Changes - j0ke.net Open Build Service

@@ -1,3 +1,198 @@ +2012-3-17 Steven Sturges <ssturges@sourcefire.com> +Snort 2.9.2.2 + * src/build.h: + Updated to build 121. + + * src/preprocessors/HttpInspect/normalization/hi_norm.c: + Fix HTTP URI normalization when URI has more than 2k slashes. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fixed split fin-ack tracking and flush/free app data on reset + when listener is in fin-wait-1, fin-wait-2, or closing state. + + * src/: encode.c, encode.h, snort.c, snort.h, + Fix generation of response packets on fragmented IPv6 packet + by using the frag reassembled packet to encode. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fix logical byte count and remove unreachable code + + * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c: + Update to handle IPv6 traffic for processing of IP header + options within .so rules. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Expand slam threshold to <= 4 and fix for non-reassembled + sessions. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Check seq within window relative to window base. + + * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: + Fix flow flags for single segment PDUs from PAF. + + * doc/: faq.pdf, faq.tex, snort_manual.pdf, snort_manual.tex: + Remove references to deprecated servers. + + * src/dynamic-preprocessors/sip/sip_parser.c: + Unknown method alert is generated only after verifying the + packet is SIP. Don't generate alerts for a. multiple SIP + messages within one UDP packet (140:17) and b. mismatched + content length (140:18) simultaneously. + + * doc/: INSTALL, snort_manual.pdf, snort_manual.tex: + Updates to the manual to fix formatting, clarify detection_filter, + and remove obsolete configure options. Thanks to Larry Hughes, + Eoin Miller, Beenph and Joshua Kinard for reading it! + + * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex, + src/dynamic-preprocessors/sip/sip_config.c, + src/dynamic-preprocessors/sip/sip_config.h, + src/dynamic-preprocessors/sip/sip_dialog.c, + src/dynamic-preprocessors/sip/sip_dialog.h, + src/dynamic-preprocessors/sip/spp_sip.c, + src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map: + Limit number of dialogs within a stream session. Thanks + to Filip Valder for providing the information. + + * src/active.c: + Allow repeated responses to non-TCP/UDP traffic. + + * src/: sfdaq.c, sfdaq.h, output-plugins/spo_unified2.c: + Correctly log blocked flag in unified2 events when an interface + is passive. + + * doc/: README.filters, snort_manual.pdf, snort_manual.tex: + Update README & manual to document -1 as acceptable value for + event_filter. + + * src/: snort.c: + Add stats output to dirty pig shutdown. + + * src/: preprocessors/Stream5/stream5_common.c: + Update initialization for stream_ip. + + * doc/snort_manual.pdf, src/byte_extract.c, src/util.h, + src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c: + Make byte extraction of strings only allow for positive values. + + * src/preprocessors/HttpInspect/client/hi_client.c: + Check for paf_max before marking a packet as request body. + + * doc/: README.SMTP, snort_manual.pdf, snort_manual.tex, + preproc_rules/preprocessor.rules, src/generators.h, + src/dynamic-preprocessors/smtp/smtp_config.h, + src/dynamic-preprocessors/smtp/smtp_util.c, + src/dynamic-preprocessors/smtp/snort_smtp.c, + src/dynamic-preprocessors/smtp/spp_smtp.c: + Added SMTP preproc shutdown stats. Remove the decoding memcap + exceeded alert and displaying this info instead. + + * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c, + spp_ftptelnet.c: + Update parsing for ftptelnet config. + + * src/dynamic-preprocessors/modbus/spp_modbus.c: + Update to free the modbus session data. + + * src/: snort_bounds.h, + preprocessors/HttpInspect/server/hi_server_norm.c: + Update javascript normalization to call a safeboundsmemmove + function when the src and dst buffers overlap. + + * src/preprocessors/HttpInspect/client/hi_client.c: + Change the code to not look for POST data (while parsing method) + when PAF is enabled and process request packets when the + method is undefined. + + * src/dynamic-preprocessors/pop/: snort_pop.c, snort_pop.h: + Decode data following +OK response without the octets string. + + * src/dynamic-preprocessors/dcerpc2/dce2_utils.h: + Made macro in dcerpc2 preprocessor used for progressing through + data more robust. + + * src/preprocessors/: snort_httpinspect.h, + HttpInspect/client/hi_client.c, HttpInspect/server/hi_server.c: + Eliminate false positives (no content-length or transfer-encoding) + when chunk size spans across multiple packets. Thanks to Daniel + Dallmann for reporting the issue. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Update handling of retransmitted segments overlapping the + window on the left + + * src/preprocessors/HttpInspect/server/hi_server.c: + Set the file_data to the raw HTTP response body (de-chunked/ + normalized) when decompression fails due to false GZIP headers. + Set the inspect_body flag after resetting the decompress_data + flag to allow extraction of HTTP response body across packets + when decompression fails entirely. Thanks to Eoin Miller for + reporting this issue. + + * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex, + src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h: + Remove the Max on the gzip memcap. Thanks to Eoin Miller for + the request. + + * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_paf.c, + dce2_session.h, dce2_smb.c, dce2_smb.h, snort_dce2.c, + snort_dce2.h: + State tracking improvements to SMB processing in the dcerpc2 + preprocessor when missing packets on a session. + + * tools/u2spewfoo/u2spewfoo.c: + Tweaks to dump u2 files in the presence of certain errors. + + * src/encode.c: + Fix overhead calculation to ensure sufficient buffer space for + defragging a maximum length IP datagram regardless of encapsulations. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fix false positives on 129:16. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fix stream5 to not purge too early when normalizing streams. + + * src/decode.c: + Remove redundant clearing of pointer in error case. Thanks + to Josh Kinard for pointing out the error. + + * src/preprocessors/spp_normalize.c: + Change normalizer priority to ensure ahead of frag3 regardless + of conf ordering. + + * src/detection-plugins/sp_react.c, doc/README.active, + doc/snort_manual.pdf, doc/snort_manual.tex: + Don't allow more than one % in a user-defined HTML page used + for react rule options. Thanks to Cleber S. Brandão for + reporting the issue. + + * configure.in: + Update configure script to correctly display 'Disable' help + verbage for the --disable-xxx options. Thanks to Kungu Panda for + pointing it out. + + * src/: plugbase.c, plugbase.h, snort.c, + output-plugins/spo_alert_arubaaction.c, + output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c, + output-plugins/spo_alert_prelude.c, + output-plugins/spo_alert_syslog.c, + output-plugins/spo_alert_test.c, + output-plugins/spo_alert_unixsock.c, output-plugins/spo_csv.c, + output-plugins/spo_database.c, output-plugins/spo_log_ascii.c, + output-plugins/spo_log_null.c, output-plugins/spo_log_tcpdump.c, + output-plugins/spo_unified.c, output-plugins/spo_unified2.c: + Update unified2 output to rotate the unified2 file on reload. + + * src/dynamic-preprocessors/smtp/smtp_util.c: + Truncate the trailing end of the email id when the + rcpt to or mail from addresses are too long. + + * doc/snort_manual.tex, doc/README.GTP, src/: + dynamic-plugins/sf_dynamic_plugins.c, util.c, util.h: + Throttle the so rules memcap error message. + 2012-1-17 16:16 Hui Cao <hcao@sourcefire.com> Snort 2.9.2.1 All files: updated copyright to 2012 @@ -81,7 +276,7 @@ * src/: generators.h, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/event_output/hi_eo_log.c, - preprocessors/HttpInspect/include/hi_eo_events.h: Bugs + preprocessors/HttpInspect/include/hi_eo_events.h: Added a preprocessor alert to alert when a HTTP method being parsed is not a GET or a POST or not defined by the user.

@@ -1,4 +1,28 @@ -2012-1-17 - Snort 2.9.2.1 +2012-03-26 - Snort 2.9.2.2 +[*] Improvements + * Updates to HTTP Inspect to handle normalization with large + number of directories, eliminate false positives when chunks + span multiple packets, and remove the upper limit on the + gzip memcap. + + * Update stream handling for TCP session cleanup with RSTs and + other TCP state tracking. + + * Update for responses to fragmented IPv6 traffic and to the + react page configuration. + + * Updates SIP preprocessor to limit false positives. + + * Update for correct logging in unified2 when interface is passive. + + * Add stats for SMTP preprocessor at termination. + + * State tracking improvements to SMB processing in the dcerpc2 + preprocessor when missing packets on a session. + + * + +2012-01-17 - Snort 2.9.2.1 [*] New Additions * Added new alerts for HTTP (undefined methods & HTTP 0.9 simple requests).

@@ -1495,41 +1495,41 @@ optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) --enable-64bit-gcc Try to compile 64bit (only tested on Sparc Solaris 9 and 10). - --disable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries) + --disable-dynamicplugin Disable Ability to dynamically load preprocessors, detection engine, and rules lib --enable-so-with-static-lib Enable linking of dynamically loaded preprocessors with a static preprocessor library --enable-control-socket Enable the control socket - --disable-static-daq Link static DAQ modules. + --disable-static-daq Link static DAQ modules. --enable-build-dynamic-examples Enable building of example dynamically loaded preprocessor and rule (off by default) - --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default. - --disable-ipv6 Disable IPv6 support - --disable-zlib Enable Http Response Decompression - --disable-gre Enable GRE and IP in IP encapsulation support - --disable-mpls Enable MPLS support - --disable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly) - --disable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events - --disable-ppm Enable packet/rule performance monitor - --disable-perfprofiling Enable preprocessor and rule performance profiling - --enable-linux-smp-stats Enable statistics reporting through proc + --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default. + --disable-ipv6 Disable IPv6 support + --disable-zlib Disable Http Response Decompression + --disable-gre Disable GRE and IP in IP encapsulation support + --disable-mpls Disable MPLS support + --disable-targetbased Disable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly) + --disable-decoder-preprocessor-rules Disable rule actions for decoder and preprocessor events + --disable-ppm Disable packet/rule performance monitor + --disable-perfprofiling Disable preprocessor and rule performance profiling + --enable-linux-smp-stats Enable statistics reporting through proc --enable-inline-init-failopen Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly) --enable-prelude Enable Prelude Hybrid IDS support - --disable-pthread Disable pthread support + --disable-pthread Disable pthread support --enable-debug-msgs Enable debug printing options (bugreports and developers only) --enable-debug Enable debugging options (bugreports and developers only) - --enable-gdb Enable gdb debugging information + --enable-gdb Enable gdb debugging information --enable-profile Enable profiling options (developers only) - --disable-ppm-test Enable packet/rule performance monitor + --disable-ppm-test Disable packet/rule performance monitor --enable-sourcefire Enable Sourcefire specific build options, encompasing --enable-perfprofiling,--enable-decoder-preprocessor-rules, --enable-ppm --disable-corefiles Prevent Snort from generating core files - --disable-active-response Enable reject injection - --disable-normalizer Enable packet/stream normalizations - --disable-reload Enable reloading a configuration without restarting - --disable-reload-error-restart Enable restarting on reload error - --disable-paf disable protocol aware flushing - --disable-react Intercept and terminate offending HTTP accesses - --disable-flexresp3 Flexible Responses (v3) on hostile connection attempts + --disable-active-response Disable reject injection + --disable-normalizer Disable packet/stream normalizations + --disable-reload Disable reloading a configuration without restarting + --disable-reload-error-restart Disable restarting on reload error + --disable-paf Disable protocol aware flushing + --disable-react Disable interception and termination of offending HTTP accesses + --disable-flexresp3 Disable flexible responses (v3) on hostile connection attempts --enable-aruba Enable Aruba output plugin --enable-intel-soft-cpm Enable Intel Soft CPM support - --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only) + --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only) --enable-rzb-saac Enable Razorback SaaC support --enable-large-pcap Enable support for pcaps larger than 2 GB @@ -3075,7 +3075,7 @@ # Define the identity of the package. PACKAGE=snort - VERSION=2.9.2.1 + VERSION=2.9.2.2 cat >>confdefs.h <<_ACEOF

@@ -6,7 +6,7 @@ AM_CONFIG_HEADER(config.h) # When changing the snort version, please also update the VERSION # definition in "src/win32/WIN32-Includes/config.h" -AM_INIT_AUTOMAKE(snort,2.9.2.1) +AM_INIT_AUTOMAKE(snort,2.9.2.2) NO_OPTIMIZE="no" ADD_WERROR="no" @@ -533,7 +533,7 @@ fi AC_ARG_ENABLE(dynamicplugin, -[ --disable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries)], +[ --disable-dynamicplugin Disable Ability to dynamically load preprocessors, detection engine, and rules lib], enable_dynamicplugin="$enableval", enable_dynamicplugin="yes") AM_CONDITIONAL(HAVE_DYNAMIC_PLUGINS, test "x$enable_dynamicplugin" = "xyes") @@ -621,7 +621,7 @@ fi AC_ARG_ENABLE(static_daq, -[ --disable-static-daq Link static DAQ modules.], +[ --disable-static-daq Link static DAQ modules.], enable_static_daq="$enableval", enable_static_daq="yes") if test "x$enable_static_daq" = "xyes" \ @@ -751,14 +751,14 @@ fi AC_ARG_ENABLE(dlclose, -[ --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default.], +[ --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default.], enable_dlclose="$enableval", enable_dlclose="yes") if test "x$enable_dlclose" = "xno"; then AC_DEFINE([DISABLE_DLCLOSE_FOR_VALGRIND_TESTING],[1],[Don't close opened shared objects for valgrind leak testing of dynamic libraries]) fi AC_ARG_ENABLE(ipv6, -[ --disable-ipv6 Disable IPv6 support], +[ --disable-ipv6 Disable IPv6 support], enable_ipv6="$enableval", enable_ipv6="yes") if test "x$enable_ipv6" = "xyes"; then CONFIGFLAGS="$CONFIGFLAGS -DSUP_IP6" @@ -766,7 +766,7 @@ AM_CONDITIONAL(HAVE_SUP_IP6, test "x$enable_ipv6" = "xyes") AC_ARG_ENABLE(zlib, -[ --disable-zlib Enable Http Response Decompression], +[ --disable-zlib Disable Http Response Decompression], enable_zlib="$enableval", enable_zlib="yes") AM_CONDITIONAL(HAVE_ZLIB, test "x$enable_zlib" = "xyes") if test "x$enable_zlib" = "xyes"; then @@ -792,21 +792,21 @@ fi AC_ARG_ENABLE(gre, -[ --disable-gre Enable GRE and IP in IP encapsulation support], +[ --disable-gre Disable GRE and IP in IP encapsulation support], enable_gre="$enableval", enable_gre="yes") if test "x$enable_gre" = "xyes"; then CPPFLAGS="$CPPFLAGS -DGRE" fi AC_ARG_ENABLE(mpls, -[ --disable-mpls Enable MPLS support], +[ --disable-mpls Disable MPLS support], enable_mpls="$enableval", enable_mpls="yes") if test "x$enable_mpls" = "xyes"; then CPPFLAGS="$CPPFLAGS -DMPLS" fi AC_ARG_ENABLE(targetbased, -[ --disable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)], +[ --disable-targetbased Disable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)], enable_targetbased="$enableval", enable_targetbased="yes") AM_CONDITIONAL(HAVE_TARGET_BASED, test "x$enable_targetbased" = "xyes") @@ -832,28 +832,28 @@ fi AC_ARG_ENABLE(decoder-preprocessor-rules, -[ --disable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events], +[ --disable-decoder-preprocessor-rules Disable rule actions for decoder and preprocessor events], enable_decoder_preprocessor_rules="$enableval", enable_decoder_preprocessor_rules="yes") if test "x$enable_decoder_preprocessor_rules" = "xyes"; then CPPFLAGS="$CPPFLAGS -DPREPROCESSOR_AND_DECODER_RULE_EVENTS" fi AC_ARG_ENABLE(ppm, -[ --disable-ppm Enable packet/rule performance monitor], +[ --disable-ppm Disable packet/rule performance monitor], enable_ppm="$enableval", enable_ppm="yes") if test "x$enable_ppm" = "xyes"; then CPPFLAGS="$CPPFLAGS -DPPM_MGR" fi AC_ARG_ENABLE(perfprofiling, -[ --disable-perfprofiling Enable preprocessor and rule performance profiling], +[ --disable-perfprofiling Disable preprocessor and rule performance profiling], enable_perfprofiling="$enableval", enable_perfprofiling="yes") if test "x$enable_perfprofiling" = "xyes"; then CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" fi AC_ARG_ENABLE(linux-smp-stats, -[ --enable-linux-smp-stats Enable statistics reporting through proc], +[ --enable-linux-smp-stats Enable statistics reporting through proc], enable_linux_smp_stats="$enableval", enable_linux_smp_stats="no") AM_CONDITIONAL(BUILD_PROCPIDSTATS, test "x$enable_linux_smp_stats" = "xyes") if test "x$enable_linux_smp_stats" = "xyes"; then @@ -884,7 +884,7 @@ fi AC_ARG_ENABLE(pthread, -[ --disable-pthread Disable pthread support], +[ --disable-pthread Disable pthread support], enable_pthread="$enableval", enable_pthread="yes") if test "x$enable_pthread" = "xyes"; then @@ -914,7 +914,7 @@ fi AC_ARG_ENABLE(gdb, -[ --enable-gdb Enable gdb debugging information], +[ --enable-gdb Enable gdb debugging information], enable_gdb="$enableval", enable_gdb="no") if test "x$enable_gdb" = "xyes"; then @@ -935,7 +935,7 @@ fi AC_ARG_ENABLE(ppm-test, -[ --disable-ppm-test Enable packet/rule performance monitor], +[ --disable-ppm-test Disable packet/rule performance monitor], enable_ppm_test="$enableval", enable_ppm_test="no") if test "x$enable_ppm_test" = "xyes"; then @@ -960,19 +960,19 @@ fi AC_ARG_ENABLE(active-response, -[ --disable-active-response Enable reject injection], +[ --disable-active-response Disable reject injection], enable_active_response="$enableval", enable_active_response="yes") AC_ARG_ENABLE(normalizer, -[ --disable-normalizer Enable packet/stream normalizations], +[ --disable-normalizer Disable packet/stream normalizations], enable_normalizer="$enableval", enable_normalizer="yes") AC_ARG_ENABLE(reload, -[ --disable-reload Enable reloading a configuration without restarting], +[ --disable-reload Disable reloading a configuration without restarting], enable_reload="$enableval", enable_reload="yes") AC_ARG_ENABLE(reload-error-restart, -[ --disable-reload-error-restart Enable restarting on reload error], +[ --disable-reload-error-restart Disable restarting on reload error], enable_reload_error_restart="$enableval", enable_reload_error_restart="yes") if test "x$enable_reload" = "xyes"; then @@ -1423,7 +1423,7 @@ fi AC_ARG_ENABLE(paf, -[ --disable-paf disable protocol aware flushing], +[ --disable-paf Disable protocol aware flushing], enable_paf="$enableval", enable_paf="yes") if test "x$enable_paf" = "xyes"; then @@ -1431,11 +1431,11 @@ fi AC_ARG_ENABLE(react, -[ --disable-react Intercept and terminate offending HTTP accesses], +[ --disable-react Disable interception and termination of offending HTTP accesses], enable_react="$enableval", enable_react="yes") AC_ARG_ENABLE(flexresp3, -[ --disable-flexresp3 Flexible Responses (v3) on hostile connection attempts], +[ --disable-flexresp3 Disable flexible responses (v3) on hostile connection attempts], enable_flexresp3="$enableval", enable_flexresp3="yes") AC_ARG_ENABLE(aruba, @@ -1508,7 +1508,7 @@ fi AC_ARG_ENABLE(shared_rep, - [ --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only)], + [ --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only)], enable_shared_rep="$enableval", enable_shared_rep="no") if test "x$enable_shared_rep" = "xyes"; then

@@ -65,9 +65,6 @@ Enable linking of dynamically loaded preprocessors with a static preprocessor library. -`--enable-timestats' - Enable real-time performance statistics. - `--enable-perfprofiling' Enable performance profiling of individual rules and preprocessors. @@ -518,5 +515,5 @@ autoconf Then run configure with any desired options (--enable-dynamicplugin, ---enable-inline, etc). +etc).

@@ -68,7 +68,7 @@ Different from GTP decoder, GTP preprocessor examines all signaling messages. The preprocessor configuration name is "gtp". -preprocessor sip +preprocessor gtp Option Argument Required Default ports <ports> No ports { 2123 3386 } @@ -90,10 +90,10 @@ Configuration examples preprocessor gtp - preprocessor sip: ports { 2123 3386 2152 } + preprocessor gtp: ports { 2123 3386 2152 } Default configuration - preprocessor sip + preprocessor gtp GTP Decoder Events ================================================================================

@@ -234,9 +234,6 @@ default config's value. Hence user needs to define it in the default config with the new keyword disabled (used to disable SMTP preprocessor in a config). -When the memcap for decoding (max_mime_mem) is exceeded the SMTP preprocessor alert with sid 9 is -generated (when enabled). - * log_mailfrom * This option enables SMTP preprocessor to parse and log the sender's email address extracted from the "MAIL FROM" command along with all the generated events for that session. The maximum

@@ -139,6 +139,10 @@ "You are attempting to access a forbidden site.<br />" \ "Consult your system administrator for details."; +Additional formatting operators beyond a single %s are prohibited, including +%d, %x, %s, as well as any URL encodings such as as %20 (space) that may be +within a reference URL. + This is an example rule: drop tcp any any -> any $HTTP_PORTS ( \

@@ -190,7 +190,8 @@ source IP addresses, or unique destination IP addresses. * count c: number of rule matching in s seconds that will cause event filter - limit to exceed. C must be nonzero value. + limit to exceed. C must be nonzero value. A count of -1 disables the + event filter and can be used to override the global event_filter. * seconds s: time period over which count is accrued. S must be nonzero value.

@@ -77,7 +77,7 @@ * max_gzip_mem * This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor -will use for decompression. This value can be set from 3276 bytes to 100MB. This option +will use for decompression. The minimum allowed value for this option is 3276 bytes. This option along with compress and decompress depth determines the gzip sessions that will be decompressed at any given instant. The default value for this option is 838860.

@@ -39,6 +39,7 @@ Option Argument Required Default disabled None No OFF max_sessions <max_sessions> No max_sessions 10000 +max_dialogs <max_dialogs> No max_dialogs 4 ports <ports> No ports { 5060 5061 } methods <methods> No methods { invite cancel ack bye register options } @@ -53,6 +54,7 @@ ignore_call_channel None No OFF max_sessions = 1024 - 4194303 +max_dialogs = 1 - 4194303 methods = "invite" | "cancel" | "ack" | "bye" | "register" | "options" | "refer" | "subscribe" | "update" | "join" | "info" | "message" | "notify" | "prack" @@ -77,6 +79,10 @@ Those sessions are stream sessions, so they are bounded by maximum number of stream sessions. Default is 10000. + max_dialogs + This specifies the maximum number of dialogs within one stream session. If exceeded, + the oldest dialog will be dropped. Default is 4. + ports This specifies on what ports to check for SIP messages. Typically, this will include 5060, 5061. @@ -228,6 +234,7 @@ 24 SIP version other than 2.0, 1.0, and 1.1 is invalid 25 Mismatch in Method of request and the CSEQ header 26 The method is unknown + 27 The number of dialogs in the stream session exceeds the maximal value. Rule Options ================================================================================

@@ -1420,22 +1420,6 @@ #EOF \end{verbatim} -\subsection{How do you get the latest Snort via cvs?} \label{cvs} - -Snort can be checked out through anonymous (pserver) CVS with the -following instruction set. The module you wish to check out must be -specified as the modulename. When prompted for a password for anonymous, -simply press the Enter key. -\begin{verbatim} - cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot login - - cvs -z3 -d:pserver:anonymous@cvs.snort.org:/cvsroot co snort -\end{verbatim} -Updates from within the module's directory do not need the -d parameter. - -You will need to issue the command ``sh ./autojunk.sh'' before starting -./configure. - \subsection{How do I use a remote syslog machine?} Add the syslog switch, -s, and put this statement syslog.conf:

@@ -125,8 +125,9 @@ have a better way to say something or find that something in the documentation is outdated, drop us a line and we will update it. If you would like to submit patches for this document, you can find the latest version of the documentation -in \LaTeX\ format in the Snort CVS repository at \verb!/doc/snort_manual.tex!. -Small documentation updates are the easiest way to help out the Snort Project. +in \LaTeX\ format in the most recent source tarball under +\verb!/doc/snort_manual.tex!. Small documentation updates are the easiest way +to help out the Snort Project. \section{Getting Started} @@ -567,29 +568,6 @@ Note that the pcap DAQ does not count filtered packets. -\subsubsection{MMAPed pcap} - -On Linux, a modified version of libpcap is available that implements a shared -memory ring buffer. Phil Woods (cpw@lanl.gov) is the current maintainer of the -libpcap implementation of the shared memory ring buffer. The shared memory -ring buffer libpcap can be downloaded from his website at -\url{http://public.lanl.gov/cpw/}. - -Instead of the normal mechanism of copying the packets from kernel memory into -userland memory, by using a shared memory ring buffer, libpcap is able to queue -packets into a shared buffer that Snort is able to read directly. This change -speeds up Snort by limiting the number of times the packet is copied before -Snort gets to perform its detection upon it. - -Once Snort linked against the shared memory libpcap, enabling the ring buffer -is done via setting the environment variable \emph{PCAP\_FRAMES}. -\emph{PCAP\_FRAMES} is the size of the ring buffer. According to Phil, the -maximum size is 32768, as this appears to be the maximum number of iovecs the -kernel can handle. By using \emph{PCAP\_FRAMES=max}, libpcap will -automatically use the most frames possible. On Ethernet, this ends up being -1530 bytes per frame, for a total of around 52 Mbytes of memory for the ring -buffer alone. - \subsection{AFPACKET} afpacket functions similar to the memory mapped pcap DAQ but no external @@ -661,7 +639,7 @@ <qlen> ::= 0..65535; default is 0 \end{verbatim} -Notes on iptables are given below. +Notes on iptables can be found in the DAQ distro README. \subsection{IPQ} @@ -683,8 +661,6 @@ <proto> ::= ip4 | ip6; default is ip4 \end{verbatim} -Notes on iptables are given below. - \subsection{IPFW} IPFW is available for BSD systems. It replaces the inline version available in @@ -2387,14 +2363,6 @@ Use config event\_filter instead.)\\ \hline -\texttt{config timestats\_interval: <secs>} & - -Set the amount of time in seconds between logging time stats. Default is 3600 -(1 hour). Note this option is only available if Snort was built to use time -stats with \texttt{--enable-timestats}. \\ - - -\hline \texttt{config umask: <umask>} & Sets umask when running (\texttt{snort -m}). \\ \hline @@ -3367,7 +3335,7 @@ \begin{itemize} \item \texttt{TCP} \item \texttt{UDP} -\item \texttt{IGMP} +\item \texttt{ICMP} \item \texttt{ip\_proto} \item \texttt{all} \end{itemize} @@ -4039,8 +4007,8 @@ \item \texttt{max\_gzip\_mem $<$integer$>$} This option determines (in bytes) the maximum amount of memory the HTTP Inspect -preprocessor will use for decompression. This value can be set from 3276 bytes -to 100MB. This option along with \texttt{compress\_depth} and \texttt{decompress\_depth} +preprocessor will use for decompression. The minimum allowed value for this option +is 3276 bytes. This option along with \texttt{compress\_depth} and \texttt{decompress\_depth} determines the gzip sessions that will be decompressed at any given instant. The default value for this option is 838860. @@ -4540,8 +4508,8 @@ This option enables the normalization of Javascript within the HTTP response body. You should select the config option \texttt{extended\_response\_inspection} before configuring this option. When this option is turned on, Http Inspect searches for a Javascript within the -HTTP response body by searching for the <script> tags and starts normalizing it. -When Http Inspect sees the <script> tag without a type, it is considered as a javascript. +HTTP response body by searching for the $<$script$>$ tags and starts normalizing it. +When Http Inspect sees the $<$script$>$ tag without a type, it is considered as a javascript. The obfuscated data within the javascript functions such as unescape, String.fromCharCode, decodeURI, decodeURIComponent will be normalized. The different encodings handled within the unescape/ decodeURI/decodeURIComponent are \texttt{\%XX}, \texttt{\%uXXXX}, \texttt{\\XX} and \texttt{\\uXXXXi}. @@ -5321,9 +5289,6 @@ default config's value. Hence user needs to define it in the default config with the new keyword disabled (used to disable SMTP preprocessor in a config). -When the memcap for decoding (\texttt{max\_mime\_mem}) is exceeded the SMTP preprocessor alert with sid 9 is -generated (when enabled) - \item \texttt{log\_mailfrom} This option enables SMTP preprocessor to parse and log the sender's email address extracted from the "MAIL FROM" command along with all the generated events for that session. The maximum @@ -8284,10 +8249,6 @@ \begin{itemize} \item -Truncate packets with excess payload to the datagram length specified in the -IP header. - -\item TTL normalization if enabled (explained below). \item @@ -8378,8 +8339,6 @@ Base normalizations enabled with "preprocessor \texttt{normalize\_tcp}" include: \begin{itemize} -\item -Remove data on SYN. \item Clear the reserved bits in the TCP header. @@ -8391,23 +8350,11 @@ Clear the urgent pointer and the urgent flag if there is no payload. \item -Set the urgent pointer to the payload length if it is greater than the -payload length. - -\item Clear the urgent flag if the urgent pointer is not set. \item Clear any option padding bytes. -\item -Remove any data from RST packet. - -\item -Trim data to window. - -\item -Trim data to MSS. \end{itemize} Optional normalizations include: @@ -8482,8 +8429,8 @@ <new_ttl> ::= (<min_ttl>+1..255) \end{verbatim} -If \texttt{new\_ttl }> \texttt{min\_ttl}, then if a packet is received with a -TTL < \texttt{min\_ttl}, the TTL will be set to \texttt{new\_ttl}. +If \texttt{new\_ttl }$>$ \texttt{min\_ttl}, then if a packet is received with a +TTL $<$ \texttt{min\_ttl}, the TTL will be set to \texttt{new\_ttl}. Note that this configuration item was deprecated in 2.8.6: @@ -8538,6 +8485,8 @@ \hline \texttt{max\_sessions} & \texttt{<max\_sessions>} & NO & \texttt{max\_sessions 10000}\\ \hline +\texttt{max\_dialogs} & \texttt{<max\_dialogs>} & NO & \texttt{max\_dialogs 4}\\ +\hline \texttt{ports} & \texttt{<ports>} & NO & \texttt{ports \{ 5060 5061 \} }\\ \hline \texttt{methods} & \texttt{<methods>} & NO & \texttt{methods \{ invite cancel ack bye @@ -8566,6 +8515,7 @@ \footnotesize \begin{verbatim} max_sessions = 1024-4194303 + max_dialogs = 1-4194303 methods = "invite"|"cancel"|"ack"|"bye"|"register"| "options"\ |"refer" |"subscribe"|"update"|"join"|"info"|"message"\ |"notify"|"prack" @@ -8593,6 +8543,11 @@ Those sessions are stream sessions, so they are bounded by maximum number of stream sessions. Default is 10000. \end{itemize} +\item[] \texttt{max\_dialogs} +\begin{itemize} +\item[] This specifies the maximum number of dialogs within one stream session. If exceeded, + the oldest dialog will be dropped. Default is 4. +\end{itemize} \item[] \texttt{ports} \begin{itemize} \item[] This specifies on what ports to check for SIP messages. Typically, this will @@ -8802,6 +8757,8 @@ \hline 26 & The method is unknown \\ \hline + 27 & The number of dialogs in the stream session exceeds the maximal value. \\ +\hline \end{longtable} \subsubsection{Rule Options} New rule options are supported by enabling the \texttt{sip} preprocessor: @@ -9337,7 +9294,7 @@ Different from GTP decoder, GTP preprocessor examines all signaling messages. The preprocessor configuration name is \texttt{gtp}. \begin{verbatim} -preprocessor sip +preprocessor gtp \end{verbatim} \textit{Option syntax} \begin{itemize} @@ -9356,7 +9313,7 @@ \begin{itemize} \item[] \texttt{ports} \begin{itemize} -\item[] This specifies on what ports to check for SIP messages. Typically, +\item[] This specifies on what ports to check for GTP messages. Typically, this will include 5060, 5061. \item[] \textit{Syntax} \begin{verbatim} @@ -11050,7 +11007,8 @@ \texttt{count c} & number of rule matching in s seconds that will cause \texttt{event\_filter} -limit to be exceeded. \texttt{c} must be nonzero value.\\ +limit to be exceeded. \texttt{c} must be nonzero value. A value of -1 disables +the event filter and can be used to override the global \texttt{event\_filter}.\\ \hline \texttt{seconds s} & @@ -11172,7 +11130,7 @@ \begin{verbatim} suppress \ - gen_id <gid>, sig_id <sid>, \ + gen_id <gid>, sig_id <sid> \end{verbatim} \begin{verbatim} @@ -11211,7 +11169,7 @@ \texttt{ip <list>} & Restrict the suppression to only source or destination IP addresses (indicated -by \texttt{track} parameter) determined by <list>. If track is provided, ip +by \texttt{track} parameter) determined by $<$list$>$. If track is provided, ip must be provided as well.\\ \hline @@ -11933,7 +11891,7 @@ \begin{itemize} \item \texttt{filename}: the name of the log file. The default name is -<logdir>/alert. You may specify "stdout" for terminal output. The name may +$<$logdir$>$/alert. You may specify "stdout" for terminal output. The name may include an absolute or relative path. \item \texttt{packet}: this option will cause multiline entries with full @@ -11970,7 +11928,7 @@ \begin{itemize} \item \texttt{filename}: the name of the log file. The default name is -<logdir>/alert. You may specify "stdout" for terminal output. The name may +$<$logdir$>$/alert. You may specify "stdout" for terminal output. The name may include an absolute or relative path. \item \texttt{limit}: an optional limit on file size which defaults to 128 MB. @@ -12016,7 +11974,7 @@ \begin{itemize} \item \texttt{filename}: the name of the log file. The default name is -<logdir>/snort.log. The name may include an absolute or relative path. A +$<$logdir$>$/snort.log. The name may include an absolute or relative path. A UNIX timestamp is appended to the filename. \item \texttt{limit}: an optional limit on file size which defaults to 128 MB. @@ -12180,7 +12138,7 @@ \begin{itemize} \item \texttt{filename}: the name of the log file. The default name is -<logdir>/alert.csv. You may specify "stdout" for terminal output. The name +$<$logdir$>$/alert.csv. You may specify "stdout" for terminal output. The name may include an absolute or relative path. \item \texttt{format}: The list of formatting options is below. If the @@ -13162,7 +13120,7 @@ Each attempt (sent in rapid succession) has a different sequence number. Each active response will actually cause this number of TCP resets to be sent. TCP data (sent for react) is multiplied similarly. At most 1 ICMP unreachable is -sent, if and only if attempts > 0. +sent, if and only if attempts $>$ 0. \begin{verbatim} ./configure --enable-active-response @@ -13278,6 +13236,10 @@ "Consult your system administrator for details."; \end{verbatim} +Additional formatting operators beyond a single %s are prohibited, including +%d, %x, %s, as well as any URL encodings such as as %20 (space) that may be +within a reference URL. + This is an example rule: \begin{verbatim} @@ -15260,13 +15222,19 @@ \subsubsection{Example} -This example performs a case-insensitive search for the string BLAH in the payload. +This example performs a case-insensitive search for the HTTP URI \texttt{foo.php?id=<some numbers>} \begin{verbatim} - alert ip any any -> any any (pcre:"/BLAH/i";) + alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo.php?id=[0-9]{1,10}/iU";) \end{verbatim} \begin{note} +It is wise to have at least one \texttt{content} keyword in a rule that uses \texttt{pcre}. This +allows the fast-pattern matcher to filter out non-matching packets so that the pcre evaluation is +not performed on each and every packet coming across the wire. +\end{note} + +\begin{note} Snort's handling of multiple URIs with PCRE does not work as expected. PCRE when used without a \texttt{uricontent} only evaluates the first URI. In order @@ -17212,6 +17180,11 @@ would normally be used in conjunction with an \texttt{event\_filter} to reduce the number of logged events. +\begin{note} +As mentioned above, Snort evaluates \texttt{detection\_filter} as the last step of +the detection and not in post-detection. +\end{note} + \subsection{Post-Detection Quick Reference} \begin{center} @@ -18183,7 +18156,7 @@ \item {OptionType: Protocol Header \& Structure: {\em HdrOptCheck}} The {\em HdrOptCheck} structure defines an option to check a protocol header -for a specific value. It includes the header field, the operation (<,>,=,etc), +for a specific value. It includes the header field, the operation ($<$,$>$,=,etc), a value, a mask to ignore that part of the header field, and flags. \begin{verbatim} @@ -18223,7 +18196,7 @@ The {\em ByteData} structure defines the information for both ByteTest and ByteJump operations. It includes the number of bytes, an operation (for -ByteTest, <,>,=,etc), a value, an offset, multiplier, and flags. The flags +ByteTest, $<$,$>$,=,etc), a value, an offset, multiplier, and flags. The flags must specify the buffer. \begin{verbatim}

@@ -456,6 +456,7 @@ 140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid 140 || 25 || sip: Mismatch in Method of request and the CSEQ header 140 || 26 || sip: The method is unknown +140 || 27 || sip: Maximum dialogs in a session reached 141 || 1 || imap: Unknown IMAP4 command 141 || 2 || imap: Unknown IMAP4 response 141 || 3 || imap: No memory available for decoding. Memcap exceeded.

@@ -10,7 +10,7 @@ # Snort bugs: bugs@snort.org # # Compatible with Snort Versions: -# VERSIONS : 2.9.2.1 +# VERSIONS : 2.9.2.2 # # Snort build options: # OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3 @@ -72,7 +72,7 @@ ipvar SIP_SERVERS $HOME_NET # List of ports you run web servers on -portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8181,8243,8280,8888,9090,9091,9443,9999,11371] +portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555] # List of ports you want to look for SHELLCODE on. portvar SHELLCODE_PORTS !80 @@ -89,6 +89,12 @@ # List of ports you run SIP servers on portvar SIP_PORTS [5060,5061,5600] +# List of file data ports for file inspection +portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] + +# List of GTP ports for GTP preprocessor +portvar GTP_PORTS [2123,2152,3386] + # other variables, these should not be modified ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] @@ -99,6 +105,14 @@ var SO_RULE_PATH ../so_rules var PREPROC_RULE_PATH ../preproc_rules +# If you are using reputation preprocessor set these +# Currently there is a bug with relative paths, they are relative to where snort is +# not relative to snort.conf like the above variables +# This is completely inconsistent with how other vars work, BUG 89986 +# Set the absolute path appropriately +var WHITE_LIST_PATH ../rules +var BLACK_LIST_PATH ../rules + ################################################### # Step #2: Configure the decoder. For more information, see README.decode ################################################### @@ -187,6 +201,13 @@ config event_queue: max_queue 8 log 3 order_events content_length ################################################### +## Configure GTP if it is to be used. +## For more information, see README.GTP +#################################################### + +# config enable_gtp + +################################################### # Per packet and rule latency enforcement # For more information see README.ppm ################################################### @@ -212,6 +233,12 @@ #config profile_preprocs: print all, sort avg_ticks ################################################### +# Configure protocol aware flushing +# For more information see README.stream5 +################################################### +config paf_max: 16000 + +################################################### # Step #4: Configure dynamic loaded libraries. # For more information, see Snort Manual, Configuring Snort - Dynamic Modules ################################################### @@ -230,6 +257,9 @@ # For more information, see the Snort Manual, Configuring Snort - Preprocessors ################################################### +# GTP Control Channle Preprocessor. For more information, see README.GTP +# preprocessor gtp: ports { 2123 3386 2152 } + # Inline packet normalization. For more information, see README.normalize # Does nothing in IDS mode preprocessor normalize_ip4 @@ -255,9 +285,9 @@ ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \ 161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \ 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \ - ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 5250 7907 7001 7802 7777 7779 \ + ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 \ 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \ - 7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 + 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 preprocessor stream5_udp: timeout 180 # performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor @@ -266,6 +296,7 @@ # HTTP normalization and anomaly detection. For more information, see README.http_inspect preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default \ + http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ chunk_length 500000 \ server_flow_depth 0 \ client_flow_depth 0 \ @@ -273,13 +304,16 @@ oversize_dir_length 500 \ max_header_length 750 \ max_headers 100 \ - ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 } \ + max_spaces 0 \ + small_chunk_length { 10 5 } \ + ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \ non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ enable_cookie \ extended_response_inspection \ inspect_gzip \ normalize_utf \ unlimited_decompress \ + normalize_javascript \ apache_whitespace no \ ascii no \ bare_byte no \ @@ -289,7 +323,7 @@ iis_delimiter no \ iis_unicode no \ multi_slash no \ - utf_8 no \ + utf_8 no \ u_encode yes \ webroot no @@ -412,7 +446,7 @@ preprocessor sensitive_data: alert_threshold 25 # SIP Session Initiation Protocol preprocessor. For more information see README.sip -preprocessor sip: max_sessions 10000, \ +preprocessor sip: max_sessions 40000, \ ports { 5060 5061 5600 }, \ methods { invite \ cancel \ @@ -442,7 +476,7 @@ max_to_len 256, \ max_via_len 1024, \ max_contact_len 512, \ - max_content_len 1024 + max_content_len 2048 # IMAP preprocessor. For more information see README.imap preprocessor imap: \ @@ -460,6 +494,22 @@ bitenc_decode_depth 0 \ uu_decode_depth 0 +# Modbus preprocessor. For more information see README.modbus +preprocessor modbus: ports { 502 } + +# DNP3 preprocessor. For more information see README.dnp3 +preprocessor dnp3: ports { 20000 } \ + memcap 262144 \ + check_crc + +# Reputation preprocessor. For more information see README.reputation +preprocessor reputation: \ + memcap 500, \ + priority whitelist, \ + nested_ip inner, \ + whitelist $WHITE_LIST_PATH/white_list.rules, \ + blacklist $BLACK_LIST_PATH/black_list.rules + ################################################### # Step #6: Configure output plugins # For more information, see Snort Manual, Configuring Snort - Output Modules @@ -512,6 +562,7 @@ include $RULE_PATH/dns.rules include $RULE_PATH/dos.rules include $RULE_PATH/exploit.rules +include $RULE_PATH/file-identify.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/icmp.rules @@ -581,12 +632,10 @@ # include $SO_RULE_PATH/multimedia.rules # include $SO_RULE_PATH/netbios.rules # include $SO_RULE_PATH/nntp.rules -# include $SO_RULE_PATH/pop3.rules # include $SO_RULE_PATH/p2p.rules # include $SO_RULE_PATH/smtp.rules # include $SO_RULE_PATH/snmp.rules # include $SO_RULE_PATH/specific-threats.rules -# include $SO_RULE_PATH/sql.rules # include $SO_RULE_PATH/web-activex.rules # include $SO_RULE_PATH/web-client.rules # include $SO_RULE_PATH/web-iis.rules

@@ -102,7 +102,6 @@ alert ( msg: "SMTP_ILLEGAL_CMD"; sid: 6; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; ) alert ( msg: "SMTP_HEADER_NAME_OVERFLOW"; sid: 7; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0105; ) alert ( msg: "SMTP_XLINK2STATE_OVERFLOW"; sid: 8; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; ) -alert ( msg: "SMTP_DECODE_MEMCAP_EXCEEDED"; sid: 9; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "SMTP_B64_DECODING_FAILED"; sid: 10; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "SMTP_QP_DECODING_FAILED"; sid: 11; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "SMTP_BITENC_DECODING_FAILED"; sid: 12; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) @@ -227,6 +226,7 @@ alert ( msg: "SIP_EVENT_INVALID_VERSION"; sid: 24; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_MISMATCH_METHOD"; sid: 25; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_UNKOWN_METHOD"; sid: 26; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_MAX_DIALOGS_IN_A_SESSION"; sid: 27; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) alert ( msg: "IMAP_MEMCAP_EXCEEDED"; sid: 3; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )

@@ -91,7 +91,7 @@ Name: %{realname}%{inlinetext} %{?_with_inline:%define Name: %{realname}-inline } -Version: 2.9.2.1 +Version: 2.9.2.2 Epoch: 1 Release: %{release} Summary: An open source Network Intrusion Detection System (NIDS)

@@ -375,7 +375,12 @@ // explicitly drop packet Active_ForceDropPacket(); - _Active_DoIgnoreSession(p); + switch ( GET_IPH_PROTO(p) ) + { + case IPPROTO_TCP: + case IPPROTO_UDP: + _Active_DoIgnoreSession(p); + } return 0; }

@@ -1 +1 @@ -#define BUILD "107" +#define BUILD "121"

@@ -26,6 +26,7 @@ #endif #include "snort.h" +#include "util.h" #include <sys/types.h> #include <stdlib.h> @@ -179,12 +180,8 @@ byte_array[bytes_to_grab] = '\0'; - *value = strtoul(byte_array, &parse_helper, base); - - if(byte_array == parse_helper) - { + if (SnortStrToU32(byte_array, &parse_helper, value, base) != 0) return -1; - } #ifdef TEST_BYTE_EXTRACT printf("[----]\n");

@@ -753,7 +753,6 @@ if ( Event_Enabled(DECODE_ETH_HDR_TRUNC) ) DecoderEvent(p, EVARGS(ETH_HDR_TRUNC), 1, 1); - p->iph = NULL; pc.discards++; pc.ethdisc++; PREPROC_PROFILE_END(decodePerfStats);

@@ -81,6 +81,7 @@ extern SnortConfig* snort_conf_for_parsing; static const char* MSG_KEY = "<>"; +static const char* MSG_PERCENT = "%"; static const char* DEFAULT_HTTP = "HTTP/1.1 403 Forbidden\r\n" @@ -312,6 +313,7 @@ static void React_GetPage (void) { char* msg; + char* percent_s; struct stat fs; FILE* fd; size_t n; @@ -345,6 +347,21 @@ s_page[n] = '\0'; msg = strstr(s_page, MSG_KEY); if ( msg ) strncpy(msg, "%s", 2); + + // search for % + percent_s = strstr(s_page, MSG_PERCENT); + if (percent_s) + { + percent_s += strlen(MSG_PERCENT); // move past current + // search for % again + percent_s = strstr(percent_s, MSG_PERCENT); + if (percent_s) + { + FatalError("react: %s(%d) can't specify more than one %%s or other " + "printf style formatting characters in react page '%s'.\n", + file_name, file_line, sc->react_page); + } + } } //--------------------------------------------------------------------

@@ -1061,6 +1061,8 @@ } DynamicRuleSessionData; static uint32_t so_rule_memory = 0; +/*Only only message will be logged within 60 seconds*/ +static ThrottleInfo error_throttleInfo = {0,60,0}; static void * DynamicRuleDataAlloc(size_t size) { @@ -1070,7 +1072,7 @@ if ((ScSoRuleMemcap() > 0) && (so_rule_memory + alloc_size) > ScSoRuleMemcap()) { - ErrorMessage("SO rule memcap exceeded: Wanted to allocate " + ErrorMessageThrottled(&error_throttleInfo,"SO rule memcap exceeded: Wanted to allocate " "%u bytes (and %d overhead) with memcap: %u and " "current memory: %u\n", (uint32_t)size, (int)sizeof(size_t), ScSoRuleMemcap(), so_rule_memory);

@@ -430,10 +430,15 @@ return RULE_NOMATCH; /* check if this rule only applies to reassembled */ - if ((flowFlags->flags & FLOW_ONLY_REASSEMBLED) && - !(sp->flags & FLAG_REBUILT_STREAM)) - return RULE_NOMATCH; - + if (flowFlags->flags & FLOW_ONLY_REASSEMBLED) + { + if ( !(sp->flags & FLAG_REBUILT_STREAM) +#ifdef ENABLE_PAF + && !PacketHasFullPDU(sp) +#endif + ) + return RULE_NOMATCH; + } /* check if this rule only applies to non-reassembled */ if ((flowFlags->flags & FLOW_IGNORE_REASSEMBLED) && (sp->flags & FLAG_REBUILT_STREAM))

@@ -171,12 +171,26 @@ } else if (byteData->flags & EXTRACT_AS_STRING) { + const uint8_t *space_ptr = cursor + byteData->offset; + if (byteData->bytes < 1 || byteData->bytes > (BYTE_STRING_LEN - 1)) { /* Log Error message */ return -2; } + // Only positive numbers should be processed and strtoul will + // eat up white space and process '-' and '+' so move past + // white space and check for a negative sign. + while ((space_ptr < (cursor + byteData->offset + byteData->bytes)) + && isspace((int)*space_ptr)) + space_ptr++; + + // If all spaces or a negative sign is found, return error. + if ((space_ptr == (cursor + byteData->offset + byteData->bytes)) + || (*space_ptr == '-')) + return -2; + if (byteData->flags & EXTRACT_AS_DEC) base = 10; else if (byteData->flags & EXTRACT_AS_HEX)

@@ -216,7 +216,8 @@ value = IS_IP6(pkt) ? ntohl(GET_IPH_ID(pkt)) : ntohs((uint16_t)GET_IPH_ID(pkt)); break; case IP_HDR_PROTO: - value = pkt->ip4_header->proto; + //value = pkt->ip4_header->proto; + value = GET_IPH_PROTO(pkt); break; case IP_HDR_FRAGBITS: return checkBits(optData->value, optData->op, ((ntohs(GET_IPH_OFF(pkt)) & 0xe000) & ~optData->mask_value)); @@ -225,10 +226,12 @@ value = ntohs(GET_IPH_OFF((pkt))) & 0x1FFF; break; case IP_HDR_TOS: - value = pkt->ip4_header->type_service; + //value = pkt->ip4_header->type_service; + value = GET_IPH_TOS(pkt); break; case IP_HDR_TTL: - value = pkt->ip4_header->time_to_live; + //value = pkt->ip4_header->time_to_live; + value = GET_IPH_TTL(pkt); break; case IP_HDR_OPTIONS: return checkOptions(optData->value, optData->op, pkt->ip_options, pkt->num_ip_options);

@@ -287,8 +287,8 @@ /* Reset tracker missed packets, since we've just * dealt with it */ - if (cot->missed_pkts) - cot->missed_pkts = 0; + cot->missed_pkts = 0; + DCE2_SsnClearMissedPkts(sd); } while (data_len > 0)

@@ -86,12 +86,43 @@ // Local function prototypes -static bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t, bool); +static inline bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t, bool); +static inline bool DCE2_PafAbort(void *, uint32_t); static PAF_Status DCE2_SmbPaf(void *, void **, const uint8_t *, uint32_t, uint32_t, uint32_t *); static PAF_Status DCE2_TcpPaf(void *, void **, const uint8_t *, uint32_t, uint32_t, uint32_t *); /********************************************************************* + * Function: DCE2_PafAbort() + * + * Purpose: Queries the dcerpc2 session data to see if paf abort + * flag is set. + * + * Arguments: + * void * - stream session pointer + * uint32_t - flags passed in to callback. + * Should have PKT_FROM_CLIENT or PKT_FROM_SERVER set. + * + * Returns: + * bool - true if missed packets, false if not + * + *********************************************************************/ +static inline bool DCE2_PafAbort(void *ssn, uint32_t flags) +{ + DCE2_SsnData *sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(ssn, PP_DCE2); + + if (sd != NULL) + { + if (DCE2_SsnPafAbort(sd)) + return true; + else if (!DCE2_SsnSeenClient(sd) && (flags & FLAG_FROM_SERVER)) + return true; + } + + return false; +} + +/********************************************************************* * Function: DCE2_PafSmbIsValidNetbiosHdr() * * Purpose: Validates that the NetBIOS header is valid. If in @@ -105,7 +136,7 @@ * bool - true if valid, false if not * *********************************************************************/ -static bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t nb_hdr, bool junk) +static inline bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t nb_hdr, bool junk) { uint8_t type = (uint8_t)(nb_hdr >> 24); uint8_t bit = (uint8_t)((nb_hdr & 0x00ff0000) >> 16); @@ -195,6 +226,12 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Start state: %u\n", ss->state)); + if (DCE2_PafAbort(ssn, flags)) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Aborting PAF\n")); + return PAF_ABORT; + } + while (n < len) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "data[n]: 0x%02x", data[n])); @@ -240,7 +277,8 @@ "staying in State 7.\n")); break; } - if ((uint32_t)ss->nb_hdr != DCE2_SMB_ID) + if (((uint32_t)ss->nb_hdr != DCE2_SMB_ID) + && ((uint32_t)ss->nb_hdr != DCE2_SMB2_ID)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Invalid SMB ID - " "staying in State 7.\n")); @@ -378,6 +416,12 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Start state: %u\n", ds->state)); start_state = (uint8_t)ds->state; // determines how many bytes already looked at + if (DCE2_PafAbort(ssn, flags)) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Aborting PAF\n")); + return PAF_ABORT; + } + while (n < len) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "data[n]: 0x%02x", data[n]));

@@ -40,9 +40,11 @@ DCE2_SSN_FLAG__NONE = 0x0000, DCE2_SSN_FLAG__SEEN_CLIENT = 0x0001, DCE2_SSN_FLAG__SEEN_SERVER = 0x0002, - DCE2_SSN_FLAG__MISSED_PKTS = 0x0004, - DCE2_SSN_FLAG__AUTODETECTED = 0x0008, - DCE2_SSN_FLAG__NO_INSPECT = 0x0010, + DCE2_SSN_FLAG__CLI_MISSED_PKTS = 0x0004, + DCE2_SSN_FLAG__SRV_MISSED_PKTS = 0x0008, + DCE2_SSN_FLAG__AUTODETECTED = 0x0010, + DCE2_SSN_FLAG__NO_INSPECT = 0x0020, + DCE2_SSN_FLAG__PAF_ABORT = 0x0040, DCE2_SSN_FLAG__ALL = 0xffff } DCE2_SsnFlag; @@ -62,11 +64,9 @@ uint32_t cli_seq; uint32_t cli_nseq; - uint32_t cli_missed_bytes; uint16_t cli_overlap_bytes; uint32_t srv_seq; uint32_t srv_nseq; - uint32_t srv_missed_bytes; uint16_t srv_overlap_bytes; tSfPolicyId policy_id; @@ -93,6 +93,11 @@ static inline void DCE2_SsnSetMissedPkts(DCE2_SsnData *); static inline int DCE2_SsnMissedPkts(DCE2_SsnData *); static inline void DCE2_SsnClearMissedPkts(DCE2_SsnData *); +#ifdef ENABLE_PAF +static inline bool DCE2_SsnIsPafActive(SFSnortPacket *); +static inline void DCE2_SsnSetPafAbort(DCE2_SsnData *); +static inline int DCE2_SsnPafAbort(DCE2_SsnData *); +#endif static inline void DCE2_SsnSetSeenClient(DCE2_SsnData *); static inline int DCE2_SsnSeenClient(DCE2_SsnData *); static inline void DCE2_SsnSetSeenServer(DCE2_SsnData *); @@ -102,9 +107,7 @@ static inline int DCE2_SsnAutodetectDir(DCE2_SsnData *); static inline void DCE2_SsnSetNoInspect(DCE2_SsnData *); static inline int DCE2_SsnNoInspect(DCE2_SsnData *sd); - static inline uint16_t DCE2_SsnGetOverlap(DCE2_SsnData *); -static inline uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd); /******************************************************************** * Function: DCE2_SsnIsEstablished() @@ -367,7 +370,10 @@ ********************************************************************/ static inline void DCE2_SsnSetMissedPkts(DCE2_SsnData *sd) { - sd->flags |= DCE2_SSN_FLAG__MISSED_PKTS; + if (DCE2_SsnFromClient(sd->wire_pkt)) + sd->flags |= DCE2_SSN_FLAG__CLI_MISSED_PKTS; + else + sd->flags |= DCE2_SSN_FLAG__SRV_MISSED_PKTS; } /******************************************************************** @@ -386,7 +392,10 @@ ********************************************************************/ static inline int DCE2_SsnMissedPkts(DCE2_SsnData *sd) { - return sd->flags & DCE2_SSN_FLAG__MISSED_PKTS; + if (DCE2_SsnFromClient(sd->wire_pkt)) + return sd->flags & DCE2_SSN_FLAG__CLI_MISSED_PKTS; + else + return sd->flags & DCE2_SSN_FLAG__SRV_MISSED_PKTS; } /******************************************************************** @@ -403,8 +412,67 @@ ********************************************************************/ static inline void DCE2_SsnClearMissedPkts(DCE2_SsnData *sd) { - sd->flags &= ~DCE2_SSN_FLAG__MISSED_PKTS; + if (DCE2_SsnFromClient(sd->wire_pkt)) + sd->flags &= ~DCE2_SSN_FLAG__CLI_MISSED_PKTS; + else + sd->flags &= ~DCE2_SSN_FLAG__SRV_MISSED_PKTS; +} + +#ifdef ENABLE_PAF +/******************************************************************** + * Function: DCE2_SsnIsPafActive() + * + * Purpose: Checks stream api to see if PAF is active for this side + * of the session. + * + * Arguments: + * DCE2_SsnData * - pointer to session data + * + * Returns: + * bool - true if paf is active + * false if not + * + ********************************************************************/ +static inline bool DCE2_SsnIsPafActive(SFSnortPacket *p) +{ + bool to_server = DCE2_SsnFromClient(p) ? true : false; + return _dpd.streamAPI->is_paf_active(p->stream_session_ptr, to_server); +} + +/******************************************************************** + * Function: DCE2_SsnSetPafAbort() + * + * Purpose: Sets paf abort flag + * + * Arguments: + * DCE2_SsnData * - pointer to session data + * + * Returns: None + * + ********************************************************************/ +static inline void DCE2_SsnSetPafAbort(DCE2_SsnData *sd) +{ + sd->flags |= DCE2_SSN_FLAG__PAF_ABORT; +} + +/******************************************************************** + * Function: DCE2_SsnPafAbort() + * + * Purpose: Checks paf abort flag + * + * Arguments: + * DCE2_SsnData * - pointer to session data + * + * Returns: + * int - non-zero if abort flag is set + * zero if abort flag not set + * + ********************************************************************/ +static inline int DCE2_SsnPafAbort(DCE2_SsnData *sd) +{ + return sd->flags & DCE2_SSN_FLAG__PAF_ABORT; } +#endif /******************************************************************** * Function: DCE2_SsnSetSeenClient() @@ -564,6 +632,9 @@ static inline void DCE2_SsnSetNoInspect(DCE2_SsnData *sd) { sd->flags |= DCE2_SSN_FLAG__NO_INSPECT; +#ifdef ENABLE_PAF + DCE2_SsnSetPafAbort(sd); +#endif } /******************************************************************** @@ -606,32 +677,6 @@ } return 0; -} - -/******************************************************************** - * Function: DCE2_SsnGetMissedBytes() - * - * Purpose: Returns the number of missed bytes. - * - * Arguments: - * DCE2_SsnData * - pointer to session data - * - * Returns: - * uint16_t - the number of overlapped bytes - * - ********************************************************************/ -static inline uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData *sd) -{ - if ((sd->cli_missed_bytes != 0) && DCE2_SsnFromClient(sd->wire_pkt)) - { - return sd->cli_missed_bytes; - } - else if ((sd->srv_missed_bytes != 0) && DCE2_SsnFromServer(sd->wire_pkt)) - { - return sd->srv_missed_bytes; - } - - return 0; } #endif /* _DCE2_SESSION_H_ */

@@ -386,40 +386,21 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Processing SMB packet.\n")); dce2_stats.smb_pkts++; - /* If we missed packets previously and couldn't autodetect, we've - * already reset for missed packets. If we can autodetect, move on */ - if (ssd->missed_pkts) + if (DCE2_SsnMissedPkts(&ssd->sd)) { - if (DCE2_SmbAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return; - - ssd->missed_pkts = 0; - } - else if (DCE2_SsnMissedPkts(&ssd->sd)) - { - uint32_t missed_bytes = DCE2_SsnGetMissedBytes(&ssd->sd); - - if (*ignore_bytes != 0) - { - if (*ignore_bytes > missed_bytes) - { - *ignore_bytes -= missed_bytes; - missed_bytes = 0; - } - else - { - *ignore_bytes = 0; - missed_bytes -= *ignore_bytes; - } - } + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Missed packets.\n")); DCE2_SmbResetForMissedPkts(ssd); - if ((missed_bytes != 0) && (DCE2_SmbAutodetect(p) == DCE2_TRANS_TYPE__NONE)) + if (DCE2_SmbAutodetect(p) == DCE2_TRANS_TYPE__NONE) { - ssd->missed_pkts = 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, + "Missing bytes and autodetect failed - not inspecting.\n")); return; } + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Autodetect succeeded - continue processing.\n")); + DCE2_SsnClearMissedPkts(&ssd->sd); } if (overlap_bytes != 0) @@ -727,8 +708,12 @@ while ((tmp_ptr + sizeof(uint32_t)) <= (data_ptr + data_len)) { - if (SmbId((SmbNtHdr *)tmp_ptr) == DCE2_SMB_ID) + if ((SmbId((SmbNtHdr *)tmp_ptr) == DCE2_SMB_ID) + || (SmbId((SmbNtHdr *)tmp_ptr) == DCE2_SMB2_ID)) + { break; + } + tmp_ptr++; } @@ -762,9 +747,12 @@ DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); int smb_com = SmbCom(smb_hdr); - /* Don't support SMB2 yet */ + /* XXX Don't support SMB2 yet */ if (SmbId(smb_hdr) == DCE2_SMB2_ID) + { + DCE2_SetNoInspect(&ssd->sd); return 0; + } /* See if this is something we need to inspect */ switch (smb_com) @@ -846,8 +834,21 @@ if (smb_type == SMB_TYPE__REQUEST) { - ssd->req_uid = SmbUid(smb_hdr); - ssd->req_tid = SmbTid(smb_hdr); + // Only relevant for Samba policies that allow for + // OpenAndX -> SessionSetupAndX + // OpenAndX -> TreeConnectAndX + switch (DCE2_ScPolicy(ssd->sd.sconfig)) + { + case DCE2_POLICY__SAMBA_3_0_20: + case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: + case DCE2_POLICY__SAMBA: + ssd->req_uid = SmbUid(smb_hdr); + ssd->req_tid = SmbTid(smb_hdr); + break; + default: + break; + } } /* Handle the command */ @@ -1984,7 +1985,7 @@ // to care, or even look at this flag } - if (SmbId(smb_hdr) != DCE2_SMB_ID) + if ((SmbId(smb_hdr) != DCE2_SMB_ID) && (SmbId(smb_hdr) != DCE2_SMB2_ID)) { if (is_seg_buf) DCE2_SmbSegAlert(ssd, DCE2_EVENT__SMB_BAD_ID); @@ -6900,8 +6901,16 @@ if (ssd == NULL) return; - DCE2_BufferEmpty(ssd->cli_seg.buf); - DCE2_BufferEmpty(ssd->srv_seg.buf); + if (DCE2_SsnFromClient(ssd->sd.wire_pkt)) + { + ssd->cli_ignore_bytes = 0; + DCE2_BufferEmpty(ssd->cli_seg.buf); + } + else + { + ssd->srv_ignore_bytes = 0; + DCE2_BufferEmpty(ssd->srv_seg.buf); + } ssd->req_uid = DCE2_SENTINEL; ssd->req_tid = DCE2_SENTINEL;

@@ -169,9 +169,6 @@ int chained_tc; /* Set if client and chained TreeConnect */ int last_open_fid; /* The last inserted fid from an OpenAndX or NtCreateAndX */ - /* Boolean for whether or not packets have been currently been missed */ - char missed_pkts; - } DCE2_SmbSsnData; /******************************************************************** @@ -216,8 +213,11 @@ if (p->payload_size > (sizeof(NbssHdr) + sizeof(SmbNtHdr))) { - if (SmbId(smb_hdr) == DCE2_SMB_ID) + if ((SmbId(smb_hdr) == DCE2_SMB_ID) + || (SmbId(smb_hdr) == DCE2_SMB2_ID)) + { return DCE2_TRANS_TYPE__SMB; + } } }

@@ -38,7 +38,9 @@ #define DCE2_SENTINEL -1 #define DCE2_MOVE(data_ptr, data_len, amount) \ - { data_ptr = (uint8_t *)data_ptr + (amount); data_len -= (amount); } + { int64_t dcexxxxxx = (amount); \ + data_ptr = (uint8_t *)data_ptr + dcexxxxxx; \ + data_len -= dcexxxxxx; } /******************************************************************** * Enumerations

@@ -86,11 +86,7 @@ static DCE2_TransType DCE2_GetTransport(SFSnortPacket *, const DCE2_ServerConfig *, int *); static DCE2_TransType DCE2_GetDetectTransport(SFSnortPacket *, const DCE2_ServerConfig *); static DCE2_TransType DCE2_GetAutodetectTransport(SFSnortPacket *, const DCE2_ServerConfig *); -static DCE2_Ret DCE2_ConfirmTransport(DCE2_SsnData *, SFSnortPacket *); - static DCE2_Ret DCE2_SetSsnState(DCE2_SsnData *, SFSnortPacket *); -static void DCE2_SetNoInspect(DCE2_SsnData *); - static void DCE2_SsnFree(void *); /********************************************************************* @@ -197,18 +193,8 @@ if (DCE2_SsnIsStreamInsert(p)) { -#if 0 #ifdef ENABLE_PAF - if (!_dpd.isPafEnabled()) -#endif - { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n")); - //DCE2_SsnFlush(p); // No need to flush since this is first data packet? - } -#endif - -#ifdef ENABLE_PAF - if (!_dpd.isPafEnabled() || !PacketHasFullPDU(p)) + if (!DCE2_SsnIsPafActive(p) || !PacketHasFullPDU(p)) #endif { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n")); @@ -282,7 +268,7 @@ if (DCE2_SsnIsStreamInsert(p)) { #ifdef ENABLE_PAF - if (!_dpd.isPafEnabled()) + if (!DCE2_SsnIsPafActive(p)) #endif { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n")); @@ -290,7 +276,7 @@ } #ifdef ENABLE_PAF - if (!_dpd.isPafEnabled() || !PacketHasFullPDU(p)) + if (!DCE2_SsnIsPafActive(p) || !PacketHasFullPDU(p)) #endif { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n")); @@ -325,13 +311,14 @@ DCE2_SsnClearAutodetected(sd); } + sd->wire_pkt = p; + if (IsTCP(p) && (DCE2_SetSsnState(sd, p) != DCE2_RET__SUCCESS)) { PREPROC_PROFILE_END(dce2_pstat_session); return DCE2_RET__NOT_INSPECTED; } - sd->wire_pkt = p; if (DCE2_PushPkt((void *)p) != DCE2_RET__SUCCESS) { DCE2_Log(DCE2_LOG_TYPE__ERROR, @@ -398,7 +385,7 @@ * Returns: * ********************************************************************/ -static void DCE2_SetNoInspect(DCE2_SsnData *sd) +void DCE2_SetNoInspect(DCE2_SsnData *sd) { if (sd == NULL) return; @@ -448,66 +435,64 @@ static DCE2_Ret DCE2_SetSsnState(DCE2_SsnData *sd, SFSnortPacket *p) { uint32_t pkt_seq = ntohl(p->tcp_header->sequence); + uint32_t pkt_ack = ntohl(p->tcp_header->acknowledgement); DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Payload size: %u\n", p->payload_size)); if (DCE2_SsnFromClient(p) && !DCE2_SsnSeenClient(sd)) { -#if 0 - // This code should be obsoleted by the junk data check in dce2_smb.c - - /* Check to make sure we can continue processing */ - if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS) + if (DCE2_SsnSeenServer(sd) && (sd->cli_seq != pkt_seq)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Couldn't confirm transport - " - "not inspecting\n")); - - sd->cli_seq = pkt_seq; - sd->cli_nseq = pkt_seq; - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial client => seq: %u, next seq: %u\n" - "Setting current and next to the same thing, since we're " - "not inspecting this packet.\n", sd->cli_seq, sd->cli_nseq)); - - return DCE2_RET__NOT_INSPECTED; - } + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + DCE2_SsnSetPafAbort(sd); #endif + } DCE2_SsnSetSeenClient(sd); - sd->cli_seq = pkt_seq; sd->cli_nseq = pkt_seq + p->payload_size; + if (!DCE2_SsnSeenServer(sd)) + { + sd->srv_seq = pkt_ack; + } + else + { + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + // Saw server before client, missing packets, abort PAF + DCE2_SsnSetPafAbort(sd); +#endif + } + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial client => seq: %u, next seq: %u\n", sd->cli_seq, sd->cli_nseq)); } else if (DCE2_SsnFromServer(p) && !DCE2_SsnSeenServer(sd)) { -#if 0 - // This code should be obsoleted by the junk data check in dce2_smb.c - - /* Check to make sure we can continue processing */ - if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS) + if (DCE2_SsnSeenClient(sd) && (sd->srv_seq != pkt_seq)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Couldn't confirm transport - " - "not inspecting\n")); - - sd->srv_seq = pkt_seq; - sd->srv_nseq = pkt_seq; - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial client => seq: %u, next seq: %u\n" - "Setting current and next to the same thing, since we're " - "not inspecting this packet.\n", sd->cli_seq, sd->cli_nseq)); - - return DCE2_RET__NOT_INSPECTED; - } + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + DCE2_SsnSetPafAbort(sd); #endif + } DCE2_SsnSetSeenServer(sd); - sd->srv_seq = pkt_seq; sd->srv_nseq = pkt_seq + p->payload_size; + if (!DCE2_SsnSeenClient(sd)) + { + sd->cli_seq = pkt_ack; + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + // Saw server before client, missing packets, abort PAF + DCE2_SsnSetPafAbort(sd); +#endif + } + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial server => seq: %u, next seq: %u\n", sd->srv_seq, sd->srv_nseq)); } @@ -515,14 +500,12 @@ { uint32_t *ssn_seq; uint32_t *ssn_nseq; - uint32_t *missed_bytes; uint16_t *overlap_bytes; if (DCE2_SsnFromClient(p)) { ssn_seq = &sd->cli_seq; ssn_nseq = &sd->cli_nseq; - missed_bytes = &sd->cli_missed_bytes; overlap_bytes = &sd->cli_overlap_bytes; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Client last => seq: %u, next seq: %u\n", @@ -534,7 +517,6 @@ { ssn_seq = &sd->srv_seq; ssn_nseq = &sd->srv_nseq; - missed_bytes = &sd->srv_missed_bytes; overlap_bytes = &sd->srv_overlap_bytes; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Server last => seq: %u, next seq: %u\n", @@ -553,7 +535,16 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Next expected sequence number (%u) is less than " "this sequence number (%u).\n", *ssn_nseq, pkt_seq)); + dce2_stats.missed_bytes += (pkt_seq - *ssn_nseq); + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Missed %u bytes.\n", (pkt_seq - *ssn_nseq))); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Currently missing %u bytes.\n", + dce2_stats.missed_bytes)); + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + DCE2_SsnSetPafAbort(sd); +#endif } else { @@ -563,9 +554,6 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Overlap => seq: %u, next seq: %u\n", pkt_seq, pkt_seq + p->payload_size)); - if (DCE2_SsnMissedPkts(sd)) - DCE2_SsnClearMissedPkts(sd); - /* Do what we can and take the difference and only inspect what we * haven't already inspected */ if ((pkt_seq + p->payload_size) > *ssn_nseq @@ -585,36 +573,6 @@ DCE2_DEBUG_CODE(DCE2_DEBUG__MAIN, DCE2_PrintPktData(p->payload, p->payload_size);); } - else if (DCE2_SsnMissedPkts(sd)) - { - DCE2_SsnClearMissedPkts(sd); - } - - if (DCE2_SsnMissedPkts(sd)) - { - *missed_bytes += (pkt_seq - *ssn_nseq); - dce2_stats.missed_bytes += (pkt_seq - *ssn_nseq); - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Missed %u bytes.\n", (pkt_seq - *ssn_nseq))); - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Currently missing %u bytes.\n", *missed_bytes)); - - if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS) - { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Couldn't confirm transport - " - "not inspecting\n")); - - *ssn_seq = pkt_seq; - *ssn_nseq = pkt_seq + p->payload_size; - - return DCE2_RET__NOT_INSPECTED; - } - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Autodetected - continue to inspect.\n")); - } - else if (*missed_bytes != 0) - { - *missed_bytes = 0; - } *ssn_seq = pkt_seq; *ssn_nseq = pkt_seq + p->payload_size; @@ -819,98 +777,6 @@ } /********************************************************************* - * Function: DCE2_ConfirmTransport() - * - * Called when we're not sure where we are, e.g. because of missed - * packets. This function makes sure we can process this packet, with - * a decent amount of certainty, avoiding false positives. - * - * Arguments: - * SFSnortPacket * - * Pointer to packet structure. - * DCE2_TransType - * The transport to check. - * - * Returns: - * DCE2_Ret - * DCE2_RET__SUCCESS if we can autodetect the transport for - * which the session was created. - * DCE2_RET__ERROR if we can't autodetect the transport for - * which the session was created. - * - *********************************************************************/ -static DCE2_Ret DCE2_ConfirmTransport(DCE2_SsnData *sd, SFSnortPacket *p) -{ - if (IsTCP(p)) - { - switch (sd->trans) - { - case DCE2_TRANS_TYPE__SMB: - if (DCE2_SmbAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - break; - - case DCE2_TRANS_TYPE__TCP: - if (DCE2_TcpAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - break; - - case DCE2_TRANS_TYPE__HTTP_SERVER: - if (!DCE2_SsnSeenServer(sd) && DCE2_SsnFromServer(p)) - { - if (DCE2_HttpAutodetectServer(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - } - else if (DCE2_SsnSeenServer(sd) && DCE2_SsnSeenClient(sd)) - { - if (DCE2_TcpAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - } - - break; - - case DCE2_TRANS_TYPE__HTTP_PROXY: - if (!DCE2_SsnSeenClient(sd) && DCE2_SsnFromClient(p)) - { - if (DCE2_HttpAutodetectProxy(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - } - else if (DCE2_SsnSeenServer(sd) && DCE2_SsnSeenClient(sd)) - { - if (DCE2_TcpAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - } - - break; - - default: - DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Invalid transport type: %d", - __FILE__, __LINE__, sd->trans); - return DCE2_RET__ERROR; - } - } - else /* it's UDP */ - { - switch (sd->trans) - { - case DCE2_TRANS_TYPE__UDP: - if (DCE2_UdpAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - break; - - default: - DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Invalid transport type: %d", - __FILE__, __LINE__, sd->trans); - return DCE2_RET__ERROR; - } - } - - return DCE2_RET__SUCCESS; -} - -/********************************************************************* * Function: DCE2_InitRpkts() * * Purpose: Allocate and initialize reassembly packets.

@@ -74,6 +74,7 @@ void DCE2_Detect(DCE2_SsnData *); uint16_t DCE2_GetRpktMaxData(DCE2_SsnData *, DCE2_RpktType); void DCE2_FreeGlobals(void); +void DCE2_SetNoInspect(DCE2_SsnData *); /******************************************************************** * Inline function prototypes

@@ -330,9 +330,17 @@ static void _addPortsToStream5(char *, tSfPolicyId, int); static void _addFtpServerConfPortsToStream5(void *); +char* mystrtok (char* s, const char* delim) +{ + static char* last = NULL; + if ( s || last ) + last = strtok(s, delim); + return last; +} + char *NextToken(char *delimiters) { - char *retTok = strtok(NULL, delimiters); + char *retTok = mystrtok(NULL, delimiters); if (retTok > maxToken) return NULL; @@ -2679,7 +2687,7 @@ { //list begin token matched ip_list = 1; - if ((pIpAddressList = strtok(NULL, END_IPADDR_LIST)) == NULL) + if ((pIpAddressList = mystrtok(NULL, END_IPADDR_LIST)) == NULL) { snprintf(ErrorString, ErrStrLen, "Invalid IP Address list in '%s' token.", CLIENT); @@ -3188,7 +3196,7 @@ char firstIpAddress = 1; FTP_SERVER_PROTO_CONF *new_server_conf = NULL; char *ConfigParseResumePtr = NULL; - char *unused; /* For unused token gotten from strtok */ + char *unused; /* For unused token gotten from mystrtok */ char ip_list = 0; FTP_SERVER_PROTO_CONF *ftp_conf = NULL; @@ -3209,7 +3217,7 @@ { //list begin token matched ip_list = 1; - if ((pIpAddressList = strtok(NULL, END_IPADDR_LIST)) == NULL) + if ((pIpAddressList = mystrtok(NULL, END_IPADDR_LIST)) == NULL) { snprintf(ErrorString, ErrStrLen, "Invalid IP Address list in '%s' token.", SERVER); @@ -3348,7 +3356,7 @@ char *default_conf_str = DefaultConf(&default_conf_len); maxToken = default_conf_str + default_conf_len; - default_client = strtok(default_conf_str, CONF_SEPARATORS); + default_client = mystrtok(default_conf_str, CONF_SEPARATORS); iRet = ProcessFTPServerOptions(ftp_conf, ErrorString, ErrStrLen); @@ -3361,10 +3369,10 @@ } } - /* Okay, now we need to reset the strtok pointers so we can process + /* Okay, now we need to reset the mystrtok pointers so we can process * the specific server configuration. Quick hack/trick here: reset - * the end of the client string to a conf separator, then call strtok. - * That will reset strtok's internal pointer to the next token after + * the end of the client string to a conf separator, then call mystrtok. + * That will reset mystrtok's internal pointer to the next token after * the client name, which is what we're expecting it to be. */ if (ConfigParseResumePtr < maxToken) @@ -3375,7 +3383,7 @@ else *ConfigParseResumePtr-- = CONF_SEPARATORS[0]; - unused = strtok(ConfigParseResumePtr, CONF_SEPARATORS); + unused = mystrtok(ConfigParseResumePtr, CONF_SEPARATORS); iRet = ProcessFTPServerOptions(ftp_conf, ErrorString, ErrStrLen); if (iRet < 0) {

@@ -208,6 +208,8 @@ * */ +extern char* mystrtok (char* s, const char* delim); + static void FTPTelnetInit(char *args) { char *pcToken; @@ -227,10 +229,10 @@ /* Find out what is getting configured */ maxToken = args + strlen(args); - pcToken = strtok(args, CONF_SEPARATORS); + pcToken = mystrtok(args, CONF_SEPARATORS); if (pcToken == NULL) { - DynamicPreprocessorFatalMessage("%s(%d)strtok returned NULL when it " + DynamicPreprocessorFatalMessage("%s(%d)mystrtok returned NULL when it " "should not.", __FILE__, __LINE__); } @@ -464,10 +466,10 @@ /* Find out what is getting configured */ maxToken = args + strlen(args); - pcToken = strtok(args, CONF_SEPARATORS); + pcToken = mystrtok(args, CONF_SEPARATORS); if (pcToken == NULL) { - DynamicPreprocessorFatalMessage("%s(%d)strtok returned NULL when it " + DynamicPreprocessorFatalMessage("%s(%d)mystrtok returned NULL when it " "should not.", __FILE__, __LINE__); }

@@ -658,4 +658,5 @@ } } } + free(session); }

@@ -398,6 +398,7 @@ pop_ssn->state = STATE_UNKNOWN; pop_ssn->data_state = STATE_DATA_INIT; + pop_ssn->prev_response = 0; pop_ssn->state_flags = 0; ClearEmailDecodeState(pop_ssn->decode_state); memset(&pop_ssn->mime_boundary, 0, sizeof(POPMimeBoundary)); @@ -439,6 +440,7 @@ pop_ssn = ssn; SetPopBuffers(ssn); + ssn->prev_response = 0; _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_POP, ssn, &POP_SessionFree); @@ -856,6 +858,7 @@ /* calculate length of command line */ cmd_line_len = eol - ptr; + /* TODO If the end of line marker coincides with the end of payload we can't be * sure that we got a command and not a substring which we could tell through * inspection of the next packet. Maybe a command pending state where the first @@ -1440,7 +1443,10 @@ if(tmp != NULL) pop_ssn->state = STATE_DATA; else + { + pop_ssn->prev_response = RESP_OK; pop_ssn->state = STATE_UNKNOWN; + } break; default: @@ -1450,16 +1456,19 @@ } else { - if(*ptr == '+' ) + if(pop_ssn->prev_response == RESP_OK) { - POP_GenerateAlert(POP_UNKNOWN_RESP, "%s", POP_UNKNOWN_RESP_STR); - DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response not found\n");); + { + pop_ssn->state = STATE_DATA; + pop_ssn->prev_response = 0; + continue; + } } - else + else if(*ptr == '+') { - DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response description\n");); + POP_GenerateAlert(POP_UNKNOWN_RESP, "%s", POP_UNKNOWN_RESP_STR); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response not found\n");); } - } ptr = eol;

@@ -130,7 +130,7 @@ typedef enum _POPRespEnum { - RESP_OK = 0, + RESP_OK = 1, RESP_ERR, RESP_LAST @@ -180,6 +180,7 @@ typedef struct _POP { int state; + int prev_response; int data_state; int state_flags; int session_flags;

@@ -45,6 +45,7 @@ * Default values for configurable parameters. */ #define SIP_DEFAULT_MAX_SESSIONS 10000 +#define SIP_DEFAULT_MAX_DIALOGS_IN_SESSION 4 #define SIP_DEFAULT_MAX_URI_LEN 256 #define SIP_DEFAULT_MAX_CALL_ID_LEN 256 #define SIP_DEFAULT_MAX_REQUEST_NAME_LEN 20 @@ -59,6 +60,8 @@ */ #define MIN_MAX_NUM_SESSION 1024 #define MAX_MAX_NUM_SESSION 4194303 +#define MIN_MAX_NUM_DIALOG 1 +#define MAX_MAX_NUM_DIALOG 4194303 #define MIN_MAX_URI_LEN 0 #define MAX_MAX_URI_LEN 65535 #define MIN_MAX_CALL_ID_LEN 0 @@ -81,6 +84,7 @@ #define SIP_DISABLED_KEYWORD "disabled" #define SIP_PORTS_KEYWORD "ports" #define SIP_MAX_SESSION_KEYWORD "max_sessions" +#define SIP_MAX_DIALOG_KEYWORD "max_dialogs" #define SIP_METHODS_KEYWORD "methods" #define SIP_MAX_URI_LEN_KEYWORD "max_uri_len" #define SIP_MAX_CALL_ID_LEN_KEYWORD "max_call_id_len" @@ -178,6 +182,11 @@ config->maxNumSessions == SIP_DEFAULT_MAX_SESSIONS ? "(Default)" : "" ); + _dpd.logMsg(" Max number of dialogs in a session: %d %s \n", + config->maxNumDialogsInSession, + config->maxNumDialogsInSession + == SIP_DEFAULT_MAX_DIALOGS_IN_SESSION ? + "(Default)" : "" ); _dpd.logMsg(" Status: %s\n", config->disabled ? "DISABLED":"ENABLED"); @@ -544,6 +553,7 @@ if (config == NULL) return; config->maxNumSessions = SIP_DEFAULT_MAX_SESSIONS; + config->maxNumDialogsInSession = SIP_DEFAULT_MAX_DIALOGS_IN_SESSION; config->maxUriLen = SIP_DEFAULT_MAX_URI_LEN; config->maxCallIdLen = SIP_DEFAULT_MAX_CALL_ID_LEN; config->maxRequestNameLen = SIP_DEFAULT_MAX_REQUEST_NAME_LEN; @@ -620,6 +630,14 @@ MIN_MAX_NUM_SESSION, MAX_MAX_NUM_SESSION); } + else if ( !strcmp( cur_tokenp, SIP_MAX_DIALOG_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxNumDialogsInSession = (uint32_t)ParseNumInRange(cur_tokenp, + SIP_MAX_DIALOG_KEYWORD, + MIN_MAX_NUM_DIALOG, + MAX_MAX_NUM_DIALOG); + } else if ( !strcmp( cur_tokenp, SIP_MAX_URI_LEN_KEYWORD )) { cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS);

@@ -111,6 +111,7 @@ { uint8_t disabled; uint32_t maxNumSessions; + uint32_t maxNumDialogsInSession; uint8_t ports[MAXPORTS/8]; uint32_t methodsConfig; SIPMethodlist methods;

@@ -77,7 +77,7 @@ /*If dialog not exist, create one */ if((NULL == dialog)&&(SIP_METHOD_CANCEL != sipMsg->methodFlag)) { - dialog = SIP_addDialog(sipMsg, *dList, dList); + dialog = SIP_addDialog(sipMsg, dList->head, dList); } methodFlag = sipMsg->methodFlag; @@ -583,21 +583,21 @@ if (NULL != currDialog->prevD) currDialog->prevD->nextD = dialog; else - *dList = dialog; // become the head + dList->head = dialog; // become the head currDialog->prevD = dialog; } else { // The first dialog dialog->prevD = NULL; - *dList = dialog; + dList->head = dialog; } dialog->dlgID = sipMsg->dlgID; dialog->creator = sipMsg->methodFlag; dialog->state = SIP_DLG_CREATE; SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); - + dList->num_dialogs++; return dialog; } @@ -625,7 +625,7 @@ { if(NULL != currDialog->nextD) currDialog->nextD->prevD = NULL; - *dList = currDialog->nextD; + dList->head = currDialog->nextD; } else { @@ -635,6 +635,8 @@ } sip_freeMediaList(currDialog->mediaSessions); free(currDialog); + if( dList->num_dialogs > 0) + dList->num_dialogs--; return SIP_SUCCESS; } /******************************************************************** @@ -654,6 +656,7 @@ int SIP_updateDialog(SIPMsg *sipMsg, SIP_DialogList *dList, SFSnortPacket *p) { SIP_DialogData* dialog; + SIP_DialogData* oldDialog = NULL; int ret; if ((NULL == sipMsg)||(0 == sipMsg->dlgID.callIdHash)) @@ -661,7 +664,8 @@ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Updating Dialog id: %u, From: %u, To: %u\n", sipMsg->dlgID.callIdHash,sipMsg->dlgID.fromTagHash,sipMsg->dlgID.toTagHash)); - dialog = *dList; + + dialog = dList->head; /*Find out the dialog in the dialog list*/ @@ -676,9 +680,17 @@ break; } + oldDialog = dialog; dialog = dialog->nextD; } + /*If the number of dialogs exceeded, release the oldest one*/ + if((dList->num_dialogs >= sip_eval_config->maxNumDialogsInSession) && (!dialog)) + { + ALERT(SIP_EVENT_MAX_DIALOGS_IN_A_SESSION, SIP_EVENT_MAX_DIALOGS_IN_A_SESSION_STR); + SIP_deleteDialog(oldDialog, dList); + } + /*Update the dialog information*/ if (sipMsg->status_code == 0) @@ -704,10 +716,10 @@ * Returns: None * ********************************************************************/ -void sip_freeDialogs (SIP_DialogList list) +void sip_freeDialogs (SIP_DialogList *list) { SIP_DialogData *nextNode; - SIP_DialogData *curNode = list; + SIP_DialogData *curNode = list->head; while (NULL != curNode) {

@@ -29,6 +29,6 @@ #include "spp_sip.h" int SIP_updateDialog(SIPMsg *sipMsg, SIP_DialogList *dList, SFSnortPacket *p); -void sip_freeDialogs (SIP_DialogList list); +void sip_freeDialogs (SIP_DialogList *list); #endif /* SIP_DIALOG_H_ */

@@ -400,12 +400,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "method: %.*s\n", msg->methodLen, msg->method)); method = SIP_FindMethod (sip_eval_config->methods, msg->method, msg->methodLen); - if (NULL == method) - { - ALERT(SIP_EVENT_UNKOWN_METHOD, SIP_EVENT_UNKOWN_METHOD_STR); - return SIP_FAILURE; - } - else + if (method) { msg->methodFlag = method->methodFlag; DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found the method: %s, Flag: 0x%x\n", method->methodName, method->methodFlag)); @@ -436,9 +431,13 @@ ALERT(SIP_EVENT_INVALID_VERSION,SIP_EVENT_INVALID_VERSION_STR); } + if (NULL == method) + { + ALERT(SIP_EVENT_UNKOWN_METHOD, SIP_EVENT_UNKOWN_METHOD_STR); + return SIP_FAILURE; + } } - return SIP_SUCCESS; } /******************************************************************** @@ -1178,7 +1177,7 @@ start = nextIndex; msg->bodyLen = end - start; /*Disable this check for TCP. Revisit this again when PAF enabled for SIP*/ - if((!msg->isTcp)&&(msg->content_len != msg->bodyLen)) + if((!msg->isTcp)&&(msg->content_len > msg->bodyLen)) ALERT(SIP_EVENT_MISMATCH_CONTENT_LEN,SIP_EVENT_MISMATCH_CONTENT_LEN_STR); if (msg->content_len < msg->bodyLen) @@ -1193,10 +1192,16 @@ // Find out whether multiple SIP messages in this packet /*Disable this check for TCP. Revisit this again when PAF enabled for SIP*/ - if ((!msg->isTcp) && (nextIndex < end)) + if ((!msg->isTcp) && (msg->content_len < msg->bodyLen)) { - if (SIP_SUCCESS == sip_startline_parse(msg, nextIndex, end, &nextIndex)) + if (SIP_SUCCESS == sip_startline_parse(msg, start + msg->content_len, end, &nextIndex)) + { ALERT(SIP_EVENT_MULTI_MSGS,SIP_EVENT_MULTI_MSGS_STR); + } + else + { + ALERT(SIP_EVENT_MISMATCH_CONTENT_LEN,SIP_EVENT_MISMATCH_CONTENT_LEN_STR); + } } return status; }

@@ -545,7 +545,7 @@ numSessions--; /*Free all the dialog data*/ - sip_freeDialogs(ssn->dialogs); + sip_freeDialogs(&ssn->dialogs); /*Clean the configuration data*/ if (ssn->config != NULL)

@@ -111,7 +111,11 @@ struct _SIP_DialogData *prevD; } SIP_DialogData; -typedef SIP_DialogData* SIP_DialogList; +typedef struct _SIP_DialogList +{ + SIP_DialogData* head; + uint32_t num_dialogs; +}SIP_DialogList; /* * Per-session data block containing current state @@ -218,6 +222,7 @@ #define SIP_EVENT_INVALID_VERSION 24 #define SIP_EVENT_MISMATCH_METHOD 25 #define SIP_EVENT_UNKOWN_METHOD 26 +#define SIP_EVENT_MAX_DIALOGS_IN_A_SESSION 27 /* * SIP preprocessor alert strings. @@ -248,6 +253,7 @@ #define SIP_EVENT_INVALID_VERSION_STR "(spp_sip) SIP version is invalid" #define SIP_EVENT_MISMATCH_METHOD_STR "(spp_sip) Mismatch in METHOD of request and the CSEQ header" #define SIP_EVENT_UNKOWN_METHOD_STR "(spp_sip) Method is unknown" +#define SIP_EVENT_MAX_DIALOGS_IN_A_SESSION_STR "(spp_sip) Maximum dialogs within a session reached" #define MAX_STAT_CODE 999 #define MIN_STAT_CODE 100

@@ -32,6 +32,7 @@ #define __SMTP_CONFIG_H__ #include "sfPolicyUserData.h" +#include "sf_email_attach_decode.h" #define CONF_SEPARATORS " \t\n\r" #define CONF_PORTS "ports" #define CONF_INSPECTION_TYPE "inspection_type" @@ -178,6 +179,19 @@ } SMTPConfig; +typedef struct _SMTP_Stats +{ + uint64_t sessions; + uint64_t conc_sessions; + uint64_t max_conc_sessions; + uint64_t memcap_exceeded; + uint64_t attachments[DECODE_ALL]; + uint64_t decoded_bytes[DECODE_ALL]; + +} SMTP_Stats; + +extern SMTP_Stats smtp_stats; + /* Function prototypes */ void SMTP_ParseArgs(SMTPConfig *, char *); void SMTP_PrintConfig(SMTPConfig *config);

@@ -216,6 +216,8 @@ if(log_avail <= 0 || !alt_buf) return -1; + else if(log_avail < length) + length = log_avail; if ( *alt_len > 0 && ((*alt_len + 1) < alt_size)) { @@ -248,6 +250,7 @@ if( tmp != NULL ) { smtp_ssn->decode_state->decode_type = DECODE_B64; + smtp_stats.attachments[DECODE_B64]++; return; } } @@ -258,6 +261,7 @@ if( tmp != NULL ) { smtp_ssn->decode_state->decode_type = DECODE_QP; + smtp_stats.attachments[DECODE_QP]++; return; } } @@ -268,6 +272,7 @@ if( tmp != NULL ) { smtp_ssn->decode_state->decode_type = DECODE_UU; + smtp_stats.attachments[DECODE_UU]++; return; } } @@ -275,6 +280,7 @@ if(smtp_ssn->decode_state->bitenc_state.depth > -1) { smtp_ssn->decode_state->decode_type = DECODE_BITENC; + smtp_stats.attachments[DECODE_BITENC]++; return; }

@@ -267,7 +267,7 @@ } else { - SMTP_GenerateAlert(SMTP_DECODE_MEMCAP_EXCEEDED, "%s", SMTP_DECODE_MEMCAP_EXCEEDED_STR); + smtp_stats.memcap_exceeded++; } } } @@ -305,6 +305,12 @@ } } +static inline void SMTP_UpdateDecodeStats(Email_DecodeState *ds) +{ + smtp_stats.decoded_bytes[ds->decode_type] += ds->decoded_bytes; +} + + void SMTP_InitCmds(SMTPConfig *config) { @@ -571,6 +577,10 @@ ssn->policy_id = policy_id; ssn->config = smtp_config; pPolicyConfig->ref_count++; + smtp_stats.sessions++; + smtp_stats.conc_sessions++; + if(smtp_stats.max_conc_sessions < smtp_stats.conc_sessions) + smtp_stats.max_conc_sessions = smtp_stats.conc_sessions; return ssn; } @@ -755,6 +765,8 @@ } free(smtp); + if(smtp_stats.conc_sessions) + smtp_stats.conc_sessions--; } @@ -1432,6 +1444,7 @@ } _dpd.detect(p); smtp_ssn->state_flags &= ~SMTP_FLAG_MULTIPLE_EMAIL_ATTACH; + SMTP_UpdateDecodeStats(smtp_ssn->decode_state); ResetEmailDecodeState(smtp_ssn->decode_state); p->flags |=FLAG_ALLOW_MULTIPLE_DETECT; /* Reset the log count when a packet goes through detection multiple times */ @@ -1461,6 +1474,7 @@ if(smtp_ssn->decode_state != NULL) { _dpd.setFileDataPtr(smtp_ssn->decode_state->decodePtr, (uint16_t)smtp_ssn->decode_state->decoded_bytes); + SMTP_UpdateDecodeStats(smtp_ssn->decode_state); ResetDecodedBytes(smtp_ssn->decode_state); }

@@ -84,8 +84,8 @@ #define SetupSMTP DYNAMIC_PREPROC_SETUP MemPool *smtp_mime_mempool = NULL; +SMTP_Stats smtp_stats; MemPool *smtp_mempool = NULL; - tSfPolicyUserContextId smtp_config = NULL; SMTPConfig *smtp_eval_config = NULL; @@ -99,6 +99,7 @@ static void SMTPResetStatsFunction(int, void *); static void _addPortsToStream5Filter(SMTPConfig *, tSfPolicyId); static void SMTP_RegXtraDataFuncs(SMTPConfig *config); +static void SMTP_PrintStats(int); #ifdef TARGET_BASED static void _addServicesToStream5Filter(tSfPolicyId); #endif @@ -176,6 +177,7 @@ /* _dpd.addPreproc(SMTPDetect, PRIORITY_APPLICATION, PP_SMTP, PROTO_BIT__TCP);*/ _dpd.addPreprocExit(SMTPCleanExitFunction, NULL, PRIORITY_LAST, PP_SMTP); _dpd.addPreprocReset(SMTPResetFunction, NULL, PRIORITY_LAST, PP_SMTP); + _dpd.registerPreprocStats(SMTP_PROTO_REF_STR, SMTP_PrintStats); _dpd.addPreprocResetStats(SMTPResetStatsFunction, NULL, PRIORITY_LAST, PP_SMTP); _dpd.addPreprocConfCheck(SMTPCheckConfig); @@ -517,6 +519,27 @@ } } + +static void SMTP_PrintStats(int exiting) +{ + _dpd.logMsg("SMTP Preprocessor Statistics\n"); + _dpd.logMsg(" Total sessions : "STDu64"\n", smtp_stats.sessions); + _dpd.logMsg(" Max concurrent sessions : "STDu64"\n", smtp_stats.max_conc_sessions); + if (smtp_stats.sessions > 0) + { + _dpd.logMsg(" Base64 attachments decoded : "STDu64"\n", smtp_stats.attachments[DECODE_B64]); + _dpd.logMsg(" Total Base64 decoded bytes : "STDu64"\n", smtp_stats.decoded_bytes[DECODE_B64]); + _dpd.logMsg(" Quoted-Printable attachments decoded : "STDu64"\n", smtp_stats.attachments[DECODE_QP]); + _dpd.logMsg(" Total Quoted decoded bytes : "STDu64"\n", smtp_stats.decoded_bytes[DECODE_QP]); + _dpd.logMsg(" UU attachments decoded : "STDu64"\n", smtp_stats.attachments[DECODE_UU]); + _dpd.logMsg(" Total UU decoded bytes : "STDu64"\n", smtp_stats.decoded_bytes[DECODE_UU]); + _dpd.logMsg(" Bit/Binary/Text attachments extracted : "STDu64"\n", smtp_stats.attachments[DECODE_BITENC]); + _dpd.logMsg(" Total Bit/Binary/Text bytes extracted : "STDu64"\n", smtp_stats.decoded_bytes[DECODE_BITENC]); + if ( smtp_stats.memcap_exceeded ) + _dpd.logMsg(" Sessions not decoded due to memory unavailability : "STDu64"\n", smtp_stats.memcap_exceeded); + } + +} #ifdef SNORT_RELOAD static void SMTPReload(char *args)

@@ -34,6 +34,7 @@ #include <dnet.h> #endif +#include "assert.h" #include "encode.h" #include "sfdaq.h" #include "sf_iph.h" @@ -44,11 +45,14 @@ #define GET_TCP_HDR_LEN(h) (((h)->th_offx2 & 0xf0) >> 2) #define SET_TCP_HDR_LEN(h, n) (h)->th_offx2 = ((n << 2) & 0xF0) +#define MIN_TTL 64 #define MAX_TTL 255 + #define ICMP_UNREACH_DATA 8 // (per RFC 792) #define IP_ID_COUNT 8192 -static uint8_t *dst_mac = NULL; +static uint8_t* dst_mac = NULL; +Packet* encode_pkt = NULL; static inline int IsIcmp (int type) { @@ -85,7 +89,9 @@ #define FORWARD(e) (e->flags & ENC_FLAG_FWD) #define REVERSE(f) (!(f & ENC_FLAG_FWD)) -#define PKT_SZ (ETHERNET_HEADER_LEN + VLAN_HEADER_LEN + IP_MAXPACKET) +// PKT_MAX is sized to ensure that any reassembled packet +// can accommodate a full datagram at innermost layer +#define PKT_MAX (ETHERNET_HEADER_LEN + VLAN_HEADER_LEN + ETHERNET_MTU + IP_MAXPACKET) // all layer encoders look like this: typedef ENC_STATUS (*Encoder)(EncState*, Buffer* in, Buffer* out); @@ -182,6 +188,9 @@ enc.ip_len = 0; enc.proto = 0; + if ( encode_pkt ) + p = encode_pkt; + return Encode_Packet(&enc, p, len); } @@ -201,6 +210,9 @@ enc.ip_len = 0; enc.proto = 0; + if ( encode_pkt ) + p = encode_pkt; + return Encode_Packet(&enc, p, len); } @@ -272,9 +284,8 @@ c->data = lyr->start + lyr->length; len = c->data - c->pkt; - // should actually be max less specific layers - // but this is a safe limit - c->max_dsize = IP_MAXPACKET - len; + assert(len < PKT_MAX - IP_MAXPACKET); + c->max_dsize = IP_MAXPACKET; c->proto_bits = p->proto_bits; c->packet_flags |= PKT_PSEUDO; @@ -343,7 +354,7 @@ Packet* Encode_New () { Packet* p = SnortAlloc(sizeof(*p)); - uint8_t* b = SnortAlloc(sizeof(*p->pkth) + PKT_SZ + SPARC_TWIDDLE); + uint8_t* b = SnortAlloc(sizeof(*p->pkth) + PKT_MAX + SPARC_TWIDDLE); if ( !p || !b ) FatalError("Encode_New() => Failed to allocate packet\n"); @@ -371,7 +382,7 @@ // private implementation stuff //------------------------------------------------------------------------- -static uint8_t s_pkt[ETHERNET_HEADER_LEN+VLAN_HEADER_LEN+IP_MAXPACKET]; +static uint8_t s_pkt[PKT_MAX]; static const uint8_t* Encode_Packet( EncState* enc, const Packet* p, uint32_t* len) @@ -511,6 +522,8 @@ uint8_t new_ttl = GetTTL(enc); if ( !new_ttl ) new_ttl = ( MAX_TTL - ttl ); + if ( new_ttl < MIN_TTL ) + new_ttl = MIN_TTL; return new_ttl; } @@ -934,6 +947,9 @@ ho->th_flags = TH_RST | TH_ACK; } + // in case of ip6 extension headers, this gets next correct + enc->proto = IPPROTO_TCP; + // we don't need to set th_sum here because dnet's // ip_checksum() sets both IP and TCP checksums and // ip6_checksum() sets the TCP checksum.

@@ -28,6 +28,8 @@ #include "decode.h" +extern Packet *encode_pkt; + void Encode_Init(void); void Encode_Term(void); @@ -74,5 +76,21 @@ // Set the destination MAC address void Encode_SetDstMAC(uint8_t* ); +static inline void Encode_SetPkt(Packet* p) +{ + encode_pkt = p; +} + +static inline Packet* Encode_GetPkt(void) +{ + return encode_pkt; +} + +static inline void Encode_Reset(void) +{ + Encode_SetPkt(NULL); +} + + #endif // __ENCODE_H__

@@ -340,7 +340,8 @@ #define SMTP_ILLEGAL_CMD 6 #define SMTP_HEADER_NAME_OVERFLOW 7 #define SMTP_XLINK2STATE_OVERFLOW 8 -#define SMTP_DECODE_MEMCAP_EXCEEDED 9 +/* This alert is obsolete. * +* #define SMTP_DECODE_MEMCAP_EXCEEDED 9*/ #define SMTP_B64_DECODING_FAILED 10 #define SMTP_QP_DECODING_FAILED 11 #define SMTP_BITENC_DECODING_FAILED 12

@@ -158,7 +158,6 @@ void AlertArubaActionInit(char *); SpoAlertArubaActionData *ParseAlertArubaActionArgs(char *); void AlertArubaActionCleanExitFunc(int, void *); -void AlertArubaActionRestartFunc(int, void *); void AlertArubaAction(Packet *, char *, void *, Event *); int ArubaSwitchConnect(SpoAlertArubaActionData *data); int ArubaSwitchSend(SpoAlertArubaActionData *data, uint8_t *post, int len); @@ -220,7 +219,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertArubaAction, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertArubaActionCleanExitFunc, data); - AddFuncToRestartList(AlertArubaActionRestartFunc, data); } void AlertArubaAction(Packet *p, char *msg, void *arg, Event *event) @@ -645,14 +643,3 @@ free(data->role_name); free(data); } - -void AlertArubaActionRestartFunc(int signal, void *arg) -{ - SpoAlertArubaActionData *data = (SpoAlertArubaActionData *)arg; - - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertArubaActionRestartFunc\n");); - free(data->secret); - free(data->role_name); - free(data); -} -

@@ -96,7 +96,6 @@ static void AlertFastInit(char *); static SpoAlertFastData *ParseAlertFastArgs(char *); static void AlertFastCleanExitFunc(int, void *); -static void AlertFastRestartFunc(int, void *); static void AlertFast(Packet *, char *, void *, Event *); /* @@ -145,7 +144,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertFast, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertFastCleanExitFunc, data); - AddFuncToRestartList(AlertFastRestartFunc, data); } static void AlertFast(Packet *p, char *msg, void *arg, Event *event) @@ -371,8 +369,3 @@ AlertFastCleanup(signal, arg, "AlertFastCleanExitFunc"); } -static void AlertFastRestartFunc(int signal, void *arg) -{ - AlertFastCleanup(signal, arg, "AlertFastRestartFunc"); -} -

@@ -71,7 +71,6 @@ static SpoAlertFullData *ParseAlertFullArgs(char *); static void AlertFull(Packet *, char *, void *, Event *); static void AlertFullCleanExit(int, void *); -static void AlertFullRestart(int, void *); /* * not defined for backwards compatibility @@ -126,7 +125,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertFull, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertFullCleanExit, data); - AddFuncToRestartList(AlertFullRestart, data); } static void AlertFull(Packet *p, char *msg, void *arg, Event *event) @@ -319,8 +317,3 @@ AlertFullCleanup(signal, arg, "AlertFullCleanExit"); } -static void AlertFullRestart(int signal, void *arg) -{ - AlertFullCleanup(signal, arg, "AlertFullRestart"); -} -

@@ -792,7 +792,6 @@ AddFuncToOutputList(snort_alert_prelude, OUTPUT_TYPE__ALERT, client); AddFuncToCleanExitList(snort_alert_prelude_clean_exit, client); - AddFuncToRestartList(snort_alert_prelude_clean_exit, client); }

@@ -86,7 +86,6 @@ static SyslogData *ParseSyslogArgs(char *); static void AlertSyslog(Packet *, char *, void *, Event *); static void AlertSyslogCleanExit(int, void *); -static void AlertSyslogRestart(int, void *); @@ -140,7 +139,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertSyslog, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertSyslogCleanExit, data); - AddFuncToRestartList(AlertSyslogRestart, data); } @@ -627,11 +625,3 @@ free(data); } -static void AlertSyslogRestart(int signal, void *arg) -{ - SyslogData *data = (SyslogData *)arg; - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "AlertSyslogRestartFunc\n");); - /* free memory from SyslogData */ - if(data) - free(data); -}

@@ -104,7 +104,6 @@ void AlertTestInit(char *); SpoAlertTestData *ParseAlertTestArgs(char *); void AlertTestCleanExitFunc(int, void *); -void AlertTestRestartFunc(int, void *); void AlertTest(Packet *, char *, void *, Event *); extern PacketCount pc; @@ -156,7 +155,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertTest, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertTestCleanExitFunc, data); - AddFuncToRestartList(AlertTestRestartFunc, data); } void AlertTest(Packet *p, char *msg, void *arg, Event *event) @@ -313,18 +311,6 @@ fclose(data->file); /*free memory from SpoAlertTestData */ - free(data); -} - -void AlertTestRestartFunc(int signal, void *arg) -{ - SpoAlertTestData *data = (SpoAlertTestData *)arg; - - /* close alert file */ - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertTestRestartFunc\n");); - fclose(data->file); - - /*free memory from SpoAlertTestData */ free(data); }

@@ -89,7 +89,6 @@ static void AlertUnixSock(Packet *, char *, void *, Event *); static void ParseAlertUnixSockArgs(char *); static void AlertUnixSockCleanExit(int, void *); -static void AlertUnixSockRestart(int, void *); static void OpenAlertSock(void); static void CloseAlertSock(void); @@ -138,7 +137,6 @@ AddFuncToOutputList(AlertUnixSock, OUTPUT_TYPE__ALERT, NULL); AddFuncToCleanExitList(AlertUnixSockCleanExit, NULL); - AddFuncToRestartList(AlertUnixSockRestart, NULL); } @@ -303,12 +301,6 @@ CloseAlertSock(); } -static void AlertUnixSockRestart(int signal, void *arg) -{ - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertUnixSockRestartFunc\n");); - CloseAlertSock(); -} - static void CloseAlertSock(void) { if(alertsd >= 0) {

@@ -95,7 +95,6 @@ static AlertCSVData *AlertCSVParseArgs(char *); static void AlertCSV(Packet *, char *, void *, Event *); static void AlertCSVCleanExit(int, void *); -static void AlertCSVRestart(int, void *); static void RealAlertCSV( Packet*, char* msg, char **args, int numargs, Event*, TextLog* ); @@ -146,7 +145,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(AlertCSV, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertCSVCleanExit, data); - AddFuncToRestartList(AlertCSVRestart, data); } /* @@ -260,12 +258,6 @@ AlertCSVCleanup(signal, arg, "AlertCSVCleanExit"); } -static void AlertCSVRestart(int signal, void *arg) -{ - AlertCSVCleanup(signal, arg, "AlertCSVRestart"); -} - - static void AlertCSV(Packet *p, char *msg, void *arg, Event *event) { AlertCSVData *data = (AlertCSVData *)arg;

@@ -298,7 +298,6 @@ static void Database(Packet *, char *, void *, Event *); static char * snort_escape_string(const char *, DatabaseData *); static void SpoDatabaseCleanExitFunction(int, void *); -static void SpoDatabaseRestartFunction(int, void *); //static void InitDatabase(void); static int UpdateLastCid(DatabaseData *, int, int); static int GetLastCid(DatabaseData *, int); @@ -410,7 +409,6 @@ } AddFuncToCleanExitList(SpoDatabaseCleanExitFunction, data); - AddFuncToRestartList(SpoDatabaseRestartFunction, data); AddFuncToPostConfigList(DatabaseInitFinalize, data); ++instances; @@ -3356,27 +3354,6 @@ if(data != NULL) { - UpdateLastCid(data, data->shared->sid, data->shared->cid-1); - Disconnect(data); - free(data->args); - free(data); - data = NULL; - } - - if(--instances == 0) - { - FreeSharedDataList(); - } -} - -static void SpoDatabaseRestartFunction(int signal, void *arg) -{ - DatabaseData *data = (DatabaseData *)arg; - - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): entered SpoDatabaseRestartFunction\n");); - - if(data != NULL) - { UpdateLastCid(data, data->shared->sid, data->shared->cid-1); Disconnect(data); free(data->args);

@@ -78,7 +78,6 @@ static void LogAsciiInit(char *args); static void LogAscii(Packet *p, char *msg, void *arg, Event *event); static void LogAsciiCleanExit(int signal, void *arg); -static void LogAsciiRestart(int signal, void *arg); static char *IcmpFileName(Packet * p); static FILE *OpenLogFile(int mode, Packet * p); @@ -105,7 +104,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(LogAscii, OUTPUT_TYPE__LOG, NULL); AddFuncToCleanExitList(LogAsciiCleanExit, NULL); - AddFuncToRestartList(LogAsciiRestart, NULL); } static void LogAscii(Packet *p, char *msg, void *arg, Event *event) @@ -161,11 +159,6 @@ { return; } - -static void LogAsciiRestart(int signal, void *arg) -{ - return; -} static char *logfile[] = { "", "PACKET_FRAG", "PACKET_BOGUS", "PACKET_NONIP", "ARP", "log" };

@@ -59,7 +59,6 @@ static void LogNullInit(char *); static void LogNull(Packet *, char *, void *, Event *); static void LogNullCleanExitFunc(int, void *); -static void LogNullRestartFunc(int, void *); void LogNullSetup(void) { @@ -78,7 +77,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(LogNull, OUTPUT_TYPE__LOG, NULL); AddFuncToCleanExitList(LogNullCleanExitFunc, NULL); - AddFuncToRestartList(LogNullRestartFunc, NULL); } @@ -94,7 +92,3 @@ return; } -static void LogNullRestartFunc(int signal, void *arg) -{ - return; -}

@@ -107,7 +107,6 @@ static void TcpdumpInitLogFile(LogTcpdumpData *, int); static void TcpdumpRollLogFile(LogTcpdumpData*); static void SpoLogTcpdumpCleanExitFunc(int, void *); -static void SpoLogTcpdumpRestartFunc(int, void *); static void LogTcpdumpSingle(Packet *, char *, void *, Event *); static void LogTcpdumpStream(Packet *, char *, void *, Event *); //static void DirectLogTcpdump(DAQ_PktHdr_t *, uint8_t *); @@ -165,7 +164,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(LogTcpdump, OUTPUT_TYPE__LOG, data); AddFuncToCleanExitList(SpoLogTcpdumpCleanExitFunc, data); - AddFuncToRestartList(SpoLogTcpdumpRestartFunc, data); } /* @@ -493,11 +491,6 @@ SpoLogTcpdumpCleanup(signal, arg, "SpoLogTcpdumpCleanExitFunc"); } -static void SpoLogTcpdumpRestartFunc(int signal, void *arg) -{ - SpoLogTcpdumpCleanup(signal, arg, "SpoLogTcpdumpRestartFunc"); -} - void LogTcpdumpReset(void) { TcpdumpRollLogFile(log_tcpdump_ptr);

@@ -181,7 +181,6 @@ /* -------------------- Local Functions -----------------------*/ static UnifiedConfig *UnifiedParseArgs(char *, char *); static void UnifiedCleanExit(int, void *); -static void UnifiedRestart(int, void *); static void UnifiedLogInitFinalize(int, void *); /* Unified Output functions */ @@ -270,7 +269,6 @@ AddFuncToOutputList(UnifiedLogPacketAlert, OUTPUT_TYPE__LOG, unifiedConfig); AddFuncToCleanExitList(UnifiedCleanExit, unifiedConfig); - AddFuncToRestartList(UnifiedRestart, unifiedConfig); } /* @@ -968,29 +966,6 @@ -/* - * Function: Restart() - * - * Purpose: For restarts (SIGHUP usually) clean up structs that need it - * - * Arguments: signal => signal that caused this event - * arg => data ptr to reference this plugin's data - * - * Returns: void function - */ -static void UnifiedRestart(int signal, void *arg) -{ - UnifiedConfig *data = (UnifiedConfig *)arg; - - DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified: Restart\n");); - - fclose(data->stream); - free(data->filename); - free(data); -} - - - /* Unified Alert functions (deprecated) */ void UnifiedAlertInit(char *args) { @@ -1008,7 +983,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(OldUnifiedLogAlert, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(UnifiedCleanExit, data); - AddFuncToRestartList(UnifiedRestart, data); } /* * Function: UnifiedInitAlertFile() @@ -1108,7 +1082,6 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(OldUnifiedLogPacketAlert, OUTPUT_TYPE__LOG, UnifiedInfo); AddFuncToCleanExitList(UnifiedCleanExit, UnifiedInfo); - AddFuncToRestartList(UnifiedRestart, UnifiedInfo); } static void UnifiedLogInitFinalize(int unused, void *arg)

@@ -148,7 +148,9 @@ /* -------------------- Local Functions -----------------------*/ static Unified2Config * Unified2ParseArgs(char *, char *); static void Unified2CleanExit(int, void *); -static void Unified2Restart(int, void *); +#ifdef SNORT_RELOAD +static void Unified2Reload(int, void *); +#endif /* Unified2 Output functions */ static void Unified2Init(char *); @@ -233,7 +235,9 @@ AddFuncToOutputList(Unified2LogPacketAlert, OUTPUT_TYPE__LOG, config); AddFuncToCleanExitList(Unified2CleanExit, config); - AddFuncToRestartList(Unified2Restart, config); +#ifdef SNORT_RELOAD + AddFuncToReloadList(Unified2Reload, config); +#endif AddFuncToPostConfigList(Unified2PostConfig, config); } @@ -375,8 +379,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -449,8 +461,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -541,8 +561,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -623,8 +651,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -731,8 +767,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -852,8 +896,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -1626,35 +1678,26 @@ } } +#ifdef SNORT_RELOAD /* - * Function: Restart() + * Function: Reload() * - * Purpose: For restarts (SIGHUP usually) clean up structs that need it + * Purpose: For reloads (SIGHUP usually), over the output * * Arguments: signal => signal that caused this event * arg => data ptr to reference this plugin's data * * Returns: void function */ -static void Unified2Restart(int signal, void *arg) +static void Unified2Reload(int signal, void *arg) { Unified2Config *config = (Unified2Config *)arg; - DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified2: Restart\n");); + DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified2: Reload\n");); - log_config = alert_config = NULL; - /* free up initialized memory */ - if (config != NULL) - { - if (config->stream != NULL) - fclose(config->stream); - - if (config->base_filename != NULL) - free(config->base_filename); - - free(config); - } + Unified2RotateFile(config); } +#endif /* Unified2 Alert functions (deprecated) */ static void Unified2AlertInit(char *args) @@ -1683,7 +1726,9 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(Unified2LogAlert, OUTPUT_TYPE__ALERT, config); AddFuncToCleanExitList(Unified2CleanExit, config); - AddFuncToRestartList(Unified2Restart, config); +#ifdef SNORT_RELOAD + AddFuncToReloadList(Unified2Reload, config); +#endif AddFuncToPostConfigList(Unified2PostConfig, config); } @@ -1716,7 +1761,9 @@ /* Set the preprocessor function into the function list */ AddFuncToOutputList(Unified2LogPacketAlert, OUTPUT_TYPE__LOG, config); AddFuncToCleanExitList(Unified2CleanExit, config); - AddFuncToRestartList(Unified2Restart, config); +#ifdef SNORT_RELOAD + AddFuncToReloadList(Unified2Reload, config); +#endif AddFuncToPostConfigList(Unified2PostConfig, config); }

@@ -145,7 +145,9 @@ extern PreprocStatsFuncNode *preproc_stats_funcs; extern PluginSignalFuncNode *plugin_shutdown_funcs; extern PluginSignalFuncNode *plugin_clean_exit_funcs; -extern PluginSignalFuncNode *plugin_restart_funcs; +#ifdef SNORT_RELOAD +extern PluginSignalFuncNode *plugin_reload_funcs; +#endif extern OutputFuncNode *AlertList; extern OutputFuncNode *LogList; extern PeriodicCheckFuncNode *periodic_check_funcs; @@ -549,7 +551,7 @@ head = head->next; - /* don't free sig->arg, that's free'd by the CleanExit/Restart func */ + /* don't free sig->arg, that's free'd by the CleanExit func */ free(tmp); } } @@ -1404,7 +1406,7 @@ while (head != NULL) { tmp = head->next; - /* don't free sig->arg, that's free'd by the CleanExit/Restart func */ + /* don't free sig->arg, that's free'd by the CleanExit func */ free(head); head = tmp; } @@ -1417,7 +1419,7 @@ while (head != NULL) { tmp = head->next; - /* don't free sig->arg, that's free'd by the CleanExit/Restart func */ + /* don't free sig->arg, that's free'd by the CleanExit func */ free(head); head = tmp; } @@ -1718,10 +1720,12 @@ /* functions to aid in cleaning up after plugins * Used for both rule options and output. Preprocessors have their own */ -void AddFuncToRestartList(PluginSignalFunc pl_sig_func, void *arg) +#ifdef SNORT_RELOAD +void AddFuncToReloadList(PluginSignalFunc pl_sig_func, void *arg) { - AddFuncToSignalList(pl_sig_func, arg, &plugin_restart_funcs); + AddFuncToSignalList(pl_sig_func, arg, &plugin_reload_funcs); } +#endif void AddFuncToCleanExitList(PluginSignalFunc pl_sig_func, void *arg) {

@@ -426,7 +426,9 @@ } PluginSignalFuncNode; /* Used for both rule options and output. Preprocessors have their own */ -void AddFuncToRestartList(PluginSignalFunc, void *); +#ifdef SNORT_RELOAD +void AddFuncToReloadList(PluginSignalFunc, void *); +#endif void AddFuncToCleanExitList(PluginSignalFunc, void *); void AddFuncToShutdownList(PluginSignalFunc, void *); void AddFuncToPostConfigList(PluginSignalFunc, void *);

@@ -125,7 +125,7 @@ */ int CheckChunkEncoding(HI_SESSION *Session, const u_char *start, const u_char *end, const u_char **post_end, u_char *iChunkBuf, uint32_t max_size, - uint32_t last_chunk_size, uint32_t *chunkSize, uint32_t *chunkRead, HttpSessionData *hsd, + uint32_t chunk_remainder, uint32_t *updated_chunk_remainder, uint32_t *chunkRead, HttpSessionData *hsd, int iInspectMode) { uint32_t iChunkLen = 0; @@ -143,33 +143,38 @@ ptr = start; - if(last_chunk_size) + if(chunk_remainder) { - if(last_chunk_size > max_size) - { - if(chunkSize) - *chunkSize = last_chunk_size - max_size ; - last_chunk_size = max_size; - } - iDataLen = end - ptr; - if(last_chunk_size > iDataLen) + if( iDataLen < max_size) + { + if( chunk_remainder > iDataLen ) + { + if(updated_chunk_remainder) + *updated_chunk_remainder = chunk_remainder - iDataLen ; + chunk_remainder = iDataLen; + } + } + else { - if(chunkSize) - *chunkSize = last_chunk_size - iDataLen ; - last_chunk_size = iDataLen; + if( chunk_remainder > max_size ) + { + if(updated_chunk_remainder) + *updated_chunk_remainder = chunk_remainder - max_size ; + chunk_remainder = max_size; + } } - jump_ptr = ptr + last_chunk_size - 1; + jump_ptr = ptr + chunk_remainder - 1; if(hi_util_in_bounds(start, end, jump_ptr)) { chunkPresent = 1; if(iChunkBuf) { - memcpy(iChunkBuf, ptr, last_chunk_size); - chunkBytesCopied = last_chunk_size; + memcpy(iChunkBuf, ptr, chunk_remainder); + chunkBytesCopied = chunk_remainder; } ptr = jump_ptr + 1; } @@ -254,8 +259,8 @@ if( iChunkLen > iDataLen) { - if(chunkSize) - *chunkSize = iChunkLen - iDataLen; + if(updated_chunk_remainder) + *updated_chunk_remainder = iChunkLen - iDataLen; iChunkLen = iDataLen; } @@ -2609,6 +2614,13 @@ end = data + dsize; ptr = start; +#ifdef ENABLE_PAF + if ( ScPafEnabled() ) + { + if(stream_ins) + return HI_INVALID_ARG; + } +#endif /* ** Apache and IIS strike again . . . Thanks Kanatoko @@ -2647,15 +2659,21 @@ method_end = mthd++; break; } - - /* isascii returns non-zero if it is ascii */ - if (isascii((int)*mthd) == 0) +#ifdef ENABLE_PAF + if ( !ScPafEnabled() ) { - /* Possible post data or something else strange... */ - method_end = mthd++; - non_ascii_mthd = 1; - break; +#endif + /* isascii returns non-zero if it is ascii */ + if (isascii((int)*mthd) == 0) + { + /* Possible post data or something else strange... */ + method_end = mthd++; + non_ascii_mthd = 1; + break; + } +#ifdef ENABLE_PAF } +#endif mthd++; } @@ -2694,23 +2712,30 @@ hi_eo_client_event_log(Session, HI_EO_CLIENT_UNKNOWN_METHOD, NULL, NULL); } - sans_uri = 1; Client->request.method = HI_UNKNOWN_METHOD; } } else { #ifdef ENABLE_PAF - /* Might have gotten non-ascii characters, hence no method, but if - * PAF is in use, checking "!stream_ins" equates to PacketHasStartOfPDU() - * so we know we're looking for a method and not guessing that we're in - * the body or somewhere else because we found a non-ascii character */ - if (!stream_ins && hi_eo_generate_event(Session, HI_EO_CLIENT_UNKNOWN_METHOD)) - hi_eo_client_event_log(Session, HI_EO_CLIENT_UNKNOWN_METHOD, NULL, NULL); + if( ScPafEnabled() ) + { + /* Might have gotten non-ascii characters, hence no method, but if + * PAF is in use, checking "!stream_ins" equates to PacketHasStartOfPDU() + * so we know we're looking for a method and not guessing that we're in + * the body or somewhere else because we found a non-ascii character */ + if (!stream_ins && hi_eo_generate_event(Session, HI_EO_CLIENT_UNKNOWN_METHOD)) + hi_eo_client_event_log(Session, HI_EO_CLIENT_UNKNOWN_METHOD, NULL, NULL); + Client->request.method = HI_UNKNOWN_METHOD; + } + else #endif - - sans_uri = 1; - Client->request.method = HI_UNKNOWN_METHOD; + { + if (!stream_ins && hi_eo_generate_event(Session, HI_EO_CLIENT_UNKNOWN_METHOD)) + hi_eo_client_event_log(Session, HI_EO_CLIENT_UNKNOWN_METHOD, NULL, NULL); + sans_uri = 1; + Client->request.method = HI_UNKNOWN_METHOD; + } } if (!sans_uri ) @@ -2735,8 +2760,7 @@ } if(iRet == URI_END && - !(ServerConf->uri_only) && - !(Client->request.method & HI_UNKNOWN_METHOD)) + !(ServerConf->uri_only)) { Client->request.method_raw = method_ptr.uri; Client->request.method_size = method_ptr.uri_end - method_ptr.uri;

@@ -80,8 +80,8 @@ /* ** Directory tracking */ - u_char *dir_track[MAX_DIRS]; u_int dir_count; + u_char *dir_track[MAX_DIRS]; } URI_NORM_STATE; @@ -977,9 +977,8 @@ if(!norm_state->param) { - norm_state->dir_track[norm_state->dir_count] = *ub_ptr; - if(norm_state->dir_count < MAX_DIRS) - norm_state->dir_count++; + if(norm_state->dir_count < (MAX_DIRS - 1)) + norm_state->dir_track[norm_state->dir_count++] = *ub_ptr; } (*ub_ptr)++;

@@ -749,7 +749,7 @@ const u_char *start = ptr; int iRet = HI_SUCCESS; const u_char *post_end = end; - uint32_t chunk_size = 0; + uint32_t updated_chunk_remainder = 0; uint32_t chunk_read = 0; int bytes_to_read = 0; ServerConf = Session->server_conf; @@ -790,10 +790,10 @@ if (sd->resp_state.last_pkt_chunked && CheckChunkEncoding(Session, start, end, &post_end, (u_char *)HttpDecodeBuf.data, sizeof(HttpDecodeBuf.data), - sd->resp_state.last_chunk_size, &chunk_size, &chunk_read, + sd->resp_state.chunk_remainder, &updated_chunk_remainder, &chunk_read, sd, HI_SI_SERVER_MODE) == 1) { - sd->resp_state.last_chunk_size = chunk_size; + sd->resp_state.chunk_remainder = updated_chunk_remainder; sd->resp_state.last_pkt_chunked = 1; result->uri = (u_char *)HttpDecodeBuf.data; result->uri_end = result->uri + chunk_read; @@ -959,8 +959,9 @@ int compr_bytes_read, decompr_bytes_read; int compr_avail, decompr_avail; int total_bytes_read = 0; - uint32_t chunk_size = 0; + uint32_t updated_chunk_remainder = 0; uint32_t chunk_read = 0; + uint32_t saved_chunk_size = 0; u_char *compr_buffer; u_char *decompr_buffer; @@ -970,6 +971,7 @@ decompr_bytes_read = sd->decomp_state->decompr_bytes_read; compr_buffer = sd->decomp_state->compr_buffer; decompr_buffer = sd->decomp_state->decompr_buffer; + saved_chunk_size = sd->resp_state.chunk_remainder; if(Session->server_conf->unlimited_decompress) { @@ -1024,10 +1026,10 @@ { if(sd->resp_state.last_pkt_chunked && CheckChunkEncoding(Session, start, end, NULL, compr_buffer, compr_avail, - sd->resp_state.last_chunk_size, &chunk_size, &chunk_read, + sd->resp_state.chunk_remainder, &updated_chunk_remainder, &chunk_read, sd, HI_SI_SERVER_MODE ) == 1) { - sd->resp_state.last_chunk_size = chunk_size; + sd->resp_state.chunk_remainder = updated_chunk_remainder; compr_avail = chunk_read; zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd, &total_bytes_read, sd->decomp_state->compress_fmt); @@ -1052,11 +1054,11 @@ &total_bytes_read, sd->decomp_state->compress_fmt); } - sd->decomp_state->compr_bytes_read += compr_avail; - hi_stats.compr_bytes_read += compr_avail; if((zRet == HI_SUCCESS) || (zRet == HI_NONFATAL_ERR)) { + sd->decomp_state->compr_bytes_read += compr_avail; + hi_stats.compr_bytes_read += compr_avail; if(decompr_buffer) { result->uri = decompr_buffer; @@ -1078,15 +1080,24 @@ } else { + if(!sd->decomp_state->decompr_bytes_read) + { + sd->resp_state.chunk_remainder = saved_chunk_size; + iRet = HI_NONFATAL_ERR; + } + else + ResetRespState(&(sd->resp_state)); ResetGzipState(sd->decomp_state); - ResetRespState(&(sd->resp_state)); } if(zRet!=HI_SUCCESS) { - if(hi_eo_generate_event(Session, HI_EO_SERVER_DECOMPR_FAILED)) + if(sd->decomp_state->decompr_bytes_read) { - hi_eo_server_event_log(Session, HI_EO_SERVER_DECOMPR_FAILED, NULL, NULL); + if(hi_eo_generate_event(Session, HI_EO_SERVER_DECOMPR_FAILED)) + { + hi_eo_server_event_log(Session, HI_EO_SERVER_DECOMPR_FAILED, NULL, NULL); + } } } @@ -1119,6 +1130,13 @@ if((sd->decomp_state != NULL) && sd->decomp_state->decompress_data) { iRet = hi_server_decompress(Session, sd, ptr, end, result); + if(iRet == HI_NONFATAL_ERR) + { + sd->resp_state.inspect_body = 1; + result->uri = ptr; + result->uri_end = end; + iRet = hi_server_extract_body(Session, sd, ptr, end, result); + } } else #endif

@@ -85,6 +85,7 @@ return HI_INVALID_ARG; } + ServerResp = &Session->server.response; ServerResp->header_encode_type = 0; ServerResp->cookie_encode_type = 0; @@ -322,7 +323,7 @@ //Save before the <script> begins if(js_start > ptr) { - status = SafeMemcpy(HttpDecodeBuf.data+index, ptr, (js_start - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); + status = SafeBoundsMemmove(HttpDecodeBuf.data+index, ptr, (js_start - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); if(status == SAFEMEM_SUCCESS) index += (js_start - ptr); else @@ -353,7 +354,7 @@ { if( ptr < end ) { - status = SafeMemcpy(HttpDecodeBuf.data+index, ptr, (end - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); + status = SafeBoundsMemmove(HttpDecodeBuf.data+index, ptr, (end - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); if(status == SAFEMEM_SUCCESS) index += (end - ptr); }

@@ -236,6 +236,7 @@ #define S5_FT_EXTERNAL 1 // set by other preprocessor #define S5_FT_PAF_MAX 2 // paf_max + footprint fp +#define SLAM_MAX 4 /* Only track a maximum number of alerts per session */ #define MAX_SESSION_ALERTS 8 @@ -2810,8 +2811,6 @@ break; case STREAM_POLICY_FIRST: case STREAM_POLICY_LAST: - /* Uh, who knows */ - case STREAM_POLICY_BSD: case STREAM_POLICY_MACOS: case STREAM_POLICY_WINDOWS: case STREAM_POLICY_VISTA: @@ -2828,6 +2827,7 @@ "rst is not valid seq (next seq)!\n");); return 0; break; + case STREAM_POLICY_BSD: case STREAM_POLICY_LINUX: case STREAM_POLICY_OLD_LINUX: case STREAM_POLICY_SOLARIS: @@ -3081,7 +3081,7 @@ if ( right_ok ) { - if(SEQ_LT(tdb->seq, st->r_nxt_ack+Stream5GetWindow(st))) + if( SEQ_LT(tdb->seq, st->r_win_base+Stream5GetWindow(st)) ) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "seq is within window!\n");); @@ -3143,9 +3143,7 @@ #endif // ** if we don't see a segment, we can't track seq at ** below // so we update the seq by the ack if it is beyond next expected - // FIXTHIS first test below is implied by second; verify test suite - // doesn't break - if(SEQ_GT(tdb->ack, rcv->l_unackd) && SEQ_GT(tdb->ack, rcv->l_nxt_seq)) + if(SEQ_GT(tdb->ack, rcv->l_unackd)) rcv->l_unackd = tdb->ack; // ** this is how we track the last seq number sent @@ -3416,7 +3414,12 @@ while ( seg && seg->buffered ) { - seq = seg->seq + seg->size; + uint32_t end = seg->seq + seg->size; + + if ( SEQ_GT(end, st->r_win_base) ) + break; + + seq = end; seg = seg->next; } if ( seq ) @@ -4819,7 +4822,7 @@ } #endif /* SUP_IP6 */ -#ifdef DEBUG +#ifdef SEG_TEST static void CheckSegments (const StreamTracker* a) { StreamSegment* ss = a->seglist; @@ -5561,18 +5564,23 @@ if(st->flush_mgr.flush_policy != STREAM_FLPOLICY_IGNORE) { + uint32_t seq = tdb->seq; + /* Check if we should not insert a large packet */ if (IgnoreLargePkt(st, p, tdb)) { return; } + if ( p->tcph->th_flags & TH_SYN ) + seq++; + /* new packet seq is below the last ack... */ - if(SEQ_GT(st->seglist_base_seq, tdb->seq)) + if ( SEQ_GT(st->r_win_base, seq) ) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "segment overlaps ack'd data...\n");); - overlap = st->seglist_base_seq - tdb->seq; + overlap = st->r_win_base - tdb->seq; if(overlap >= p->dsize) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -5582,7 +5590,7 @@ } } - AddStreamNode(st, p, tdb, tcpssn, p->dsize, 0, 0, tdb->seq, NULL, &ss); + AddStreamNode(st, p, tdb, tcpssn, p->dsize, overlap, 0, tdb->seq+overlap, NULL, &ss); STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Attached new queue to seglist, %d bytes queued, " @@ -5796,7 +5804,6 @@ break; case STREAM_POLICY_FIRST: case STREAM_POLICY_LAST: - /* Uh, who knows */ case STREAM_POLICY_BSD: case STREAM_POLICY_MACOS: case STREAM_POLICY_SOLARIS: @@ -5832,7 +5839,7 @@ st->seg_bytes_logical, SegsToFlush(st));); *retSeg = ss; -#ifdef DEBUG +#ifdef SEG_TEST CheckSegments(st); #endif return STREAM_INSERT_OK; @@ -6057,9 +6064,10 @@ */ if(left) { - /* - * check if the new segment overlaps on the left side - */ + // NOTE that left->seq is always less than seq, otherwise it would + // be a right based on the above determination of left and right + + /* check if the new segment overlaps on the left side */ overlap = left->seq + left->size - seq; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -6067,6 +6075,8 @@ if(overlap > 0) { + // NOTE that overlap will always be less than left->size since + // seq is always greater than left->seq s5stats.tcp_overlaps++; st->overlap_count++; switch(reassembly_policy) @@ -6143,22 +6153,12 @@ return STREAM_INSERT_ANOMALY; } } + /* Otherwise, trim the old data accordingly */ left->size -= (int16_t)overlap; st->seg_bytes_logical -= overlap; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "left overlap, honoring new data\n");); - if (left->size <= 0) - { - dump_me = left; - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "retrans, dumping old TCP data (seq: %d " - "overlap: %d)\n", dump_me->seq, overlap);); - - left = left->prev; - Stream5SeglistDeleteNode(st, dump_me, 0); - } break; case REASSEMBLY_POLICY_LAST: /* True "Last" policy" */ @@ -6194,19 +6194,9 @@ left->size -= (int16_t)overlap; st->seg_bytes_logical -= overlap; } + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "left overlap, honoring new data\n");); - if (left->size <= 0) - { - dump_me = left; - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "retrans, dumping old TCP data (seq: %d " - "overlap: %d)\n", dump_me->seq, overlap);); - - left = left->prev; - Stream5SeglistDeleteNode(st, dump_me, 0); - } break; } @@ -6361,7 +6351,6 @@ SEQ_LT(seq, right->seq)) { dump_me = right; - st->seg_bytes_logical -= right->size; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "retrans, dropping old data at seq %d, size %d\n", @@ -6672,7 +6661,26 @@ { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "queuing segment\n");); - StreamQueue(rcv, p, tdb, tcpssn); + + if ( SEQ_GT(rcv->r_win_base, tdb->seq) ) + { + uint32_t offset = rcv->r_win_base - tdb->seq; + + if ( offset < p->dsize ) + { + tdb->seq += offset; + p->data += offset; + p->dsize -= offset; + + StreamQueue(rcv, p, tdb, tcpssn); + + p->dsize += offset; + p->data -= offset; + tdb->seq -= offset; + } + } + else + StreamQueue(rcv, p, tdb, tcpssn); if ((rcv->tcp_policy->overlap_limit) && (rcv->overlap_count > rcv->tcp_policy->overlap_limit)) @@ -7487,7 +7495,6 @@ break; case STREAM_POLICY_FIRST: case STREAM_POLICY_LAST: - /* Uh, who knows */ case STREAM_POLICY_LINUX: case STREAM_POLICY_OLD_LINUX: case STREAM_POLICY_BSD: @@ -8209,6 +8216,16 @@ { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got RST, bailing\n");); + + if ( + listener->s_mgr.state == TCP_STATE_FIN_WAIT_1 || + listener->s_mgr.state == TCP_STATE_FIN_WAIT_2 || + listener->s_mgr.state == TCP_STATE_CLOSING + ) { + Stream5FlushTalker(p, lwssn); + Stream5FlushListener(p, lwssn); + FreeLWApplicationData(lwssn); + } lwssn->session_flags |= SSNFLAG_RESET; talker->s_mgr.state = TCP_STATE_CLOSED; talker->s_mgr.sub_state |= SUB_RST_SENT; @@ -8323,7 +8340,7 @@ PREPROC_PROFILE_END(s5TcpStatePerfStats); return ACTION_NOTHING | ACTION_BAD_PKT; } - else if ( !tdb->win && !talker->total_bytes_queued && + else if ( (tdb->win <= SLAM_MAX) && (tdb->ack == listener->isn + 1) && !(p->tcph->th_flags & (TH_FIN|TH_RST)) ) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -8425,8 +8442,17 @@ { talker->s_mgr.state = TCP_STATE_LAST_ACK; } - // FIXTHIS this should be handled below in fin section - // but midstream sessions fail the seq test + if ( lwssn->session_flags & SSNFLAG_MIDSTREAM ) + { + // FIXTHIS this should be handled below in fin section + // but midstream sessions fail the seq test + listener->s_mgr.state_queue = TCP_STATE_TIME_WAIT; + listener->s_mgr.transition_seq = tdb->end_seq; + listener->s_mgr.expected_flags = TH_ACK; + } + } + else if (listener->s_mgr.state_queue == TCP_STATE_CLOSING) + { listener->s_mgr.state_queue = TCP_STATE_TIME_WAIT; listener->s_mgr.transition_seq = tdb->end_seq; listener->s_mgr.expected_flags = TH_ACK; @@ -8616,6 +8642,31 @@ /* all other states stay where they are */ break; } + // need substate since we don't change state immediately + if ( !(talker->s_mgr.sub_state & SUB_FIN_SENT) ) + { + talker->l_nxt_seq++; + listener->r_nxt_ack++; + talker->s_mgr.sub_state |= SUB_FIN_SENT; + } + else if ( (talker->s_mgr.state == TCP_STATE_FIN_WAIT_1) || + (talker->s_mgr.state == TCP_STATE_LAST_ACK) ) + { + uint32_t end_seq = ( lwssn->session_flags & SSNFLAG_MIDSTREAM ) ? + tdb->end_seq-1 : tdb->end_seq; + + if ( (listener->s_mgr.expected_flags == TH_ACK) && + SEQ_GEQ(end_seq, listener->s_mgr.transition_seq) ) + { + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "FIN beyond previous, ignoring\n");); + eventcode |= EVENT_BAD_FIN; + LogTcpEvents(talker->tcp_policy, eventcode); + NormalDropPacketIf(p, NORM_TCP); + PREPROC_PROFILE_END(s5TcpStatePerfStats); + return ACTION_NOTHING | ACTION_BAD_PKT; + } + } switch ( listener->s_mgr.state ) { case TCP_STATE_ESTABLISHED: @@ -8636,28 +8687,6 @@ listener->s_mgr.expected_flags = TH_ACK; break; } - // need substate since we don't change state immediately - if ( !(talker->s_mgr.sub_state & SUB_FIN_SENT) ) - { - talker->l_nxt_seq++; - listener->r_nxt_ack++; - talker->s_mgr.sub_state |= SUB_FIN_SENT; - } - else if(SEQ_GEQ(tdb->end_seq,talker->l_nxt_seq)) - { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "FIN beyond l_nxt_seq, ignoring\n");); - switch(talker->s_mgr.state) - { - case TCP_STATE_FIN_WAIT_1: - case TCP_STATE_LAST_ACK: - eventcode |= EVENT_BAD_FIN; - LogTcpEvents(talker->tcp_policy, eventcode); - NormalDropPacketIf(p, NORM_TCP); - PREPROC_PROFILE_END(s5TcpStatePerfStats); - return ACTION_NOTHING | ACTION_BAD_PKT; - } - } } } @@ -8675,7 +8704,8 @@ * handle TIME_WAIT timer stuff */ if((talker->s_mgr.state == TCP_STATE_TIME_WAIT && listener->s_mgr.state == TCP_STATE_CLOSED) || - (listener->s_mgr.state == TCP_STATE_TIME_WAIT && talker->s_mgr.state == TCP_STATE_CLOSED)) + (listener->s_mgr.state == TCP_STATE_TIME_WAIT && talker->s_mgr.state == TCP_STATE_CLOSED) || + (listener->s_mgr.state == TCP_STATE_TIME_WAIT && talker->s_mgr.state == TCP_STATE_TIME_WAIT)) { //dropssn: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -9295,6 +9325,7 @@ seg->seq = flush_seq; seg->size -= (uint16_t)delta; + st->seg_bytes_logical -= delta; return 0; } }

@@ -40,6 +40,7 @@ #include "snort_stream5_tcp.h" #include "snort_stream5_udp.h" #include "snort_stream5_icmp.h" +#include "snort_stream5_ip.h" #include "parser.h" #include "active.h" @@ -608,6 +609,12 @@ config->icmp_config = NULL; } + if (config->ip_config != NULL) + { + Stream5IpConfigFree(config->ip_config); + config->ip_config = NULL; + } + free(config); }

@@ -664,11 +664,11 @@ return -1; } - if(max_gzip_mem < GZIP_MEM_MIN || max_gzip_mem > GZIP_MEM_MAX) + if(max_gzip_mem < GZIP_MEM_MIN) { SnortSnprintf(ErrorString, ErrStrLen, - "Invalid argument to '%s'. Must be between %d and " - "%d.", MAX_GZIP_MEM, GZIP_MEM_MIN, GZIP_MEM_MAX); + "Invalid argument to '%s'. This value must be equal to or greater than %d bytes." + , MAX_GZIP_MEM, GZIP_MEM_MIN); return -1; }

@@ -66,7 +66,6 @@ #ifdef ZLIB #define DEFAULT_MAX_GZIP_MEM 838860 -#define GZIP_MEM_MAX 104857600 #define GZIP_MEM_MIN 3276 #define MAX_GZIP_DEPTH 65535 #define DEFAULT_COMP_DEPTH 1460 @@ -109,7 +108,7 @@ uint8_t last_pkt_contlen; uint8_t last_pkt_chunked; uint32_t next_seq; - uint32_t last_chunk_size; + uint32_t chunk_remainder; int flow_depth_read; uint32_t max_seq; int is_max_seq; @@ -296,7 +295,7 @@ ds->last_pkt_chunked = 0; ds->inspect_reassembled = 0; ds->next_seq = 0; - ds->last_chunk_size = 0; + ds->chunk_remainder = 0; ds->flow_depth_read = 0; ds->max_seq = 0; ds->is_max_seq = 0;

@@ -4093,7 +4093,7 @@ } #endif SnortEventqPush(); - ProcessPacket(NULL, dpkt->pkth, dpkt->pkt, ft); + ProcessPacket(dpkt, dpkt->pkth, dpkt->pkt, ft); SnortEventqPop(); DEBUG_WRAP(DebugMessage(DEBUG_FRAG,

@@ -137,7 +137,7 @@ sfPolicyUserDataSetCurrent(base_set, pc); AddFuncToPreprocList( - Preproc_Execute, PRIORITY_NETWORK, PP_NORMALIZE, PROTO_BITS); + Preproc_Execute, PRIORITY_NORMALIZE, PP_NORMALIZE, PROTO_BITS); } return pc; } @@ -732,7 +732,7 @@ sfPolicyUserDataSetCurrent(swap_set, pc); AddFuncToPreprocList( - Preproc_Execute, PRIORITY_NETWORK, PP_NORMALIZE, PROTO_BITS); + Preproc_Execute, PRIORITY_NORMALIZE, PP_NORMALIZE, PROTO_BITS); } return pc; }

@@ -121,6 +121,23 @@ return 0; } +DAQ_Mode DAQ_GetInterfaceMode(const DAQ_PktHdr_t *h) +{ +#ifdef DAQ_PKT_FLAG_NOT_FORWARDING + // interface is not inline, so return passive + if (h->flags & DAQ_PKT_FLAG_NOT_FORWARDING) + return DAQ_MODE_PASSIVE; +#endif + // interface is inline + if ( ScAdapterInlineMode() ) + { + return DAQ_MODE_INLINE; + } + + // interface is passive or readback + return DAQ_MODE_PASSIVE; +} + DAQ_Mode DAQ_GetMode (const SnortConfig* sc) { if ( sc->daq_mode )

@@ -70,6 +70,7 @@ #ifdef HAVE_DAQ_ACQUIRE_WITH_META void DAQ_Set_MetaCallback(DAQ_Meta_Func_t meta_callback); #endif +DAQ_Mode DAQ_GetInterfaceMode(const DAQ_PktHdr_t *h); int DAQ_ModifyFlow(const void* h, uint32_t id);

@@ -282,7 +282,9 @@ PluginSignalFuncNode *plugin_shutdown_funcs = NULL; PluginSignalFuncNode *plugin_clean_exit_funcs = NULL; -PluginSignalFuncNode *plugin_restart_funcs = NULL; +#ifdef SNORT_RELOAD +PluginSignalFuncNode *plugin_reload_funcs = NULL; +#endif OutputFuncNode *AlertList = NULL; /* Alert function list */ OutputFuncNode *LogList = NULL; /* Log function list */ @@ -462,7 +464,7 @@ /* Private function prototypes ************************************************/ static void InitNetmasks(void); static void InitProtoNames(void); -static const char* GetPacketSource(void); +static const char* GetPacketSource(char**); static void CleanExit(int); static void SnortInit(int, char **); @@ -548,11 +550,11 @@ /* inline FUNCTION ************************************************************/ static inline void CheckForReload(void) { - #if defined(SNORT_RELOAD) && !defined(WIN32) /* Check for a new configuration */ if (snort_reload) { + PluginSignalFuncNode *idxPlugin = NULL; snort_reload = 0; /* There was an error reloading. A non-reloadable configuration @@ -583,6 +585,14 @@ #endif snort_swapped = 1; + + /* Do any reload for plugin data */ + idxPlugin = plugin_reload_funcs; + while(idxPlugin) + { + idxPlugin->func(SIGHUP, idxPlugin->arg); + idxPlugin = idxPlugin->next; + } } #endif } @@ -701,6 +711,7 @@ */ int SnortMain(int argc, char *argv[]) { + char* tmp_ptr = NULL; const char* intf; int daqInit; @@ -712,7 +723,7 @@ SnortInit(argc, argv); - intf = GetPacketSource(); + intf = GetPacketSource(&tmp_ptr); daqInit = intf || snort_conf->daq_type; if ( daqInit ) @@ -720,6 +731,9 @@ DAQ_Init(snort_conf); DAQ_New(snort_conf, intf); } + if ( tmp_ptr ) + free(tmp_ptr); + if ( ScDaemonMode() ) { GoDaemon(); @@ -1139,7 +1153,7 @@ return iface; } -static const char* GetPacketSource (void) +static const char* GetPacketSource (char** sptr) { const char* intf = "other"; @@ -1165,8 +1179,10 @@ !strcasecmp(snort_conf->daq_type, "afpacket") || !strcasecmp(snort_conf->daq_type, "pcap") || !strcasecmp(snort_conf->daq_type, "dump")) ) - + { intf = GetFirstInterface(); + *sptr = (char*)intf; + } } return intf; } @@ -1426,6 +1442,8 @@ static DAQ_Verdict PacketCallback( void* user, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt) { + Packet p; + int inject = 0; DAQ_Verdict verdict = DAQ_VERDICT_PASS; PROFILE_VARS; @@ -1483,10 +1501,61 @@ BsdPseudoPacket = NULL; #endif - verdict = ProcessPacket(user, pkthdr, pkt, NULL); + verdict = ProcessPacket(&p, pkthdr, pkt, NULL); - checkLWSessionTimeout(4, pkthdr->ts.tv_sec); +#ifdef ACTIVE_RESPONSE + if ( Active_ResponseQueued() ) + { + Active_SendResponses(&p); + } +#endif + if ( Active_PacketWasDropped() ) + { + if ( verdict == DAQ_VERDICT_PASS ) + verdict = DAQ_VERDICT_BLOCK; + } + else + { + Replace_ModifyPacket(&p); + if ( p.packet_flags & PKT_MODIFIED ) + { + // this packet was normalized and/or has replacements + Encode_Update(&p); + verdict = DAQ_VERDICT_REPLACE; + } +#ifdef NORMALIZER + else if ( p.packet_flags & PKT_RESIZED ) + { + // we never increase, only trim, but + // daq doesn't support resizing wire packet + if ( !DAQ_Inject(p.pkth, 0, p.pkt, p.pkth->pktlen) ) + { + verdict = DAQ_VERDICT_BLOCK; + inject = 1; + } + } +#endif + else + { + if ((p.packet_flags & PKT_IGNORE_PORT) || + (stream_api && (stream_api->get_ignore_direction(p.ssnptr) == SSN_DIR_BOTH))) + { + verdict = DAQ_VERDICT_WHITELIST; + } + else + { + verdict = DAQ_VERDICT_PASS; + } + } + } + + /* Collect some "on the wire" stats about packet size, etc */ + UpdateWireStats(&sfBase, pkthdr->caplen, Active_PacketWasDropped(), inject); + Active_Reset(); + Encode_Reset(); + + checkLWSessionTimeout(4, pkthdr->ts.tv_sec); ControlSocketDoWork(0); PREPROC_PROFILE_END(totalPerfStats); @@ -1516,40 +1585,39 @@ } DAQ_Verdict ProcessPacket( - void* user, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt, void* ft) + Packet* p, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt, void* ft) { - Packet p; DAQ_Verdict verdict = DAQ_VERDICT_PASS; - int inject = 0; setRuntimePolicy(getDefaultPolicy()); /* call the packet decoder */ - (*grinder) (&p, pkthdr, pkt); + (*grinder) (p, pkthdr, pkt); - if(!p.pkth || !p.pkt) + if(!p->pkth || !p->pkt) { return verdict; } /* Make sure this packet skips the rest of the preprocessors */ /* Remove once the IPv6 frag code is moved into frag 3 */ - if(p.packet_flags & PKT_NO_DETECT) + if(p->packet_flags & PKT_NO_DETECT) { - DisableAllDetect(&p); + DisableAllDetect(p); } if (ft) { - p.packet_flags |= (PKT_PSEUDO | PKT_REBUILT_FRAG); - p.pseudo_type = PSEUDO_PKT_IP; - p.fragtracker = ft; + p->packet_flags |= (PKT_PSEUDO | PKT_REBUILT_FRAG); + p->pseudo_type = PSEUDO_PKT_IP; + p->fragtracker = ft; + Encode_SetPkt(p); } { - int vlanId = (p.vh) ? VTH_VLAN(p.vh) : -1; - snort_ip_p srcIp = (p.iph) ? GET_SRC_IP((&p)) : (snort_ip_p)0; - snort_ip_p dstIp = (p.iph) ? GET_DST_IP((&p)) : (snort_ip_p)0; + int vlanId = (p->vh) ? VTH_VLAN(p->vh) : -1; + snort_ip_p srcIp = (p->iph) ? GET_SRC_IP((p)) : (snort_ip_p)0; + snort_ip_p dstIp = (p->iph) ? GET_DST_IP((p)) : (snort_ip_p)0; //set policy id for this packet setRuntimePolicy(sfGetApplicablePolicyId( @@ -1557,11 +1625,11 @@ } /***** Policy specific decoding should into this function *****/ - p.configPolicyId = + p->configPolicyId = snort_conf->targeted_policies[getRuntimePolicy()]->configPolicyId; // FIXTHIS ideally this would be done ... - DecodePolicySpecific(&p); + DecodePolicySpecific(p); //actions are queued only for IDS case sfActionQueueExecAll(decoderActionQ); @@ -1570,80 +1638,23 @@ // the purpose of which is just to wait until we know the policy /* just throw away the packet if we are configured to ignore this port */ - if ( !(p.packet_flags & PKT_IGNORE_PORT) ) + if ( !(p->packet_flags & PKT_IGNORE_PORT) ) { /* start calling the detection processes */ - Preprocess(&p); - log_func(&p); + Preprocess(p); + log_func(p); } if ( Active_SessionWasDropped() ) { - Active_DropAction(&p); + Active_DropAction(p); if ( ScInlineMode() || Active_PacketForceDropped() ) verdict = DAQ_VERDICT_BLACKLIST; else verdict = DAQ_VERDICT_IGNORE; } - if ( ft ) - { - // we don't block, modify, pass, or count defrags - // if the defrag trigged a block, this verdict will - // be applied to the raw packet. - return verdict; - } - -#ifdef ACTIVE_RESPONSE - if ( Active_ResponseQueued() ) - { - Active_SendResponses(&p); - } -#endif - if ( Active_PacketWasDropped() ) - { - if ( verdict == DAQ_VERDICT_PASS ) - verdict = DAQ_VERDICT_BLOCK; - } - else - { - Replace_ModifyPacket(&p); - - if ( p.packet_flags & PKT_MODIFIED ) - { - // this packet was normalized and/or has replacements - Encode_Update(&p); - verdict = DAQ_VERDICT_REPLACE; - } -#ifdef NORMALIZER - else if ( p.packet_flags & PKT_RESIZED ) - { - // we never increase, only trim, but - // daq doesn't support resizing wire packet - if ( !DAQ_Inject(p.pkth, 0, p.pkt, p.pkth->pktlen) ) - { - verdict = DAQ_VERDICT_BLOCK; - inject = 1; - } - } -#endif - else - { - if ((p.packet_flags & PKT_IGNORE_PORT) || - (stream_api && (stream_api->get_ignore_direction(p.ssnptr) == SSN_DIR_BOTH))) - { - verdict = DAQ_VERDICT_WHITELIST; - } - else - { - verdict = DAQ_VERDICT_PASS; - } - } - } - /* Collect some "on the wire" stats about packet size, etc */ - UpdateWireStats(&sfBase, pkthdr->caplen, Active_PacketWasDropped(), inject); - Active_Reset(); return verdict; } @@ -3105,6 +3116,34 @@ } #endif +static void PrintStatistics (void) +{ + if ( ScTestMode() || ScVersionMode() +#ifdef DYNAMIC_PLUGIN + || ScRuleDumpMode() +#endif + ) + return; + + fpShowEventStats(snort_conf); + +#ifdef PERF_PROFILING + { + int save_quiet_flag = snort_conf->logging_flags & LOGGING_FLAG__QUIET; + + snort_conf->logging_flags &= ~LOGGING_FLAG__QUIET; + + ShowPreprocProfiles(); + ShowRuleProfiles(); + + snort_conf->logging_flags |= save_quiet_flag; + } +#endif + + DropStats(2); + print_thresholding(snort_conf->threshold_config, 1); +} + /**************************************************************************** * * Function: CleanExit() @@ -3191,7 +3230,7 @@ { DAQ_Delete(); DAQ_Term(); - DropStats(2); + PrintStatistics(); return; } #if defined(SNORT_RELOAD) && !defined(WIN32) @@ -3277,32 +3316,7 @@ DAQ_Delete(); DAQ_Term(); - - /* Print Statistics */ - if (!ScTestMode() && !ScVersionMode() -#ifdef DYNAMIC_PLUGIN - && !ScRuleDumpMode() -#endif - ) - { - fpShowEventStats(snort_conf); - -#ifdef PERF_PROFILING - { - int save_quiet_flag = snort_conf->logging_flags & LOGGING_FLAG__QUIET; - - snort_conf->logging_flags &= ~LOGGING_FLAG__QUIET; - - ShowPreprocProfiles(); - ShowRuleProfiles(); - - snort_conf->logging_flags |= save_quiet_flag; - } -#endif - - DropStats(2); - print_thresholding(snort_conf->threshold_config, 1); - } + PrintStatistics(); #ifdef ACTIVE_RESPONSE Active_Term(); @@ -3421,8 +3435,10 @@ FreePluginSigFuncs(plugin_clean_exit_funcs); plugin_clean_exit_funcs = NULL; - FreePluginSigFuncs(plugin_restart_funcs); - plugin_restart_funcs = NULL; +#ifdef SNORT_RELOAD + FreePluginSigFuncs(plugin_reload_funcs); + plugin_reload_funcs = NULL; +#endif FreePeriodicFuncs(periodic_check_funcs); periodic_check_funcs = NULL;

@@ -1020,7 +1020,7 @@ /* P R O T O T Y P E S ******************************************************/ int SnortMain(int argc, char *argv[]); -DAQ_Verdict ProcessPacket(void*, const DAQ_PktHdr_t*, const uint8_t*, void*); +DAQ_Verdict ProcessPacket(Packet*, const DAQ_PktHdr_t*, const uint8_t*, void*); void SetupMetadataCallback(void); int InMainThread(void);

@@ -125,6 +125,48 @@ } /** + * A Safer Memmove + * dst and src can be in the same buffer + * + * @param dst where to copy to + * @param src where to copy from + * @param n number of bytes to copy + * @param start start of the dest buffer + * @param end end of the dst buffer + * + * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success + */ +static inline int SafeBoundsMemmove(void *dst, const void *src, size_t n, const void *start, const void *end) +{ + size_t overlap = 0; + if (SafeMemCheck(dst, n, start, end) != SAFEMEM_SUCCESS) + ERRORRET; + if (src == NULL) + ERRORRET; + + if( src == dst ) + { + return SAFEMEM_SUCCESS; + } + else if(inBounds(dst, ((uint8_t *)dst + n), src)) + { + overlap = (uint8_t *)src - (uint8_t *)dst; + memcpy(dst, src , overlap); + memmove(((uint8_t *)dst + overlap), ((uint8_t *)src + overlap), (n - overlap)); + } + else if(inBounds(src, ((uint8_t *)src + n), dst)) + { + overlap = (uint8_t *)dst - (uint8_t *)src; + memcpy(((uint8_t *)dst + overlap), ((uint8_t *)src + overlap), (n - overlap)); + memmove(dst, src, overlap); + } + else + { + memcpy(dst, src, n); + } + return SAFEMEM_SUCCESS; +} +/** * A Safer Memset * dst and src can be in the same buffer *

@@ -77,6 +77,7 @@ #include "mpse.h" #include "ppm.h" #include "active.h" +#include "packet_time.h" #ifdef TARGET_BASED #include "sftarget_reader.h" @@ -448,6 +449,56 @@ } /* + * Function: ErrorMessageThrottled(ThrottleInfo *,const char *, ...) + * + * Purpose: Print a message to stderr, and throttle when + * too many messages are printed. + * + * Arguments: throttleInfo => point to the saved throttle state information + * format => the formatted error string to print out + * ... => format commands/fillers + * + * Returns: void function + */ + +void ErrorMessageThrottled(ThrottleInfo *throttleInfo, const char *format,...) +{ + char buf[STD_BUF+1]; + va_list ap; + time_t current_time = packet_timeofday(); + + if ((snort_conf == NULL)||(!throttleInfo)) + return; + + throttleInfo->count++; + DEBUG_WRAP(DebugMessage(DEBUG_INIT,"current_time: %d, throttle (%p): count "STDu64", last update: %d\n", + (int)current_time, throttleInfo, throttleInfo->count, (int)throttleInfo->lastUpdate );) + /*Note: we only output the first error message, + * and the statistics after at least duration_to_log seconds + * when the same type of error message is printed out again */ + if (current_time - throttleInfo->duration_to_log > throttleInfo->lastUpdate) + { + int index; + va_start(ap, format); + index = vsnprintf(buf, STD_BUF, format, ap); + va_end(ap); + + if (index && (throttleInfo->count > 1)) + { + snprintf(&buf[index - 1], STD_BUF-index, + " (suppressed "STDu64" times in the last %d seconds).\n", + throttleInfo->count, (int) (current_time - throttleInfo->lastUpdate)); + } + + ErrorMessage("%s",buf); + throttleInfo->lastUpdate = current_time; + throttleInfo->count = 0; + } + +} + + +/* * Function: LogMessage(const char *, ...) * * Purpose: Print a message to stderr or with logfacility.

@@ -204,6 +204,15 @@ void LogMessage(const char *, ...) __attribute__((format (printf, 1, 2))); void WarningMessage(const char *, ...) __attribute__((format (printf, 1, 2))); void ErrorMessage(const char *, ...) __attribute__((format (printf, 1, 2))); +typedef struct _ThrottleInfo +{ + time_t lastUpdate; + /*Within this duration (in seconds), maximal one distinct message is logged*/ + uint32_t duration_to_log; + uint64_t count; +}ThrottleInfo; +void ErrorMessageThrottled(ThrottleInfo*,const char *, ...) __attribute__((format (printf, 2, 3))); + NORETURN void FatalError(const char *, ...) __attribute__((format (printf, 1, 2))); int SnortSnprintf(char *, size_t, const char *, ...) __attribute__((format (printf, 3, 4))); int SnortSnprintfAppend(char *, size_t, const char *, ...) __attribute__((format (printf, 3, 4))); @@ -274,6 +283,65 @@ return iRet; } +// Checks to make sure we're not going to evaluate a negative number for which +// strtoul() gladly accepts and parses returning an underflowed wrapped unsigned +// long without error. +// +// Buffer passed in MUST be NULL terminated. +// +// Returns +// int +// -1 if buffer is nothing but spaces or first non-space character is a +// negative sign. Also if errno is EINVAL (which may be due to a bad +// base) or there was nothing to convert. +// 0 on success +// +// Populates pointer to uint32_t value passed in which should +// only be used on a successful return from this function. +// +// Also will set errno to ERANGE on a value returned from strtoul that is +// greater than UINT32_MAX, but still return success. +// +static inline int SnortStrToU32(const char *buffer, char **endptr, + uint32_t *value, int base) +{ + unsigned long int tmp; + + if ((buffer == NULL) || (endptr == NULL) || (value == NULL)) + return -1; + + // Only positive numbers should be processed and strtoul will + // eat up white space and process '-' and '+' so move past + // white space and check for a negative sign. + while (isspace((int)*buffer)) + buffer++; + + // If all spaces or a negative sign is found, return error. + // XXX May also want to exclude '+' as well. + if ((*buffer == '\0') || (*buffer == '-')) + return -1; + + tmp = SnortStrtoul(buffer, endptr, base); + + // The user of the function should check for ERANGE in errno since this + // function can be used such that an ERANGE error is acceptable and + // value gets truncated to UINT32_MAX. + if ((errno == EINVAL) || (*endptr == buffer)) + return -1; + + // If value is greater than a UINT32_MAX set value to UINT32_MAX + // and errno to ERANGE + if (tmp > UINT32_MAX) + { + tmp = UINT32_MAX; + errno = ERANGE; + } + + *value = (uint32_t)tmp; + + return 0; +} + static inline long SnortStrtolRange(const char *nptr, char **endptr, int base, long lo, long hi) { long iRet = SnortStrtol(nptr, endptr, base);

@@ -125,7 +125,7 @@ * should both match the ones specified in the * AM_INIT_AUTOMAKE() macro of configure.in */ -#define VERSION "2.9.2.1"VERSION_ENABLE_ODBC""VERSION_ENABLE_MYSQL""VERSION_ENABLE_MSSQL""VERSION_ENABLE_ORACLE""VERSION_ENABLE_RESPONSE"-WIN32"VERSION_DEBUG +#define VERSION "2.9.2.2"VERSION_ENABLE_ODBC""VERSION_ENABLE_MYSQL""VERSION_ENABLE_MSSQL""VERSION_ENABLE_ORACLE""VERSION_ENABLE_RESPONSE"-WIN32"VERSION_DEBUG #define PACKAGE "snort" #define IFNAMSIZ 255

@@ -11,7 +11,7 @@ ; Note that this NSIS script is designed for NSIS version 2.09. ; -Name "Snort 2.9.2.1" +Name "Snort 2.9.2.2" CRCCheck On @@ -23,7 +23,7 @@ ;Configuration ;General - OutFile "Snort_2_9_2_1_Installer.exe" ; The name of the installer executable + OutFile "Snort_2_9_2_2_Installer.exe" ; The name of the installer executable ;Folder selection page InstallDir "C:\Snort"

@@ -124,6 +124,8 @@ u2record current; } u2iterator; +static long s_pos = 0, s_off = 0; + #define TO_IP(x) x >> 24, (x >> 16) & 0xff, (x >> 8) & 0xff, x & 0xff u2iterator *new_iterator(char *filename) { @@ -166,6 +168,12 @@ return FAILURE; } + if ( s_off ) + { + fseek(it->file, s_pos+s_off, SEEK_SET); + s_off = 0; + } + /* read type and length */ bytes_read = fread(record, 1, sizeof(uint32_t) * 2, it->file); /* But they're in network order! */ @@ -184,13 +192,21 @@ return FAILURE; } + s_pos = ftell(it->file); + record->data = (uint8_t *)realloc(record->data, record->length); bytes_read = fread(record->data, 1, record->length, it->file); if(bytes_read != record->length) { puts("get_record: (2) Failed to read all of record data."); printf("\tRead %u of %u bytes\n", bytes_read, record->length); - return FAILURE; + + if ( record->type != UNIFIED2_PACKET || + bytes_read < ntohl(((Serial_Unified2Packet*)record->data)->packet_length) + ) + return FAILURE; + + clearerr(it->file); } return SUCCESS; @@ -705,6 +721,10 @@ void packet_dump(u2record *record) { uint32_t counter; uint8_t *field; + + unsigned offset = sizeof(Serial_Unified2Packet)-4; + unsigned reclen = record->length - offset; + Serial_Unified2Packet packet; memcpy(&packet, record->data, sizeof(Serial_Unified2Packet)); @@ -724,7 +744,22 @@ packet.packet_second, packet.packet_microsecond, packet.linktype, packet.packet_length); - LogBuffer(record->data+sizeof(Serial_Unified2Packet)-4, packet.packet_length); + + if ( record->length <= offset ) + return; + + if ( packet.packet_length != reclen ) + { + printf("ERROR: logged %u but packet_length = %u\n", + record->length-offset, packet.packet_length); + + if ( packet.packet_length < reclen ) + { + reclen = packet.packet_length; + s_off = reclen + offset; + } + } + LogBuffer(record->data+offset, reclen); } int u2dump(char *file) {

[-] [+]	Changed	snort.spec
@@ -102,7 +102,7 @@ Name: %{realname}%{inlinetext} %{?_with_inline:%define Name: %{realname}-inline } -Version: 2.9.2.1 +Version: 2.9.2.2 Epoch: 1 Release: %{release} Summary: An open source Network Intrusion Detection System (NIDS) @@ -643,6 +643,9 @@ # Vlatko Kosturjak <kost@linux.hr> %changelog +* Thu Mar 29 2012 Carsten Schoene <cs@linux-administrator.com> - 2.9.2.2-1 +- update to release 2.9.2.2 + * Sat Dec 17 2011 Carsten Schoene <cs@linux-administrator.com> - 2.9.2-1 - update to release 2.9.2
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/ChangeLog ^
@@ -1,3 +1,198 @@ +2012-3-17 Steven Sturges <ssturges@sourcefire.com> +Snort 2.9.2.2 + * src/build.h: + Updated to build 121. + + * src/preprocessors/HttpInspect/normalization/hi_norm.c: + Fix HTTP URI normalization when URI has more than 2k slashes. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fixed split fin-ack tracking and flush/free app data on reset + when listener is in fin-wait-1, fin-wait-2, or closing state. + + * src/: encode.c, encode.h, snort.c, snort.h, + Fix generation of response packets on fragmented IPv6 packet + by using the frag reassembled packet to encode. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fix logical byte count and remove unreachable code + + * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c: + Update to handle IPv6 traffic for processing of IP header + options within .so rules. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Expand slam threshold to <= 4 and fix for non-reassembled + sessions. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Check seq within window relative to window base. + + * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: + Fix flow flags for single segment PDUs from PAF. + + * doc/: faq.pdf, faq.tex, snort_manual.pdf, snort_manual.tex: + Remove references to deprecated servers. + + * src/dynamic-preprocessors/sip/sip_parser.c: + Unknown method alert is generated only after verifying the + packet is SIP. Don't generate alerts for a. multiple SIP + messages within one UDP packet (140:17) and b. mismatched + content length (140:18) simultaneously. + + * doc/: INSTALL, snort_manual.pdf, snort_manual.tex: + Updates to the manual to fix formatting, clarify detection_filter, + and remove obsolete configure options. Thanks to Larry Hughes, + Eoin Miller, Beenph and Joshua Kinard for reading it! + + * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex, + src/dynamic-preprocessors/sip/sip_config.c, + src/dynamic-preprocessors/sip/sip_config.h, + src/dynamic-preprocessors/sip/sip_dialog.c, + src/dynamic-preprocessors/sip/sip_dialog.h, + src/dynamic-preprocessors/sip/spp_sip.c, + src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map: + Limit number of dialogs within a stream session. Thanks + to Filip Valder for providing the information. + + * src/active.c: + Allow repeated responses to non-TCP/UDP traffic. + + * src/: sfdaq.c, sfdaq.h, output-plugins/spo_unified2.c: + Correctly log blocked flag in unified2 events when an interface + is passive. + + * doc/: README.filters, snort_manual.pdf, snort_manual.tex: + Update README & manual to document -1 as acceptable value for + event_filter. + + * src/: snort.c: + Add stats output to dirty pig shutdown. + + * src/: preprocessors/Stream5/stream5_common.c: + Update initialization for stream_ip. + + * doc/snort_manual.pdf, src/byte_extract.c, src/util.h, + src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c: + Make byte extraction of strings only allow for positive values. + + * src/preprocessors/HttpInspect/client/hi_client.c: + Check for paf_max before marking a packet as request body. + + * doc/: README.SMTP, snort_manual.pdf, snort_manual.tex, + preproc_rules/preprocessor.rules, src/generators.h, + src/dynamic-preprocessors/smtp/smtp_config.h, + src/dynamic-preprocessors/smtp/smtp_util.c, + src/dynamic-preprocessors/smtp/snort_smtp.c, + src/dynamic-preprocessors/smtp/spp_smtp.c: + Added SMTP preproc shutdown stats. Remove the decoding memcap + exceeded alert and displaying this info instead. + + * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c, + spp_ftptelnet.c: + Update parsing for ftptelnet config. + + * src/dynamic-preprocessors/modbus/spp_modbus.c: + Update to free the modbus session data. + + * src/: snort_bounds.h, + preprocessors/HttpInspect/server/hi_server_norm.c: + Update javascript normalization to call a safeboundsmemmove + function when the src and dst buffers overlap. + + * src/preprocessors/HttpInspect/client/hi_client.c: + Change the code to not look for POST data (while parsing method) + when PAF is enabled and process request packets when the + method is undefined. + + * src/dynamic-preprocessors/pop/: snort_pop.c, snort_pop.h: + Decode data following +OK response without the octets string. + + * src/dynamic-preprocessors/dcerpc2/dce2_utils.h: + Made macro in dcerpc2 preprocessor used for progressing through + data more robust. + + * src/preprocessors/: snort_httpinspect.h, + HttpInspect/client/hi_client.c, HttpInspect/server/hi_server.c: + Eliminate false positives (no content-length or transfer-encoding) + when chunk size spans across multiple packets. Thanks to Daniel + Dallmann for reporting the issue. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Update handling of retransmitted segments overlapping the + window on the left + + * src/preprocessors/HttpInspect/server/hi_server.c: + Set the file_data to the raw HTTP response body (de-chunked/ + normalized) when decompression fails due to false GZIP headers. + Set the inspect_body flag after resetting the decompress_data + flag to allow extraction of HTTP response body across packets + when decompression fails entirely. Thanks to Eoin Miller for + reporting this issue. + + * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex, + src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h: + Remove the Max on the gzip memcap. Thanks to Eoin Miller for + the request. + + * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_paf.c, + dce2_session.h, dce2_smb.c, dce2_smb.h, snort_dce2.c, + snort_dce2.h: + State tracking improvements to SMB processing in the dcerpc2 + preprocessor when missing packets on a session. + + * tools/u2spewfoo/u2spewfoo.c: + Tweaks to dump u2 files in the presence of certain errors. + + * src/encode.c: + Fix overhead calculation to ensure sufficient buffer space for + defragging a maximum length IP datagram regardless of encapsulations. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fix false positives on 129:16. + + * src/preprocessors/Stream5/snort_stream5_tcp.c: + Fix stream5 to not purge too early when normalizing streams. + + * src/decode.c: + Remove redundant clearing of pointer in error case. Thanks + to Josh Kinard for pointing out the error. + + * src/preprocessors/spp_normalize.c: + Change normalizer priority to ensure ahead of frag3 regardless + of conf ordering. + + * src/detection-plugins/sp_react.c, doc/README.active, + doc/snort_manual.pdf, doc/snort_manual.tex: + Don't allow more than one % in a user-defined HTML page used + for react rule options. Thanks to Cleber S. Brandão for + reporting the issue. + + * configure.in: + Update configure script to correctly display 'Disable' help + verbage for the --disable-xxx options. Thanks to Kungu Panda for + pointing it out. + + * src/: plugbase.c, plugbase.h, snort.c, + output-plugins/spo_alert_arubaaction.c, + output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c, + output-plugins/spo_alert_prelude.c, + output-plugins/spo_alert_syslog.c, + output-plugins/spo_alert_test.c, + output-plugins/spo_alert_unixsock.c, output-plugins/spo_csv.c, + output-plugins/spo_database.c, output-plugins/spo_log_ascii.c, + output-plugins/spo_log_null.c, output-plugins/spo_log_tcpdump.c, + output-plugins/spo_unified.c, output-plugins/spo_unified2.c: + Update unified2 output to rotate the unified2 file on reload. + + * src/dynamic-preprocessors/smtp/smtp_util.c: + Truncate the trailing end of the email id when the + rcpt to or mail from addresses are too long. + + * doc/snort_manual.tex, doc/README.GTP, src/: + dynamic-plugins/sf_dynamic_plugins.c, util.c, util.h: + Throttle the so rules memcap error message. + 2012-1-17 16:16 Hui Cao <hcao@sourcefire.com> Snort 2.9.2.1 All files: updated copyright to 2012 @@ -81,7 +276,7 @@ * src/: generators.h, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/event_output/hi_eo_log.c, - preprocessors/HttpInspect/include/hi_eo_events.h: Bugs + preprocessors/HttpInspect/include/hi_eo_events.h: Added a preprocessor alert to alert when a HTTP method being parsed is not a GET or a POST or not defined by the user.
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/RELEASE.NOTES ^
@@ -1,4 +1,28 @@ -2012-1-17 - Snort 2.9.2.1 +2012-03-26 - Snort 2.9.2.2 +[] Improvements + Updates to HTTP Inspect to handle normalization with large + number of directories, eliminate false positives when chunks + span multiple packets, and remove the upper limit on the + gzip memcap. + + * Update stream handling for TCP session cleanup with RSTs and + other TCP state tracking. + + * Update for responses to fragmented IPv6 traffic and to the + react page configuration. + + * Updates SIP preprocessor to limit false positives. + + * Update for correct logging in unified2 when interface is passive. + + * Add stats for SMTP preprocessor at termination. + + * State tracking improvements to SMB processing in the dcerpc2 + preprocessor when missing packets on a session. + + * + +2012-01-17 - Snort 2.9.2.1 [] New Additions Added new alerts for HTTP (undefined methods & HTTP 0.9 simple requests).
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/configure ^
@@ -1495,41 +1495,41 @@ optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) --enable-64bit-gcc Try to compile 64bit (only tested on Sparc Solaris 9 and 10). - --disable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries) + --disable-dynamicplugin Disable Ability to dynamically load preprocessors, detection engine, and rules lib --enable-so-with-static-lib Enable linking of dynamically loaded preprocessors with a static preprocessor library --enable-control-socket Enable the control socket - --disable-static-daq Link static DAQ modules. + --disable-static-daq Link static DAQ modules. --enable-build-dynamic-examples Enable building of example dynamically loaded preprocessor and rule (off by default) - --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default. - --disable-ipv6 Disable IPv6 support - --disable-zlib Enable Http Response Decompression - --disable-gre Enable GRE and IP in IP encapsulation support - --disable-mpls Enable MPLS support - --disable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly) - --disable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events - --disable-ppm Enable packet/rule performance monitor - --disable-perfprofiling Enable preprocessor and rule performance profiling - --enable-linux-smp-stats Enable statistics reporting through proc + --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default. + --disable-ipv6 Disable IPv6 support + --disable-zlib Disable Http Response Decompression + --disable-gre Disable GRE and IP in IP encapsulation support + --disable-mpls Disable MPLS support + --disable-targetbased Disable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly) + --disable-decoder-preprocessor-rules Disable rule actions for decoder and preprocessor events + --disable-ppm Disable packet/rule performance monitor + --disable-perfprofiling Disable preprocessor and rule performance profiling + --enable-linux-smp-stats Enable statistics reporting through proc --enable-inline-init-failopen Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly) --enable-prelude Enable Prelude Hybrid IDS support - --disable-pthread Disable pthread support + --disable-pthread Disable pthread support --enable-debug-msgs Enable debug printing options (bugreports and developers only) --enable-debug Enable debugging options (bugreports and developers only) - --enable-gdb Enable gdb debugging information + --enable-gdb Enable gdb debugging information --enable-profile Enable profiling options (developers only) - --disable-ppm-test Enable packet/rule performance monitor + --disable-ppm-test Disable packet/rule performance monitor --enable-sourcefire Enable Sourcefire specific build options, encompasing --enable-perfprofiling,--enable-decoder-preprocessor-rules, --enable-ppm --disable-corefiles Prevent Snort from generating core files - --disable-active-response Enable reject injection - --disable-normalizer Enable packet/stream normalizations - --disable-reload Enable reloading a configuration without restarting - --disable-reload-error-restart Enable restarting on reload error - --disable-paf disable protocol aware flushing - --disable-react Intercept and terminate offending HTTP accesses - --disable-flexresp3 Flexible Responses (v3) on hostile connection attempts + --disable-active-response Disable reject injection + --disable-normalizer Disable packet/stream normalizations + --disable-reload Disable reloading a configuration without restarting + --disable-reload-error-restart Disable restarting on reload error + --disable-paf Disable protocol aware flushing + --disable-react Disable interception and termination of offending HTTP accesses + --disable-flexresp3 Disable flexible responses (v3) on hostile connection attempts --enable-aruba Enable Aruba output plugin --enable-intel-soft-cpm Enable Intel Soft CPM support - --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only) + --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only) --enable-rzb-saac Enable Razorback SaaC support --enable-large-pcap Enable support for pcaps larger than 2 GB @@ -3075,7 +3075,7 @@ # Define the identity of the package. PACKAGE=snort - VERSION=2.9.2.1 + VERSION=2.9.2.2 cat >>confdefs.h <<_ACEOF
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/configure.in ^
@@ -6,7 +6,7 @@ AM_CONFIG_HEADER(config.h) # When changing the snort version, please also update the VERSION # definition in "src/win32/WIN32-Includes/config.h" -AM_INIT_AUTOMAKE(snort,2.9.2.1) +AM_INIT_AUTOMAKE(snort,2.9.2.2) NO_OPTIMIZE="no" ADD_WERROR="no" @@ -533,7 +533,7 @@ fi AC_ARG_ENABLE(dynamicplugin, -[ --disable-dynamicplugin Enable Ability to dynamically load preprocessors, detection engine, and rules lib (on by default, use --disable to not use dynamic libraries)], +[ --disable-dynamicplugin Disable Ability to dynamically load preprocessors, detection engine, and rules lib], enable_dynamicplugin="$enableval", enable_dynamicplugin="yes") AM_CONDITIONAL(HAVE_DYNAMIC_PLUGINS, test "x$enable_dynamicplugin" = "xyes") @@ -621,7 +621,7 @@ fi AC_ARG_ENABLE(static_daq, -[ --disable-static-daq Link static DAQ modules.], +[ --disable-static-daq Link static DAQ modules.], enable_static_daq="$enableval", enable_static_daq="yes") if test "x$enable_static_daq" = "xyes" \ @@ -751,14 +751,14 @@ fi AC_ARG_ENABLE(dlclose, -[ --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default.], +[ --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default.], enable_dlclose="$enableval", enable_dlclose="yes") if test "x$enable_dlclose" = "xno"; then AC_DEFINE([DISABLE_DLCLOSE_FOR_VALGRIND_TESTING],[1],[Don't close opened shared objects for valgrind leak testing of dynamic libraries]) fi AC_ARG_ENABLE(ipv6, -[ --disable-ipv6 Disable IPv6 support], +[ --disable-ipv6 Disable IPv6 support], enable_ipv6="$enableval", enable_ipv6="yes") if test "x$enable_ipv6" = "xyes"; then CONFIGFLAGS="$CONFIGFLAGS -DSUP_IP6" @@ -766,7 +766,7 @@ AM_CONDITIONAL(HAVE_SUP_IP6, test "x$enable_ipv6" = "xyes") AC_ARG_ENABLE(zlib, -[ --disable-zlib Enable Http Response Decompression], +[ --disable-zlib Disable Http Response Decompression], enable_zlib="$enableval", enable_zlib="yes") AM_CONDITIONAL(HAVE_ZLIB, test "x$enable_zlib" = "xyes") if test "x$enable_zlib" = "xyes"; then @@ -792,21 +792,21 @@ fi AC_ARG_ENABLE(gre, -[ --disable-gre Enable GRE and IP in IP encapsulation support], +[ --disable-gre Disable GRE and IP in IP encapsulation support], enable_gre="$enableval", enable_gre="yes") if test "x$enable_gre" = "xyes"; then CPPFLAGS="$CPPFLAGS -DGRE" fi AC_ARG_ENABLE(mpls, -[ --disable-mpls Enable MPLS support], +[ --disable-mpls Disable MPLS support], enable_mpls="$enableval", enable_mpls="yes") if test "x$enable_mpls" = "xyes"; then CPPFLAGS="$CPPFLAGS -DMPLS" fi AC_ARG_ENABLE(targetbased, -[ --disable-targetbased Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)], +[ --disable-targetbased Disable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)], enable_targetbased="$enableval", enable_targetbased="yes") AM_CONDITIONAL(HAVE_TARGET_BASED, test "x$enable_targetbased" = "xyes") @@ -832,28 +832,28 @@ fi AC_ARG_ENABLE(decoder-preprocessor-rules, -[ --disable-decoder-preprocessor-rules Enable rule actions for decoder and preprocessor events], +[ --disable-decoder-preprocessor-rules Disable rule actions for decoder and preprocessor events], enable_decoder_preprocessor_rules="$enableval", enable_decoder_preprocessor_rules="yes") if test "x$enable_decoder_preprocessor_rules" = "xyes"; then CPPFLAGS="$CPPFLAGS -DPREPROCESSOR_AND_DECODER_RULE_EVENTS" fi AC_ARG_ENABLE(ppm, -[ --disable-ppm Enable packet/rule performance monitor], +[ --disable-ppm Disable packet/rule performance monitor], enable_ppm="$enableval", enable_ppm="yes") if test "x$enable_ppm" = "xyes"; then CPPFLAGS="$CPPFLAGS -DPPM_MGR" fi AC_ARG_ENABLE(perfprofiling, -[ --disable-perfprofiling Enable preprocessor and rule performance profiling], +[ --disable-perfprofiling Disable preprocessor and rule performance profiling], enable_perfprofiling="$enableval", enable_perfprofiling="yes") if test "x$enable_perfprofiling" = "xyes"; then CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING" fi AC_ARG_ENABLE(linux-smp-stats, -[ --enable-linux-smp-stats Enable statistics reporting through proc], +[ --enable-linux-smp-stats Enable statistics reporting through proc], enable_linux_smp_stats="$enableval", enable_linux_smp_stats="no") AM_CONDITIONAL(BUILD_PROCPIDSTATS, test "x$enable_linux_smp_stats" = "xyes") if test "x$enable_linux_smp_stats" = "xyes"; then @@ -884,7 +884,7 @@ fi AC_ARG_ENABLE(pthread, -[ --disable-pthread Disable pthread support], +[ --disable-pthread Disable pthread support], enable_pthread="$enableval", enable_pthread="yes") if test "x$enable_pthread" = "xyes"; then @@ -914,7 +914,7 @@ fi AC_ARG_ENABLE(gdb, -[ --enable-gdb Enable gdb debugging information], +[ --enable-gdb Enable gdb debugging information], enable_gdb="$enableval", enable_gdb="no") if test "x$enable_gdb" = "xyes"; then @@ -935,7 +935,7 @@ fi AC_ARG_ENABLE(ppm-test, -[ --disable-ppm-test Enable packet/rule performance monitor], +[ --disable-ppm-test Disable packet/rule performance monitor], enable_ppm_test="$enableval", enable_ppm_test="no") if test "x$enable_ppm_test" = "xyes"; then @@ -960,19 +960,19 @@ fi AC_ARG_ENABLE(active-response, -[ --disable-active-response Enable reject injection], +[ --disable-active-response Disable reject injection], enable_active_response="$enableval", enable_active_response="yes") AC_ARG_ENABLE(normalizer, -[ --disable-normalizer Enable packet/stream normalizations], +[ --disable-normalizer Disable packet/stream normalizations], enable_normalizer="$enableval", enable_normalizer="yes") AC_ARG_ENABLE(reload, -[ --disable-reload Enable reloading a configuration without restarting], +[ --disable-reload Disable reloading a configuration without restarting], enable_reload="$enableval", enable_reload="yes") AC_ARG_ENABLE(reload-error-restart, -[ --disable-reload-error-restart Enable restarting on reload error], +[ --disable-reload-error-restart Disable restarting on reload error], enable_reload_error_restart="$enableval", enable_reload_error_restart="yes") if test "x$enable_reload" = "xyes"; then @@ -1423,7 +1423,7 @@ fi AC_ARG_ENABLE(paf, -[ --disable-paf disable protocol aware flushing], +[ --disable-paf Disable protocol aware flushing], enable_paf="$enableval", enable_paf="yes") if test "x$enable_paf" = "xyes"; then @@ -1431,11 +1431,11 @@ fi AC_ARG_ENABLE(react, -[ --disable-react Intercept and terminate offending HTTP accesses], +[ --disable-react Disable interception and termination of offending HTTP accesses], enable_react="$enableval", enable_react="yes") AC_ARG_ENABLE(flexresp3, -[ --disable-flexresp3 Flexible Responses (v3) on hostile connection attempts], +[ --disable-flexresp3 Disable flexible responses (v3) on hostile connection attempts], enable_flexresp3="$enableval", enable_flexresp3="yes") AC_ARG_ENABLE(aruba, @@ -1508,7 +1508,7 @@ fi AC_ARG_ENABLE(shared_rep, - [ --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only)], + [ --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only)], enable_shared_rep="$enableval", enable_shared_rep="no") if test "x$enable_shared_rep" = "xyes"; then
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/doc/INSTALL ^
@@ -65,9 +65,6 @@ Enable linking of dynamically loaded preprocessors with a static preprocessor library. -`--enable-timestats' - Enable real-time performance statistics. - `--enable-perfprofiling' Enable performance profiling of individual rules and preprocessors. @@ -518,5 +515,5 @@ autoconf Then run configure with any desired options (--enable-dynamicplugin, ---enable-inline, etc). +etc).
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/doc/README.GTP ^
@@ -68,7 +68,7 @@ Different from GTP decoder, GTP preprocessor examines all signaling messages. The preprocessor configuration name is "gtp". -preprocessor sip +preprocessor gtp Option Argument Required Default ports <ports> No ports { 2123 3386 } @@ -90,10 +90,10 @@ Configuration examples preprocessor gtp - preprocessor sip: ports { 2123 3386 2152 } + preprocessor gtp: ports { 2123 3386 2152 } Default configuration - preprocessor sip + preprocessor gtp GTP Decoder Events ================================================================================
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/doc/README.SMTP ^
@@ -234,9 +234,6 @@ default config's value. Hence user needs to define it in the default config with the new keyword disabled (used to disable SMTP preprocessor in a config). -When the memcap for decoding (max_mime_mem) is exceeded the SMTP preprocessor alert with sid 9 is -generated (when enabled). - * log_mailfrom * This option enables SMTP preprocessor to parse and log the sender's email address extracted from the "MAIL FROM" command along with all the generated events for that session. The maximum
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/doc/README.active ^
@@ -139,6 +139,10 @@ "You are attempting to access a forbidden site.<br />" \ "Consult your system administrator for details."; +Additional formatting operators beyond a single %s are prohibited, including +%d, %x, %s, as well as any URL encodings such as as %20 (space) that may be +within a reference URL. + This is an example rule: drop tcp any any -> any $HTTP_PORTS ( \
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/doc/README.filters ^
@@ -190,7 +190,8 @@ source IP addresses, or unique destination IP addresses. * count c: number of rule matching in s seconds that will cause event filter - limit to exceed. C must be nonzero value. + limit to exceed. C must be nonzero value. A count of -1 disables the + event filter and can be used to override the global event_filter. * seconds s: time period over which count is accrued. S must be nonzero value.
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/doc/README.http_inspect ^
@@ -77,7 +77,7 @@ * max_gzip_mem * This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor -will use for decompression. This value can be set from 3276 bytes to 100MB. This option +will use for decompression. The minimum allowed value for this option is 3276 bytes. This option along with compress and decompress depth determines the gzip sessions that will be decompressed at any given instant. The default value for this option is 838860.
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/doc/README.sip ^
@@ -39,6 +39,7 @@ Option Argument Required Default disabled None No OFF max_sessions <max_sessions> No max_sessions 10000 +max_dialogs <max_dialogs> No max_dialogs 4 ports <ports> No ports { 5060 5061 } methods <methods> No methods { invite cancel ack bye register options } @@ -53,6 +54,7 @@ ignore_call_channel None No OFF max_sessions = 1024 - 4194303 +max_dialogs = 1 - 4194303 methods = "invite" \| "cancel" \| "ack" \| "bye" \| "register" \| "options" \| "refer" \| "subscribe" \| "update" \| "join" \| "info" \| "message" \| "notify" \| "prack" @@ -77,6 +79,10 @@ Those sessions are stream sessions, so they are bounded by maximum number of stream sessions. Default is 10000. + max_dialogs + This specifies the maximum number of dialogs within one stream session. If exceeded, + the oldest dialog will be dropped. Default is 4. + ports This specifies on what ports to check for SIP messages. Typically, this will include 5060, 5061. @@ -228,6 +234,7 @@ 24 SIP version other than 2.0, 1.0, and 1.1 is invalid 25 Mismatch in Method of request and the CSEQ header 26 The method is unknown + 27 The number of dialogs in the stream session exceeds the maximal value. Rule Options ================================================================================
	Changed	snort-2.9.2.2.tar.bz2/doc/faq.pdf ^
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/doc/faq.tex ^
@@ -1420,22 +1420,6 @@ #EOF \end{verbatim} -\subsection{How do you get the latest Snort via cvs?} \label{cvs} - -Snort can be checked out through anonymous (pserver) CVS with the -following instruction set. The module you wish to check out must be -specified as the modulename. When prompted for a password for anonymous, -simply press the Enter key. -\begin{verbatim} - cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot login - - cvs -z3 -d:pserver:anonymous@cvs.snort.org:/cvsroot co snort -\end{verbatim} -Updates from within the module's directory do not need the -d parameter. - -You will need to issue the command ``sh ./autojunk.sh'' before starting -./configure. - \subsection{How do I use a remote syslog machine?} Add the syslog switch, -s, and put this statement syslog.conf:
	Changed	snort-2.9.2.2.tar.bz2/doc/snort_manual.pdf ^
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/doc/snort_manual.tex ^
@@ -125,8 +125,9 @@ have a better way to say something or find that something in the documentation is outdated, drop us a line and we will update it. If you would like to submit patches for this document, you can find the latest version of the documentation -in \LaTeX\ format in the Snort CVS repository at \verb!/doc/snort_manual.tex!. -Small documentation updates are the easiest way to help out the Snort Project. +in \LaTeX\ format in the most recent source tarball under +\verb!/doc/snort_manual.tex!. Small documentation updates are the easiest way +to help out the Snort Project. \section{Getting Started} @@ -567,29 +568,6 @@ Note that the pcap DAQ does not count filtered packets. -\subsubsection{MMAPed pcap} - -On Linux, a modified version of libpcap is available that implements a shared -memory ring buffer. Phil Woods (cpw@lanl.gov) is the current maintainer of the -libpcap implementation of the shared memory ring buffer. The shared memory -ring buffer libpcap can be downloaded from his website at -\url{http://public.lanl.gov/cpw/}. - -Instead of the normal mechanism of copying the packets from kernel memory into -userland memory, by using a shared memory ring buffer, libpcap is able to queue -packets into a shared buffer that Snort is able to read directly. This change -speeds up Snort by limiting the number of times the packet is copied before -Snort gets to perform its detection upon it. - -Once Snort linked against the shared memory libpcap, enabling the ring buffer -is done via setting the environment variable \emph{PCAP\_FRAMES}. -\emph{PCAP\_FRAMES} is the size of the ring buffer. According to Phil, the -maximum size is 32768, as this appears to be the maximum number of iovecs the -kernel can handle. By using \emph{PCAP\_FRAMES=max}, libpcap will -automatically use the most frames possible. On Ethernet, this ends up being -1530 bytes per frame, for a total of around 52 Mbytes of memory for the ring -buffer alone. - \subsection{AFPACKET} afpacket functions similar to the memory mapped pcap DAQ but no external @@ -661,7 +639,7 @@ <qlen> ::= 0..65535; default is 0 \end{verbatim} -Notes on iptables are given below. +Notes on iptables can be found in the DAQ distro README. \subsection{IPQ} @@ -683,8 +661,6 @@ <proto> ::= ip4 \| ip6; default is ip4 \end{verbatim} -Notes on iptables are given below. - \subsection{IPFW} IPFW is available for BSD systems. It replaces the inline version available in @@ -2387,14 +2363,6 @@ Use config event\_filter instead.)\\ \hline -\texttt{config timestats\_interval: <secs>} & - -Set the amount of time in seconds between logging time stats. Default is 3600 -(1 hour). Note this option is only available if Snort was built to use time -stats with \texttt{--enable-timestats}. \\ - - -\hline \texttt{config umask: <umask>} & Sets umask when running (\texttt{snort -m}). \\ \hline @@ -3367,7 +3335,7 @@ \begin{itemize} \item \texttt{TCP} \item \texttt{UDP} -\item \texttt{IGMP} +\item \texttt{ICMP} \item \texttt{ip\_proto} \item \texttt{all} \end{itemize} @@ -4039,8 +4007,8 @@ \item \texttt{max\_gzip\_mem $<$integer$>$} This option determines (in bytes) the maximum amount of memory the HTTP Inspect -preprocessor will use for decompression. This value can be set from 3276 bytes -to 100MB. This option along with \texttt{compress\_depth} and \texttt{decompress\_depth} +preprocessor will use for decompression. The minimum allowed value for this option +is 3276 bytes. This option along with \texttt{compress\_depth} and \texttt{decompress\_depth} determines the gzip sessions that will be decompressed at any given instant. The default value for this option is 838860. @@ -4540,8 +4508,8 @@ This option enables the normalization of Javascript within the HTTP response body. You should select the config option \texttt{extended\_response\_inspection} before configuring this option. When this option is turned on, Http Inspect searches for a Javascript within the -HTTP response body by searching for the <script> tags and starts normalizing it. -When Http Inspect sees the <script> tag without a type, it is considered as a javascript. +HTTP response body by searching for the $<$script$>$ tags and starts normalizing it. +When Http Inspect sees the $<$script$>$ tag without a type, it is considered as a javascript. The obfuscated data within the javascript functions such as unescape, String.fromCharCode, decodeURI, decodeURIComponent will be normalized. The different encodings handled within the unescape/ decodeURI/decodeURIComponent are \texttt{\%XX}, \texttt{\%uXXXX}, \texttt{\\XX} and \texttt{\\uXXXXi}. @@ -5321,9 +5289,6 @@ default config's value. Hence user needs to define it in the default config with the new keyword disabled (used to disable SMTP preprocessor in a config). -When the memcap for decoding (\texttt{max\_mime\_mem}) is exceeded the SMTP preprocessor alert with sid 9 is -generated (when enabled) - \item \texttt{log\_mailfrom} This option enables SMTP preprocessor to parse and log the sender's email address extracted from the "MAIL FROM" command along with all the generated events for that session. The maximum @@ -8284,10 +8249,6 @@ \begin{itemize} \item -Truncate packets with excess payload to the datagram length specified in the -IP header. - -\item TTL normalization if enabled (explained below). \item @@ -8378,8 +8339,6 @@ Base normalizations enabled with "preprocessor \texttt{normalize\_tcp}" include: \begin{itemize} -\item -Remove data on SYN. \item Clear the reserved bits in the TCP header. @@ -8391,23 +8350,11 @@ Clear the urgent pointer and the urgent flag if there is no payload. \item -Set the urgent pointer to the payload length if it is greater than the -payload length. - -\item Clear the urgent flag if the urgent pointer is not set. \item Clear any option padding bytes. -\item -Remove any data from RST packet. - -\item -Trim data to window. - -\item -Trim data to MSS. \end{itemize} Optional normalizations include: @@ -8482,8 +8429,8 @@ <new_ttl> ::= (<min_ttl>+1..255) \end{verbatim} -If \texttt{new\_ttl }> \texttt{min\_ttl}, then if a packet is received with a -TTL < \texttt{min\_ttl}, the TTL will be set to \texttt{new\_ttl}. +If \texttt{new\_ttl }$>$ \texttt{min\_ttl}, then if a packet is received with a +TTL $<$ \texttt{min\_ttl}, the TTL will be set to \texttt{new\_ttl}. Note that this configuration item was deprecated in 2.8.6: @@ -8538,6 +8485,8 @@ \hline \texttt{max\_sessions} & \texttt{<max\_sessions>} & NO & \texttt{max\_sessions 10000}\\ \hline +\texttt{max\_dialogs} & \texttt{<max\_dialogs>} & NO & \texttt{max\_dialogs 4}\\ +\hline \texttt{ports} & \texttt{<ports>} & NO & \texttt{ports \{ 5060 5061 \} }\\ \hline \texttt{methods} & \texttt{<methods>} & NO & \texttt{methods \{ invite cancel ack bye @@ -8566,6 +8515,7 @@ \footnotesize \begin{verbatim} max_sessions = 1024-4194303 + max_dialogs = 1-4194303 methods = "invite"\|"cancel"\|"ack"\|"bye"\|"register"\| "options"\ \|"refer" \|"subscribe"\|"update"\|"join"\|"info"\|"message"\ \|"notify"\|"prack" @@ -8593,6 +8543,11 @@ Those sessions are stream sessions, so they are bounded by maximum number of stream sessions. Default is 10000. \end{itemize} +\item[] \texttt{max\_dialogs} +\begin{itemize} +\item[] This specifies the maximum number of dialogs within one stream session. If exceeded, + the oldest dialog will be dropped. Default is 4. +\end{itemize} \item[] \texttt{ports} \begin{itemize} \item[] This specifies on what ports to check for SIP messages. Typically, this will @@ -8802,6 +8757,8 @@ \hline 26 & The method is unknown \\ \hline + 27 & The number of dialogs in the stream session exceeds the maximal value. \\ +\hline \end{longtable} \subsubsection{Rule Options} New rule options are supported by enabling the \texttt{sip} preprocessor: @@ -9337,7 +9294,7 @@ Different from GTP decoder, GTP preprocessor examines all signaling messages. The preprocessor configuration name is \texttt{gtp}. \begin{verbatim} -preprocessor sip +preprocessor gtp \end{verbatim} \textit{Option syntax} \begin{itemize} @@ -9356,7 +9313,7 @@ \begin{itemize} \item[] \texttt{ports} \begin{itemize} -\item[] This specifies on what ports to check for SIP messages. Typically, +\item[] This specifies on what ports to check for GTP messages. Typically, this will include 5060, 5061. \item[] \textit{Syntax} \begin{verbatim} @@ -11050,7 +11007,8 @@ \texttt{count c} & number of rule matching in s seconds that will cause \texttt{event\_filter} -limit to be exceeded. \texttt{c} must be nonzero value.\\ +limit to be exceeded. \texttt{c} must be nonzero value. A value of -1 disables +the event filter and can be used to override the global \texttt{event\_filter}.\\ \hline \texttt{seconds s} & @@ -11172,7 +11130,7 @@ \begin{verbatim} suppress \ - gen_id <gid>, sig_id <sid>, \ + gen_id <gid>, sig_id <sid> \end{verbatim} \begin{verbatim} @@ -11211,7 +11169,7 @@ \texttt{ip <list>} & Restrict the suppression to only source or destination IP addresses (indicated -by \texttt{track} parameter) determined by <list>. If track is provided, ip +by \texttt{track} parameter) determined by $<$list$>$. If track is provided, ip must be provided as well.\\ \hline @@ -11933,7 +11891,7 @@ \begin{itemize} \item \texttt{filename}: the name of the log file. The default name is -<logdir>/alert. You may specify "stdout" for terminal output. The name may +$<$logdir$>$/alert. You may specify "stdout" for terminal output. The name may include an absolute or relative path. \item \texttt{packet}: this option will cause multiline entries with full @@ -11970,7 +11928,7 @@ \begin{itemize} \item \texttt{filename}: the name of the log file. The default name is -<logdir>/alert. You may specify "stdout" for terminal output. The name may +$<$logdir$>$/alert. You may specify "stdout" for terminal output. The name may include an absolute or relative path. \item \texttt{limit}: an optional limit on file size which defaults to 128 MB. @@ -12016,7 +11974,7 @@ \begin{itemize} \item \texttt{filename}: the name of the log file. The default name is -<logdir>/snort.log. The name may include an absolute or relative path. A +$<$logdir$>$/snort.log. The name may include an absolute or relative path. A UNIX timestamp is appended to the filename. \item \texttt{limit}: an optional limit on file size which defaults to 128 MB. @@ -12180,7 +12138,7 @@ \begin{itemize} \item \texttt{filename}: the name of the log file. The default name is -<logdir>/alert.csv. You may specify "stdout" for terminal output. The name +$<$logdir$>$/alert.csv. You may specify "stdout" for terminal output. The name may include an absolute or relative path. \item \texttt{format}: The list of formatting options is below. If the @@ -13162,7 +13120,7 @@ Each attempt (sent in rapid succession) has a different sequence number. Each active response will actually cause this number of TCP resets to be sent. TCP data (sent for react) is multiplied similarly. At most 1 ICMP unreachable is -sent, if and only if attempts > 0. +sent, if and only if attempts $>$ 0. \begin{verbatim} ./configure --enable-active-response @@ -13278,6 +13236,10 @@ "Consult your system administrator for details."; \end{verbatim} +Additional formatting operators beyond a single %s are prohibited, including +%d, %x, %s, as well as any URL encodings such as as %20 (space) that may be +within a reference URL. + This is an example rule: \begin{verbatim} @@ -15260,13 +15222,19 @@ \subsubsection{Example} -This example performs a case-insensitive search for the string BLAH in the payload. +This example performs a case-insensitive search for the HTTP URI \texttt{foo.php?id=<some numbers>} \begin{verbatim} - alert ip any any -> any any (pcre:"/BLAH/i";) + alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo.php?id=[0-9]{1,10}/iU";) \end{verbatim} \begin{note} +It is wise to have at least one \texttt{content} keyword in a rule that uses \texttt{pcre}. This +allows the fast-pattern matcher to filter out non-matching packets so that the pcre evaluation is +not performed on each and every packet coming across the wire. +\end{note} + +\begin{note} Snort's handling of multiple URIs with PCRE does not work as expected. PCRE when used without a \texttt{uricontent} only evaluates the first URI. In order @@ -17212,6 +17180,11 @@ would normally be used in conjunction with an \texttt{event\_filter} to reduce the number of logged events. +\begin{note} +As mentioned above, Snort evaluates \texttt{detection\_filter} as the last step of +the detection and not in post-detection. +\end{note} + \subsection{Post-Detection Quick Reference} \begin{center} @@ -18183,7 +18156,7 @@ \item {OptionType: Protocol Header \& Structure: {\em HdrOptCheck}} The {\em HdrOptCheck} structure defines an option to check a protocol header -for a specific value. It includes the header field, the operation (<,>,=,etc), +for a specific value. It includes the header field, the operation ($<$,$>$,=,etc), a value, a mask to ignore that part of the header field, and flags. \begin{verbatim} @@ -18223,7 +18196,7 @@ The {\em ByteData} structure defines the information for both ByteTest and ByteJump operations. It includes the number of bytes, an operation (for -ByteTest, <,>,=,etc), a value, an offset, multiplier, and flags. The flags +ByteTest, $<$,$>$,=,etc), a value, an offset, multiplier, and flags. The flags must specify the buffer. \begin{verbatim}
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/etc/gen-msg.map ^
@@ -456,6 +456,7 @@ 140 \|\| 24 \|\| sip: SIP version other than 2.0, 1.0, and 1.1 are invalid 140 \|\| 25 \|\| sip: Mismatch in Method of request and the CSEQ header 140 \|\| 26 \|\| sip: The method is unknown +140 \|\| 27 \|\| sip: Maximum dialogs in a session reached 141 \|\| 1 \|\| imap: Unknown IMAP4 command 141 \|\| 2 \|\| imap: Unknown IMAP4 response 141 \|\| 3 \|\| imap: No memory available for decoding. Memcap exceeded.
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/etc/snort.conf ^
@@ -10,7 +10,7 @@ # Snort bugs: bugs@snort.org # # Compatible with Snort Versions: -# VERSIONS : 2.9.2.1 +# VERSIONS : 2.9.2.2 # # Snort build options: # OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3 @@ -72,7 +72,7 @@ ipvar SIP_SERVERS $HOME_NET # List of ports you run web servers on -portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8181,8243,8280,8888,9090,9091,9443,9999,11371] +portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555] # List of ports you want to look for SHELLCODE on. portvar SHELLCODE_PORTS !80 @@ -89,6 +89,12 @@ # List of ports you run SIP servers on portvar SIP_PORTS [5060,5061,5600] +# List of file data ports for file inspection +portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] + +# List of GTP ports for GTP preprocessor +portvar GTP_PORTS [2123,2152,3386] + # other variables, these should not be modified ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] @@ -99,6 +105,14 @@ var SO_RULE_PATH ../so_rules var PREPROC_RULE_PATH ../preproc_rules +# If you are using reputation preprocessor set these +# Currently there is a bug with relative paths, they are relative to where snort is +# not relative to snort.conf like the above variables +# This is completely inconsistent with how other vars work, BUG 89986 +# Set the absolute path appropriately +var WHITE_LIST_PATH ../rules +var BLACK_LIST_PATH ../rules + ################################################### # Step #2: Configure the decoder. For more information, see README.decode ################################################### @@ -187,6 +201,13 @@ config event_queue: max_queue 8 log 3 order_events content_length ################################################### +## Configure GTP if it is to be used. +## For more information, see README.GTP +#################################################### + +# config enable_gtp + +################################################### # Per packet and rule latency enforcement # For more information see README.ppm ################################################### @@ -212,6 +233,12 @@ #config profile_preprocs: print all, sort avg_ticks ################################################### +# Configure protocol aware flushing +# For more information see README.stream5 +################################################### +config paf_max: 16000 + +################################################### # Step #4: Configure dynamic loaded libraries. # For more information, see Snort Manual, Configuring Snort - Dynamic Modules ################################################### @@ -230,6 +257,9 @@ # For more information, see the Snort Manual, Configuring Snort - Preprocessors ################################################### +# GTP Control Channle Preprocessor. For more information, see README.GTP +# preprocessor gtp: ports { 2123 3386 2152 } + # Inline packet normalization. For more information, see README.normalize # Does nothing in IDS mode preprocessor normalize_ip4 @@ -255,9 +285,9 @@ ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \ 161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \ 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \ - ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 5250 7907 7001 7802 7777 7779 \ + ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 \ 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \ - 7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 + 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 preprocessor stream5_udp: timeout 180 # performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor @@ -266,6 +296,7 @@ # HTTP normalization and anomaly detection. For more information, see README.http_inspect preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default \ + http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ chunk_length 500000 \ server_flow_depth 0 \ client_flow_depth 0 \ @@ -273,13 +304,16 @@ oversize_dir_length 500 \ max_header_length 750 \ max_headers 100 \ - ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 } \ + max_spaces 0 \ + small_chunk_length { 10 5 } \ + ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \ non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ enable_cookie \ extended_response_inspection \ inspect_gzip \ normalize_utf \ unlimited_decompress \ + normalize_javascript \ apache_whitespace no \ ascii no \ bare_byte no \ @@ -289,7 +323,7 @@ iis_delimiter no \ iis_unicode no \ multi_slash no \ - utf_8 no \ + utf_8 no \ u_encode yes \ webroot no @@ -412,7 +446,7 @@ preprocessor sensitive_data: alert_threshold 25 # SIP Session Initiation Protocol preprocessor. For more information see README.sip -preprocessor sip: max_sessions 10000, \ +preprocessor sip: max_sessions 40000, \ ports { 5060 5061 5600 }, \ methods { invite \ cancel \ @@ -442,7 +476,7 @@ max_to_len 256, \ max_via_len 1024, \ max_contact_len 512, \ - max_content_len 1024 + max_content_len 2048 # IMAP preprocessor. For more information see README.imap preprocessor imap: \ @@ -460,6 +494,22 @@ bitenc_decode_depth 0 \ uu_decode_depth 0 +# Modbus preprocessor. For more information see README.modbus +preprocessor modbus: ports { 502 } + +# DNP3 preprocessor. For more information see README.dnp3 +preprocessor dnp3: ports { 20000 } \ + memcap 262144 \ + check_crc + +# Reputation preprocessor. For more information see README.reputation +preprocessor reputation: \ + memcap 500, \ + priority whitelist, \ + nested_ip inner, \ + whitelist $WHITE_LIST_PATH/white_list.rules, \ + blacklist $BLACK_LIST_PATH/black_list.rules + ################################################### # Step #6: Configure output plugins # For more information, see Snort Manual, Configuring Snort - Output Modules @@ -512,6 +562,7 @@ include $RULE_PATH/dns.rules include $RULE_PATH/dos.rules include $RULE_PATH/exploit.rules +include $RULE_PATH/file-identify.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/icmp.rules @@ -581,12 +632,10 @@ # include $SO_RULE_PATH/multimedia.rules # include $SO_RULE_PATH/netbios.rules # include $SO_RULE_PATH/nntp.rules -# include $SO_RULE_PATH/pop3.rules # include $SO_RULE_PATH/p2p.rules # include $SO_RULE_PATH/smtp.rules # include $SO_RULE_PATH/snmp.rules # include $SO_RULE_PATH/specific-threats.rules -# include $SO_RULE_PATH/sql.rules # include $SO_RULE_PATH/web-activex.rules # include $SO_RULE_PATH/web-client.rules # include $SO_RULE_PATH/web-iis.rules
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/preproc_rules/preprocessor.rules ^
@@ -102,7 +102,6 @@ alert ( msg: "SMTP_ILLEGAL_CMD"; sid: 6; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; ) alert ( msg: "SMTP_HEADER_NAME_OVERFLOW"; sid: 7; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0105; ) alert ( msg: "SMTP_XLINK2STATE_OVERFLOW"; sid: 8; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; ) -alert ( msg: "SMTP_DECODE_MEMCAP_EXCEEDED"; sid: 9; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "SMTP_B64_DECODING_FAILED"; sid: 10; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "SMTP_QP_DECODING_FAILED"; sid: 11; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "SMTP_BITENC_DECODING_FAILED"; sid: 12; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) @@ -227,6 +226,7 @@ alert ( msg: "SIP_EVENT_INVALID_VERSION"; sid: 24; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_MISMATCH_METHOD"; sid: 25; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_UNKOWN_METHOD"; sid: 26; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) +alert ( msg: "SIP_EVENT_MAX_DIALOGS_IN_A_SESSION"; sid: 27; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) alert ( msg: "IMAP_MEMCAP_EXCEEDED"; sid: 3; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/rpm/snort.spec ^
@@ -91,7 +91,7 @@ Name: %{realname}%{inlinetext} %{?_with_inline:%define Name: %{realname}-inline } -Version: 2.9.2.1 +Version: 2.9.2.2 Epoch: 1 Release: %{release} Summary: An open source Network Intrusion Detection System (NIDS)
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/active.c ^
@@ -375,7 +375,12 @@ // explicitly drop packet Active_ForceDropPacket(); - _Active_DoIgnoreSession(p); + switch ( GET_IPH_PROTO(p) ) + { + case IPPROTO_TCP: + case IPPROTO_UDP: + _Active_DoIgnoreSession(p); + } return 0; }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/build.h ^
@@ -1 +1 @@ -#define BUILD "107" +#define BUILD "121"
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/byte_extract.c ^
@@ -26,6 +26,7 @@ #endif #include "snort.h" +#include "util.h" #include <sys/types.h> #include <stdlib.h> @@ -179,12 +180,8 @@ byte_array[bytes_to_grab] = '\0'; - *value = strtoul(byte_array, &parse_helper, base); - - if(byte_array == parse_helper) - { + if (SnortStrToU32(byte_array, &parse_helper, value, base) != 0) return -1; - } #ifdef TEST_BYTE_EXTRACT printf("[----]\n");
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/decode.c ^
@@ -753,7 +753,6 @@ if ( Event_Enabled(DECODE_ETH_HDR_TRUNC) ) DecoderEvent(p, EVARGS(ETH_HDR_TRUNC), 1, 1); - p->iph = NULL; pc.discards++; pc.ethdisc++; PREPROC_PROFILE_END(decodePerfStats);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/detection-plugins/sp_react.c ^
@@ -81,6 +81,7 @@ extern SnortConfig* snort_conf_for_parsing; static const char* MSG_KEY = "<>"; +static const char* MSG_PERCENT = "%"; static const char* DEFAULT_HTTP = "HTTP/1.1 403 Forbidden\r\n" @@ -312,6 +313,7 @@ static void React_GetPage (void) { char* msg; + char* percent_s; struct stat fs; FILE* fd; size_t n; @@ -345,6 +347,21 @@ s_page[n] = '\0'; msg = strstr(s_page, MSG_KEY); if ( msg ) strncpy(msg, "%s", 2); + + // search for % + percent_s = strstr(s_page, MSG_PERCENT); + if (percent_s) + { + percent_s += strlen(MSG_PERCENT); // move past current + // search for % again + percent_s = strstr(percent_s, MSG_PERCENT); + if (percent_s) + { + FatalError("react: %s(%d) can't specify more than one %%s or other " + "printf style formatting characters in react page '%s'.\n", + file_name, file_line, sc->react_page); + } + } } //--------------------------------------------------------------------
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-plugins/sf_dynamic_plugins.c ^
@@ -1061,6 +1061,8 @@ } DynamicRuleSessionData; static uint32_t so_rule_memory = 0; +/Only only message will be logged within 60 seconds/ +static ThrottleInfo error_throttleInfo = {0,60,0}; static void * DynamicRuleDataAlloc(size_t size) { @@ -1070,7 +1072,7 @@ if ((ScSoRuleMemcap() > 0) && (so_rule_memory + alloc_size) > ScSoRuleMemcap()) { - ErrorMessage("SO rule memcap exceeded: Wanted to allocate " + ErrorMessageThrottled(&error_throttleInfo,"SO rule memcap exceeded: Wanted to allocate " "%u bytes (and %d overhead) with memcap: %u and " "current memory: %u\n", (uint32_t)size, (int)sizeof(size_t), ScSoRuleMemcap(), so_rule_memory);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c ^
@@ -430,10 +430,15 @@ return RULE_NOMATCH; /* check if this rule only applies to reassembled / - if ((flowFlags->flags & FLOW_ONLY_REASSEMBLED) && - !(sp->flags & FLAG_REBUILT_STREAM)) - return RULE_NOMATCH; - + if (flowFlags->flags & FLOW_ONLY_REASSEMBLED) + { + if ( !(sp->flags & FLAG_REBUILT_STREAM) +#ifdef ENABLE_PAF + && !PacketHasFullPDU(sp) +#endif + ) + return RULE_NOMATCH; + } / check if this rule only applies to non-reassembled */ if ((flowFlags->flags & FLOW_IGNORE_REASSEMBLED) && (sp->flags & FLAG_REBUILT_STREAM))
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c ^
@@ -171,12 +171,26 @@ } else if (byteData->flags & EXTRACT_AS_STRING) { + const uint8_t space_ptr = cursor + byteData->offset; + if (byteData->bytes < 1 \|\| byteData->bytes > (BYTE_STRING_LEN - 1)) { / Log Error message / return -2; } + // Only positive numbers should be processed and strtoul will + // eat up white space and process '-' and '+' so move past + // white space and check for a negative sign. + while ((space_ptr < (cursor + byteData->offset + byteData->bytes)) + && isspace((int)space_ptr)) + space_ptr++; + + // If all spaces or a negative sign is found, return error. + if ((space_ptr == (cursor + byteData->offset + byteData->bytes)) + \|\| (*space_ptr == '-')) + return -2; + if (byteData->flags & EXTRACT_AS_DEC) base = 10; else if (byteData->flags & EXTRACT_AS_HEX)
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c ^
@@ -216,7 +216,8 @@ value = IS_IP6(pkt) ? ntohl(GET_IPH_ID(pkt)) : ntohs((uint16_t)GET_IPH_ID(pkt)); break; case IP_HDR_PROTO: - value = pkt->ip4_header->proto; + //value = pkt->ip4_header->proto; + value = GET_IPH_PROTO(pkt); break; case IP_HDR_FRAGBITS: return checkBits(optData->value, optData->op, ((ntohs(GET_IPH_OFF(pkt)) & 0xe000) & ~optData->mask_value)); @@ -225,10 +226,12 @@ value = ntohs(GET_IPH_OFF((pkt))) & 0x1FFF; break; case IP_HDR_TOS: - value = pkt->ip4_header->type_service; + //value = pkt->ip4_header->type_service; + value = GET_IPH_TOS(pkt); break; case IP_HDR_TTL: - value = pkt->ip4_header->time_to_live; + //value = pkt->ip4_header->time_to_live; + value = GET_IPH_TTL(pkt); break; case IP_HDR_OPTIONS: return checkOptions(optData->value, optData->op, pkt->ip_options, pkt->num_ip_options);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/dcerpc2/dce2_co.c ^
@@ -287,8 +287,8 @@ /* Reset tracker missed packets, since we've just * dealt with it */ - if (cot->missed_pkts) - cot->missed_pkts = 0; + cot->missed_pkts = 0; + DCE2_SsnClearMissedPkts(sd); } while (data_len > 0)
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/dcerpc2/dce2_paf.c ^
@@ -86,12 +86,43 @@ // Local function prototypes -static bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t, bool); +static inline bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t, bool); +static inline bool DCE2_PafAbort(void , uint32_t); static PAF_Status DCE2_SmbPaf(void , void *, const uint8_t , uint32_t, uint32_t, uint32_t ); static PAF_Status DCE2_TcpPaf(void , void *, const uint8_t , uint32_t, uint32_t, uint32_t ); /******************************************************************** + * Function: DCE2_PafAbort() + * + * Purpose: Queries the dcerpc2 session data to see if paf abort + * flag is set. + * + * Arguments: + * void * - stream session pointer + * uint32_t - flags passed in to callback. + * Should have PKT_FROM_CLIENT or PKT_FROM_SERVER set. + * + * Returns: + * bool - true if missed packets, false if not + * + ********************************************************************/ +static inline bool DCE2_PafAbort(void ssn, uint32_t flags) +{ + DCE2_SsnData sd = (DCE2_SsnData )_dpd.streamAPI->get_application_data(ssn, PP_DCE2); + + if (sd != NULL) + { + if (DCE2_SsnPafAbort(sd)) + return true; + else if (!DCE2_SsnSeenClient(sd) && (flags & FLAG_FROM_SERVER)) + return true; + } + + return false; +} + +/********************************************************************* * Function: DCE2_PafSmbIsValidNetbiosHdr() * * Purpose: Validates that the NetBIOS header is valid. If in @@ -105,7 +136,7 @@ * bool - true if valid, false if not * *********************************************************************/ -static bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t nb_hdr, bool junk) +static inline bool DCE2_PafSmbIsValidNetbiosHdr(uint32_t nb_hdr, bool junk) { uint8_t type = (uint8_t)(nb_hdr >> 24); uint8_t bit = (uint8_t)((nb_hdr & 0x00ff0000) >> 16); @@ -195,6 +226,12 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Start state: %u\n", ss->state)); + if (DCE2_PafAbort(ssn, flags)) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Aborting PAF\n")); + return PAF_ABORT; + } + while (n < len) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "data[n]: 0x%02x", data[n])); @@ -240,7 +277,8 @@ "staying in State 7.\n")); break; } - if ((uint32_t)ss->nb_hdr != DCE2_SMB_ID) + if (((uint32_t)ss->nb_hdr != DCE2_SMB_ID) + && ((uint32_t)ss->nb_hdr != DCE2_SMB2_ID)) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Invalid SMB ID - " "staying in State 7.\n")); @@ -378,6 +416,12 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Start state: %u\n", ds->state)); start_state = (uint8_t)ds->state; // determines how many bytes already looked at + if (DCE2_PafAbort(ssn, flags)) + { + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Aborting PAF\n")); + return PAF_ABORT; + } + while (n < len) { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "data[n]: 0x%02x", data[n]));
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/dcerpc2/dce2_session.h ^
@@ -40,9 +40,11 @@ DCE2_SSN_FLAG__NONE = 0x0000, DCE2_SSN_FLAG__SEEN_CLIENT = 0x0001, DCE2_SSN_FLAG__SEEN_SERVER = 0x0002, - DCE2_SSN_FLAG__MISSED_PKTS = 0x0004, - DCE2_SSN_FLAG__AUTODETECTED = 0x0008, - DCE2_SSN_FLAG__NO_INSPECT = 0x0010, + DCE2_SSN_FLAG__CLI_MISSED_PKTS = 0x0004, + DCE2_SSN_FLAG__SRV_MISSED_PKTS = 0x0008, + DCE2_SSN_FLAG__AUTODETECTED = 0x0010, + DCE2_SSN_FLAG__NO_INSPECT = 0x0020, + DCE2_SSN_FLAG__PAF_ABORT = 0x0040, DCE2_SSN_FLAG__ALL = 0xffff } DCE2_SsnFlag; @@ -62,11 +64,9 @@ uint32_t cli_seq; uint32_t cli_nseq; - uint32_t cli_missed_bytes; uint16_t cli_overlap_bytes; uint32_t srv_seq; uint32_t srv_nseq; - uint32_t srv_missed_bytes; uint16_t srv_overlap_bytes; tSfPolicyId policy_id; @@ -93,6 +93,11 @@ static inline void DCE2_SsnSetMissedPkts(DCE2_SsnData ); static inline int DCE2_SsnMissedPkts(DCE2_SsnData ); static inline void DCE2_SsnClearMissedPkts(DCE2_SsnData ); +#ifdef ENABLE_PAF +static inline bool DCE2_SsnIsPafActive(SFSnortPacket ); +static inline void DCE2_SsnSetPafAbort(DCE2_SsnData ); +static inline int DCE2_SsnPafAbort(DCE2_SsnData ); +#endif static inline void DCE2_SsnSetSeenClient(DCE2_SsnData ); static inline int DCE2_SsnSeenClient(DCE2_SsnData ); static inline void DCE2_SsnSetSeenServer(DCE2_SsnData ); @@ -102,9 +107,7 @@ static inline int DCE2_SsnAutodetectDir(DCE2_SsnData ); static inline void DCE2_SsnSetNoInspect(DCE2_SsnData ); static inline int DCE2_SsnNoInspect(DCE2_SsnData sd); - static inline uint16_t DCE2_SsnGetOverlap(DCE2_SsnData ); -static inline uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData sd); /******************************************************************** * Function: DCE2_SsnIsEstablished() @@ -367,7 +370,10 @@ *******************************************************************/ static inline void DCE2_SsnSetMissedPkts(DCE2_SsnData sd) { - sd->flags \|= DCE2_SSN_FLAG__MISSED_PKTS; + if (DCE2_SsnFromClient(sd->wire_pkt)) + sd->flags \|= DCE2_SSN_FLAG__CLI_MISSED_PKTS; + else + sd->flags \|= DCE2_SSN_FLAG__SRV_MISSED_PKTS; } /****************************************************************** @@ -386,7 +392,10 @@ *****************************************************************/ static inline int DCE2_SsnMissedPkts(DCE2_SsnData sd) { - return sd->flags & DCE2_SSN_FLAG__MISSED_PKTS; + if (DCE2_SsnFromClient(sd->wire_pkt)) + return sd->flags & DCE2_SSN_FLAG__CLI_MISSED_PKTS; + else + return sd->flags & DCE2_SSN_FLAG__SRV_MISSED_PKTS; } /****************************************************************** @@ -403,8 +412,67 @@ *****************************************************************/ static inline void DCE2_SsnClearMissedPkts(DCE2_SsnData sd) { - sd->flags &= ~DCE2_SSN_FLAG__MISSED_PKTS; + if (DCE2_SsnFromClient(sd->wire_pkt)) + sd->flags &= ~DCE2_SSN_FLAG__CLI_MISSED_PKTS; + else + sd->flags &= ~DCE2_SSN_FLAG__SRV_MISSED_PKTS; +} + +#ifdef ENABLE_PAF +/******************************************************************** + * Function: DCE2_SsnIsPafActive() + * + * Purpose: Checks stream api to see if PAF is active for this side + * of the session. + * + * Arguments: + * DCE2_SsnData * - pointer to session data + * + * Returns: + * bool - true if paf is active + * false if not + * + *******************************************************************/ +static inline bool DCE2_SsnIsPafActive(SFSnortPacket p) +{ + bool to_server = DCE2_SsnFromClient(p) ? true : false; + return _dpd.streamAPI->is_paf_active(p->stream_session_ptr, to_server); +} + +/******************************************************************** + * Function: DCE2_SsnSetPafAbort() + * + * Purpose: Sets paf abort flag + * + * Arguments: + * DCE2_SsnData * - pointer to session data + * + * Returns: None + * + *******************************************************************/ +static inline void DCE2_SsnSetPafAbort(DCE2_SsnData sd) +{ + sd->flags \|= DCE2_SSN_FLAG__PAF_ABORT; +} + +/******************************************************************** + * Function: DCE2_SsnPafAbort() + * + * Purpose: Checks paf abort flag + * + * Arguments: + * DCE2_SsnData * - pointer to session data + * + * Returns: + * int - non-zero if abort flag is set + * zero if abort flag not set + * + *******************************************************************/ +static inline int DCE2_SsnPafAbort(DCE2_SsnData sd) +{ + return sd->flags & DCE2_SSN_FLAG__PAF_ABORT; } +#endif /******************************************************************** * Function: DCE2_SsnSetSeenClient() @@ -564,6 +632,9 @@ static inline void DCE2_SsnSetNoInspect(DCE2_SsnData sd) { sd->flags \|= DCE2_SSN_FLAG__NO_INSPECT; +#ifdef ENABLE_PAF + DCE2_SsnSetPafAbort(sd); +#endif } /***************************************************************** @@ -606,32 +677,6 @@ } return 0; -} - -/****************************************************************** - * Function: DCE2_SsnGetMissedBytes() - * - * Purpose: Returns the number of missed bytes. - * - * Arguments: - * DCE2_SsnData * - pointer to session data - * - * Returns: - * uint16_t - the number of overlapped bytes - * - *******************************************************************/ -static inline uint32_t DCE2_SsnGetMissedBytes(DCE2_SsnData sd) -{ - if ((sd->cli_missed_bytes != 0) && DCE2_SsnFromClient(sd->wire_pkt)) - { - return sd->cli_missed_bytes; - } - else if ((sd->srv_missed_bytes != 0) && DCE2_SsnFromServer(sd->wire_pkt)) - { - return sd->srv_missed_bytes; - } - - return 0; } #endif /* _DCE2_SESSION_H_ */
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/dcerpc2/dce2_smb.c ^
@@ -386,40 +386,21 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Processing SMB packet.\n")); dce2_stats.smb_pkts++; - /* If we missed packets previously and couldn't autodetect, we've - * already reset for missed packets. If we can autodetect, move on / - if (ssd->missed_pkts) + if (DCE2_SsnMissedPkts(&ssd->sd)) { - if (DCE2_SmbAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return; - - ssd->missed_pkts = 0; - } - else if (DCE2_SsnMissedPkts(&ssd->sd)) - { - uint32_t missed_bytes = DCE2_SsnGetMissedBytes(&ssd->sd); - - if (ignore_bytes != 0) - { - if (ignore_bytes > missed_bytes) - { - ignore_bytes -= missed_bytes; - missed_bytes = 0; - } - else - { - ignore_bytes = 0; - missed_bytes -= ignore_bytes; - } - } + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Missed packets.\n")); DCE2_SmbResetForMissedPkts(ssd); - if ((missed_bytes != 0) && (DCE2_SmbAutodetect(p) == DCE2_TRANS_TYPE__NONE)) + if (DCE2_SmbAutodetect(p) == DCE2_TRANS_TYPE__NONE) { - ssd->missed_pkts = 1; + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, + "Missing bytes and autodetect failed - not inspecting.\n")); return; } + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__SMB, "Autodetect succeeded - continue processing.\n")); + DCE2_SsnClearMissedPkts(&ssd->sd); } if (overlap_bytes != 0) @@ -727,8 +708,12 @@ while ((tmp_ptr + sizeof(uint32_t)) <= (data_ptr + data_len)) { - if (SmbId((SmbNtHdr )tmp_ptr) == DCE2_SMB_ID) + if ((SmbId((SmbNtHdr )tmp_ptr) == DCE2_SMB_ID) + \|\| (SmbId((SmbNtHdr )tmp_ptr) == DCE2_SMB2_ID)) + { break; + } + tmp_ptr++; } @@ -762,9 +747,12 @@ DCE2_Policy policy = DCE2_ScPolicy(ssd->sd.sconfig); int smb_com = SmbCom(smb_hdr); - / Don't support SMB2 yet / + / XXX Don't support SMB2 yet / if (SmbId(smb_hdr) == DCE2_SMB2_ID) + { + DCE2_SetNoInspect(&ssd->sd); return 0; + } / See if this is something we need to inspect / switch (smb_com) @@ -846,8 +834,21 @@ if (smb_type == SMB_TYPE__REQUEST) { - ssd->req_uid = SmbUid(smb_hdr); - ssd->req_tid = SmbTid(smb_hdr); + // Only relevant for Samba policies that allow for + // OpenAndX -> SessionSetupAndX + // OpenAndX -> TreeConnectAndX + switch (DCE2_ScPolicy(ssd->sd.sconfig)) + { + case DCE2_POLICY__SAMBA_3_0_20: + case DCE2_POLICY__SAMBA_3_0_22: + case DCE2_POLICY__SAMBA_3_0_37: + case DCE2_POLICY__SAMBA: + ssd->req_uid = SmbUid(smb_hdr); + ssd->req_tid = SmbTid(smb_hdr); + break; + default: + break; + } } / Handle the command */ @@ -1984,7 +1985,7 @@ // to care, or even look at this flag } - if (SmbId(smb_hdr) != DCE2_SMB_ID) + if ((SmbId(smb_hdr) != DCE2_SMB_ID) && (SmbId(smb_hdr) != DCE2_SMB2_ID)) { if (is_seg_buf) DCE2_SmbSegAlert(ssd, DCE2_EVENT__SMB_BAD_ID); @@ -6900,8 +6901,16 @@ if (ssd == NULL) return; - DCE2_BufferEmpty(ssd->cli_seg.buf); - DCE2_BufferEmpty(ssd->srv_seg.buf); + if (DCE2_SsnFromClient(ssd->sd.wire_pkt)) + { + ssd->cli_ignore_bytes = 0; + DCE2_BufferEmpty(ssd->cli_seg.buf); + } + else + { + ssd->srv_ignore_bytes = 0; + DCE2_BufferEmpty(ssd->srv_seg.buf); + } ssd->req_uid = DCE2_SENTINEL; ssd->req_tid = DCE2_SENTINEL;
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/dcerpc2/dce2_smb.h ^
@@ -169,9 +169,6 @@ int chained_tc; /* Set if client and chained TreeConnect / int last_open_fid; / The last inserted fid from an OpenAndX or NtCreateAndX / - / Boolean for whether or not packets have been currently been missed / - char missed_pkts; - } DCE2_SmbSsnData; /******************************************************************* @@ -216,8 +213,11 @@ if (p->payload_size > (sizeof(NbssHdr) + sizeof(SmbNtHdr))) { - if (SmbId(smb_hdr) == DCE2_SMB_ID) + if ((SmbId(smb_hdr) == DCE2_SMB_ID) + \|\| (SmbId(smb_hdr) == DCE2_SMB2_ID)) + { return DCE2_TRANS_TYPE__SMB; + } } }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/dcerpc2/dce2_utils.h ^
@@ -38,7 +38,9 @@ #define DCE2_SENTINEL -1 #define DCE2_MOVE(data_ptr, data_len, amount) \ - { data_ptr = (uint8_t )data_ptr + (amount); data_len -= (amount); } + { int64_t dcexxxxxx = (amount); \ + data_ptr = (uint8_t )data_ptr + dcexxxxxx; \ + data_len -= dcexxxxxx; } /******************************************************************** * Enumerations
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/dcerpc2/snort_dce2.c ^
@@ -86,11 +86,7 @@ static DCE2_TransType DCE2_GetTransport(SFSnortPacket , const DCE2_ServerConfig , int ); static DCE2_TransType DCE2_GetDetectTransport(SFSnortPacket , const DCE2_ServerConfig ); static DCE2_TransType DCE2_GetAutodetectTransport(SFSnortPacket , const DCE2_ServerConfig ); -static DCE2_Ret DCE2_ConfirmTransport(DCE2_SsnData , SFSnortPacket ); - static DCE2_Ret DCE2_SetSsnState(DCE2_SsnData , SFSnortPacket ); -static void DCE2_SetNoInspect(DCE2_SsnData ); - static void DCE2_SsnFree(void ); /******************************************************************** @@ -197,18 +193,8 @@ if (DCE2_SsnIsStreamInsert(p)) { -#if 0 #ifdef ENABLE_PAF - if (!_dpd.isPafEnabled()) -#endif - { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n")); - //DCE2_SsnFlush(p); // No need to flush since this is first data packet? - } -#endif - -#ifdef ENABLE_PAF - if (!_dpd.isPafEnabled() \|\| !PacketHasFullPDU(p)) + if (!DCE2_SsnIsPafActive(p) \|\| !PacketHasFullPDU(p)) #endif { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n")); @@ -282,7 +268,7 @@ if (DCE2_SsnIsStreamInsert(p)) { #ifdef ENABLE_PAF - if (!_dpd.isPafEnabled()) + if (!DCE2_SsnIsPafActive(p)) #endif { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n")); @@ -290,7 +276,7 @@ } #ifdef ENABLE_PAF - if (!_dpd.isPafEnabled() \|\| !PacketHasFullPDU(p)) + if (!DCE2_SsnIsPafActive(p) \|\| !PacketHasFullPDU(p)) #endif { DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n")); @@ -325,13 +311,14 @@ DCE2_SsnClearAutodetected(sd); } + sd->wire_pkt = p; + if (IsTCP(p) && (DCE2_SetSsnState(sd, p) != DCE2_RET__SUCCESS)) { PREPROC_PROFILE_END(dce2_pstat_session); return DCE2_RET__NOT_INSPECTED; } - sd->wire_pkt = p; if (DCE2_PushPkt((void )p) != DCE2_RET__SUCCESS) { DCE2_Log(DCE2_LOG_TYPE__ERROR, @@ -398,7 +385,7 @@ Returns: * *******************************************************************/ -static void DCE2_SetNoInspect(DCE2_SsnData sd) +void DCE2_SetNoInspect(DCE2_SsnData sd) { if (sd == NULL) return; @@ -448,66 +435,64 @@ static DCE2_Ret DCE2_SetSsnState(DCE2_SsnData sd, SFSnortPacket p) { uint32_t pkt_seq = ntohl(p->tcp_header->sequence); + uint32_t pkt_ack = ntohl(p->tcp_header->acknowledgement); DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Payload size: %u\n", p->payload_size)); if (DCE2_SsnFromClient(p) && !DCE2_SsnSeenClient(sd)) { -#if 0 - // This code should be obsoleted by the junk data check in dce2_smb.c - - / Check to make sure we can continue processing / - if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS) + if (DCE2_SsnSeenServer(sd) && (sd->cli_seq != pkt_seq)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Couldn't confirm transport - " - "not inspecting\n")); - - sd->cli_seq = pkt_seq; - sd->cli_nseq = pkt_seq; - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial client => seq: %u, next seq: %u\n" - "Setting current and next to the same thing, since we're " - "not inspecting this packet.\n", sd->cli_seq, sd->cli_nseq)); - - return DCE2_RET__NOT_INSPECTED; - } + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + DCE2_SsnSetPafAbort(sd); #endif + } DCE2_SsnSetSeenClient(sd); - sd->cli_seq = pkt_seq; sd->cli_nseq = pkt_seq + p->payload_size; + if (!DCE2_SsnSeenServer(sd)) + { + sd->srv_seq = pkt_ack; + } + else + { + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + // Saw server before client, missing packets, abort PAF + DCE2_SsnSetPafAbort(sd); +#endif + } + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial client => seq: %u, next seq: %u\n", sd->cli_seq, sd->cli_nseq)); } else if (DCE2_SsnFromServer(p) && !DCE2_SsnSeenServer(sd)) { -#if 0 - // This code should be obsoleted by the junk data check in dce2_smb.c - - / Check to make sure we can continue processing / - if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS) + if (DCE2_SsnSeenClient(sd) && (sd->srv_seq != pkt_seq)) { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Couldn't confirm transport - " - "not inspecting\n")); - - sd->srv_seq = pkt_seq; - sd->srv_nseq = pkt_seq; - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial client => seq: %u, next seq: %u\n" - "Setting current and next to the same thing, since we're " - "not inspecting this packet.\n", sd->cli_seq, sd->cli_nseq)); - - return DCE2_RET__NOT_INSPECTED; - } + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + DCE2_SsnSetPafAbort(sd); #endif + } DCE2_SsnSetSeenServer(sd); - sd->srv_seq = pkt_seq; sd->srv_nseq = pkt_seq + p->payload_size; + if (!DCE2_SsnSeenClient(sd)) + { + sd->cli_seq = pkt_ack; + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + // Saw server before client, missing packets, abort PAF + DCE2_SsnSetPafAbort(sd); +#endif + } + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial server => seq: %u, next seq: %u\n", sd->srv_seq, sd->srv_nseq)); } @@ -515,14 +500,12 @@ { uint32_t ssn_seq; uint32_t ssn_nseq; - uint32_t missed_bytes; uint16_t overlap_bytes; if (DCE2_SsnFromClient(p)) { ssn_seq = &sd->cli_seq; ssn_nseq = &sd->cli_nseq; - missed_bytes = &sd->cli_missed_bytes; overlap_bytes = &sd->cli_overlap_bytes; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Client last => seq: %u, next seq: %u\n", @@ -534,7 +517,6 @@ { ssn_seq = &sd->srv_seq; ssn_nseq = &sd->srv_nseq; - missed_bytes = &sd->srv_missed_bytes; overlap_bytes = &sd->srv_overlap_bytes; DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Server last => seq: %u, next seq: %u\n", @@ -553,7 +535,16 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Next expected sequence number (%u) is less than " "this sequence number (%u).\n", ssn_nseq, pkt_seq)); + dce2_stats.missed_bytes += (pkt_seq - ssn_nseq); + + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Missed %u bytes.\n", (pkt_seq - ssn_nseq))); + DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Currently missing %u bytes.\n", + dce2_stats.missed_bytes)); + DCE2_SsnSetMissedPkts(sd); +#ifdef ENABLE_PAF + DCE2_SsnSetPafAbort(sd); +#endif } else { @@ -563,9 +554,6 @@ DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Overlap => seq: %u, next seq: %u\n", pkt_seq, pkt_seq + p->payload_size)); - if (DCE2_SsnMissedPkts(sd)) - DCE2_SsnClearMissedPkts(sd); - /* Do what we can and take the difference and only inspect what we * haven't already inspected / if ((pkt_seq + p->payload_size) > ssn_nseq @@ -585,36 +573,6 @@ DCE2_DEBUG_CODE(DCE2_DEBUG__MAIN, DCE2_PrintPktData(p->payload, p->payload_size);); } - else if (DCE2_SsnMissedPkts(sd)) - { - DCE2_SsnClearMissedPkts(sd); - } - - if (DCE2_SsnMissedPkts(sd)) - { - missed_bytes += (pkt_seq - ssn_nseq); - dce2_stats.missed_bytes += (pkt_seq - ssn_nseq); - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Missed %u bytes.\n", (pkt_seq - ssn_nseq))); - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Currently missing %u bytes.\n", missed_bytes)); - - if (DCE2_ConfirmTransport(sd, p) != DCE2_RET__SUCCESS) - { - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Couldn't confirm transport - " - "not inspecting\n")); - - ssn_seq = pkt_seq; - ssn_nseq = pkt_seq + p->payload_size; - - return DCE2_RET__NOT_INSPECTED; - } - - DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Autodetected - continue to inspect.\n")); - } - else if (missed_bytes != 0) - { - missed_bytes = 0; - } ssn_seq = pkt_seq; ssn_nseq = pkt_seq + p->payload_size; @@ -819,98 +777,6 @@ } /******************************************************************** - * Function: DCE2_ConfirmTransport() - * - * Called when we're not sure where we are, e.g. because of missed - * packets. This function makes sure we can process this packet, with - * a decent amount of certainty, avoiding false positives. - * - * Arguments: - * SFSnortPacket * - * Pointer to packet structure. - * DCE2_TransType - * The transport to check. - * - * Returns: - * DCE2_Ret - * DCE2_RET__SUCCESS if we can autodetect the transport for - * which the session was created. - * DCE2_RET__ERROR if we can't autodetect the transport for - * which the session was created. - * - ********************************************************************/ -static DCE2_Ret DCE2_ConfirmTransport(DCE2_SsnData sd, SFSnortPacket p) -{ - if (IsTCP(p)) - { - switch (sd->trans) - { - case DCE2_TRANS_TYPE__SMB: - if (DCE2_SmbAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - break; - - case DCE2_TRANS_TYPE__TCP: - if (DCE2_TcpAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - break; - - case DCE2_TRANS_TYPE__HTTP_SERVER: - if (!DCE2_SsnSeenServer(sd) && DCE2_SsnFromServer(p)) - { - if (DCE2_HttpAutodetectServer(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - } - else if (DCE2_SsnSeenServer(sd) && DCE2_SsnSeenClient(sd)) - { - if (DCE2_TcpAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - } - - break; - - case DCE2_TRANS_TYPE__HTTP_PROXY: - if (!DCE2_SsnSeenClient(sd) && DCE2_SsnFromClient(p)) - { - if (DCE2_HttpAutodetectProxy(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - } - else if (DCE2_SsnSeenServer(sd) && DCE2_SsnSeenClient(sd)) - { - if (DCE2_TcpAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - } - - break; - - default: - DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Invalid transport type: %d", - __FILE__, __LINE__, sd->trans); - return DCE2_RET__ERROR; - } - } - else / it's UDP / - { - switch (sd->trans) - { - case DCE2_TRANS_TYPE__UDP: - if (DCE2_UdpAutodetect(p) == DCE2_TRANS_TYPE__NONE) - return DCE2_RET__ERROR; - break; - - default: - DCE2_Log(DCE2_LOG_TYPE__ERROR, - "%s(%d) Invalid transport type: %d", - __FILE__, __LINE__, sd->trans); - return DCE2_RET__ERROR; - } - } - - return DCE2_RET__SUCCESS; -} - -/******************************************************************** * Function: DCE2_InitRpkts() * * Purpose: Allocate and initialize reassembly packets.
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/dcerpc2/snort_dce2.h ^
@@ -74,6 +74,7 @@ void DCE2_Detect(DCE2_SsnData ); uint16_t DCE2_GetRpktMaxData(DCE2_SsnData , DCE2_RpktType); void DCE2_FreeGlobals(void); +void DCE2_SetNoInspect(DCE2_SsnData ); /******************************************************************* * Inline function prototypes
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c ^
@@ -330,9 +330,17 @@ static void _addPortsToStream5(char , tSfPolicyId, int); static void _addFtpServerConfPortsToStream5(void ); +char* mystrtok (char* s, const char* delim) +{ + static char* last = NULL; + if ( s \|\| last ) + last = strtok(s, delim); + return last; +} + char NextToken(char delimiters) { - char retTok = strtok(NULL, delimiters); + char retTok = mystrtok(NULL, delimiters); if (retTok > maxToken) return NULL; @@ -2679,7 +2687,7 @@ { //list begin token matched ip_list = 1; - if ((pIpAddressList = strtok(NULL, END_IPADDR_LIST)) == NULL) + if ((pIpAddressList = mystrtok(NULL, END_IPADDR_LIST)) == NULL) { snprintf(ErrorString, ErrStrLen, "Invalid IP Address list in '%s' token.", CLIENT); @@ -3188,7 +3196,7 @@ char firstIpAddress = 1; FTP_SERVER_PROTO_CONF new_server_conf = NULL; char ConfigParseResumePtr = NULL; - char unused; / For unused token gotten from strtok / + char unused; /* For unused token gotten from mystrtok / char ip_list = 0; FTP_SERVER_PROTO_CONF ftp_conf = NULL; @@ -3209,7 +3217,7 @@ { //list begin token matched ip_list = 1; - if ((pIpAddressList = strtok(NULL, END_IPADDR_LIST)) == NULL) + if ((pIpAddressList = mystrtok(NULL, END_IPADDR_LIST)) == NULL) { snprintf(ErrorString, ErrStrLen, "Invalid IP Address list in '%s' token.", SERVER); @@ -3348,7 +3356,7 @@ char default_conf_str = DefaultConf(&default_conf_len); maxToken = default_conf_str + default_conf_len; - default_client = strtok(default_conf_str, CONF_SEPARATORS); + default_client = mystrtok(default_conf_str, CONF_SEPARATORS); iRet = ProcessFTPServerOptions(ftp_conf, ErrorString, ErrStrLen); @@ -3361,10 +3369,10 @@ } } - / Okay, now we need to reset the strtok pointers so we can process + /* Okay, now we need to reset the mystrtok pointers so we can process * the specific server configuration. Quick hack/trick here: reset - * the end of the client string to a conf separator, then call strtok. - * That will reset strtok's internal pointer to the next token after + * the end of the client string to a conf separator, then call mystrtok. + * That will reset mystrtok's internal pointer to the next token after * the client name, which is what we're expecting it to be. / if (ConfigParseResumePtr < maxToken) @@ -3375,7 +3383,7 @@ else ConfigParseResumePtr-- = CONF_SEPARATORS[0]; - unused = strtok(ConfigParseResumePtr, CONF_SEPARATORS); + unused = mystrtok(ConfigParseResumePtr, CONF_SEPARATORS); iRet = ProcessFTPServerOptions(ftp_conf, ErrorString, ErrStrLen); if (iRet < 0) {
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c ^
@@ -208,6 +208,8 @@ * / +extern char mystrtok (char* s, const char* delim); + static void FTPTelnetInit(char args) { char pcToken; @@ -227,10 +229,10 @@ /* Find out what is getting configured / maxToken = args + strlen(args); - pcToken = strtok(args, CONF_SEPARATORS); + pcToken = mystrtok(args, CONF_SEPARATORS); if (pcToken == NULL) { - DynamicPreprocessorFatalMessage("%s(%d)strtok returned NULL when it " + DynamicPreprocessorFatalMessage("%s(%d)mystrtok returned NULL when it " "should not.", __FILE__, __LINE__); } @@ -464,10 +466,10 @@ / Find out what is getting configured */ maxToken = args + strlen(args); - pcToken = strtok(args, CONF_SEPARATORS); + pcToken = mystrtok(args, CONF_SEPARATORS); if (pcToken == NULL) { - DynamicPreprocessorFatalMessage("%s(%d)strtok returned NULL when it " + DynamicPreprocessorFatalMessage("%s(%d)mystrtok returned NULL when it " "should not.", __FILE__, __LINE__); }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/modbus/spp_modbus.c ^
@@ -658,4 +658,5 @@ } } } + free(session); }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/pop/snort_pop.c ^
@@ -398,6 +398,7 @@ pop_ssn->state = STATE_UNKNOWN; pop_ssn->data_state = STATE_DATA_INIT; + pop_ssn->prev_response = 0; pop_ssn->state_flags = 0; ClearEmailDecodeState(pop_ssn->decode_state); memset(&pop_ssn->mime_boundary, 0, sizeof(POPMimeBoundary)); @@ -439,6 +440,7 @@ pop_ssn = ssn; SetPopBuffers(ssn); + ssn->prev_response = 0; _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_POP, ssn, &POP_SessionFree); @@ -856,6 +858,7 @@ /* calculate length of command line / cmd_line_len = eol - ptr; + / TODO If the end of line marker coincides with the end of payload we can't be * sure that we got a command and not a substring which we could tell through * inspection of the next packet. Maybe a command pending state where the first @@ -1440,7 +1443,10 @@ if(tmp != NULL) pop_ssn->state = STATE_DATA; else + { + pop_ssn->prev_response = RESP_OK; pop_ssn->state = STATE_UNKNOWN; + } break; default: @@ -1450,16 +1456,19 @@ } else { - if(ptr == '+' ) + if(pop_ssn->prev_response == RESP_OK) { - POP_GenerateAlert(POP_UNKNOWN_RESP, "%s", POP_UNKNOWN_RESP_STR); - DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response not found\n");); + { + pop_ssn->state = STATE_DATA; + pop_ssn->prev_response = 0; + continue; + } } - else + else if(ptr == '+') { - DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response description\n");); + POP_GenerateAlert(POP_UNKNOWN_RESP, "%s", POP_UNKNOWN_RESP_STR); + DEBUG_WRAP(DebugMessage(DEBUG_POP, "Server response not found\n");); } - } ptr = eol;
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/pop/snort_pop.h ^
@@ -130,7 +130,7 @@ typedef enum _POPRespEnum { - RESP_OK = 0, + RESP_OK = 1, RESP_ERR, RESP_LAST @@ -180,6 +180,7 @@ typedef struct _POP { int state; + int prev_response; int data_state; int state_flags; int session_flags;
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/sip/sip_config.c ^
@@ -45,6 +45,7 @@ * Default values for configurable parameters. / #define SIP_DEFAULT_MAX_SESSIONS 10000 +#define SIP_DEFAULT_MAX_DIALOGS_IN_SESSION 4 #define SIP_DEFAULT_MAX_URI_LEN 256 #define SIP_DEFAULT_MAX_CALL_ID_LEN 256 #define SIP_DEFAULT_MAX_REQUEST_NAME_LEN 20 @@ -59,6 +60,8 @@ / #define MIN_MAX_NUM_SESSION 1024 #define MAX_MAX_NUM_SESSION 4194303 +#define MIN_MAX_NUM_DIALOG 1 +#define MAX_MAX_NUM_DIALOG 4194303 #define MIN_MAX_URI_LEN 0 #define MAX_MAX_URI_LEN 65535 #define MIN_MAX_CALL_ID_LEN 0 @@ -81,6 +84,7 @@ #define SIP_DISABLED_KEYWORD "disabled" #define SIP_PORTS_KEYWORD "ports" #define SIP_MAX_SESSION_KEYWORD "max_sessions" +#define SIP_MAX_DIALOG_KEYWORD "max_dialogs" #define SIP_METHODS_KEYWORD "methods" #define SIP_MAX_URI_LEN_KEYWORD "max_uri_len" #define SIP_MAX_CALL_ID_LEN_KEYWORD "max_call_id_len" @@ -178,6 +182,11 @@ config->maxNumSessions == SIP_DEFAULT_MAX_SESSIONS ? "(Default)" : "" ); + _dpd.logMsg(" Max number of dialogs in a session: %d %s \n", + config->maxNumDialogsInSession, + config->maxNumDialogsInSession + == SIP_DEFAULT_MAX_DIALOGS_IN_SESSION ? + "(Default)" : "" ); _dpd.logMsg(" Status: %s\n", config->disabled ? "DISABLED":"ENABLED"); @@ -544,6 +553,7 @@ if (config == NULL) return; config->maxNumSessions = SIP_DEFAULT_MAX_SESSIONS; + config->maxNumDialogsInSession = SIP_DEFAULT_MAX_DIALOGS_IN_SESSION; config->maxUriLen = SIP_DEFAULT_MAX_URI_LEN; config->maxCallIdLen = SIP_DEFAULT_MAX_CALL_ID_LEN; config->maxRequestNameLen = SIP_DEFAULT_MAX_REQUEST_NAME_LEN; @@ -620,6 +630,14 @@ MIN_MAX_NUM_SESSION, MAX_MAX_NUM_SESSION); } + else if ( !strcmp( cur_tokenp, SIP_MAX_DIALOG_KEYWORD )) + { + cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS); + config->maxNumDialogsInSession = (uint32_t)ParseNumInRange(cur_tokenp, + SIP_MAX_DIALOG_KEYWORD, + MIN_MAX_NUM_DIALOG, + MAX_MAX_NUM_DIALOG); + } else if ( !strcmp( cur_tokenp, SIP_MAX_URI_LEN_KEYWORD )) { cur_tokenp = strtok( NULL, SIP_CONFIG_VALUE_SEPERATORS);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/sip/sip_config.h ^
@@ -111,6 +111,7 @@ { uint8_t disabled; uint32_t maxNumSessions; + uint32_t maxNumDialogsInSession; uint8_t ports[MAXPORTS/8]; uint32_t methodsConfig; SIPMethodlist methods;
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/sip/sip_dialog.c ^
@@ -77,7 +77,7 @@ /If dialog not exist, create one / if((NULL == dialog)&&(SIP_METHOD_CANCEL != sipMsg->methodFlag)) { - dialog = SIP_addDialog(sipMsg, dList, dList); + dialog = SIP_addDialog(sipMsg, dList->head, dList); } methodFlag = sipMsg->methodFlag; @@ -583,21 +583,21 @@ if (NULL != currDialog->prevD) currDialog->prevD->nextD = dialog; else - dList = dialog; // become the head + dList->head = dialog; // become the head currDialog->prevD = dialog; } else { // The first dialog dialog->prevD = NULL; - dList = dialog; + dList->head = dialog; } dialog->dlgID = sipMsg->dlgID; dialog->creator = sipMsg->methodFlag; dialog->state = SIP_DLG_CREATE; SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); - + dList->num_dialogs++; return dialog; } @@ -625,7 +625,7 @@ { if(NULL != currDialog->nextD) currDialog->nextD->prevD = NULL; - dList = currDialog->nextD; + dList->head = currDialog->nextD; } else { @@ -635,6 +635,8 @@ } sip_freeMediaList(currDialog->mediaSessions); free(currDialog); + if( dList->num_dialogs > 0) + dList->num_dialogs--; return SIP_SUCCESS; } /******************************************************************** @@ -654,6 +656,7 @@ int SIP_updateDialog(SIPMsg sipMsg, SIP_DialogList dList, SFSnortPacket p) { SIP_DialogData dialog; + SIP_DialogData* oldDialog = NULL; int ret; if ((NULL == sipMsg)\|\|(0 == sipMsg->dlgID.callIdHash)) @@ -661,7 +664,8 @@ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Updating Dialog id: %u, From: %u, To: %u\n", sipMsg->dlgID.callIdHash,sipMsg->dlgID.fromTagHash,sipMsg->dlgID.toTagHash)); - dialog = dList; + + dialog = dList->head; /Find out the dialog in the dialog list/ @@ -676,9 +680,17 @@ break; } + oldDialog = dialog; dialog = dialog->nextD; } + /If the number of dialogs exceeded, release the oldest one/ + if((dList->num_dialogs >= sip_eval_config->maxNumDialogsInSession) && (!dialog)) + { + ALERT(SIP_EVENT_MAX_DIALOGS_IN_A_SESSION, SIP_EVENT_MAX_DIALOGS_IN_A_SESSION_STR); + SIP_deleteDialog(oldDialog, dList); + } + /Update the dialog information/ if (sipMsg->status_code == 0) @@ -704,10 +716,10 @@ Returns: None * *******************************************************************/ -void sip_freeDialogs (SIP_DialogList list) +void sip_freeDialogs (SIP_DialogList list) { SIP_DialogData nextNode; - SIP_DialogData curNode = list; + SIP_DialogData *curNode = list->head; while (NULL != curNode) {
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/sip/sip_dialog.h ^
@@ -29,6 +29,6 @@ #include "spp_sip.h" int SIP_updateDialog(SIPMsg sipMsg, SIP_DialogList dList, SFSnortPacket p); -void sip_freeDialogs (SIP_DialogList list); +void sip_freeDialogs (SIP_DialogList list); #endif /* SIP_DIALOG_H_ */
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/sip/sip_parser.c ^
@@ -400,12 +400,7 @@ DEBUG_WRAP(DebugMessage(DEBUG_SIP, "method: %.s\n", msg->methodLen, msg->method)); method = SIP_FindMethod (sip_eval_config->methods, msg->method, msg->methodLen); - if (NULL == method) - { - ALERT(SIP_EVENT_UNKOWN_METHOD, SIP_EVENT_UNKOWN_METHOD_STR); - return SIP_FAILURE; - } - else + if (method) { msg->methodFlag = method->methodFlag; DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Found the method: %s, Flag: 0x%x\n", method->methodName, method->methodFlag)); @@ -436,9 +431,13 @@ ALERT(SIP_EVENT_INVALID_VERSION,SIP_EVENT_INVALID_VERSION_STR); } + if (NULL == method) + { + ALERT(SIP_EVENT_UNKOWN_METHOD, SIP_EVENT_UNKOWN_METHOD_STR); + return SIP_FAILURE; + } } - return SIP_SUCCESS; } /******************************************************************* @@ -1178,7 +1177,7 @@ start = nextIndex; msg->bodyLen = end - start; /Disable this check for TCP. Revisit this again when PAF enabled for SIP/ - if((!msg->isTcp)&&(msg->content_len != msg->bodyLen)) + if((!msg->isTcp)&&(msg->content_len > msg->bodyLen)) ALERT(SIP_EVENT_MISMATCH_CONTENT_LEN,SIP_EVENT_MISMATCH_CONTENT_LEN_STR); if (msg->content_len < msg->bodyLen) @@ -1193,10 +1192,16 @@ // Find out whether multiple SIP messages in this packet /Disable this check for TCP. Revisit this again when PAF enabled for SIP/ - if ((!msg->isTcp) && (nextIndex < end)) + if ((!msg->isTcp) && (msg->content_len < msg->bodyLen)) { - if (SIP_SUCCESS == sip_startline_parse(msg, nextIndex, end, &nextIndex)) + if (SIP_SUCCESS == sip_startline_parse(msg, start + msg->content_len, end, &nextIndex)) + { ALERT(SIP_EVENT_MULTI_MSGS,SIP_EVENT_MULTI_MSGS_STR); + } + else + { + ALERT(SIP_EVENT_MISMATCH_CONTENT_LEN,SIP_EVENT_MISMATCH_CONTENT_LEN_STR); + } } return status; }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/sip/spp_sip.c ^
@@ -545,7 +545,7 @@ numSessions--; /Free all the dialog data/ - sip_freeDialogs(ssn->dialogs); + sip_freeDialogs(&ssn->dialogs); /Clean the configuration data/ if (ssn->config != NULL)
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/sip/spp_sip.h ^
@@ -111,7 +111,11 @@ struct _SIP_DialogData prevD; } SIP_DialogData; -typedef SIP_DialogData SIP_DialogList; +typedef struct _SIP_DialogList +{ + SIP_DialogData* head; + uint32_t num_dialogs; +}SIP_DialogList; /* * Per-session data block containing current state @@ -218,6 +222,7 @@ #define SIP_EVENT_INVALID_VERSION 24 #define SIP_EVENT_MISMATCH_METHOD 25 #define SIP_EVENT_UNKOWN_METHOD 26 +#define SIP_EVENT_MAX_DIALOGS_IN_A_SESSION 27 /* * SIP preprocessor alert strings. @@ -248,6 +253,7 @@ #define SIP_EVENT_INVALID_VERSION_STR "(spp_sip) SIP version is invalid" #define SIP_EVENT_MISMATCH_METHOD_STR "(spp_sip) Mismatch in METHOD of request and the CSEQ header" #define SIP_EVENT_UNKOWN_METHOD_STR "(spp_sip) Method is unknown" +#define SIP_EVENT_MAX_DIALOGS_IN_A_SESSION_STR "(spp_sip) Maximum dialogs within a session reached" #define MAX_STAT_CODE 999 #define MIN_STAT_CODE 100
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/smtp/smtp_config.h ^
@@ -32,6 +32,7 @@ #define __SMTP_CONFIG_H__ #include "sfPolicyUserData.h" +#include "sf_email_attach_decode.h" #define CONF_SEPARATORS " \t\n\r" #define CONF_PORTS "ports" #define CONF_INSPECTION_TYPE "inspection_type" @@ -178,6 +179,19 @@ } SMTPConfig; +typedef struct _SMTP_Stats +{ + uint64_t sessions; + uint64_t conc_sessions; + uint64_t max_conc_sessions; + uint64_t memcap_exceeded; + uint64_t attachments[DECODE_ALL]; + uint64_t decoded_bytes[DECODE_ALL]; + +} SMTP_Stats; + +extern SMTP_Stats smtp_stats; + /* Function prototypes / void SMTP_ParseArgs(SMTPConfig , char ); void SMTP_PrintConfig(SMTPConfig config);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/smtp/smtp_util.c ^
@@ -216,6 +216,8 @@ if(log_avail <= 0 \|\| !alt_buf) return -1; + else if(log_avail < length) + length = log_avail; if ( alt_len > 0 && ((alt_len + 1) < alt_size)) { @@ -248,6 +250,7 @@ if( tmp != NULL ) { smtp_ssn->decode_state->decode_type = DECODE_B64; + smtp_stats.attachments[DECODE_B64]++; return; } } @@ -258,6 +261,7 @@ if( tmp != NULL ) { smtp_ssn->decode_state->decode_type = DECODE_QP; + smtp_stats.attachments[DECODE_QP]++; return; } } @@ -268,6 +272,7 @@ if( tmp != NULL ) { smtp_ssn->decode_state->decode_type = DECODE_UU; + smtp_stats.attachments[DECODE_UU]++; return; } } @@ -275,6 +280,7 @@ if(smtp_ssn->decode_state->bitenc_state.depth > -1) { smtp_ssn->decode_state->decode_type = DECODE_BITENC; + smtp_stats.attachments[DECODE_BITENC]++; return; }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/smtp/snort_smtp.c ^
@@ -267,7 +267,7 @@ } else { - SMTP_GenerateAlert(SMTP_DECODE_MEMCAP_EXCEEDED, "%s", SMTP_DECODE_MEMCAP_EXCEEDED_STR); + smtp_stats.memcap_exceeded++; } } } @@ -305,6 +305,12 @@ } } +static inline void SMTP_UpdateDecodeStats(Email_DecodeState ds) +{ + smtp_stats.decoded_bytes[ds->decode_type] += ds->decoded_bytes; +} + + void SMTP_InitCmds(SMTPConfig config) { @@ -571,6 +577,10 @@ ssn->policy_id = policy_id; ssn->config = smtp_config; pPolicyConfig->ref_count++; + smtp_stats.sessions++; + smtp_stats.conc_sessions++; + if(smtp_stats.max_conc_sessions < smtp_stats.conc_sessions) + smtp_stats.max_conc_sessions = smtp_stats.conc_sessions; return ssn; } @@ -755,6 +765,8 @@ } free(smtp); + if(smtp_stats.conc_sessions) + smtp_stats.conc_sessions--; } @@ -1432,6 +1444,7 @@ } _dpd.detect(p); smtp_ssn->state_flags &= ~SMTP_FLAG_MULTIPLE_EMAIL_ATTACH; + SMTP_UpdateDecodeStats(smtp_ssn->decode_state); ResetEmailDecodeState(smtp_ssn->decode_state); p->flags \|=FLAG_ALLOW_MULTIPLE_DETECT; /* Reset the log count when a packet goes through detection multiple times */ @@ -1461,6 +1474,7 @@ if(smtp_ssn->decode_state != NULL) { _dpd.setFileDataPtr(smtp_ssn->decode_state->decodePtr, (uint16_t)smtp_ssn->decode_state->decoded_bytes); + SMTP_UpdateDecodeStats(smtp_ssn->decode_state); ResetDecodedBytes(smtp_ssn->decode_state); }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/dynamic-preprocessors/smtp/spp_smtp.c ^
@@ -84,8 +84,8 @@ #define SetupSMTP DYNAMIC_PREPROC_SETUP MemPool smtp_mime_mempool = NULL; +SMTP_Stats smtp_stats; MemPool smtp_mempool = NULL; - tSfPolicyUserContextId smtp_config = NULL; SMTPConfig smtp_eval_config = NULL; @@ -99,6 +99,7 @@ static void SMTPResetStatsFunction(int, void ); static void _addPortsToStream5Filter(SMTPConfig , tSfPolicyId); static void SMTP_RegXtraDataFuncs(SMTPConfig config); +static void SMTP_PrintStats(int); #ifdef TARGET_BASED static void _addServicesToStream5Filter(tSfPolicyId); #endif @@ -176,6 +177,7 @@ /* _dpd.addPreproc(SMTPDetect, PRIORITY_APPLICATION, PP_SMTP, PROTO_BIT__TCP);/ _dpd.addPreprocExit(SMTPCleanExitFunction, NULL, PRIORITY_LAST, PP_SMTP); _dpd.addPreprocReset(SMTPResetFunction, NULL, PRIORITY_LAST, PP_SMTP); + _dpd.registerPreprocStats(SMTP_PROTO_REF_STR, SMTP_PrintStats); _dpd.addPreprocResetStats(SMTPResetStatsFunction, NULL, PRIORITY_LAST, PP_SMTP); _dpd.addPreprocConfCheck(SMTPCheckConfig); @@ -517,6 +519,27 @@ } } + +static void SMTP_PrintStats(int exiting) +{ + _dpd.logMsg("SMTP Preprocessor Statistics\n"); + _dpd.logMsg(" Total sessions : "STDu64"\n", smtp_stats.sessions); + _dpd.logMsg(" Max concurrent sessions : "STDu64"\n", smtp_stats.max_conc_sessions); + if (smtp_stats.sessions > 0) + { + _dpd.logMsg(" Base64 attachments decoded : "STDu64"\n", smtp_stats.attachments[DECODE_B64]); + _dpd.logMsg(" Total Base64 decoded bytes : "STDu64"\n", smtp_stats.decoded_bytes[DECODE_B64]); + _dpd.logMsg(" Quoted-Printable attachments decoded : "STDu64"\n", smtp_stats.attachments[DECODE_QP]); + _dpd.logMsg(" Total Quoted decoded bytes : "STDu64"\n", smtp_stats.decoded_bytes[DECODE_QP]); + _dpd.logMsg(" UU attachments decoded : "STDu64"\n", smtp_stats.attachments[DECODE_UU]); + _dpd.logMsg(" Total UU decoded bytes : "STDu64"\n", smtp_stats.decoded_bytes[DECODE_UU]); + _dpd.logMsg(" Bit/Binary/Text attachments extracted : "STDu64"\n", smtp_stats.attachments[DECODE_BITENC]); + _dpd.logMsg(" Total Bit/Binary/Text bytes extracted : "STDu64"\n", smtp_stats.decoded_bytes[DECODE_BITENC]); + if ( smtp_stats.memcap_exceeded ) + _dpd.logMsg(" Sessions not decoded due to memory unavailability : "STDu64"\n", smtp_stats.memcap_exceeded); + } + +} #ifdef SNORT_RELOAD static void SMTPReload(char args)
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/encode.c ^
@@ -34,6 +34,7 @@ #include <dnet.h> #endif +#include "assert.h" #include "encode.h" #include "sfdaq.h" #include "sf_iph.h" @@ -44,11 +45,14 @@ #define GET_TCP_HDR_LEN(h) (((h)->th_offx2 & 0xf0) >> 2) #define SET_TCP_HDR_LEN(h, n) (h)->th_offx2 = ((n << 2) & 0xF0) +#define MIN_TTL 64 #define MAX_TTL 255 + #define ICMP_UNREACH_DATA 8 // (per RFC 792) #define IP_ID_COUNT 8192 -static uint8_t dst_mac = NULL; +static uint8_t dst_mac = NULL; +Packet* encode_pkt = NULL; static inline int IsIcmp (int type) { @@ -85,7 +89,9 @@ #define FORWARD(e) (e->flags & ENC_FLAG_FWD) #define REVERSE(f) (!(f & ENC_FLAG_FWD)) -#define PKT_SZ (ETHERNET_HEADER_LEN + VLAN_HEADER_LEN + IP_MAXPACKET) +// PKT_MAX is sized to ensure that any reassembled packet +// can accommodate a full datagram at innermost layer +#define PKT_MAX (ETHERNET_HEADER_LEN + VLAN_HEADER_LEN + ETHERNET_MTU + IP_MAXPACKET) // all layer encoders look like this: typedef ENC_STATUS (Encoder)(EncState, Buffer* in, Buffer* out); @@ -182,6 +188,9 @@ enc.ip_len = 0; enc.proto = 0; + if ( encode_pkt ) + p = encode_pkt; + return Encode_Packet(&enc, p, len); } @@ -201,6 +210,9 @@ enc.ip_len = 0; enc.proto = 0; + if ( encode_pkt ) + p = encode_pkt; + return Encode_Packet(&enc, p, len); } @@ -272,9 +284,8 @@ c->data = lyr->start + lyr->length; len = c->data - c->pkt; - // should actually be max less specific layers - // but this is a safe limit - c->max_dsize = IP_MAXPACKET - len; + assert(len < PKT_MAX - IP_MAXPACKET); + c->max_dsize = IP_MAXPACKET; c->proto_bits = p->proto_bits; c->packet_flags \|= PKT_PSEUDO; @@ -343,7 +354,7 @@ Packet* Encode_New () { Packet* p = SnortAlloc(sizeof(p)); - uint8_t b = SnortAlloc(sizeof(p->pkth) + PKT_SZ + SPARC_TWIDDLE); + uint8_t b = SnortAlloc(sizeof(p->pkth) + PKT_MAX + SPARC_TWIDDLE); if ( !p \|\| !b ) FatalError("Encode_New() => Failed to allocate packet\n"); @@ -371,7 +382,7 @@ // private implementation stuff //------------------------------------------------------------------------- -static uint8_t s_pkt[ETHERNET_HEADER_LEN+VLAN_HEADER_LEN+IP_MAXPACKET]; +static uint8_t s_pkt[PKT_MAX]; static const uint8_t Encode_Packet( EncState* enc, const Packet* p, uint32_t* len) @@ -511,6 +522,8 @@ uint8_t new_ttl = GetTTL(enc); if ( !new_ttl ) new_ttl = ( MAX_TTL - ttl ); + if ( new_ttl < MIN_TTL ) + new_ttl = MIN_TTL; return new_ttl; } @@ -934,6 +947,9 @@ ho->th_flags = TH_RST \| TH_ACK; } + // in case of ip6 extension headers, this gets next correct + enc->proto = IPPROTO_TCP; + // we don't need to set th_sum here because dnet's // ip_checksum() sets both IP and TCP checksums and // ip6_checksum() sets the TCP checksum.
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/encode.h ^
@@ -28,6 +28,8 @@ #include "decode.h" +extern Packet encode_pkt; + void Encode_Init(void); void Encode_Term(void); @@ -74,5 +76,21 @@ // Set the destination MAC address void Encode_SetDstMAC(uint8_t ); +static inline void Encode_SetPkt(Packet* p) +{ + encode_pkt = p; +} + +static inline Packet* Encode_GetPkt(void) +{ + return encode_pkt; +} + +static inline void Encode_Reset(void) +{ + Encode_SetPkt(NULL); +} + + #endif // __ENCODE_H__
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/generators.h ^
@@ -340,7 +340,8 @@ #define SMTP_ILLEGAL_CMD 6 #define SMTP_HEADER_NAME_OVERFLOW 7 #define SMTP_XLINK2STATE_OVERFLOW 8 -#define SMTP_DECODE_MEMCAP_EXCEEDED 9 +/* This alert is obsolete. * +* #define SMTP_DECODE_MEMCAP_EXCEEDED 9*/ #define SMTP_B64_DECODING_FAILED 10 #define SMTP_QP_DECODING_FAILED 11 #define SMTP_BITENC_DECODING_FAILED 12
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_alert_arubaaction.c ^
@@ -158,7 +158,6 @@ void AlertArubaActionInit(char ); SpoAlertArubaActionData ParseAlertArubaActionArgs(char ); void AlertArubaActionCleanExitFunc(int, void ); -void AlertArubaActionRestartFunc(int, void ); void AlertArubaAction(Packet , char , void , Event ); int ArubaSwitchConnect(SpoAlertArubaActionData data); int ArubaSwitchSend(SpoAlertArubaActionData data, uint8_t post, int len); @@ -220,7 +219,6 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(AlertArubaAction, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertArubaActionCleanExitFunc, data); - AddFuncToRestartList(AlertArubaActionRestartFunc, data); } void AlertArubaAction(Packet p, char msg, void arg, Event event) @@ -645,14 +643,3 @@ free(data->role_name); free(data); } - -void AlertArubaActionRestartFunc(int signal, void arg) -{ - SpoAlertArubaActionData data = (SpoAlertArubaActionData )arg; - - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertArubaActionRestartFunc\n");); - free(data->secret); - free(data->role_name); - free(data); -} -
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_alert_fast.c ^
@@ -96,7 +96,6 @@ static void AlertFastInit(char ); static SpoAlertFastData ParseAlertFastArgs(char ); static void AlertFastCleanExitFunc(int, void ); -static void AlertFastRestartFunc(int, void ); static void AlertFast(Packet , char , void , Event ); / @@ -145,7 +144,6 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(AlertFast, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertFastCleanExitFunc, data); - AddFuncToRestartList(AlertFastRestartFunc, data); } static void AlertFast(Packet p, char msg, void arg, Event event) @@ -371,8 +369,3 @@ AlertFastCleanup(signal, arg, "AlertFastCleanExitFunc"); } -static void AlertFastRestartFunc(int signal, void arg) -{ - AlertFastCleanup(signal, arg, "AlertFastRestartFunc"); -} -
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_alert_full.c ^
@@ -71,7 +71,6 @@ static SpoAlertFullData ParseAlertFullArgs(char ); static void AlertFull(Packet , char , void , Event ); static void AlertFullCleanExit(int, void ); -static void AlertFullRestart(int, void ); /* * not defined for backwards compatibility @@ -126,7 +125,6 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(AlertFull, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertFullCleanExit, data); - AddFuncToRestartList(AlertFullRestart, data); } static void AlertFull(Packet p, char msg, void arg, Event event) @@ -319,8 +317,3 @@ AlertFullCleanup(signal, arg, "AlertFullCleanExit"); } -static void AlertFullRestart(int signal, void arg) -{ - AlertFullCleanup(signal, arg, "AlertFullRestart"); -} -
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_alert_prelude.c ^
@@ -792,7 +792,6 @@ AddFuncToOutputList(snort_alert_prelude, OUTPUT_TYPE__ALERT, client); AddFuncToCleanExitList(snort_alert_prelude_clean_exit, client); - AddFuncToRestartList(snort_alert_prelude_clean_exit, client); }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_alert_syslog.c ^
@@ -86,7 +86,6 @@ static SyslogData ParseSyslogArgs(char ); static void AlertSyslog(Packet , char , void , Event ); static void AlertSyslogCleanExit(int, void ); -static void AlertSyslogRestart(int, void ); @@ -140,7 +139,6 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(AlertSyslog, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertSyslogCleanExit, data); - AddFuncToRestartList(AlertSyslogRestart, data); } @@ -627,11 +625,3 @@ free(data); } -static void AlertSyslogRestart(int signal, void arg) -{ - SyslogData data = (SyslogData )arg; - DEBUG_WRAP(DebugMessage(DEBUG_LOG, "AlertSyslogRestartFunc\n");); - /* free memory from SyslogData */ - if(data) - free(data); -}
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_alert_test.c ^
@@ -104,7 +104,6 @@ void AlertTestInit(char ); SpoAlertTestData ParseAlertTestArgs(char ); void AlertTestCleanExitFunc(int, void ); -void AlertTestRestartFunc(int, void ); void AlertTest(Packet , char , void , Event ); extern PacketCount pc; @@ -156,7 +155,6 @@ / Set the preprocessor function into the function list / AddFuncToOutputList(AlertTest, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertTestCleanExitFunc, data); - AddFuncToRestartList(AlertTestRestartFunc, data); } void AlertTest(Packet p, char msg, void arg, Event event) @@ -313,18 +311,6 @@ fclose(data->file); /free memory from SpoAlertTestData / - free(data); -} - -void AlertTestRestartFunc(int signal, void arg) -{ - SpoAlertTestData data = (SpoAlertTestData )arg; - - /* close alert file / - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertTestRestartFunc\n");); - fclose(data->file); - - /free memory from SpoAlertTestData */ free(data); }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_alert_unixsock.c ^
@@ -89,7 +89,6 @@ static void AlertUnixSock(Packet , char , void , Event ); static void ParseAlertUnixSockArgs(char ); static void AlertUnixSockCleanExit(int, void ); -static void AlertUnixSockRestart(int, void ); static void OpenAlertSock(void); static void CloseAlertSock(void); @@ -138,7 +137,6 @@ AddFuncToOutputList(AlertUnixSock, OUTPUT_TYPE__ALERT, NULL); AddFuncToCleanExitList(AlertUnixSockCleanExit, NULL); - AddFuncToRestartList(AlertUnixSockRestart, NULL); } @@ -303,12 +301,6 @@ CloseAlertSock(); } -static void AlertUnixSockRestart(int signal, void arg) -{ - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"AlertUnixSockRestartFunc\n");); - CloseAlertSock(); -} - static void CloseAlertSock(void) { if(alertsd >= 0) {
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_csv.c ^
@@ -95,7 +95,6 @@ static AlertCSVData AlertCSVParseArgs(char ); static void AlertCSV(Packet , char , void , Event ); static void AlertCSVCleanExit(int, void ); -static void AlertCSVRestart(int, void ); static void RealAlertCSV( Packet, char msg, char *args, int numargs, Event, TextLog* ); @@ -146,7 +145,6 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(AlertCSV, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(AlertCSVCleanExit, data); - AddFuncToRestartList(AlertCSVRestart, data); } / @@ -260,12 +258,6 @@ AlertCSVCleanup(signal, arg, "AlertCSVCleanExit"); } -static void AlertCSVRestart(int signal, void arg) -{ - AlertCSVCleanup(signal, arg, "AlertCSVRestart"); -} - - static void AlertCSV(Packet p, char msg, void arg, Event event) { AlertCSVData data = (AlertCSVData *)arg;
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_database.c ^
@@ -298,7 +298,6 @@ static void Database(Packet , char , void , Event ); static char * snort_escape_string(const char , DatabaseData ); static void SpoDatabaseCleanExitFunction(int, void ); -static void SpoDatabaseRestartFunction(int, void ); //static void InitDatabase(void); static int UpdateLastCid(DatabaseData , int, int); static int GetLastCid(DatabaseData , int); @@ -410,7 +409,6 @@ } AddFuncToCleanExitList(SpoDatabaseCleanExitFunction, data); - AddFuncToRestartList(SpoDatabaseRestartFunction, data); AddFuncToPostConfigList(DatabaseInitFinalize, data); ++instances; @@ -3356,27 +3354,6 @@ if(data != NULL) { - UpdateLastCid(data, data->shared->sid, data->shared->cid-1); - Disconnect(data); - free(data->args); - free(data); - data = NULL; - } - - if(--instances == 0) - { - FreeSharedDataList(); - } -} - -static void SpoDatabaseRestartFunction(int signal, void arg) -{ - DatabaseData data = (DatabaseData *)arg; - - DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): entered SpoDatabaseRestartFunction\n");); - - if(data != NULL) - { UpdateLastCid(data, data->shared->sid, data->shared->cid-1); Disconnect(data); free(data->args);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_log_ascii.c ^
@@ -78,7 +78,6 @@ static void LogAsciiInit(char args); static void LogAscii(Packet p, char msg, void arg, Event event); static void LogAsciiCleanExit(int signal, void arg); -static void LogAsciiRestart(int signal, void arg); static char IcmpFileName(Packet * p); static FILE OpenLogFile(int mode, Packet p); @@ -105,7 +104,6 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(LogAscii, OUTPUT_TYPE__LOG, NULL); AddFuncToCleanExitList(LogAsciiCleanExit, NULL); - AddFuncToRestartList(LogAsciiRestart, NULL); } static void LogAscii(Packet p, char msg, void arg, Event event) @@ -161,11 +159,6 @@ { return; } - -static void LogAsciiRestart(int signal, void arg) -{ - return; -} static char *logfile[] = { "", "PACKET_FRAG", "PACKET_BOGUS", "PACKET_NONIP", "ARP", "log" };
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_log_null.c ^
@@ -59,7 +59,6 @@ static void LogNullInit(char ); static void LogNull(Packet , char , void , Event ); static void LogNullCleanExitFunc(int, void ); -static void LogNullRestartFunc(int, void ); void LogNullSetup(void) { @@ -78,7 +77,6 @@ / Set the preprocessor function into the function list / AddFuncToOutputList(LogNull, OUTPUT_TYPE__LOG, NULL); AddFuncToCleanExitList(LogNullCleanExitFunc, NULL); - AddFuncToRestartList(LogNullRestartFunc, NULL); } @@ -94,7 +92,3 @@ return; } -static void LogNullRestartFunc(int signal, void arg) -{ - return; -}
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_log_tcpdump.c ^
@@ -107,7 +107,6 @@ static void TcpdumpInitLogFile(LogTcpdumpData , int); static void TcpdumpRollLogFile(LogTcpdumpData); static void SpoLogTcpdumpCleanExitFunc(int, void ); -static void SpoLogTcpdumpRestartFunc(int, void ); static void LogTcpdumpSingle(Packet , char , void , Event ); static void LogTcpdumpStream(Packet , char , void , Event ); //static void DirectLogTcpdump(DAQ_PktHdr_t , uint8_t ); @@ -165,7 +164,6 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(LogTcpdump, OUTPUT_TYPE__LOG, data); AddFuncToCleanExitList(SpoLogTcpdumpCleanExitFunc, data); - AddFuncToRestartList(SpoLogTcpdumpRestartFunc, data); } / @@ -493,11 +491,6 @@ SpoLogTcpdumpCleanup(signal, arg, "SpoLogTcpdumpCleanExitFunc"); } -static void SpoLogTcpdumpRestartFunc(int signal, void *arg) -{ - SpoLogTcpdumpCleanup(signal, arg, "SpoLogTcpdumpRestartFunc"); -} - void LogTcpdumpReset(void) { TcpdumpRollLogFile(log_tcpdump_ptr);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_unified.c ^
@@ -181,7 +181,6 @@ /* -------------------- Local Functions -----------------------/ static UnifiedConfig UnifiedParseArgs(char , char ); static void UnifiedCleanExit(int, void ); -static void UnifiedRestart(int, void ); static void UnifiedLogInitFinalize(int, void ); / Unified Output functions / @@ -270,7 +269,6 @@ AddFuncToOutputList(UnifiedLogPacketAlert, OUTPUT_TYPE__LOG, unifiedConfig); AddFuncToCleanExitList(UnifiedCleanExit, unifiedConfig); - AddFuncToRestartList(UnifiedRestart, unifiedConfig); } / @@ -968,29 +966,6 @@ -/* - * Function: Restart() - * - * Purpose: For restarts (SIGHUP usually) clean up structs that need it - * - * Arguments: signal => signal that caused this event - * arg => data ptr to reference this plugin's data - * - * Returns: void function - / -static void UnifiedRestart(int signal, void arg) -{ - UnifiedConfig data = (UnifiedConfig )arg; - - DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified: Restart\n");); - - fclose(data->stream); - free(data->filename); - free(data); -} - - - /* Unified Alert functions (deprecated) / void UnifiedAlertInit(char args) { @@ -1008,7 +983,6 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(OldUnifiedLogAlert, OUTPUT_TYPE__ALERT, data); AddFuncToCleanExitList(UnifiedCleanExit, data); - AddFuncToRestartList(UnifiedRestart, data); } / * Function: UnifiedInitAlertFile() @@ -1108,7 +1082,6 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(OldUnifiedLogPacketAlert, OUTPUT_TYPE__LOG, UnifiedInfo); AddFuncToCleanExitList(UnifiedCleanExit, UnifiedInfo); - AddFuncToRestartList(UnifiedRestart, UnifiedInfo); } static void UnifiedLogInitFinalize(int unused, void arg)
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/output-plugins/spo_unified2.c ^
@@ -148,7 +148,9 @@ /* -------------------- Local Functions -----------------------/ static Unified2Config Unified2ParseArgs(char , char ); static void Unified2CleanExit(int, void ); -static void Unified2Restart(int, void ); +#ifdef SNORT_RELOAD +static void Unified2Reload(int, void ); +#endif / Unified2 Output functions / static void Unified2Init(char ); @@ -233,7 +235,9 @@ AddFuncToOutputList(Unified2LogPacketAlert, OUTPUT_TYPE__LOG, config); AddFuncToCleanExitList(Unified2CleanExit, config); - AddFuncToRestartList(Unified2Restart, config); +#ifdef SNORT_RELOAD + AddFuncToReloadList(Unified2Reload, config); +#endif AddFuncToPostConfigList(Unified2PostConfig, config); } @@ -375,8 +379,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -449,8 +461,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -541,8 +561,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -623,8 +651,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -731,8 +767,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -852,8 +896,16 @@ { if ( Active_PacketWasDropped() ) { - alertdata.impact_flag = U2_FLAG_BLOCKED; - alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + if (DAQ_GetInterfaceMode(p->pkth) == DAQ_MODE_INLINE) + { + alertdata.impact_flag = U2_FLAG_BLOCKED; + alertdata.blocked = U2_BLOCKED_FLAG_BLOCKED; + } + else + { + // Set would be dropped if not inline interface + alertdata.blocked = U2_BLOCKED_FLAG_WDROP; + } } else if ( Active_PacketWouldBeDropped() ) { @@ -1626,35 +1678,26 @@ } } +#ifdef SNORT_RELOAD /* - * Function: Restart() + * Function: Reload() * - * Purpose: For restarts (SIGHUP usually) clean up structs that need it + * Purpose: For reloads (SIGHUP usually), over the output * * Arguments: signal => signal that caused this event * arg => data ptr to reference this plugin's data * * Returns: void function / -static void Unified2Restart(int signal, void arg) +static void Unified2Reload(int signal, void arg) { Unified2Config config = (Unified2Config )arg; - DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified2: Restart\n");); + DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified2: Reload\n");); - log_config = alert_config = NULL; - / free up initialized memory / - if (config != NULL) - { - if (config->stream != NULL) - fclose(config->stream); - - if (config->base_filename != NULL) - free(config->base_filename); - - free(config); - } + Unified2RotateFile(config); } +#endif / Unified2 Alert functions (deprecated) / static void Unified2AlertInit(char args) @@ -1683,7 +1726,9 @@ /* Set the preprocessor function into the function list / AddFuncToOutputList(Unified2LogAlert, OUTPUT_TYPE__ALERT, config); AddFuncToCleanExitList(Unified2CleanExit, config); - AddFuncToRestartList(Unified2Restart, config); +#ifdef SNORT_RELOAD + AddFuncToReloadList(Unified2Reload, config); +#endif AddFuncToPostConfigList(Unified2PostConfig, config); } @@ -1716,7 +1761,9 @@ / Set the preprocessor function into the function list */ AddFuncToOutputList(Unified2LogPacketAlert, OUTPUT_TYPE__LOG, config); AddFuncToCleanExitList(Unified2CleanExit, config); - AddFuncToRestartList(Unified2Restart, config); +#ifdef SNORT_RELOAD + AddFuncToReloadList(Unified2Reload, config); +#endif AddFuncToPostConfigList(Unified2PostConfig, config); }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/plugbase.c ^
@@ -145,7 +145,9 @@ extern PreprocStatsFuncNode preproc_stats_funcs; extern PluginSignalFuncNode plugin_shutdown_funcs; extern PluginSignalFuncNode plugin_clean_exit_funcs; -extern PluginSignalFuncNode plugin_restart_funcs; +#ifdef SNORT_RELOAD +extern PluginSignalFuncNode plugin_reload_funcs; +#endif extern OutputFuncNode AlertList; extern OutputFuncNode LogList; extern PeriodicCheckFuncNode periodic_check_funcs; @@ -549,7 +551,7 @@ head = head->next; - /* don't free sig->arg, that's free'd by the CleanExit/Restart func / + / don't free sig->arg, that's free'd by the CleanExit func / free(tmp); } } @@ -1404,7 +1406,7 @@ while (head != NULL) { tmp = head->next; - / don't free sig->arg, that's free'd by the CleanExit/Restart func / + / don't free sig->arg, that's free'd by the CleanExit func / free(head); head = tmp; } @@ -1417,7 +1419,7 @@ while (head != NULL) { tmp = head->next; - / don't free sig->arg, that's free'd by the CleanExit/Restart func / + / don't free sig->arg, that's free'd by the CleanExit func / free(head); head = tmp; } @@ -1718,10 +1720,12 @@ / functions to aid in cleaning up after plugins * Used for both rule options and output. Preprocessors have their own / -void AddFuncToRestartList(PluginSignalFunc pl_sig_func, void arg) +#ifdef SNORT_RELOAD +void AddFuncToReloadList(PluginSignalFunc pl_sig_func, void arg) { - AddFuncToSignalList(pl_sig_func, arg, &plugin_restart_funcs); + AddFuncToSignalList(pl_sig_func, arg, &plugin_reload_funcs); } +#endif void AddFuncToCleanExitList(PluginSignalFunc pl_sig_func, void arg) {
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/plugbase.h ^
@@ -426,7 +426,9 @@ } PluginSignalFuncNode; /* Used for both rule options and output. Preprocessors have their own / -void AddFuncToRestartList(PluginSignalFunc, void ); +#ifdef SNORT_RELOAD +void AddFuncToReloadList(PluginSignalFunc, void ); +#endif void AddFuncToCleanExitList(PluginSignalFunc, void ); void AddFuncToShutdownList(PluginSignalFunc, void ); void AddFuncToPostConfigList(PluginSignalFunc, void );
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/HttpInspect/client/hi_client.c ^
@@ -125,7 +125,7 @@ / int CheckChunkEncoding(HI_SESSION Session, const u_char start, const u_char end, const u_char *post_end, u_char iChunkBuf, uint32_t max_size, - uint32_t last_chunk_size, uint32_t chunkSize, uint32_t chunkRead, HttpSessionData hsd, + uint32_t chunk_remainder, uint32_t updated_chunk_remainder, uint32_t chunkRead, HttpSessionData hsd, int iInspectMode) { uint32_t iChunkLen = 0; @@ -143,33 +143,38 @@ ptr = start; - if(last_chunk_size) + if(chunk_remainder) { - if(last_chunk_size > max_size) - { - if(chunkSize) - chunkSize = last_chunk_size - max_size ; - last_chunk_size = max_size; - } - iDataLen = end - ptr; - if(last_chunk_size > iDataLen) + if( iDataLen < max_size) + { + if( chunk_remainder > iDataLen ) + { + if(updated_chunk_remainder) + updated_chunk_remainder = chunk_remainder - iDataLen ; + chunk_remainder = iDataLen; + } + } + else { - if(chunkSize) - chunkSize = last_chunk_size - iDataLen ; - last_chunk_size = iDataLen; + if( chunk_remainder > max_size ) + { + if(updated_chunk_remainder) + updated_chunk_remainder = chunk_remainder - max_size ; + chunk_remainder = max_size; + } } - jump_ptr = ptr + last_chunk_size - 1; + jump_ptr = ptr + chunk_remainder - 1; if(hi_util_in_bounds(start, end, jump_ptr)) { chunkPresent = 1; if(iChunkBuf) { - memcpy(iChunkBuf, ptr, last_chunk_size); - chunkBytesCopied = last_chunk_size; + memcpy(iChunkBuf, ptr, chunk_remainder); + chunkBytesCopied = chunk_remainder; } ptr = jump_ptr + 1; } @@ -254,8 +259,8 @@ if( iChunkLen > iDataLen) { - if(chunkSize) - chunkSize = iChunkLen - iDataLen; + if(updated_chunk_remainder) + updated_chunk_remainder = iChunkLen - iDataLen; iChunkLen = iDataLen; } @@ -2609,6 +2614,13 @@ end = data + dsize; ptr = start; +#ifdef ENABLE_PAF + if ( ScPafEnabled() ) + { + if(stream_ins) + return HI_INVALID_ARG; + } +#endif /* ** Apache and IIS strike again . . . Thanks Kanatoko @@ -2647,15 +2659,21 @@ method_end = mthd++; break; } - - /* isascii returns non-zero if it is ascii / - if (isascii((int)mthd) == 0) +#ifdef ENABLE_PAF + if ( !ScPafEnabled() ) { - /* Possible post data or something else strange... / - method_end = mthd++; - non_ascii_mthd = 1; - break; +#endif + / isascii returns non-zero if it is ascii / + if (isascii((int)mthd) == 0) + { + /* Possible post data or something else strange... / + method_end = mthd++; + non_ascii_mthd = 1; + break; + } +#ifdef ENABLE_PAF } +#endif mthd++; } @@ -2694,23 +2712,30 @@ hi_eo_client_event_log(Session, HI_EO_CLIENT_UNKNOWN_METHOD, NULL, NULL); } - sans_uri = 1; Client->request.method = HI_UNKNOWN_METHOD; } } else { #ifdef ENABLE_PAF - / Might have gotten non-ascii characters, hence no method, but if - * PAF is in use, checking "!stream_ins" equates to PacketHasStartOfPDU() - * so we know we're looking for a method and not guessing that we're in - * the body or somewhere else because we found a non-ascii character / - if (!stream_ins && hi_eo_generate_event(Session, HI_EO_CLIENT_UNKNOWN_METHOD)) - hi_eo_client_event_log(Session, HI_EO_CLIENT_UNKNOWN_METHOD, NULL, NULL); + if( ScPafEnabled() ) + { + / Might have gotten non-ascii characters, hence no method, but if + * PAF is in use, checking "!stream_ins" equates to PacketHasStartOfPDU() + * so we know we're looking for a method and not guessing that we're in + * the body or somewhere else because we found a non-ascii character */ + if (!stream_ins && hi_eo_generate_event(Session, HI_EO_CLIENT_UNKNOWN_METHOD)) + hi_eo_client_event_log(Session, HI_EO_CLIENT_UNKNOWN_METHOD, NULL, NULL); + Client->request.method = HI_UNKNOWN_METHOD; + } + else #endif - - sans_uri = 1; - Client->request.method = HI_UNKNOWN_METHOD; + { + if (!stream_ins && hi_eo_generate_event(Session, HI_EO_CLIENT_UNKNOWN_METHOD)) + hi_eo_client_event_log(Session, HI_EO_CLIENT_UNKNOWN_METHOD, NULL, NULL); + sans_uri = 1; + Client->request.method = HI_UNKNOWN_METHOD; + } } if (!sans_uri ) @@ -2735,8 +2760,7 @@ } if(iRet == URI_END && - !(ServerConf->uri_only) && - !(Client->request.method & HI_UNKNOWN_METHOD)) + !(ServerConf->uri_only)) { Client->request.method_raw = method_ptr.uri; Client->request.method_size = method_ptr.uri_end - method_ptr.uri;
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/HttpInspect/normalization/hi_norm.c ^
@@ -80,8 +80,8 @@ /* ** Directory tracking / - u_char dir_track[MAX_DIRS]; u_int dir_count; + u_char dir_track[MAX_DIRS]; } URI_NORM_STATE; @@ -977,9 +977,8 @@ if(!norm_state->param) { - norm_state->dir_track[norm_state->dir_count] = ub_ptr; - if(norm_state->dir_count < MAX_DIRS) - norm_state->dir_count++; + if(norm_state->dir_count < (MAX_DIRS - 1)) + norm_state->dir_track[norm_state->dir_count++] = ub_ptr; } (ub_ptr)++;
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/HttpInspect/server/hi_server.c ^
@@ -749,7 +749,7 @@ const u_char start = ptr; int iRet = HI_SUCCESS; const u_char post_end = end; - uint32_t chunk_size = 0; + uint32_t updated_chunk_remainder = 0; uint32_t chunk_read = 0; int bytes_to_read = 0; ServerConf = Session->server_conf; @@ -790,10 +790,10 @@ if (sd->resp_state.last_pkt_chunked && CheckChunkEncoding(Session, start, end, &post_end, (u_char )HttpDecodeBuf.data, sizeof(HttpDecodeBuf.data), - sd->resp_state.last_chunk_size, &chunk_size, &chunk_read, + sd->resp_state.chunk_remainder, &updated_chunk_remainder, &chunk_read, sd, HI_SI_SERVER_MODE) == 1) { - sd->resp_state.last_chunk_size = chunk_size; + sd->resp_state.chunk_remainder = updated_chunk_remainder; sd->resp_state.last_pkt_chunked = 1; result->uri = (u_char )HttpDecodeBuf.data; result->uri_end = result->uri + chunk_read; @@ -959,8 +959,9 @@ int compr_bytes_read, decompr_bytes_read; int compr_avail, decompr_avail; int total_bytes_read = 0; - uint32_t chunk_size = 0; + uint32_t updated_chunk_remainder = 0; uint32_t chunk_read = 0; + uint32_t saved_chunk_size = 0; u_char compr_buffer; u_char decompr_buffer; @@ -970,6 +971,7 @@ decompr_bytes_read = sd->decomp_state->decompr_bytes_read; compr_buffer = sd->decomp_state->compr_buffer; decompr_buffer = sd->decomp_state->decompr_buffer; + saved_chunk_size = sd->resp_state.chunk_remainder; if(Session->server_conf->unlimited_decompress) { @@ -1024,10 +1026,10 @@ { if(sd->resp_state.last_pkt_chunked && CheckChunkEncoding(Session, start, end, NULL, compr_buffer, compr_avail, - sd->resp_state.last_chunk_size, &chunk_size, &chunk_read, + sd->resp_state.chunk_remainder, &updated_chunk_remainder, &chunk_read, sd, HI_SI_SERVER_MODE ) == 1) { - sd->resp_state.last_chunk_size = chunk_size; + sd->resp_state.chunk_remainder = updated_chunk_remainder; compr_avail = chunk_read; zRet = uncompress_gzip(decompr_buffer,decompr_avail,compr_buffer, compr_avail, sd, &total_bytes_read, sd->decomp_state->compress_fmt); @@ -1052,11 +1054,11 @@ &total_bytes_read, sd->decomp_state->compress_fmt); } - sd->decomp_state->compr_bytes_read += compr_avail; - hi_stats.compr_bytes_read += compr_avail; if((zRet == HI_SUCCESS) \|\| (zRet == HI_NONFATAL_ERR)) { + sd->decomp_state->compr_bytes_read += compr_avail; + hi_stats.compr_bytes_read += compr_avail; if(decompr_buffer) { result->uri = decompr_buffer; @@ -1078,15 +1080,24 @@ } else { + if(!sd->decomp_state->decompr_bytes_read) + { + sd->resp_state.chunk_remainder = saved_chunk_size; + iRet = HI_NONFATAL_ERR; + } + else + ResetRespState(&(sd->resp_state)); ResetGzipState(sd->decomp_state); - ResetRespState(&(sd->resp_state)); } if(zRet!=HI_SUCCESS) { - if(hi_eo_generate_event(Session, HI_EO_SERVER_DECOMPR_FAILED)) + if(sd->decomp_state->decompr_bytes_read) { - hi_eo_server_event_log(Session, HI_EO_SERVER_DECOMPR_FAILED, NULL, NULL); + if(hi_eo_generate_event(Session, HI_EO_SERVER_DECOMPR_FAILED)) + { + hi_eo_server_event_log(Session, HI_EO_SERVER_DECOMPR_FAILED, NULL, NULL); + } } } @@ -1119,6 +1130,13 @@ if((sd->decomp_state != NULL) && sd->decomp_state->decompress_data) { iRet = hi_server_decompress(Session, sd, ptr, end, result); + if(iRet == HI_NONFATAL_ERR) + { + sd->resp_state.inspect_body = 1; + result->uri = ptr; + result->uri_end = end; + iRet = hi_server_extract_body(Session, sd, ptr, end, result); + } } else #endif
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/HttpInspect/server/hi_server_norm.c ^
@@ -85,6 +85,7 @@ return HI_INVALID_ARG; } + ServerResp = &Session->server.response; ServerResp->header_encode_type = 0; ServerResp->cookie_encode_type = 0; @@ -322,7 +323,7 @@ //Save before the <script> begins if(js_start > ptr) { - status = SafeMemcpy(HttpDecodeBuf.data+index, ptr, (js_start - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); + status = SafeBoundsMemmove(HttpDecodeBuf.data+index, ptr, (js_start - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); if(status == SAFEMEM_SUCCESS) index += (js_start - ptr); else @@ -353,7 +354,7 @@ { if( ptr < end ) { - status = SafeMemcpy(HttpDecodeBuf.data+index, ptr, (end - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); + status = SafeBoundsMemmove(HttpDecodeBuf.data+index, ptr, (end - ptr), HttpDecodeBuf.data, HttpDecodeBuf.data + sizeof(HttpDecodeBuf.data)); if(status == SAFEMEM_SUCCESS) index += (end - ptr); }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/Stream5/snort_stream5_tcp.c ^
@@ -236,6 +236,7 @@ #define S5_FT_EXTERNAL 1 // set by other preprocessor #define S5_FT_PAF_MAX 2 // paf_max + footprint fp +#define SLAM_MAX 4 /* Only track a maximum number of alerts per session / #define MAX_SESSION_ALERTS 8 @@ -2810,8 +2811,6 @@ break; case STREAM_POLICY_FIRST: case STREAM_POLICY_LAST: - / Uh, who knows / - case STREAM_POLICY_BSD: case STREAM_POLICY_MACOS: case STREAM_POLICY_WINDOWS: case STREAM_POLICY_VISTA: @@ -2828,6 +2827,7 @@ "rst is not valid seq (next seq)!\n");); return 0; break; + case STREAM_POLICY_BSD: case STREAM_POLICY_LINUX: case STREAM_POLICY_OLD_LINUX: case STREAM_POLICY_SOLARIS: @@ -3081,7 +3081,7 @@ if ( right_ok ) { - if(SEQ_LT(tdb->seq, st->r_nxt_ack+Stream5GetWindow(st))) + if( SEQ_LT(tdb->seq, st->r_win_base+Stream5GetWindow(st)) ) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "seq is within window!\n");); @@ -3143,9 +3143,7 @@ #endif // * if we don't see a segment, we can't track seq at below // so we update the seq by the ack if it is beyond next expected - // FIXTHIS first test below is implied by second; verify test suite - // doesn't break - if(SEQ_GT(tdb->ack, rcv->l_unackd) && SEQ_GT(tdb->ack, rcv->l_nxt_seq)) + if(SEQ_GT(tdb->ack, rcv->l_unackd)) rcv->l_unackd = tdb->ack; // this is how we track the last seq number sent @@ -3416,7 +3414,12 @@ while ( seg && seg->buffered ) { - seq = seg->seq + seg->size; + uint32_t end = seg->seq + seg->size; + + if ( SEQ_GT(end, st->r_win_base) ) + break; + + seq = end; seg = seg->next; } if ( seq ) @@ -4819,7 +4822,7 @@ } #endif /* SUP_IP6 / -#ifdef DEBUG +#ifdef SEG_TEST static void CheckSegments (const StreamTracker a) { StreamSegment* ss = a->seglist; @@ -5561,18 +5564,23 @@ if(st->flush_mgr.flush_policy != STREAM_FLPOLICY_IGNORE) { + uint32_t seq = tdb->seq; + /* Check if we should not insert a large packet / if (IgnoreLargePkt(st, p, tdb)) { return; } + if ( p->tcph->th_flags & TH_SYN ) + seq++; + / new packet seq is below the last ack... / - if(SEQ_GT(st->seglist_base_seq, tdb->seq)) + if ( SEQ_GT(st->r_win_base, seq) ) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "segment overlaps ack'd data...\n");); - overlap = st->seglist_base_seq - tdb->seq; + overlap = st->r_win_base - tdb->seq; if(overlap >= p->dsize) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -5582,7 +5590,7 @@ } } - AddStreamNode(st, p, tdb, tcpssn, p->dsize, 0, 0, tdb->seq, NULL, &ss); + AddStreamNode(st, p, tdb, tcpssn, p->dsize, overlap, 0, tdb->seq+overlap, NULL, &ss); STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Attached new queue to seglist, %d bytes queued, " @@ -5796,7 +5804,6 @@ break; case STREAM_POLICY_FIRST: case STREAM_POLICY_LAST: - / Uh, who knows / case STREAM_POLICY_BSD: case STREAM_POLICY_MACOS: case STREAM_POLICY_SOLARIS: @@ -5832,7 +5839,7 @@ st->seg_bytes_logical, SegsToFlush(st));); retSeg = ss; -#ifdef DEBUG +#ifdef SEG_TEST CheckSegments(st); #endif return STREAM_INSERT_OK; @@ -6057,9 +6064,10 @@ / if(left) { - / - * check if the new segment overlaps on the left side - / + // NOTE that left->seq is always less than seq, otherwise it would + // be a right based on the above determination of left and right + + / check if the new segment overlaps on the left side / overlap = left->seq + left->size - seq; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -6067,6 +6075,8 @@ if(overlap > 0) { + // NOTE that overlap will always be less than left->size since + // seq is always greater than left->seq s5stats.tcp_overlaps++; st->overlap_count++; switch(reassembly_policy) @@ -6143,22 +6153,12 @@ return STREAM_INSERT_ANOMALY; } } + / Otherwise, trim the old data accordingly / left->size -= (int16_t)overlap; st->seg_bytes_logical -= overlap; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "left overlap, honoring new data\n");); - if (left->size <= 0) - { - dump_me = left; - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "retrans, dumping old TCP data (seq: %d " - "overlap: %d)\n", dump_me->seq, overlap);); - - left = left->prev; - Stream5SeglistDeleteNode(st, dump_me, 0); - } break; case REASSEMBLY_POLICY_LAST: / True "Last" policy" / @@ -6194,19 +6194,9 @@ left->size -= (int16_t)overlap; st->seg_bytes_logical -= overlap; } + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "left overlap, honoring new data\n");); - if (left->size <= 0) - { - dump_me = left; - - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "retrans, dumping old TCP data (seq: %d " - "overlap: %d)\n", dump_me->seq, overlap);); - - left = left->prev; - Stream5SeglistDeleteNode(st, dump_me, 0); - } break; } @@ -6361,7 +6351,6 @@ SEQ_LT(seq, right->seq)) { dump_me = right; - st->seg_bytes_logical -= right->size; STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "retrans, dropping old data at seq %d, size %d\n", @@ -6672,7 +6661,26 @@ { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "queuing segment\n");); - StreamQueue(rcv, p, tdb, tcpssn); + + if ( SEQ_GT(rcv->r_win_base, tdb->seq) ) + { + uint32_t offset = rcv->r_win_base - tdb->seq; + + if ( offset < p->dsize ) + { + tdb->seq += offset; + p->data += offset; + p->dsize -= offset; + + StreamQueue(rcv, p, tdb, tcpssn); + + p->dsize += offset; + p->data -= offset; + tdb->seq -= offset; + } + } + else + StreamQueue(rcv, p, tdb, tcpssn); if ((rcv->tcp_policy->overlap_limit) && (rcv->overlap_count > rcv->tcp_policy->overlap_limit)) @@ -7487,7 +7495,6 @@ break; case STREAM_POLICY_FIRST: case STREAM_POLICY_LAST: - / Uh, who knows / case STREAM_POLICY_LINUX: case STREAM_POLICY_OLD_LINUX: case STREAM_POLICY_BSD: @@ -8209,6 +8216,16 @@ { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Got RST, bailing\n");); + + if ( + listener->s_mgr.state == TCP_STATE_FIN_WAIT_1 \|\| + listener->s_mgr.state == TCP_STATE_FIN_WAIT_2 \|\| + listener->s_mgr.state == TCP_STATE_CLOSING + ) { + Stream5FlushTalker(p, lwssn); + Stream5FlushListener(p, lwssn); + FreeLWApplicationData(lwssn); + } lwssn->session_flags \|= SSNFLAG_RESET; talker->s_mgr.state = TCP_STATE_CLOSED; talker->s_mgr.sub_state \|= SUB_RST_SENT; @@ -8323,7 +8340,7 @@ PREPROC_PROFILE_END(s5TcpStatePerfStats); return ACTION_NOTHING \| ACTION_BAD_PKT; } - else if ( !tdb->win && !talker->total_bytes_queued && + else if ( (tdb->win <= SLAM_MAX) && (tdb->ack == listener->isn + 1) && !(p->tcph->th_flags & (TH_FIN\|TH_RST)) ) { STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -8425,8 +8442,17 @@ { talker->s_mgr.state = TCP_STATE_LAST_ACK; } - // FIXTHIS this should be handled below in fin section - // but midstream sessions fail the seq test + if ( lwssn->session_flags & SSNFLAG_MIDSTREAM ) + { + // FIXTHIS this should be handled below in fin section + // but midstream sessions fail the seq test + listener->s_mgr.state_queue = TCP_STATE_TIME_WAIT; + listener->s_mgr.transition_seq = tdb->end_seq; + listener->s_mgr.expected_flags = TH_ACK; + } + } + else if (listener->s_mgr.state_queue == TCP_STATE_CLOSING) + { listener->s_mgr.state_queue = TCP_STATE_TIME_WAIT; listener->s_mgr.transition_seq = tdb->end_seq; listener->s_mgr.expected_flags = TH_ACK; @@ -8616,6 +8642,31 @@ / all other states stay where they are / break; } + // need substate since we don't change state immediately + if ( !(talker->s_mgr.sub_state & SUB_FIN_SENT) ) + { + talker->l_nxt_seq++; + listener->r_nxt_ack++; + talker->s_mgr.sub_state \|= SUB_FIN_SENT; + } + else if ( (talker->s_mgr.state == TCP_STATE_FIN_WAIT_1) \|\| + (talker->s_mgr.state == TCP_STATE_LAST_ACK) ) + { + uint32_t end_seq = ( lwssn->session_flags & SSNFLAG_MIDSTREAM ) ? + tdb->end_seq-1 : tdb->end_seq; + + if ( (listener->s_mgr.expected_flags == TH_ACK) && + SEQ_GEQ(end_seq, listener->s_mgr.transition_seq) ) + { + STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, + "FIN beyond previous, ignoring\n");); + eventcode \|= EVENT_BAD_FIN; + LogTcpEvents(talker->tcp_policy, eventcode); + NormalDropPacketIf(p, NORM_TCP); + PREPROC_PROFILE_END(s5TcpStatePerfStats); + return ACTION_NOTHING \| ACTION_BAD_PKT; + } + } switch ( listener->s_mgr.state ) { case TCP_STATE_ESTABLISHED: @@ -8636,28 +8687,6 @@ listener->s_mgr.expected_flags = TH_ACK; break; } - // need substate since we don't change state immediately - if ( !(talker->s_mgr.sub_state & SUB_FIN_SENT) ) - { - talker->l_nxt_seq++; - listener->r_nxt_ack++; - talker->s_mgr.sub_state \|= SUB_FIN_SENT; - } - else if(SEQ_GEQ(tdb->end_seq,talker->l_nxt_seq)) - { - STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, - "FIN beyond l_nxt_seq, ignoring\n");); - switch(talker->s_mgr.state) - { - case TCP_STATE_FIN_WAIT_1: - case TCP_STATE_LAST_ACK: - eventcode \|= EVENT_BAD_FIN; - LogTcpEvents(talker->tcp_policy, eventcode); - NormalDropPacketIf(p, NORM_TCP); - PREPROC_PROFILE_END(s5TcpStatePerfStats); - return ACTION_NOTHING \| ACTION_BAD_PKT; - } - } } } @@ -8675,7 +8704,8 @@ handle TIME_WAIT timer stuff */ if((talker->s_mgr.state == TCP_STATE_TIME_WAIT && listener->s_mgr.state == TCP_STATE_CLOSED) \|\| - (listener->s_mgr.state == TCP_STATE_TIME_WAIT && talker->s_mgr.state == TCP_STATE_CLOSED)) + (listener->s_mgr.state == TCP_STATE_TIME_WAIT && talker->s_mgr.state == TCP_STATE_CLOSED) \|\| + (listener->s_mgr.state == TCP_STATE_TIME_WAIT && talker->s_mgr.state == TCP_STATE_TIME_WAIT)) { //dropssn: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, @@ -9295,6 +9325,7 @@ seg->seq = flush_seq; seg->size -= (uint16_t)delta; + st->seg_bytes_logical -= delta; return 0; } }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/Stream5/stream5_common.c ^
@@ -40,6 +40,7 @@ #include "snort_stream5_tcp.h" #include "snort_stream5_udp.h" #include "snort_stream5_icmp.h" +#include "snort_stream5_ip.h" #include "parser.h" #include "active.h" @@ -608,6 +609,12 @@ config->icmp_config = NULL; } + if (config->ip_config != NULL) + { + Stream5IpConfigFree(config->ip_config); + config->ip_config = NULL; + } + free(config); }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/snort_httpinspect.c ^
@@ -664,11 +664,11 @@ return -1; } - if(max_gzip_mem < GZIP_MEM_MIN \|\| max_gzip_mem > GZIP_MEM_MAX) + if(max_gzip_mem < GZIP_MEM_MIN) { SnortSnprintf(ErrorString, ErrStrLen, - "Invalid argument to '%s'. Must be between %d and " - "%d.", MAX_GZIP_MEM, GZIP_MEM_MIN, GZIP_MEM_MAX); + "Invalid argument to '%s'. This value must be equal to or greater than %d bytes." + , MAX_GZIP_MEM, GZIP_MEM_MIN); return -1; }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/snort_httpinspect.h ^
@@ -66,7 +66,6 @@ #ifdef ZLIB #define DEFAULT_MAX_GZIP_MEM 838860 -#define GZIP_MEM_MAX 104857600 #define GZIP_MEM_MIN 3276 #define MAX_GZIP_DEPTH 65535 #define DEFAULT_COMP_DEPTH 1460 @@ -109,7 +108,7 @@ uint8_t last_pkt_contlen; uint8_t last_pkt_chunked; uint32_t next_seq; - uint32_t last_chunk_size; + uint32_t chunk_remainder; int flow_depth_read; uint32_t max_seq; int is_max_seq; @@ -296,7 +295,7 @@ ds->last_pkt_chunked = 0; ds->inspect_reassembled = 0; ds->next_seq = 0; - ds->last_chunk_size = 0; + ds->chunk_remainder = 0; ds->flow_depth_read = 0; ds->max_seq = 0; ds->is_max_seq = 0;
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/spp_frag3.c ^
@@ -4093,7 +4093,7 @@ } #endif SnortEventqPush(); - ProcessPacket(NULL, dpkt->pkth, dpkt->pkt, ft); + ProcessPacket(dpkt, dpkt->pkth, dpkt->pkt, ft); SnortEventqPop(); DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/preprocessors/spp_normalize.c ^
@@ -137,7 +137,7 @@ sfPolicyUserDataSetCurrent(base_set, pc); AddFuncToPreprocList( - Preproc_Execute, PRIORITY_NETWORK, PP_NORMALIZE, PROTO_BITS); + Preproc_Execute, PRIORITY_NORMALIZE, PP_NORMALIZE, PROTO_BITS); } return pc; } @@ -732,7 +732,7 @@ sfPolicyUserDataSetCurrent(swap_set, pc); AddFuncToPreprocList( - Preproc_Execute, PRIORITY_NETWORK, PP_NORMALIZE, PROTO_BITS); + Preproc_Execute, PRIORITY_NORMALIZE, PP_NORMALIZE, PROTO_BITS); } return pc; }
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/sfdaq.c ^
@@ -121,6 +121,23 @@ return 0; } +DAQ_Mode DAQ_GetInterfaceMode(const DAQ_PktHdr_t h) +{ +#ifdef DAQ_PKT_FLAG_NOT_FORWARDING + // interface is not inline, so return passive + if (h->flags & DAQ_PKT_FLAG_NOT_FORWARDING) + return DAQ_MODE_PASSIVE; +#endif + // interface is inline + if ( ScAdapterInlineMode() ) + { + return DAQ_MODE_INLINE; + } + + // interface is passive or readback + return DAQ_MODE_PASSIVE; +} + DAQ_Mode DAQ_GetMode (const SnortConfig sc) { if ( sc->daq_mode )
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/sfdaq.h ^
@@ -70,6 +70,7 @@ #ifdef HAVE_DAQ_ACQUIRE_WITH_META void DAQ_Set_MetaCallback(DAQ_Meta_Func_t meta_callback); #endif +DAQ_Mode DAQ_GetInterfaceMode(const DAQ_PktHdr_t h); int DAQ_ModifyFlow(const void h, uint32_t id);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/snort.c ^
@@ -282,7 +282,9 @@ PluginSignalFuncNode plugin_shutdown_funcs = NULL; PluginSignalFuncNode plugin_clean_exit_funcs = NULL; -PluginSignalFuncNode plugin_restart_funcs = NULL; +#ifdef SNORT_RELOAD +PluginSignalFuncNode plugin_reload_funcs = NULL; +#endif OutputFuncNode AlertList = NULL; / Alert function list / OutputFuncNode LogList = NULL; /* Log function list / @@ -462,7 +464,7 @@ / Private function prototypes ***********************************************/ static void InitNetmasks(void); static void InitProtoNames(void); -static const char GetPacketSource(void); +static const char* GetPacketSource(char); static void CleanExit(int); static void SnortInit(int, char ); @@ -548,11 +550,11 @@ /* inline FUNCTION ***********************************************************/ static inline void CheckForReload(void) { - #if defined(SNORT_RELOAD) && !defined(WIN32) / Check for a new configuration / if (snort_reload) { + PluginSignalFuncNode idxPlugin = NULL; snort_reload = 0; /* There was an error reloading. A non-reloadable configuration @@ -583,6 +585,14 @@ #endif snort_swapped = 1; + + /* Do any reload for plugin data / + idxPlugin = plugin_reload_funcs; + while(idxPlugin) + { + idxPlugin->func(SIGHUP, idxPlugin->arg); + idxPlugin = idxPlugin->next; + } } #endif } @@ -701,6 +711,7 @@ / int SnortMain(int argc, char argv[]) { + char tmp_ptr = NULL; const char* intf; int daqInit; @@ -712,7 +723,7 @@ SnortInit(argc, argv); - intf = GetPacketSource(); + intf = GetPacketSource(&tmp_ptr); daqInit = intf \|\| snort_conf->daq_type; if ( daqInit ) @@ -720,6 +731,9 @@ DAQ_Init(snort_conf); DAQ_New(snort_conf, intf); } + if ( tmp_ptr ) + free(tmp_ptr); + if ( ScDaemonMode() ) { GoDaemon(); @@ -1139,7 +1153,7 @@ return iface; } -static const char* GetPacketSource (void) +static const char* GetPacketSource (char** sptr) { const char* intf = "other"; @@ -1165,8 +1179,10 @@ !strcasecmp(snort_conf->daq_type, "afpacket") \|\| !strcasecmp(snort_conf->daq_type, "pcap") \|\| !strcasecmp(snort_conf->daq_type, "dump")) ) - + { intf = GetFirstInterface(); + sptr = (char)intf; + } } return intf; } @@ -1426,6 +1442,8 @@ static DAQ_Verdict PacketCallback( void* user, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt) { + Packet p; + int inject = 0; DAQ_Verdict verdict = DAQ_VERDICT_PASS; PROFILE_VARS; @@ -1483,10 +1501,61 @@ BsdPseudoPacket = NULL; #endif - verdict = ProcessPacket(user, pkthdr, pkt, NULL); + verdict = ProcessPacket(&p, pkthdr, pkt, NULL); - checkLWSessionTimeout(4, pkthdr->ts.tv_sec); +#ifdef ACTIVE_RESPONSE + if ( Active_ResponseQueued() ) + { + Active_SendResponses(&p); + } +#endif + if ( Active_PacketWasDropped() ) + { + if ( verdict == DAQ_VERDICT_PASS ) + verdict = DAQ_VERDICT_BLOCK; + } + else + { + Replace_ModifyPacket(&p); + if ( p.packet_flags & PKT_MODIFIED ) + { + // this packet was normalized and/or has replacements + Encode_Update(&p); + verdict = DAQ_VERDICT_REPLACE; + } +#ifdef NORMALIZER + else if ( p.packet_flags & PKT_RESIZED ) + { + // we never increase, only trim, but + // daq doesn't support resizing wire packet + if ( !DAQ_Inject(p.pkth, 0, p.pkt, p.pkth->pktlen) ) + { + verdict = DAQ_VERDICT_BLOCK; + inject = 1; + } + } +#endif + else + { + if ((p.packet_flags & PKT_IGNORE_PORT) \|\| + (stream_api && (stream_api->get_ignore_direction(p.ssnptr) == SSN_DIR_BOTH))) + { + verdict = DAQ_VERDICT_WHITELIST; + } + else + { + verdict = DAQ_VERDICT_PASS; + } + } + } + + /* Collect some "on the wire" stats about packet size, etc / + UpdateWireStats(&sfBase, pkthdr->caplen, Active_PacketWasDropped(), inject); + Active_Reset(); + Encode_Reset(); + + checkLWSessionTimeout(4, pkthdr->ts.tv_sec); ControlSocketDoWork(0); PREPROC_PROFILE_END(totalPerfStats); @@ -1516,40 +1585,39 @@ } DAQ_Verdict ProcessPacket( - void user, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt, void* ft) + Packet* p, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt, void* ft) { - Packet p; DAQ_Verdict verdict = DAQ_VERDICT_PASS; - int inject = 0; setRuntimePolicy(getDefaultPolicy()); /* call the packet decoder / - (grinder) (&p, pkthdr, pkt); + (grinder) (p, pkthdr, pkt); - if(!p.pkth \|\| !p.pkt) + if(!p->pkth \|\| !p->pkt) { return verdict; } / Make sure this packet skips the rest of the preprocessors / / Remove once the IPv6 frag code is moved into frag 3 / - if(p.packet_flags & PKT_NO_DETECT) + if(p->packet_flags & PKT_NO_DETECT) { - DisableAllDetect(&p); + DisableAllDetect(p); } if (ft) { - p.packet_flags \|= (PKT_PSEUDO \| PKT_REBUILT_FRAG); - p.pseudo_type = PSEUDO_PKT_IP; - p.fragtracker = ft; + p->packet_flags \|= (PKT_PSEUDO \| PKT_REBUILT_FRAG); + p->pseudo_type = PSEUDO_PKT_IP; + p->fragtracker = ft; + Encode_SetPkt(p); } { - int vlanId = (p.vh) ? VTH_VLAN(p.vh) : -1; - snort_ip_p srcIp = (p.iph) ? GET_SRC_IP((&p)) : (snort_ip_p)0; - snort_ip_p dstIp = (p.iph) ? GET_DST_IP((&p)) : (snort_ip_p)0; + int vlanId = (p->vh) ? VTH_VLAN(p->vh) : -1; + snort_ip_p srcIp = (p->iph) ? GET_SRC_IP((p)) : (snort_ip_p)0; + snort_ip_p dstIp = (p->iph) ? GET_DST_IP((p)) : (snort_ip_p)0; //set policy id for this packet setRuntimePolicy(sfGetApplicablePolicyId( @@ -1557,11 +1625,11 @@ } /** Policy specific decoding should into this function **/ - p.configPolicyId = + p->configPolicyId = snort_conf->targeted_policies[getRuntimePolicy()]->configPolicyId; // FIXTHIS ideally this would be done ... - DecodePolicySpecific(&p); + DecodePolicySpecific(p); //actions are queued only for IDS case sfActionQueueExecAll(decoderActionQ); @@ -1570,80 +1638,23 @@ // the purpose of which is just to wait until we know the policy / just throw away the packet if we are configured to ignore this port / - if ( !(p.packet_flags & PKT_IGNORE_PORT) ) + if ( !(p->packet_flags & PKT_IGNORE_PORT) ) { / start calling the detection processes / - Preprocess(&p); - log_func(&p); + Preprocess(p); + log_func(p); } if ( Active_SessionWasDropped() ) { - Active_DropAction(&p); + Active_DropAction(p); if ( ScInlineMode() \|\| Active_PacketForceDropped() ) verdict = DAQ_VERDICT_BLACKLIST; else verdict = DAQ_VERDICT_IGNORE; } - if ( ft ) - { - // we don't block, modify, pass, or count defrags - // if the defrag trigged a block, this verdict will - // be applied to the raw packet. - return verdict; - } - -#ifdef ACTIVE_RESPONSE - if ( Active_ResponseQueued() ) - { - Active_SendResponses(&p); - } -#endif - if ( Active_PacketWasDropped() ) - { - if ( verdict == DAQ_VERDICT_PASS ) - verdict = DAQ_VERDICT_BLOCK; - } - else - { - Replace_ModifyPacket(&p); - - if ( p.packet_flags & PKT_MODIFIED ) - { - // this packet was normalized and/or has replacements - Encode_Update(&p); - verdict = DAQ_VERDICT_REPLACE; - } -#ifdef NORMALIZER - else if ( p.packet_flags & PKT_RESIZED ) - { - // we never increase, only trim, but - // daq doesn't support resizing wire packet - if ( !DAQ_Inject(p.pkth, 0, p.pkt, p.pkth->pktlen) ) - { - verdict = DAQ_VERDICT_BLOCK; - inject = 1; - } - } -#endif - else - { - if ((p.packet_flags & PKT_IGNORE_PORT) \|\| - (stream_api && (stream_api->get_ignore_direction(p.ssnptr) == SSN_DIR_BOTH))) - { - verdict = DAQ_VERDICT_WHITELIST; - } - else - { - verdict = DAQ_VERDICT_PASS; - } - } - } - / Collect some "on the wire" stats about packet size, etc / - UpdateWireStats(&sfBase, pkthdr->caplen, Active_PacketWasDropped(), inject); - Active_Reset(); return verdict; } @@ -3105,6 +3116,34 @@ } #endif +static void PrintStatistics (void) +{ + if ( ScTestMode() \|\| ScVersionMode() +#ifdef DYNAMIC_PLUGIN + \|\| ScRuleDumpMode() +#endif + ) + return; + + fpShowEventStats(snort_conf); + +#ifdef PERF_PROFILING + { + int save_quiet_flag = snort_conf->logging_flags & LOGGING_FLAG__QUIET; + + snort_conf->logging_flags &= ~LOGGING_FLAG__QUIET; + + ShowPreprocProfiles(); + ShowRuleProfiles(); + + snort_conf->logging_flags \|= save_quiet_flag; + } +#endif + + DropStats(2); + print_thresholding(snort_conf->threshold_config, 1); +} + /*************************************************************************** * * Function: CleanExit() @@ -3191,7 +3230,7 @@ { DAQ_Delete(); DAQ_Term(); - DropStats(2); + PrintStatistics(); return; } #if defined(SNORT_RELOAD) && !defined(WIN32) @@ -3277,32 +3316,7 @@ DAQ_Delete(); DAQ_Term(); - - /* Print Statistics */ - if (!ScTestMode() && !ScVersionMode() -#ifdef DYNAMIC_PLUGIN - && !ScRuleDumpMode() -#endif - ) - { - fpShowEventStats(snort_conf); - -#ifdef PERF_PROFILING - { - int save_quiet_flag = snort_conf->logging_flags & LOGGING_FLAG__QUIET; - - snort_conf->logging_flags &= ~LOGGING_FLAG__QUIET; - - ShowPreprocProfiles(); - ShowRuleProfiles(); - - snort_conf->logging_flags \|= save_quiet_flag; - } -#endif - - DropStats(2); - print_thresholding(snort_conf->threshold_config, 1); - } + PrintStatistics(); #ifdef ACTIVE_RESPONSE Active_Term(); @@ -3421,8 +3435,10 @@ FreePluginSigFuncs(plugin_clean_exit_funcs); plugin_clean_exit_funcs = NULL; - FreePluginSigFuncs(plugin_restart_funcs); - plugin_restart_funcs = NULL; +#ifdef SNORT_RELOAD + FreePluginSigFuncs(plugin_reload_funcs); + plugin_reload_funcs = NULL; +#endif FreePeriodicFuncs(periodic_check_funcs); periodic_check_funcs = NULL;
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/snort.h ^
@@ -1020,7 +1020,7 @@ /* P R O T O T Y P E S *****************************************************/ int SnortMain(int argc, char argv[]); -DAQ_Verdict ProcessPacket(void, const DAQ_PktHdr_t, const uint8_t, void); +DAQ_Verdict ProcessPacket(Packet, const DAQ_PktHdr_t, const uint8_t, void); void SetupMetadataCallback(void); int InMainThread(void);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/snort_bounds.h ^
@@ -125,6 +125,48 @@ } /** + * A Safer Memmove + * dst and src can be in the same buffer + * + * @param dst where to copy to + * @param src where to copy from + * @param n number of bytes to copy + * @param start start of the dest buffer + * @param end end of the dst buffer + * + * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success + / +static inline int SafeBoundsMemmove(void dst, const void src, size_t n, const void start, const void end) +{ + size_t overlap = 0; + if (SafeMemCheck(dst, n, start, end) != SAFEMEM_SUCCESS) + ERRORRET; + if (src == NULL) + ERRORRET; + + if( src == dst ) + { + return SAFEMEM_SUCCESS; + } + else if(inBounds(dst, ((uint8_t )dst + n), src)) + { + overlap = (uint8_t )src - (uint8_t )dst; + memcpy(dst, src , overlap); + memmove(((uint8_t )dst + overlap), ((uint8_t )src + overlap), (n - overlap)); + } + else if(inBounds(src, ((uint8_t )src + n), dst)) + { + overlap = (uint8_t )dst - (uint8_t )src; + memcpy(((uint8_t )dst + overlap), ((uint8_t )src + overlap), (n - overlap)); + memmove(dst, src, overlap); + } + else + { + memcpy(dst, src, n); + } + return SAFEMEM_SUCCESS; +} +/* * A Safer Memset * dst and src can be in the same buffer *
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/util.c ^
@@ -77,6 +77,7 @@ #include "mpse.h" #include "ppm.h" #include "active.h" +#include "packet_time.h" #ifdef TARGET_BASED #include "sftarget_reader.h" @@ -448,6 +449,56 @@ } /* + * Function: ErrorMessageThrottled(ThrottleInfo ,const char , ...) + * + * Purpose: Print a message to stderr, and throttle when + * too many messages are printed. + * + * Arguments: throttleInfo => point to the saved throttle state information + * format => the formatted error string to print out + * ... => format commands/fillers + * + * Returns: void function + / + +void ErrorMessageThrottled(ThrottleInfo throttleInfo, const char format,...) +{ + char buf[STD_BUF+1]; + va_list ap; + time_t current_time = packet_timeofday(); + + if ((snort_conf == NULL)\|\|(!throttleInfo)) + return; + + throttleInfo->count++; + DEBUG_WRAP(DebugMessage(DEBUG_INIT,"current_time: %d, throttle (%p): count "STDu64", last update: %d\n", + (int)current_time, throttleInfo, throttleInfo->count, (int)throttleInfo->lastUpdate );) + /Note: we only output the first error message, + * and the statistics after at least duration_to_log seconds + * when the same type of error message is printed out again / + if (current_time - throttleInfo->duration_to_log > throttleInfo->lastUpdate) + { + int index; + va_start(ap, format); + index = vsnprintf(buf, STD_BUF, format, ap); + va_end(ap); + + if (index && (throttleInfo->count > 1)) + { + snprintf(&buf[index - 1], STD_BUF-index, + " (suppressed "STDu64" times in the last %d seconds).\n", + throttleInfo->count, (int) (current_time - throttleInfo->lastUpdate)); + } + + ErrorMessage("%s",buf); + throttleInfo->lastUpdate = current_time; + throttleInfo->count = 0; + } + +} + + +/ * Function: LogMessage(const char , ...) * Purpose: Print a message to stderr or with logfacility.
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/util.h ^
@@ -204,6 +204,15 @@ void LogMessage(const char , ...) __attribute__((format (printf, 1, 2))); void WarningMessage(const char , ...) __attribute__((format (printf, 1, 2))); void ErrorMessage(const char , ...) __attribute__((format (printf, 1, 2))); +typedef struct _ThrottleInfo +{ + time_t lastUpdate; + /Within this duration (in seconds), maximal one distinct message is logged/ + uint32_t duration_to_log; + uint64_t count; +}ThrottleInfo; +void ErrorMessageThrottled(ThrottleInfo,const char , ...) __attribute__((format (printf, 2, 3))); + NORETURN void FatalError(const char , ...) __attribute__((format (printf, 1, 2))); int SnortSnprintf(char , size_t, const char , ...) __attribute__((format (printf, 3, 4))); int SnortSnprintfAppend(char , size_t, const char , ...) __attribute__((format (printf, 3, 4))); @@ -274,6 +283,65 @@ return iRet; } +// Checks to make sure we're not going to evaluate a negative number for which +// strtoul() gladly accepts and parses returning an underflowed wrapped unsigned +// long without error. +// +// Buffer passed in MUST be NULL terminated. +// +// Returns +// int +// -1 if buffer is nothing but spaces or first non-space character is a +// negative sign. Also if errno is EINVAL (which may be due to a bad +// base) or there was nothing to convert. +// 0 on success +// +// Populates pointer to uint32_t value passed in which should +// only be used on a successful return from this function. +// +// Also will set errno to ERANGE on a value returned from strtoul that is +// greater than UINT32_MAX, but still return success. +// +static inline int SnortStrToU32(const char buffer, char endptr, + uint32_t value, int base) +{ + unsigned long int tmp; + + if ((buffer == NULL) \|\| (endptr == NULL) \|\| (value == NULL)) + return -1; + + // Only positive numbers should be processed and strtoul will + // eat up white space and process '-' and '+' so move past + // white space and check for a negative sign. + while (isspace((int)buffer)) + buffer++; + + // If all spaces or a negative sign is found, return error. + // XXX May also want to exclude '+' as well. + if ((buffer == '\0') \|\| (buffer == '-')) + return -1; + + tmp = SnortStrtoul(buffer, endptr, base); + + // The user of the function should check for ERANGE in errno since this + // function can be used such that an ERANGE error is acceptable and + // value gets truncated to UINT32_MAX. + if ((errno == EINVAL) \|\| (endptr == buffer)) + return -1; + + // If value is greater than a UINT32_MAX set value to UINT32_MAX + // and errno to ERANGE + if (tmp > UINT32_MAX) + { + tmp = UINT32_MAX; + errno = ERANGE; + } + + value = (uint32_t)tmp; + + return 0; +} + static inline long SnortStrtolRange(const char nptr, char **endptr, int base, long lo, long hi) { long iRet = SnortStrtol(nptr, endptr, base);
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/win32/WIN32-Includes/config.h ^
@@ -125,7 +125,7 @@ * should both match the ones specified in the * AM_INIT_AUTOMAKE() macro of configure.in */ -#define VERSION "2.9.2.1"VERSION_ENABLE_ODBC""VERSION_ENABLE_MYSQL""VERSION_ENABLE_MSSQL""VERSION_ENABLE_ORACLE""VERSION_ENABLE_RESPONSE"-WIN32"VERSION_DEBUG +#define VERSION "2.9.2.2"VERSION_ENABLE_ODBC""VERSION_ENABLE_MYSQL""VERSION_ENABLE_MSSQL""VERSION_ENABLE_ORACLE""VERSION_ENABLE_RESPONSE"-WIN32"VERSION_DEBUG #define PACKAGE "snort" #define IFNAMSIZ 255
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/src/win32/WIN32-Prj/snort_installer.nsi ^
@@ -11,7 +11,7 @@ ; Note that this NSIS script is designed for NSIS version 2.09. ; -Name "Snort 2.9.2.1" +Name "Snort 2.9.2.2" CRCCheck On @@ -23,7 +23,7 @@ ;Configuration ;General - OutFile "Snort_2_9_2_1_Installer.exe" ; The name of the installer executable + OutFile "Snort_2_9_2_2_Installer.exe" ; The name of the installer executable ;Folder selection page InstallDir "C:\Snort"
[-] [+]	Changed	snort-2.9.2.2.tar.bz2/tools/u2spewfoo/u2spewfoo.c ^
@@ -124,6 +124,8 @@ u2record current; } u2iterator; +static long s_pos = 0, s_off = 0; + #define TO_IP(x) x >> 24, (x >> 16) & 0xff, (x >> 8) & 0xff, x & 0xff u2iterator new_iterator(char filename) { @@ -166,6 +168,12 @@ return FAILURE; } + if ( s_off ) + { + fseek(it->file, s_pos+s_off, SEEK_SET); + s_off = 0; + } + /* read type and length / bytes_read = fread(record, 1, sizeof(uint32_t) 2, it->file); /* But they're in network order! / @@ -184,13 +192,21 @@ return FAILURE; } + s_pos = ftell(it->file); + record->data = (uint8_t )realloc(record->data, record->length); bytes_read = fread(record->data, 1, record->length, it->file); if(bytes_read != record->length) { puts("get_record: (2) Failed to read all of record data."); printf("\tRead %u of %u bytes\n", bytes_read, record->length); - return FAILURE; + + if ( record->type != UNIFIED2_PACKET \|\| + bytes_read < ntohl(((Serial_Unified2Packet)record->data)->packet_length) + ) + return FAILURE; + + clearerr(it->file); } return SUCCESS; @@ -705,6 +721,10 @@ void packet_dump(u2record record) { uint32_t counter; uint8_t field; + + unsigned offset = sizeof(Serial_Unified2Packet)-4; + unsigned reclen = record->length - offset; + Serial_Unified2Packet packet; memcpy(&packet, record->data, sizeof(Serial_Unified2Packet)); @@ -724,7 +744,22 @@ packet.packet_second, packet.packet_microsecond, packet.linktype, packet.packet_length); - LogBuffer(record->data+sizeof(Serial_Unified2Packet)-4, packet.packet_length); + + if ( record->length <= offset ) + return; + + if ( packet.packet_length != reclen ) + { + printf("ERROR: logged %u but packet_length = %u\n", + record->length-offset, packet.packet_length); + + if ( packet.packet_length < reclen ) + { + reclen = packet.packet_length; + s_off = reclen + offset; + } + } + LogBuffer(record->data+offset, reclen); } int u2dump(char file) {

Changes of Revision 5