diff -Naur snort-2.7.0.1/src/preprocessors/spp_frag3.c ss-snort-2.7.0.1-frag3/src/preprocessors/spp_frag3.c
--- snort-2.7.0.1/src/preprocessors/spp_frag3.c 2007-07-03 14:41:45.000000000 -0600
+++ ss-snort-2.7.0.1-frag3/src/preprocessors/spp_frag3.c 2007-09-11 10:32:27.000000000 -0600
@@ -74,6 +74,9 @@
 * the README file for specifics!
 */
 
+/* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
 /* I N C L U D E S ************************************************/
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -175,6 +178,19 @@
 /* flag for detecting attacks/alerting */
 #define FRAG3_DETECT_ANOMALIES 0x01
 
+/** StillSecure **/
+#define DROP_IPOPTIONS 0x000000001
+#define DROP_TEARDROP 0x000000002
+#define DROP_SHORT_FRAG 0x000000004
+#define DROP_ANOMALY_OVERSIZE 0x000000008
+#define DROP_ANOMALY_ZERO 0x000000010
+#define DROP_ANOMALY_BADSIZE_SM 0x000000020
+#define DROP_ANOMALY_BADSIZE_LG 0x000000040
+#define DROP_ANOMALY_OVLP 0x000000080
+#define DROP_IPV6_BSD_ICMP_FRAG 0x000000100
+#define DROP_IPV6_BAD_FRAG_PKT 0x000000200
+/** End StillSecure **/
+
 /* D A T A S T R U C T U R E S **********************************/
 
 /* global configuration data struct for this preprocessor */
@@ -199,6 +215,8 @@
 char frag3_alerts; /* Whether or not frag3 alerts are enabled */
 IpAddrSet *bound_addrs; /* addresses bound to this context */
+ //StillSecure
+ u_int16_t drop_flags;
 } Frag3Context;
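Review bot: The DROP_* masks in the -175 hunk are written with nine hex digits (`0x000000001`), which matches neither a 32-bit literal nor the `u_int16_t drop_flags` field the -199 hunk adds to Frag3Context, so the relationship between mask width and field width is left to the reader. Ten bits are used, so every value fits today, but a flag pattern-copied above bit 15 would be truncated on `|=` into the 16-bit field, possibly without any compile-time warning. I'd define them as shifts, `#define DROP_IPOPTIONS (1u << 0)` through `#define DROP_IPV6_BAD_FRAG_PKT (1u << 9)`, and comment the field: `u_int16_t drop_flags; /* DROP_* bitmask; widen before adding a flag above bit 15 */`.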
@@ -497,6 +515,30 @@
 LogMessage(" Fragment min_ttl: %d\n", context->min_ttl);
 LogMessage(" Fragment ttl_limit: %d\n", context->ttl_limit);
 LogMessage(" Fragment Problems: %X\n", context->frag3_alerts);
+
+ /** StillSecure **/
+ if(context->drop_flags & DROP_IPOPTIONS)
+ LogMessage(" Drop inconsistent IP Options\n");
+ if(context->drop_flags & DROP_TEARDROP)
+ LogMessage(" Drop Teardrop attack\n");
+ if(context->drop_flags & DROP_SHORT_FRAG)
+ LogMessage(" Drop short fragment, possible DOS\n");
+ if(context->drop_flags & DROP_ANOMALY_OVERSIZE)
+ LogMessage(" Drop packet after defragmented packet\n");
+ if(context->drop_flags & DROP_ANOMALY_ZERO)
+ LogMessage(" Drop zero byte fragmented packet\n");
+ if(context->drop_flags & DROP_ANOMALY_BADSIZE_SM)
+ LogMessage(" Drop negative size fragment\n");
+ if(context->drop_flags & DROP_ANOMALY_BADSIZE_LG)
+ LogMessage(" Drop oversized fragment\n");
+ if(context->drop_flags & DROP_ANOMALY_OVLP)
+ LogMessage(" Drop fragmentation overlap\n");
+ if(context->drop_flags & DROP_IPV6_BSD_ICMP_FRAG)
+ LogMessage(" Drop IPV6 BSD mbufs kernel overflow\n");
+ if(context->drop_flags & DROP_IPV6_BAD_FRAG_PKT)
+ LogMessage(" Drop bogus fragmentation packet\n");
+ /** End StillSecure **/
+
 //LogMessage(" Bound Addresses:\n");
 IpAddrSetPrint(" Bound Addresses: ", context->bound_addrs);
 }
@@ -508,7 +550,8 @@
 *
 * @return none
 */
-static INLINE void EventAnomIpOpts(Frag3Context *context)
+//StillSecure
+static INLINE void EventAnomIpOpts(Frag3Context *context,Packet *p)
 {
 if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES))
 return;
@@ -521,6 +564,11 @@
 FRAG3_IPOPTIONS_STR, /* event message */
 NULL); /* rule info ptr */
 
+ /** StillSecure **/
+ if((context->drop_flags & DROP_IPOPTIONS) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
+
 f3stats.alerts++;
 }
 
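Review bot: `InlineDrop(p)` in EventAnomIpOpts is placed after the early `return` on `!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)`, so a context configured with `drop_ipoptions` but without the anomaly-alert flag never drops, even though the -497 hunk prints `Drop inconsistent IP Options` at startup as if it did. The same ordering is repeated in EventAttackTeardrop, EventAnomShortFrag, EventAnomOversize, EventAnomZeroFrag, EventAnomBadsizeLg, EventAnomBadsizeSm and EventAnomOverlap, and some call sites (the -2605 and -2832 hunks) are gated on FRAG3_DETECT_ANOMALIES as well, so moving the drop above the return in the event functions alone would not cover every path. If the drop options are meant to require detect_anomalies, make that explicit by rejecting a `drop_*` option without it in the parser or by documenting it at the field, `/* drop_* only takes effect when FRAG3_DETECT_ANOMALIES is also set */`; otherwise the drop test needs to run before the alert gate at each site.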
@@ -531,7 +579,8 @@
 *
 * @return none
 */
-static INLINE void EventAttackTeardrop(Frag3Context *context)
+//StillSecure
+static INLINE void EventAttackTeardrop(Frag3Context *context,Packet *p)
 {
 if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES))
 return;
@@ -544,6 +593,11 @@
 FRAG3_TEARDROP_STR, /* event message */
 NULL); /* rule info ptr */
 
+ /** StillSecure **/
+ if((context->drop_flags & DROP_TEARDROP) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
+
 f3stats.alerts++;
 }
 
@@ -555,7 +609,8 @@
 *
 * @return none
 */
-static INLINE void EventAnomShortFrag(Frag3Context *context)
+//StillSecure
+static INLINE void EventAnomShortFrag(Frag3Context *context,Packet *p)
 {
 if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES))
 return;
@@ -568,8 +623,13 @@
 FRAG3_SHORT_FRAG_STR, /* event message */
 NULL); /* rule info ptr */
 
- f3stats.alerts++;
- f3stats.anomalies++;
+ /** StillSecure **/
+ if((context->drop_flags & DROP_SHORT_FRAG) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
+
+ f3stats.alerts++;
+ f3stats.anomalies++;
 }
 
 /**
@@ -580,7 +640,8 @@
 *
 * @return none
 */
-static INLINE void EventAnomOversize(Frag3Context *context)
+//StillSecure
+static INLINE void EventAnomOversize(Frag3Context *context,Packet *p)
 {
 if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES))
 return;
@@ -593,8 +654,13 @@
 FRAG3_ANOM_OVERSIZE_STR, /* event message */
 NULL); /* rule info ptr */
 
- f3stats.alerts++;
- f3stats.anomalies++;
+ /** StillSecure **/
+ if((context->drop_flags & DROP_ANOMALY_OVERSIZE) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
+
+ f3stats.alerts++;
+ f3stats.anomalies++;
 }
 
 /**
@@ -605,7 +671,8 @@
 *
 * @return none
 */
-static INLINE void EventAnomZeroFrag(Frag3Context *context)
+//StillSecure
+static INLINE void EventAnomZeroFrag(Frag3Context *context,Packet *p)
 {
 if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES))
 return;
@@ -618,8 +685,13 @@
 FRAG3_ANOM_ZERO_STR, /* event message */
 NULL); /* rule info ptr */
 
- f3stats.alerts++;
- f3stats.anomalies++;
+ /** StillSecure **/
+ if((context->drop_flags & DROP_ANOMALY_ZERO) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
+
+ f3stats.alerts++;
+ f3stats.anomalies++;
 }
 
 /**
@@ -629,7 +701,8 @@
 *
 * @return none
 */
-static INLINE void EventAnomBadsizeLg(Frag3Context *context)
+//StillSecure
+static INLINE void EventAnomBadsizeLg(Frag3Context *context,Packet *p)
 {
 if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES))
 return;
@@ -642,6 +715,11 @@
 FRAG3_ANOM_BADSIZE_LG_STR, /* event message */
 NULL); /* rule info ptr */
 
+ /** StillSecure **/
+ if((context->drop_flags & DROP_ANOMALY_BADSIZE_LG) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
+
 f3stats.alerts++;
 f3stats.anomalies++;
 }
@@ -653,7 +731,8 @@
 *
 * @return none
 */
-static INLINE void EventAnomBadsizeSm(Frag3Context *context)
+//StillSecure
+static INLINE void EventAnomBadsizeSm(Frag3Context *context,Packet *p)
 {
 if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES))
 return;
@@ -666,8 +745,13 @@
 FRAG3_ANOM_BADSIZE_SM_STR, /* event message */
 NULL); /* rule info ptr */
 
- f3stats.alerts++;
- f3stats.anomalies++;
+ /** StillSecure **/
+ if((context->drop_flags & DROP_ANOMALY_BADSIZE_SM) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
+
+ f3stats.alerts++;
+ f3stats.anomalies++;
 }
 
 /**
@@ -677,7 +761,8 @@
 *
 * @return none
 */
-static INLINE void EventAnomOverlap(Frag3Context *context)
+//StillSecure
+static INLINE void EventAnomOverlap(Frag3Context *context,Packet *p)
 {
 if(!(context->frag3_alerts & FRAG3_DETECT_ANOMALIES))
 return;
@@ -690,8 +775,13 @@
 FRAG3_ANOM_OVLP_STR, /* event message */
 NULL); /* rule info ptr */
 
- f3stats.alerts++;
- f3stats.anomalies++;
+ /** StillSecure **/
+ if((context->drop_flags & DROP_ANOMALY_OVLP) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
+
+ f3stats.alerts++;
+ f3stats.anomalies++;
 }
 
 /**
@@ -814,6 +904,8 @@
 context->ttl_limit = FRAG3_TTL_LIMIT;
 context->min_ttl = FRAG3_MIN_TTL;
 context->frag3_alerts = 0;
+ //StillSecure
+ context->drop_flags = 0;
 
 /*
 * the IpAddrSet struct is initialized in Frag3ParseArgs
@@ -1154,7 +1246,8 @@
 else
 {
 int increment;
- toks = mSplit(args, " ", 13, &num_toks, 0);
+ //StillSecure
+ toks = mSplit(args, " ", 23, &num_toks, 0);
 
 i=0;
 
@@ -1256,6 +1349,46 @@
 "CIDR block argument\n", file_name, file_line);
 }
 }
+ else if(!strcasecmp(index, "drop_ipoptions"))
+ {
+ context->drop_flags |= DROP_IPOPTIONS;
+ }
+ else if(!strcasecmp(index, "drop_teardrop"))
+ {
+ context->drop_flags |= DROP_TEARDROP;
+ }
+ else if(!strcasecmp(index, "drop_short_frag"))
+ {
+ context->drop_flags |= DROP_SHORT_FRAG;
+ }
+ else if(!strcasecmp(index, "drop_anomaly_oversize"))
+ {
+ context->drop_flags |= DROP_ANOMALY_OVERSIZE;
+ }
+ else if(!strcasecmp(index, "drop_anomaly_zero"))
+ {
+ context->drop_flags |= DROP_ANOMALY_ZERO;
+ }
+ else if(!strcasecmp(index, "drop_anomaly_badsize_sm"))
+ {
+ context->drop_flags |= DROP_ANOMALY_BADSIZE_SM;
+ }
+ else if(!strcasecmp(index, "drop_anomaly_badsize_lg"))
+ {
+ context->drop_flags |= DROP_ANOMALY_BADSIZE_LG;
+ }
+ else if(!strcasecmp(index, "drop_anomaly_ovlp"))
+ {
+ context->drop_flags |= DROP_ANOMALY_OVLP;
+ }
+ else if(!strcasecmp(index, "drop_ipv6_bsd_icmp_frag"))
+ {
+ context->drop_flags |= DROP_IPV6_BSD_ICMP_FRAG;
+ }
+ else if(!strcasecmp(index, "drop_ipv6_bad_frag_pkt"))
+ {
+ context->drop_flags |= DROP_IPV6_BAD_FRAG_PKT;
+ }
 else
 {
 FatalError("%s(%d) => Invalid Frag3 engine option (%s)\n",
@@ -1881,7 +2014,7 @@
 {
 if (ft->copied_ip_option_count != p->ip_option_count)
 {
- EventAnomIpOpts(ft->context);
+ EventAnomIpOpts(ft->context,p);
 }
 }
 else
@@ -1891,7 +2024,7 @@
 {
 /* Is the high bit set? If not, weird anomaly. */
 if (!(p->ip_options[i].code & 0x80))
- EventAnomIpOpts(ft->context);
+ EventAnomIpOpts(ft->context,p);
 }
 }
 }
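Review bot: The third argument to mSplit in the -1154 hunk is a bare token limit that has to be raised by hand whenever an engine option is added (13 to 23 here, matching the ten new `drop_*` names), and nothing in the hunk says what the number counts; what mSplit does with input beyond the limit is not visible here. A named constant kept next to the option list, `#define FRAG3_MAX_ENGINE_TOKS 23 /* engine option tokens per mSplit call; bump when adding options */`, keeps the two in step. The enclosing parser function starts and ends outside the hunk.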
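Review bot: `drop_ipv6_bsd_icmp_frag` and `drop_ipv6_bad_frag_pkt` are accepted in the -1256 hunk and echoed by the -497 hunk's LogMessage lines, but no hunk in this patch tests DROP_IPV6_BSD_ICMP_FRAG or DROP_IPV6_BAD_FRAG_PKT; every added `InlineDrop(p)` checks one of the other eight masks. Unless code outside this diff consults them, an operator who sets these two gets a startup line confirming a drop that is never enforced, which is the wrong direction for a drop control to fail. Until the corresponding events exist, I'd route the two names to the existing FatalError branch, or at least mark them at the defines, `/* accepted but not yet enforced: no event checks this mask */`. The enclosing parser function starts and ends outside the hunk.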
@@ -2079,7 +2212,7 @@
 DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
 "[..] Short frag (Bonk, etc) attack!\n"););
 
- EventAnomShortFrag(f3context);
+ EventAnomShortFrag(f3context,p);
 
 /* don't return, might still be interesting... */
 }
@@ -2562,7 +2695,7 @@
 DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
 "[..] Short frag (Bonk, etc) attack!\n"););
 
- EventAnomShortFrag(f3context);
+ EventAnomShortFrag(f3context,p);
 
 /* don't return, might still be interesting... */
 }
@@ -2586,7 +2719,7 @@
 DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
 "[..] Oversize frag pkt!\n"););
 
- EventAnomOversize(f3context);
+ EventAnomOversize(f3context,p);
 
 PREPROC_PROFILE_END(frag3InsertPerfStats);
 return FRAG_INSERT_ANOMALY;
@@ -2605,7 +2738,7 @@
 
 if(f3context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
 {
- EventAnomZeroFrag(f3context);
+ EventAnomZeroFrag(f3context,p);
 }
 
 PREPROC_PROFILE_END(frag3InsertPerfStats);
@@ -2620,7 +2753,7 @@
 DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
 "[..] Oversize frag!\n"););
 
- EventAnomBadsizeLg(f3context);
+ EventAnomBadsizeLg(f3context,p);
 
 ft->frag_flags |= FRAG_BAD;
 
@@ -2699,7 +2832,7 @@
 DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
 "[..] Teardrop attack!\n"););
 
- EventAttackTeardrop(f3context);
+ EventAttackTeardrop(f3context,p);
 
 ft->frag_flags |= FRAG_BAD;
 
@@ -2741,7 +2874,7 @@
 DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
 "zero size frag"););
 
- EventAnomZeroFrag(f3context);
+ EventAnomZeroFrag(f3context,p);
 
 PREPROC_PROFILE_END(frag3InsertPerfStats);
 return FRAG_INSERT_ANOMALY;
@@ -2832,7 +2965,7 @@
 
 if(f3context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
 {
- EventAnomBadsizeSm(f3context);
+ EventAnomBadsizeSm(f3context,p);
 }
 
 PREPROC_PROFILE_END(frag3InsertPerfStats);
@@ -2887,7 +3020,7 @@
 DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
 "[..] Teardrop attack!\n"););
 
- EventAttackTeardrop(f3context);
+ EventAttackTeardrop(f3context,p);
 
 ft->frag_flags |= FRAG_BAD;
 
@@ -2982,7 +3115,7 @@
 /*
 * retrans/full overlap
 */
- EventAnomOverlap(f3context);
+ EventAnomOverlap(f3context,p);
 alerted_overlap = 1;
 f3stats.overlaps++;
 }
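Review bot: With DROP_ANOMALY_OVLP set, EventAnomOverlap in the -2982 hunk drops only the fragment that raised the first overlap alert for a tracker: the hunk sets `alerted_overlap = 1` immediately after the call, and if that flag gates the call (its condition is above the hunk), later overlapping fragments in the same tracker are neither alerted nor dropped and would presumably be forwarded. If the intent is to drop every overlapping fragment, the drop decision should not ride on the alert de-duplication, for example by testing `f3context->drop_flags & DROP_ANOMALY_OVLP` outside the `alerted_overlap` guard or by remembering the drop decision in the tracker alongside `FRAG_BAD`. The enclosing insert function starts and ends outside the hunk.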