diff -Naur snort-2.7.0.1/src/preprocessors/Stream5/snort_stream5_tcp.c ss-snort-2.7.0.1-stream5/src/preprocessors/Stream5/snort_stream5_tcp.c
--- snort-2.7.0.1/src/preprocessors/Stream5/snort_stream5_tcp.c 2007-07-26 14:08:15.000000000 -0600
+++ ss-snort-2.7.0.1-stream5/src/preprocessors/Stream5/snort_stream5_tcp.c 2007-09-11 10:28:50.000000000 -0600
@@ -45,6 +45,10 @@
 * - limit on number of overlapping packets? */
+ /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
+
 #include "debug.h"
 #include "detect.h"
 #include "plugbase.h"
@@ -149,6 +153,19 @@
 #define EVENT_EXCESSIVE_TCP_OVERLAPS 0x00000040
 #define EVENT_DATA_AFTER_RESET 0x00000080
+/** StillSecure **/
+/* drops - mirrors events*/
+#define DROP_SYN_ON_EST 0x00000001
+#define DROP_DATA_ON_SYN 0x00000002
+#define DROP_DATA_ON_CLOSED 0x00000004
+#define DROP_BAD_TIMESTAMP 0x00000008
+#define DROP_BAD_SEGMENT 0x00000010
+#define DROP_WINDOW_TOO_LARGE 0x00000020
+#define DROP_EXCESSIVE_TCP_OVERLAPS 0x00000040
+#define DROP_DATA_AFTER_RESET 0x00000080
+/** End StillSecure **/
+
+
 #define TF_NONE 0x00
 #define TF_WSCALE 0x01
 #define TF_TSTAMP 0x02
@@ -292,6 +309,8 @@
 u_int32_t overlap_limit;
 u_int32_t hs_timeout;
 u_int16_t flags;
+ //StillSecure
+ u_int16_t drop_flags;
 IpAddrSet *bound_addrs;
 FlushConfig flush_config[MAX_PORTS];
 FlushPointList flush_point_list;
@@ -827,13 +846,16 @@
 s5TcpPolicy->min_ttl = S5_DEFAULT_MIN_TTL;
 s5TcpPolicy->max_window = 0;
 s5TcpPolicy->flags = 0;
+ //StillSecure
+ s5TcpPolicy->drop_flags = 0;
 //s5TcpPolicy->flags |= STREAM5_CONFIG_STATEFUL_INSPECTION;
 //s5TcpPolicy->flags |= STREAM5_CONFIG_ENABLE_ALERTS;
 //s5TcpPolicy->flags |= STREAM5_CONFIG_REASS_CLIENT;
 if(args != NULL && strlen(args) != 0)
 {
- toks = mSplit(args, ",", 13, &num_toks, 0);
+ //StillSecure
+ toks = mSplit(args, ",", 21, &num_toks, 0);
 i=0;
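Review bot: The `DROP_*` masks only work while they stay numerically identical to the `EVENT_*` masks defined just above them, because the drop test added at every LogTcpEvents site is `s5TcpPolicy->drop_flags & eventcode`, and nothing in this hunk enforces that correspondence; an event later added to one list but not the other would silently make a drop option match a different event, or none. Defining each drop bit in terms of its event bit makes the coupling explicit (assuming the four `EVENT_` names not visible in this hunk are spelled like their `DROP_` counterparts), and the comment `/* drops - mirrors events*/` should say what the bits mean rather than where they come from. Since `drop_flags` is declared `u_int16_t` in the struct hunk below, the values must also stay within 16 bits, which they do today.
```c
/* DROP_ bits: a set bit drops the packet in inline mode when the matching
 * EVENT_ bit is raised, so each is defined as its event bit. */
#define DROP_SYN_ON_EST             EVENT_SYN_ON_EST
#define DROP_DATA_ON_SYN            EVENT_DATA_ON_SYN
#define DROP_DATA_ON_CLOSED         EVENT_DATA_ON_CLOSED
#define DROP_BAD_TIMESTAMP          EVENT_BAD_TIMESTAMP
#define DROP_BAD_SEGMENT            EVENT_BAD_SEGMENT
#define DROP_WINDOW_TOO_LARGE       EVENT_WINDOW_TOO_LARGE
#define DROP_EXCESSIVE_TCP_OVERLAPS EVENT_EXCESSIVE_TCP_OVERLAPS
#define DROP_DATA_AFTER_RESET       EVENT_DATA_AFTER_RESET
```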
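Review bot: The new `drop_flags` member carries only the `//StillSecure` ownership tag and no description of what it holds, so a reader has to find the option parser to learn that it is a mask of `DROP_*` bits; `u_int16_t drop_flags; /* DROP_* bits: events that also drop the packet in inline mode */` documents it where it is declared. It is declared `u_int16_t` like `flags`, while the `EVENT_*` constants it is masked against are written as 32-bit values; only eight bits are used today, so this is a limit worth stating in the comment rather than a defect. The enclosing struct definition starts and ends outside the hunk.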
@@ -1190,6 +1212,79 @@
 set_flush_policy = 1;
 }
 }
+ /** StillSecure **/
+ else if(!strcasecmp(stoks[0], "drop_syn_on_est"))
+ {
+ s5TcpPolicy->drop_flags |= DROP_SYN_ON_EST;
+ if (s_toks > 1)
+ {
+ FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n",
+ file_name, file_line);
+ }
+ }
+ else if(!strcasecmp(stoks[0], "drop_data_on_syn"))
+ {
+ s5TcpPolicy->drop_flags |= DROP_DATA_ON_SYN;
+ if (s_toks > 1)
+ {
+ FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n",
+ file_name, file_line);
+ }
+ }
+ else if(!strcasecmp(stoks[0], "drop_data_on_closed"))
+ {
+ s5TcpPolicy->drop_flags |= DROP_DATA_ON_CLOSED;
+ if (s_toks > 1)
+ {
+ FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n",
+ file_name, file_line);
+ }
+ }
+ else if(!strcasecmp(stoks[0], "drop_bad_timestamp"))
+ {
+ s5TcpPolicy->drop_flags |= DROP_BAD_TIMESTAMP;
+ if (s_toks > 1)
+ {
+ FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n",
+ file_name, file_line);
+ }
+ }
+ else if(!strcasecmp(stoks[0], "drop_bad_segment"))
+ {
+ s5TcpPolicy->drop_flags |= DROP_BAD_SEGMENT;
+ if (s_toks > 1)
+ {
+ FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n",
+ file_name, file_line);
+ }
+ }
+ else if(!strcasecmp(stoks[0], "drop_window_too_large"))
+ {
+ s5TcpPolicy->drop_flags |= DROP_WINDOW_TOO_LARGE;
+ if (s_toks > 1)
+ {
+ FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n",
+ file_name, file_line);
+ }
+ }
+ else if(!strcasecmp(stoks[0], "drop_excessive_tcp_overlaps"))
+ {
+ s5TcpPolicy->drop_flags |= DROP_EXCESSIVE_TCP_OVERLAPS;
+ if (s_toks > 1)
+ {
+ FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n",
+ file_name, file_line);
+ }
+ }
+ else if(!strcasecmp(stoks[0], "drop_data_after_reset"))
+ {
+ s5TcpPolicy->drop_flags |= DROP_DATA_AFTER_RESET;
+ if (s_toks > 1)
+ {
+ FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n",
+ file_name, file_line);
+ }
+ }
 else
 {
 FatalError("%s(%d) => Invalid Stream5 TCP policy option\n",
@@ -1280,6 +1375,43 @@
 {
 LogMessage(" Don't Queue Large Packets for Reassembly: YES\n");
 }
+ /** StillSecure **/
+ if (s5TcpPolicy->drop_flags & DROP_SYN_ON_EST)
+ {
+ LogMessage(" Drop SYN on established packet: YES\n");
+ }
+ if (s5TcpPolicy->drop_flags & DROP_DATA_ON_SYN)
+ {
+ LogMessage(" Drop data on SYN packet: YES\n");
+ }
+ if (s5TcpPolicy->drop_flags & DROP_DATA_ON_CLOSED)
+ {
+ LogMessage(" Drop data on stream not accepting data: YES\n");
+ }
+ if (s5TcpPolicy->drop_flags & DROP_BAD_TIMESTAMP)
+ {
+ LogMessage(" Drop when TCP timestamp is outside of PAWS window: YES\n");
+ }
+ if (s5TcpPolicy->drop_flags & DROP_BAD_SEGMENT)
+ {
+ LogMessage(" Drop on bad segment, overlap adjusted size <=0: YES\n");
+ }
+ if (s5TcpPolicy->drop_flags & DROP_WINDOW_TOO_LARGE)
+ {
+ LogMessage(" Drop when window size(after scaling) larger than policy allows: YES\n");
+ }
+ if (s5TcpPolicy->drop_flags & DROP_EXCESSIVE_TCP_OVERLAPS)
+ {
+ LogMessage(" Drop when limit on number of overlapping TCP packets reached: YES\n");
+ }
+ if (s5TcpPolicy->drop_flags & DROP_DATA_AFTER_RESET)
+ {
+ LogMessage(" Drop data after reset packet: YES\n");
+ }
+ /** End StillSecure **/
+
+
+
 }
 LogMessage(" Reassembly Ports:\n");
for (i=0; idrop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_NOTHING | retcode;
 }
@@ -5432,6 +5568,10 @@
 "Pkt ack is out of bounds, bailing!\n"););
 s5stats.tcp_discards++;
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_BAD_PKT;
 }
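Review bot: The eight new `else if` branches differ only in the option string and the `DROP_*` bit and repeat the same nine lines each, 72 lines of copy-paste where a later change to the "Missing comma?" check would have to be made eight times. A name-to-flag table walked by a small static lookup collapses them into one branch, with a `u_int16_t drop_flag` local declared alongside the function's other locals; the enclosing option-parsing function starts and ends outside the hunk, as do the `stoks`/`s_toks` declarations. Behavior is unchanged: a name not in the table still falls through to the existing `Invalid Stream5 TCP policy option` FatalError.
```c
/* drop_* policy options: each sets one DROP_ bit and takes no argument. */
static const struct
{
    const char *name;
    u_int16_t flag;
} drop_options[] =
{
    { "drop_syn_on_est",             DROP_SYN_ON_EST },
    { "drop_data_on_syn",            DROP_DATA_ON_SYN },
    { "drop_data_on_closed",         DROP_DATA_ON_CLOSED },
    { "drop_bad_timestamp",          DROP_BAD_TIMESTAMP },
    { "drop_bad_segment",            DROP_BAD_SEGMENT },
    { "drop_window_too_large",       DROP_WINDOW_TOO_LARGE },
    { "drop_excessive_tcp_overlaps", DROP_EXCESSIVE_TCP_OVERLAPS },
    { "drop_data_after_reset",       DROP_DATA_AFTER_RESET },
};

/* Returns the DROP_ bit for a drop_* option name, or 0 if name is not one. */
static u_int16_t LookupDropOption(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(drop_options) / sizeof(drop_options[0]); i++)
    {
        if (!strcasecmp(name, drop_options[i].name))
            return drop_options[i].flag;
    }
    return 0;
}

/* … unchanged: earlier else-if branches of the option parser … */
else if ((drop_flag = LookupDropOption(stoks[0])) != 0)
{
    s5TcpPolicy->drop_flags |= drop_flag;
    if (s_toks > 1)
    {
        FatalError("%s(%d) => Invalid Stream5 TCP Policy option. Missing comma?\n",
                   file_name, file_line);
    }
}
```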
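Review bot: The eight `Drop ... : YES` summary lines are printed from `drop_flags` alone, so a passive sensor whose configuration carries drop_* options reports that it drops traffic it only alerts on, because every drop site in the ProcessTcp hunks also requires `InlineMode()` to be true. One line at the top of the StillSecure block keeps the startup summary truthful for operators reading it: `if (s5TcpPolicy->drop_flags && !InlineMode()) LogMessage(" Drop options configured but not running inline; matching packets are alerted on, not dropped\n");`. This assumes InlineMode() already reflects the run mode when the policy summary is printed, which cannot be confirmed from the hunk; the enclosing function starts and ends outside it.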
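Review bot: The drop decision reads `s5TcpPolicy->drop_flags` while the alert two lines above it is raised from `listener->tcp_policy`, so the packet is dropped according to one policy object and logged according to another; the declaration of `s5TcpPolicy` is outside the hunk, and if it can ever point to a different policy than the session's tracker holds, a drop_* option would be applied to the wrong session or not at all. Reading the flags from the policy that is logged, `listener->tcp_policy->drop_flags`, removes the question. The same four lines are pasted at every LogTcpEvents call site in this and the following hunks (-5465 through -5964, plus the hunk above whose header was lost in extraction), which is the kind of duplication that drifts; a small static helper called next to LogTcpEvents keeps the drop rule in one place. The enclosing function (ProcessTcp, judging by the `PREPROC_PROFILE_END(s5TcpStatePerfStats)` epilogue) starts and ends outside the hunk.
```c
/* Drop the packet inline when the policy marks any raised event as droppable;
 * a no-op in passive mode. Called right after LogTcpEvents so the alert and
 * the drop always consult the same policy. */
static void DropOnTcpEvent(Stream5TcpPolicy *policy, u_int32_t eventcode, Packet *p)
{
    if ((policy->drop_flags & eventcode) && InlineMode())
        InlineDrop(p);
}

/* … unchanged: ack bounds check, discard counter, LogTcpEvents call … */
    DropOnTcpEvent(listener->tcp_policy, eventcode, p);
```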
@@ -5465,6 +5605,10 @@
 Stream5UpdatePerfBaseState(&sfPerf.sfBase, tcpssn, TCP_STATE_CLOSING);
 /* Leave listener open, data may be in transit */
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_RST;
 }
@@ -5473,6 +5617,10 @@
 "bad sequence number, bailing\n"););
 s5stats.tcp_discards++;
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_NOTHING;
 }
@@ -5510,6 +5658,10 @@
 STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
 "Accepted SYN ACK\n"););
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_NOTHING;
 }
@@ -5542,6 +5694,10 @@
 Stream5UpdatePerfBaseState(&sfPerf.sfBase, tcpssn, TCP_STATE_CLOSING);
 /* Leave listener open, data may be in transit */
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_RST;
 }
@@ -5550,6 +5706,10 @@
 "bad sequence number, bailing\n"););
 s5stats.tcp_discards++;
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_NOTHING | ts_action;
 }
@@ -5562,6 +5722,10 @@
 "bad sequence number, bailing\n"););
 s5stats.tcp_discards++;
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_NOTHING | ts_action;
 }
@@ -5573,6 +5737,10 @@
 "bad timestamp, bailing\n"););
 s5stats.tcp_discards++;
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ts_action;
 }
@@ -5612,6 +5780,10 @@
 /* got a bad SYN on the session, alert! */
 eventcode |= EVENT_SYN_ON_EST;
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return action;
 }
@@ -5628,6 +5800,10 @@
 eventcode |= EVENT_WINDOW_TOO_LARGE;
 s5stats.tcp_discards++;
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_NOTHING | ACTION_BAD_PKT;
 }
@@ -5946,6 +6122,10 @@
 /* yoink that shit */
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 DeleteLWSession(tcp_lws_cache, lwssn);
 p->ssnptr = NULL;
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
@@ -5964,6 +6144,10 @@
 CheckFlushPolicy(tcpssn, talker, listener, tdb, p);
 LogTcpEvents(listener->tcp_policy, eventcode);
+ /** StillSecure **/
+ if((s5TcpPolicy->drop_flags & eventcode) && InlineMode())
+ InlineDrop(p);
+ /** End StillSecure **/
 PREPROC_PROFILE_END(s5TcpStatePerfStats);
 return ACTION_NOTHING;
 }