Sun May 14 14:51:22 2006 by  doxygen 1.4.2