diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h
--- snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h 2007-07-03 14:41:39.000000000 -0600
+++ ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h 2007-09-11 10:15:28.000000000 -0600
@@ -29,6 +29,10 @@
 * - 20.09.04: Initial Development. SAS
 *
 */
+
+ /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
 #ifndef __FTP_EO_EVENTS_H__
 #define __FTP_EO_EVENTS_H__
@@ -57,6 +61,21 @@
 #define FTP_EO_BOUNCE_SID 8
 #define FTP_EO_EVASIVE_TELNET_CMD_SID 9
+/** StillSecure **/
+/*
+ * FTP Drops
+ */
+#define FTP_DROP_TELNET_CMD 0x00000001
+#define FTP_DROP_INVALID_CMD 0x00000002
+#define FTP_DROP_PARAMETER_LENGTH_OVERFLOW 0x00000004
+#define FTP_DROP_MALFORMED_PARAMETER 0x00000008
+#define FTP_DROP_PARAMETER_STR_FORMAT 0x00000010
+#define FTP_DROP_RESPONSE_LENGTH_OVERFLOW 0x00000020
+#define FTP_DROP_ENCRYPTED 0x00000040
+#define FTP_DROP_BOUNCE 0x00000080
+#define FTP_DROP_EVASIVE_TELNET_CMD 0x00000100
+/** End StillSecure **/
+
 /*
 * IMPORTANT:
 * Every time you add an FTP event, this number must be
@@ -97,6 +116,15 @@
 #define TELNET_EO_ENCRYPTED_SID 2
 #define TELNET_EO_SB_NO_SE_SID 3
+/** StillSecure **/
+/*
+ * Telent Drops
+ */
+#define TELNET_DROP_AYT_OVERFLOW 0x00000001
+#define TELNET_DROP_ENCRYPTED 0x00000002
+#define TELNET_DROP_SB_NO_SE 0x00000004
+/** End StillSecure **/
+
 /*
 * IMPORTANT:
diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h
--- snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h 2007-07-03 14:41:40.000000000 -0600
+++ ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h 2007-09-11 10:16:34.000000000 -0600
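Review bot: The new FTP_DROP_* bits in the @@ -57 hunk are consumed from three different configuration structs, and nothing in the header says which bit belongs to which struct; a reader cannot tell from this file that FTP_DROP_ENCRYPTED and FTP_DROP_EVASIVE_TELNET_CMD are global-conf bits while FTP_DROP_BOUNCE is a client-conf bit. The parser hunks in snort_ftptelnet.c set FTP_DROP_ENCRYPTED and FTP_DROP_EVASIVE_TELNET_CMD on the global conf, FTP_DROP_TELNET_CMD, FTP_DROP_RESPONSE_LENGTH_OVERFLOW and FTP_DROP_BOUNCE on the client conf, and FTP_DROP_TELNET_CMD, FTP_DROP_INVALID_CMD, FTP_DROP_PARAMETER_LENGTH_OVERFLOW, FTP_DROP_MALFORMED_PARAMETER and FTP_DROP_PARAMETER_STR_FORMAT on the server conf. I would extend the block comment to ` * FTP Drops: bit values for the drop_flags member of the global, client and server conf structs; a bit only takes effect on the struct whose config parser accepts its keyword`. The same comment belongs on the TELNET_DROP_* block in the @@ -97 hunk, whose title is also misspelled as `Telent Drops`.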
@@ -34,6 +34,10 @@
 * - 20.09.04: Initial Development. SAS
 */
+ /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
+
 #ifndef __FTPP_UI_CONFIG_H__
 #define __FTPP_UI_CONFIG_H__
@@ -213,6 +217,9 @@
 FTPTELNET_CONF_OPT telnet_cmds;
 int data_chan;
+ //StillSecure
+ unsigned int drop_flags;
+
 } FTP_SERVER_PROTO_CONF;
 typedef struct s_FTP_BOUNCE_TO
@@ -242,6 +249,9 @@
 /* TODO: change this to use a quick find of IP/mask */
 BOUNCE_LOOKUP *bounce_lookup;
+ //StillSecure
+ unsigned int drop_flags;
+
 } FTP_CLIENT_PROTO_CONF;
 /*
@@ -259,6 +269,9 @@
 int ayt_threshold;
 char detect_anomalies;
+
+ //StillSecure
+ unsigned int drop_flags;
 } TELNET_PROTO_CONF;
@@ -280,6 +293,9 @@
 SERVER_LOOKUP *server_lookup;
 CLIENT_LOOKUP *client_lookup;
+ //StillSecure
+ unsigned int drop_flags;
+
 } FTPTELNET_GLOBAL_CONF;
 /*
diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/pp_ftp.c ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/pp_ftp.c
--- snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/pp_ftp.c 2007-07-03 14:41:40.000000000 -0600
+++ ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/pp_ftp.c 2007-09-11 10:17:31.000000000 -0600
@@ -33,6 +33,10 @@
 *
 */
+ /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
+
 /* your preprocessor header file goes here */
 #ifdef HAVE_CONFIG_H
@@ -381,6 +385,10 @@
 /* Alert on string format attack in parameter */
 ftp_eo_event_log(Session, FTP_EO_PARAMETER_STR_FORMAT, NULL, NULL);
+ /** StillSecure **/
+ if((Session->server_conf->drop_flags & FTP_DROP_PARAMETER_STR_FORMAT) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 return FTPP_ALERTED;
 }
 }
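Review bot: The new `drop_flags` member in the @@ -213 hunk carries no comment, and this header is the only place a reader learns that it is a bitmask rather than a boolean; I would put `/* bitmask of FTP_DROP_* bits from ftpp_eo_events.h; 0 means alert only */` above it, with TELNET_DROP_* for the TELNET_PROTO_CONF member. The same applies to the @@ -242, @@ -259 and @@ -280 hunks. Nothing in this patch clears the new member where these structs are initialised or reset, so if those routines assign fields individually instead of zeroing the whole struct, drop_flags would start with whatever the allocator left behind — worth confirming, since a stray bit silently turns an alert into a drop.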
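Review bot: The four-line drop stanza added in the @@ -381 hunk is repeated verbatim, with only the conf pointer and the bit changed, in every later pp_ftp.c and pp_telnet.c hunk, and the copies already diverge (the @@ -687 hunk tests a different bit from the event it follows, the @@ -701 hunk omits the inlineMode() check). A small file-scope helper leaves one place to keep correct, and each site becomes a single line such as `ftp_drop_if_enabled(Session->server_conf->drop_flags, FTP_DROP_PARAMETER_STR_FORMAT, p);`. The type of `p` is not visible in the hunk, so the sketch below takes it as `void *`; use whatever packet type the enclosing functions declare.
```c
/** StillSecure **/
/*
 * Drop the current packet when `bit` is set in `drop_flags` and Snort is
 * running inline; otherwise the event stays alert-only.  Shared by every
 * drop site so the condition is written exactly once.
 */
static void ftp_drop_if_enabled(unsigned int drop_flags, unsigned int bit, void *p)
{
    if ((drop_flags & bit) && _dpd.inlineMode())
        _dpd.inlineDrop(p);
}
/** End StillSecure **/

/* … unchanged: alert on string format attack in parameter … */
ftp_drop_if_enabled(Session->server_conf->drop_flags, FTP_DROP_PARAMETER_STR_FORMAT, p);
```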
@@ -517,6 +525,11 @@
 /* Return here -- because we will likely want to
 * inspect the data traffic over a bounced data
 * connection */
+ /** StillSecure **/
+ if((Session->client_conf->drop_flags & FTP_DROP_BOUNCE) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
+
 return FTPP_PORT_ATTACK;
 }
 }
@@ -687,7 +700,12 @@
 if (Session->global_conf->global_telnet.detect_anomalies)
 {
 ftp_eo_event_log(Session, FTP_EO_EVASIVE_TELNET_CMD, NULL, NULL);
- }
 }
+ /** StillSecure **/
+ if((Session->global_conf->drop_flags & FTP_DROP_BOUNCE) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
+ }
+ }
 return iRet;
 }
@@ -701,6 +719,12 @@
 {
 /* alert -- FTP channel with telnet commands */
 ftp_eo_event_log(Session, FTP_EO_TELNET_CMD, NULL, NULL);
+ /** StillSecure **/
+ if ( (( (Session->client_conf->drop_flags & FTP_DROP_TELNET_CMD) != 0) &&
+ (iMode == FTPP_SI_CLIENT_MODE)) ||
+ (( (Session->server_conf->drop_flags & FTP_DROP_TELNET_CMD) != 0) &&
+ (iMode == FTPP_SI_SERVER_MODE)) )
+ _dpd.inlineDrop(p);
 return FTPP_ALERT; /* Nothing else to do since we alerted */
 }
@@ -896,6 +920,10 @@
 /* Alert on encrypted channel */
 ftp_eo_event_log(Session, FTP_EO_ENCRYPTED, NULL, NULL);
+ /** StillSecure **/
+ if((Session->global_conf->drop_flags & FTP_DROP_ENCRYPTED) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 }
 DEBUG_WRAP(_dpd.debugMsg(DEBUG_FTPTELNET, "FTP stream is now TLS encrypted\n"););
@@ -911,6 +939,10 @@
 /* Alert on encrypted channel */
 ftp_eo_event_log(Session, FTP_EO_ENCRYPTED, NULL, NULL);
+ /** StillSecure **/
+ if((Session->global_conf->drop_flags & FTP_DROP_ENCRYPTED) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 }
 DEBUG_WRAP(_dpd.debugMsg(DEBUG_FTPTELNET, "FTP stream is now SSL encrypted\n"););
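Review bot: The drop check in the @@ -687 hunk tests `FTP_DROP_BOUNCE` on `Session->global_conf->drop_flags`, but the event logged just above it is FTP_EO_EVASIVE_TELNET_CMD, and the global-conf parser in snort_ftptelnet.c (the @@ -511 hunk) sets FTP_DROP_EVASIVE_TELNET_CMD for `drop_evasive_telnet_cmd`; within this patch FTP_DROP_BOUNCE is only ever set on the client conf. As written, `drop_evasive_telnet_cmd` never drops anything and this condition cannot become true. The line should read `if((Session->global_conf->drop_flags & FTP_DROP_EVASIVE_TELNET_CMD) && _dpd.inlineMode())`. The hunk also moves a closing brace so the drop appears to sit outside the `detect_anomalies` block; if dropping without anomaly detection enabled is intended, say so in the StillSecure comment, since the enclosing function starts and ends outside the hunk.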
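Review bot: The @@ -701 hunk is the one drop site in this patch that calls `_dpd.inlineDrop(p)` without first testing `_dpd.inlineMode()`, and it also lacks the `/** End StillSecure **/` marker every other site carries. For consistency with the other hunks, parenthesise the existing `||` expression and append `&& _dpd.inlineMode()` to the condition, and add the closing marker after the drop line; whether inlineDrop is harmless outside inline mode is not visible here, so the guard is the safe default. A one-line comment such as `/* iMode selects whether the client or the server drop bit applies */` would also help, since this is the only site that consults two confs.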
@@ -925,6 +957,10 @@
 /* Alert on encrypted channel */
 ftp_eo_event_log(Session, FTP_EO_ENCRYPTED, NULL, NULL);
+ /** StillSecure **/
+ if((Session->global_conf->drop_flags & FTP_DROP_ENCRYPTED) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 }
 DEBUG_WRAP(_dpd.debugMsg(DEBUG_FTPTELNET, "FTP stream is now encrypted\n"););
@@ -1065,6 +1101,10 @@
 /* Alert on encrypted channel */
 ftp_eo_event_log(ftpssn, FTP_EO_ENCRYPTED, NULL, NULL);
+ /** StillSecure **/
+ if((ftpssn->global_conf->drop_flags & FTP_DROP_ENCRYPTED) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 }
 if (!ftpssn->global_conf->check_encrypted_data)
 {
@@ -1088,6 +1128,11 @@
 /* Alert, cmd not found */
 ftp_eo_event_log(ftpssn, FTP_EO_INVALID_CMD, NULL, NULL);
 state = FTP_CMD_INV;
+
+ /** StillSecure **/
+ if((ftpssn->server_conf->drop_flags & FTP_DROP_INVALID_CMD) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 }
 else
 {
@@ -1100,6 +1145,11 @@
 /* Alert, cmd not found */
 ftp_eo_event_log(ftpssn, FTP_EO_INVALID_CMD, NULL, NULL);
 state = FTP_CMD_INV;
+
+ /** StillSecure **/
+ if((ftpssn->server_conf->drop_flags & FTP_DROP_INVALID_CMD) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 }
 else
 {
@@ -1143,6 +1193,10 @@
 /* Alert on encrypted channel */
 ftp_eo_event_log(ftpssn, FTP_EO_ENCRYPTED, NULL, NULL);
+ /** StillSecure **/
+ if((ftpssn->global_conf->drop_flags & FTP_DROP_ENCRYPTED) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 }
 if (!ftpssn->global_conf->check_encrypted_data)
 {
@@ -1323,6 +1377,10 @@
 /* Alert on response message overflow */
 ftp_eo_event_log(ftpssn, FTP_EO_RESPONSE_LENGTH_OVERFLOW, NULL, NULL);
+ /** StillSecure **/
+ if((ftpssn->client_conf->drop_flags & FTP_DROP_RESPONSE_LENGTH_OVERFLOW) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 iRet = FTPP_ALERT;
 }
@@ -1345,6 +1403,10 @@
 /* Alert on response message overflow */
 ftp_eo_event_log(ftpssn, FTP_EO_RESPONSE_LENGTH_OVERFLOW, NULL, NULL);
+ /** StillSecure **/
+ if((ftpssn->client_conf->drop_flags & FTP_DROP_RESPONSE_LENGTH_OVERFLOW) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 iRet = FTPP_ALERT;
 }
 break;
@@ -1359,6 +1421,10 @@
 /* Alert on response message overflow */
 ftp_eo_event_log(ftpssn, FTP_EO_RESPONSE_LENGTH_OVERFLOW, NULL, NULL);
+ /** StillSecure **/
+ if((ftpssn->client_conf->drop_flags & FTP_DROP_RESPONSE_LENGTH_OVERFLOW) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 iRet = FTPP_ALERT;
 }
 break;
@@ -1374,6 +1440,10 @@
 /* Alert on param length overrun */
 ftp_eo_event_log(ftpssn, FTP_EO_PARAMETER_LENGTH_OVERFLOW, NULL, NULL);
+ /** StillSecure **/
+ if((ftpssn->server_conf->drop_flags & FTP_DROP_PARAMETER_LENGTH_OVERFLOW) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 DEBUG_WRAP(_dpd.debugMsg(DEBUG_FTPTELNET, "FTP command: %.*s" "parameter length overrun %d > %d \n", req->cmd_size, req->cmd_begin, req->param_size,
@@ -1429,6 +1499,10 @@
 /* Set Alert on malformatted parameter */
 ftp_eo_event_log(ftpssn, FTP_EO_MALFORMED_PARAMETER, NULL, NULL);
+ /** StillSecure **/
+ if((ftpssn->server_conf->drop_flags & FTP_DROP_MALFORMED_PARAMETER) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 iRet = FTPP_ALERT;
 break;
 }
diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/pp_telnet.c ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/pp_telnet.c
--- snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/pp_telnet.c 2007-07-03 14:41:40.000000000 -0600
+++ ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/pp_telnet.c 2007-09-11 10:18:05.000000000 -0600
@@ -39,6 +39,10 @@
 *
 */
+ /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
+
 /* your preprocessor header file goes here */
 #ifdef HAVE_CONFIG_H
@@ -243,6 +247,10 @@
 /* Alert on consecutive AYT commands */
 telnet_eo_event_log(tnssn, TELNET_EO_AYT_OVERFLOW, NULL, NULL);
+ /** StillSecure **/
+ if((tnssn->telnet_conf->drop_flags & TELNET_DROP_AYT_OVERFLOW) && _dpd.inlineMode())
+ _dpd.inlineDrop(p);
+ /** End StillSecure **/
 tnssn->consec_ayt = 0;
 return FTPP_ALERT;
 }
diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c
--- snort-2.7.0.1/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c 2007-07-03 14:41:40.000000000 -0600
+++ ss-snort-2.7.0.1-ftptelnet/src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c 2007-09-11 10:18:42.000000000 -0600
@@ -46,6 +46,10 @@
 * - 16.09.04: Initial Development. SAS
 *
 */
+
+ /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
 #include
 #include
 #include
@@ -162,6 +166,24 @@
 #define ALLOW_BOUNCE "bounce_to"
 #define MAX_RESP_LEN "max_resp_len"
+/** StillSecure **/
+/*
+ * Drop keywords
+ */
+#define DROP_TELNET_CMD "drop_telnet_cmd"
+#define DROP_INVALID_CMD "drop_invalid_cmd"
+#define DROP_PARAMETER_LENGTH_OVERFLOW "drop_long_cmd_parameters"
+#define DROP_MALFORMED_PARAMETER "drop_malformed_parameters"
+#define DROP_PARAMETER_STR_FORMAT "drop_string_format_parameters"
+#define DROP_RESPONSE_LENGTH_OVERFLOW "drop_long_response_parameters"
+#define DROP_ENCRYPTED "drop_encrypted_traffic"
+#define DROP_BOUNCE "drop_bounce_attempt"
+#define DROP_EVASIVE_TELNET_CMD "drop_evasive_telnet_cmd"
+#define DROP_AYT_OVERFLOW "drop_ayt_overflow"
+#define DROP_SB_NO_SE "drop_sb_no_se"
+/** End StillSecure **/
+
+
 /*
 * Data type keywords
 */
@@ -511,6 +533,12 @@
 return iRet;
 }
 }
+ /** StillSecure **/
+ else if(!strcmp(DROP_ENCRYPTED, pcToken))
+ GlobalConf->drop_flags |= FTP_DROP_ENCRYPTED;
+ else if(!strcmp(DROP_EVASIVE_TELNET_CMD, pcToken))
+ GlobalConf->drop_flags |= FTP_DROP_EVASIVE_TELNET_CMD;
+ /** End StillSecure **/
 else
 {
 snprintf(ErrorString, ErrStrLen,
@@ -725,6 +753,15 @@
 _dpd.logMsg(" Normalize: %s\n", TelnetConf->normalize ? "YES" : "NO");
 _dpd.logMsg(" Detect Anomalies: %s\n", TelnetConf->detect_anomalies ? "YES" : "NO");
+ /** StillSecure **/
+ if(TelnetConf->drop_flags & TELNET_DROP_AYT_OVERFLOW)
+ _dpd.logMsg(" Drop TELNET AYT Commands Beyond Threshold: YES\n");
+ if(TelnetConf->drop_flags & TELNET_DROP_ENCRYPTED)
+ _dpd.logMsg(" Drop Encrypted TELNET Traffic: YES\n");
+ if(TelnetConf->drop_flags & TELNET_DROP_SB_NO_SE)
+ _dpd.logMsg(" Drop TELNET Subnegotiation Begin Command Without Subnegotiation End: YES\n");
+ /** End StillSecure **/
+
 return FTPP_SUCCESS;
 }
@@ -796,6 +833,20 @@
 {
 GlobalConf->global_telnet.detect_anomalies = 1;
 }
+ /** StillSecure **/
+ else if(!strcmp(DROP_AYT_OVERFLOW,pcToken))
+ {
+ GlobalConf->global_telnet.drop_flags |= TELNET_DROP_AYT_OVERFLOW;
+ }
+ else if(!strcmp(DROP_ENCRYPTED,pcToken))
+ {
+ GlobalConf->global_telnet.drop_flags |= TELNET_DROP_ENCRYPTED;
+ }
+ else if(!strcmp(DROP_SB_NO_SE,pcToken))
+ {
+ GlobalConf->global_telnet.drop_flags |= TELNET_DROP_SB_NO_SE;
+ }
+ /** End StillSecure **/
 /*
 * Start the CONF_OPT configurations.
 */
@@ -2377,6 +2428,14 @@
 }
 FTPBounce = ftp_bounce_lookup_next(ClientConf->bounce_lookup, &iErr);
 }
+ /** StillSecure **/
+ if(ClientConf->drop_flags & FTP_DROP_BOUNCE)
+ _dpd.logMsg(" Drop Bounce Attack: Yes\n");
+ if(ClientConf->drop_flags & FTP_DROP_TELNET_CMD)
+ _dpd.logMsg(" Drop Telnet Cmds: Yes\n");
+ if(ClientConf->drop_flags & FTP_DROP_RESPONSE_LENGTH_OVERFLOW)
+ _dpd.logMsg(" Drop Response That Exceeds Max Length: Yes\n");
+ /** End StillSecure **/
 return FTPP_SUCCESS;
 }
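Review bot: The @@ -796 hunk accepts `drop_encrypted_traffic` and `drop_sb_no_se` for the telnet conf and sets TELNET_DROP_ENCRYPTED and TELNET_DROP_SB_NO_SE, and the @@ -725 hunk reports them as active, but the only enforcement this patch adds to pp_telnet.c (the @@ -243 hunk) is for TELNET_DROP_AYT_OVERFLOW. Unless those two bits are consumed somewhere outside this diff, an operator who configures them gets a `Drop ...: YES` line in the startup log and no drop, which is the worst kind of false assurance for an inline deployment. Either add the matching checks beside the TELNET_EO_ENCRYPTED and TELNET_EO_SB_NO_SE event sites, or mark the two keyword branches with `/* parsed and reported, but not yet enforced in pp_telnet.c */` so the gap is visible in the code.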
@@ -2454,6 +2513,14 @@
 return iRet;
 }
 }
+ /** StillSecure **/
+ else if(!strcmp(DROP_TELNET_CMD, pcToken))
+ ClientConf->drop_flags |= FTP_DROP_TELNET_CMD;
+ else if(!strcmp(DROP_RESPONSE_LENGTH_OVERFLOW, pcToken))
+ ClientConf->drop_flags |= FTP_DROP_RESPONSE_LENGTH_OVERFLOW;
+ else if(!strcmp(DROP_BOUNCE, pcToken))
+ ClientConf->drop_flags |= FTP_DROP_BOUNCE;
+ /** End StillSecure **/
 else
 {
 snprintf(ErrorString, ErrStrLen,
@@ -2665,6 +2732,18 @@
 FTPCmd = ftp_cmd_lookup_next(ServerConf->cmd_lookup, &iRet);
 }
 }
+ /** StillSecure **/
+ if(ServerConf->drop_flags & FTP_DROP_TELNET_CMD)
+ _dpd.logMsg(" Drop Response That Exceeds Max Length: Yes\n");
+ if(ServerConf->drop_flags & FTP_DROP_INVALID_CMD)
+ _dpd.logMsg(" Drop Invalid FTP Commands: Yes\n");
+ if(ServerConf->drop_flags & FTP_DROP_PARAMETER_LENGTH_OVERFLOW)
+ _dpd.logMsg(" Drop When Command Parameters Exceeds Max Length: Yes\n");
+ if(ServerConf->drop_flags & FTP_DROP_MALFORMED_PARAMETER)
+ _dpd.logMsg(" Drop Command Parameters That Are Malformed: Yes\n");
+ if(ServerConf->drop_flags & FTP_DROP_PARAMETER_STR_FORMAT)
+ _dpd.logMsg(" Drop Command Parameters That Contain Potential String Format: Yes\n");
+ /** End StillSecure **/
 return FTPP_SUCCESS;
 }
@@ -2816,6 +2895,18 @@
 return iRet;
 }
 }
+ /** StillSecure **/
+ else if(!strcmp(DROP_TELNET_CMD, pcToken))
+ ServerConf->drop_flags |= FTP_DROP_TELNET_CMD;
+ else if(!strcmp(DROP_INVALID_CMD, pcToken))
+ ServerConf->drop_flags |= FTP_DROP_INVALID_CMD;
+ else if(!strcmp(DROP_PARAMETER_LENGTH_OVERFLOW, pcToken))
+ ServerConf->drop_flags |= FTP_DROP_PARAMETER_LENGTH_OVERFLOW;
+ else if(!strcmp(DROP_MALFORMED_PARAMETER, pcToken))
+ ServerConf->drop_flags |= FTP_DROP_MALFORMED_PARAMETER;
+ else if(!strcmp(DROP_PARAMETER_STR_FORMAT, pcToken))
+ ServerConf->drop_flags |= FTP_DROP_PARAMETER_STR_FORMAT;
+ /** End StillSecure */
 else
 {
 snprintf(ErrorString, ErrStrLen,
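Review bot: The first message in the @@ -2665 hunk is wrong: when `FTP_DROP_TELNET_CMD` is set on the server conf it prints `Drop Response That Exceeds Max Length: Yes`, which is the client-side FTP_DROP_RESPONSE_LENGTH_OVERFLOW text carried over from the @@ -2377 hunk. An operator checking the startup log would conclude that a different option is active and that telnet-command dropping is not. It should read `_dpd.logMsg(" Drop Telnet Cmds: Yes\n");` to match the client-side wording for the same bit. Separately, the closing marker in the @@ -2816 hunk reads `/** End StillSecure */` where every other site uses `/** End StillSecure **/`, which matters if anyone greps for the markers.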
@@ -3008,6 +3099,13 @@
 PrintConfOpt(&GlobalConf->encrypted, "Check for Encrypted Traffic");
 _dpd.logMsg(" Continue to check encrypted data: %s\n", GlobalConf->check_encrypted_data ? "YES" : "NO");
+ /** StillSecure **/
+ if(GlobalConf->drop_flags & FTP_DROP_ENCRYPTED)
+ _dpd.logMsg(" Drop FTP Encrypted Traffic\n");
+ if(GlobalConf->drop_flags & FTP_DROP_EVASIVE_TELNET_CMD)
+ _dpd.logMsg(" Drop Evasive(incomplete) TELNET CMD on FTP Command Channel\n");
+ /** End StillSecure **/
+
 return FTPP_SUCCESS;
 }