From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] snort: Update to 2.9.8.0 with Quantum Insert patch Date: Fri, 11 Dec 2015 19:30:59 +0100 Message-ID: <1449858659-12543-1-git-send-email-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6418995731710491226==" List-Id: --===============6418995731710491226== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable snort: Updated to 2.9.8.0 with Quantum Insert patch included Updated: rootfile Updated: patch file Signed-off-by: Matthias Fischer --- config/rootfiles/common/snort | 2 +- lfs/snort | 5 +- .../stream_quantuminsert-snort-2.9.8.0.patch | 417 +++++++++++++++++++= ++ 3 files changed, 421 insertions(+), 3 deletions(-) create mode 100644 src/patches/stream_quantuminsert-snort-2.9.8.0.patch diff --git a/config/rootfiles/common/snort b/config/rootfiles/common/snort index 6dfcdfc..77208e8 100644 --- a/config/rootfiles/common/snort +++ b/config/rootfiles/common/snort @@ -27,7 +27,6 @@ usr/bin/u2spewfoo #usr/include/snort/dynamic_output/snort_debug.h #usr/include/snort/dynamic_output/stream_api.h #usr/include/snort/dynamic_preproc -#usr/include/snort/dynamic_preproc/appId.h #usr/include/snort/dynamic_preproc/bitop.h #usr/include/snort/dynamic_preproc/cpuclock.h #usr/include/snort/dynamic_preproc/file_api.h @@ -38,6 +37,7 @@ usr/bin/u2spewfoo #usr/include/snort/dynamic_preproc/mpse_methods.h #usr/include/snort/dynamic_preproc/obfuscation.h #usr/include/snort/dynamic_preproc/packet_time.h +#usr/include/snort/dynamic_preproc/perf_indicators.h #usr/include/snort/dynamic_preproc/preprocids.h #usr/include/snort/dynamic_preproc/profiler.h #usr/include/snort/dynamic_preproc/segment_mem.h diff --git a/lfs/snort b/lfs/snort index 148f539..9b1d34d 100644 --- a/lfs/snort +++ b/lfs/snort 
@@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 2.9.7.6 +VER =3D 2.9.8.0 =20 THISAPP =3D snort-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 65349f3272c4de5b3210f77f1f7ab0e6 +$(DL_FILE)_MD5 =3D 33a2ffd0daf3f60b81ab685848f95947 =20 install : $(TARGET) =20 @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) $(DIR_SRC)/snort* && cd $(DIR_SRC) && tar zxf $(DIR_DL)/= $(DL_FILE) + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/stream_quantuminsert-= snort-2.9.8.0.patch cd $(DIR_APP) && ./configure \ --prefix=3D/usr \ --sysconfdir=3D/etc/snort \ diff --git a/src/patches/stream_quantuminsert-snort-2.9.8.0.patch b/src/patch= es/stream_quantuminsert-snort-2.9.8.0.patch new file mode 100644 index 0000000..f482de4 --- /dev/null +++ b/src/patches/stream_quantuminsert-snort-2.9.8.0.patch 
@@ -0,0 +1,417 @@ +--- src/preprocessors/Stream6/snort_stream_tcp.c Wed Nov 18 19:59:15 2015 ++++ src/preprocessors/Stream6/snort_stream_tcp.c Fri Dec 11 13:39:41 2015 +@@ -48,6 +48,7 @@ +=20 + #include + #include ++#include "Unified2_common.h" +=20 + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -202,6 +203,7 @@ + #define EVENT_BAD_ACK 0x00008000 + #define EVENT_DATA_AFTER_RST_RCVD 0x00010000 + #define EVENT_WINDOW_SLAM 0x00020000 ++#define EVENT_QUANTUM_INSERT 0x00040000 +=20 + #define TF_NONE 0x0000 + #define TF_WSCALE 0x0001 +@@ -386,6 +388,12 @@ + // TBD move out of here since only used per packet? + StreamSegment* seglist_next; /* next queued segment to flush */ +=20 ++ // Keep track of acked/purged segments, configurable with `max_track_ol= d_segs` ++ StreamSegment *qi_seglist; /* first queued segment */ ++ StreamSegment *qi_seglist_tail; /* last queued segment */ ++ StreamSegment *qi_inserted_seg; /* the inconsistent segment, used for = extra_data */ ++ uint32_t qi_seg_count; /* number of current queued segments */ ++ + #ifdef DEBUG + int segment_ordinal; + #endif +@@ -1402,6 +1410,7 @@ + clone->max_consec_small_segs =3D master->max_consec_small_segs; + clone->max_consec_small_seg_size =3D master->max_consec_small_seg_size; + memcpy(clone->small_seg_ignore, master->small_seg_ignore, sizeof(master= ->small_seg_ignore)); ++ clone->max_track_old_segs =3D master->max_track_old_segs; +=20 + config =3D (StreamConfig *) sfPolicyUserDataGet(stream_online_config, g= etParserPolicy( snort_conf )); + addStreamTcpPolicyToList( config->tcp_config, clone ); +@@ -1544,6 +1553,38 @@ +=20 + #define STATIC_FP ((s5TcpPolicy->flags & STREAM_CONFIG_STATIC_FLUSHPOINTS)?= 1:0) +=20 ++static int GetQuantumPacket(void *ssn_ptr, uint8_t **buf, uint32_t *len, ui= nt32_t *type) ++{ ++ SessionControlBlock* scb =3D NULL; ++ TcpSession *tcpssn =3D NULL; ++ StreamTracker *listener =3D NULL; ++ StreamSegment *seg =3D NULL; ++ ++ if (ssn_ptr =3D=3D NULL) ++ return 0; ++ ++ scb =3D 
(SessionControlBlock*) ssn_ptr; ++ if (scb->proto_specific_data) ++ tcpssn =3D (TcpSession *)scb->proto_specific_data->data; ++ ++ if (tcpssn =3D=3D NULL) ++ return 0; ++ ++ listener =3D &tcpssn->client; ++ seg =3D listener->qi_inserted_seg; ++ ++ if (seg =3D=3D NULL) ++ return 0; ++ ++ *buf =3D (uint8_t *)seg->data; ++ *len =3D seg->size; ++ *type =3D EVENT_INFO_GENERIC_DATA; ++ ++ listener->qi_inserted_seg =3D NULL; ++ ++ return 1; ++} ++ + static void StreamParseTcpArgs(struct _SnortConfig *sc, StreamTcpConfig *co= nfig, char *args, StreamTcpPolicy *s5TcpPolicy) + { + char **toks; +@@ -1571,6 +1612,10 @@ + s5TcpPolicy->max_consec_small_seg_size =3D STREAM_DEFAULT_MAX_SMALL_SEG= _SIZE; + s5TcpPolicy->log_asymmetric_traffic =3D false; +=20 ++ s5TcpPolicy->max_track_old_segs =3D STREAM_DEFAULT_TRACK_OLD_SEGS; ++ if (stream_api) ++ s5TcpPolicy->xtra_quantum_id =3D stream_api->reg_xtra_data_cb(GetQu= antumPacket); ++ + if(args !=3D NULL && strlen(args) !=3D 0) + { + toks =3D mSplit(args, ",", 0, &num_toks, 0); +@@ -1859,6 +1904,39 @@ + } + max_s_toks =3D 2; + } ++ ++ else if(!strcasecmp(stoks[0], "max_track_old_segs")) ++ { ++ if(stoks[1]) ++ { ++ long_val =3D SnortStrtol(stoks[1], &endPtr, 10); ++ if (errno =3D=3D ERANGE) ++ { ++ errno =3D 0; ++ FatalError("%s(%d) =3D> Invalid Max Track Old Segme= nts. Integer parameter required.\n", ++ file_name, file_line); ++ } ++ s5TcpPolicy->max_track_old_segs =3D (uint32_t)long_val; ++ } ++ ++ if (!stoks[1] || (endPtr =3D=3D &stoks[1][0])) ++ { ++ FatalError("%s(%d) =3D> Invalid Max Track Old Segments.= Integer parameter required.\n", ++ file_name, file_line); ++ } ++ ++ if (((long_val > STREAM_MAX_MAX_TRACK_OLD_SEGS) || ++ (long_val < STREAM_MIN_MAX_TRACK_OLD_SEGS)) && ++ (long_val !=3D 0)) ++ { ++ FatalError("%s(%d) =3D> Invalid Max Track Old Segments." 
++ " Must be 0 (disabled) or between %d and %d\n", ++ file_name, file_line, ++ STREAM_MAX_MAX_TRACK_OLD_SEGS, STREAM_MIN_MAX_T= RACK_OLD_SEGS); ++ } ++ max_s_toks =3D 2; ++ } ++ + else if (!strcasecmp(stoks[0], "small_segments")) + { + char **ptoks; +@@ -2338,6 +2416,11 @@ + LogMessage(" Maximum number of segs to queue per session: %d\n", + s5TcpPolicy->max_queued_segs); + } ++ if (s5TcpPolicy->max_track_old_segs !=3D 0) ++ { ++ LogMessage(" Maximum number of old segs to track per session: %d= \n", ++ s5TcpPolicy->max_track_old_segs); ++ } + if (s5TcpPolicy->flags) + { + LogMessage(" Options:\n"); +@@ -3055,6 +3138,22 @@ + NULL); /* rule info ptr */ + } +=20 ++static inline void EventQuantumInsert (StreamTcpPolicy *s5TcpPolicy) ++{ ++ // if(!(s5TcpPolicy->flags & STREAM_CONFIG_ENABLE_ALERTS)) ++ // return; ++ ++ s5stats.events++; ++ ++ SnortEventqAdd(GENERATOR_SPP_STREAM, /* GID */ ++ STREAM_QUANTUM_INSERT, /* SID */ ++ 1, /* rev */ ++ 0, /* class */ ++ 3, /* priority */ ++ STREAM_QUANTUM_INSERT_STR, /* event msg */ ++ NULL); /* rule info ptr */ ++} ++ + /* + * Utility functions for TCP stuff + */ +@@ -4133,6 +4232,10 @@ + st->seglist =3D st->seglist_tail =3D st->seglist_next =3D NULL; + st->seg_count =3D st->flush_count =3D 0; + st->seg_bytes_total =3D st->seg_bytes_logical =3D 0; ++ ++ st->qi_seg_count =3D 0; ++ DeleteSeglist(st->qi_seglist); ++ st->qi_seglist =3D st->qi_seglist_tail =3D st->qi_inserted_seg =3D NULL; + } +=20 + // purge_flushed_ackd(): +@@ -6113,6 +6216,69 @@ + return NULL; + } +=20 ++static inline StreamSegment *FindOldSegment(StreamTracker *st, uint32_t pkt= _seq) ++{ ++ int32_t dist_head; ++ int32_t dist_tail; ++ StreamSegment *ss; ++ ++ if (!st->qi_seglist) ++ return NULL; ++ ++ dist_head =3D pkt_seq - st->qi_seglist->seq; ++ dist_tail =3D pkt_seq - st->qi_seglist_tail->seq; ++ ++ if (dist_head <=3D dist_tail) ++ { ++ /* Start iterating at the head (left) */ ++ for (ss =3D st->qi_seglist; ss; ss =3D ss->next) ++ { ++ if (SEQ_EQ(ss->seq, 
pkt_seq)) ++ return ss; ++ ++ if (SEQ_GEQ(ss->seq, pkt_seq)) ++ break; ++ } ++ } ++ else ++ { ++ /* Start iterating at the tail (right) */ ++ for (ss =3D st->qi_seglist_tail; ss; ss =3D ss->prev) ++ { ++ if (SEQ_EQ(ss->seq, pkt_seq)) ++ return ss; ++ ++ if (SEQ_LT(ss->seq, pkt_seq)) ++ break; ++ } ++ } ++ return NULL; ++} ++ ++static inline int CheckQuantumInsert(StreamTracker *listener, ++ TcpDataBlock *tdb, ++ Packet *p) ++{ ++ int ret =3D 0; ++ StreamSegment* seg =3D NULL; ++ ++ if (listener->seglist_tail && tdb->seq <=3D listener->seglist_tail->seq= ) { ++ seg =3D FindSegment(listener, tdb->seq); ++ } ++ if (seg =3D=3D NULL && listener->qi_seglist_tail && tdb->seq <=3D liste= ner->qi_seglist_tail->seq) { ++ seg =3D FindOldSegment(listener, tdb->seq); ++ } ++ if (seg) { ++ // compare smallest segment size ++ if (memcmp(p->data, seg->data, MIN(p->dsize, seg->size)) !=3D 0) { ++ listener->qi_inserted_seg =3D seg; ++ SetExtraData(p, listener->tcp_policy->xtra_quantum_id); ++ ret |=3D EVENT_QUANTUM_INSERT; ++ } ++ } ++ return ret; ++} ++ + void StreamTcpSessionClear(Packet *p) + { + SessionControlBlock *scb; +@@ -7476,8 +7642,10 @@ + { + if ( !(tcpssn->scb->ha_state.session_flags & SSNFLAG_STREAM_ORD= ER_BAD) ) + { +- if ( !SEQ_LEQ((tdb->seq + p->dsize), listener->r_nxt_ack) ) ++ if ( !SEQ_LEQ((tdb->seq + p->dsize), listener->r_nxt_ack) )= { + tcpssn->scb->ha_state.session_flags |=3D SSNFLAG_STREAM= _ORDER_BAD; ++ CheckQuantumInsert(listener, tdb, p); ++ } + } + ProcessTcpStream(listener, tcpssn, p, tdb, s5TcpPolicy); + } +@@ -8162,6 +8330,9 @@ +=20 + if (eventcode & EVENT_WINDOW_SLAM) + EventWindowSlam(s5TcpPolicy); ++ ++ if (eventcode & EVENT_QUANTUM_INSERT) ++ EventQuantumInsert(s5TcpPolicy); + } +=20 + static inline void DisableInspection (SessionControlBlock *scb, Packet* p, = char ignore) +@@ -9195,6 +9366,10 @@ + if ((p->tcph->th_flags !=3D 0) || (s5TcpPolicy->policy =3D=3D S= TREAM_POLICY_LINUX) || (s5TcpPolicy->policy =3D=3D STREAM_POLICY_NOACK)) + { + 
ProcessTcpData(p, listener, tcpssn, tdb, s5TcpPolicy); ++ ++ if (listener->qi_inserted_seg) ++ eventcode |=3D EVENT_QUANTUM_INSERT; ++ + //Check if all segments are received. Process FIN transition + if(checkFINTransitionStatus(p, listener)) + process_fin =3D true; +@@ -10144,8 +10319,46 @@ + if ( st->seglist_next =3D=3D seg ) + st->seglist_next =3D NULL; +=20 +- SegmentFree(seg); +- st->seg_count--; ++ // Keep track of `max_track_old_segs` segments ++ if (st->tcp_policy->max_track_old_segs) { ++ StreamSegment* prev =3D st->qi_seglist_tail; ++ StreamSegment* new =3D seg; ++ if(prev) ++ { ++ new->next =3D prev->next; ++ new->prev =3D prev; ++ prev->next =3D new; ++ if (new->next) ++ new->next->prev =3D new; ++ else ++ st->qi_seglist_tail =3D new; ++ } ++ else ++ { ++ new->next =3D st->qi_seglist; ++ if(new->next) ++ new->next->prev =3D new; ++ else ++ st->qi_seglist_tail =3D new; ++ st->qi_seglist =3D new; ++ } ++ ++ st->qi_seg_count++; ++ while (st->qi_seg_count > st->tcp_policy->max_track_old_segs) { ++ StreamSegment* old =3D st->qi_seglist; ++ st->qi_seglist =3D st->qi_seglist->next; ++ if (st->qi_seglist) ++ st->qi_seglist->prev =3D NULL; ++ if (st->qi_seglist =3D=3D NULL) ++ st->qi_seglist_tail =3D NULL; ++ SegmentFree(old); ++ st->qi_seg_count--; ++ st->seg_count--; ++ } ++ } else { ++ SegmentFree(seg); ++ st->seg_count--; ++ } +=20 + return ret; + } +--- src/preprocessors/Stream6/stream_common.h Wed Nov 18 19:59:15 2015 ++++ src/preprocessors/Stream6/stream_common.h Fri Dec 11 13:41:15 2015 +@@ -69,6 +69,9 @@ + #define STREAM_DEFAULT_CONSEC_SMALL_SEGS 0 /* disabled */ + #define STREAM_MAX_CONSEC_SMALL_SEGS 2048 /* 2048 single byte packets = without acks is alot */ + #define STREAM_MIN_CONSEC_SMALL_SEGS 0 /* 0 means disabled */ ++#define STREAM_DEFAULT_TRACK_OLD_SEGS 10 /* keep track of 10 old TCP = segments */ ++#define STREAM_MIN_MAX_TRACK_OLD_SEGS 0 /* 0 means disabled */ ++#define STREAM_MAX_MAX_TRACK_OLD_SEGS 2048 /* history of 2048 segments = should be 
enough */ +=20 + #if defined(FEAT_OPEN_APPID) + #define MAX_APP_PROTOCOL_ID 4 +@@ -203,6 +206,10 @@ +=20 + uint32_t max_consec_small_segs; + uint32_t max_consec_small_seg_size; ++ ++ uint32_t max_track_old_segs; ++ uint32_t xtra_quantum_id; ++ + char small_seg_ignore[MAX_PORTS/8]; + bool log_asymmetric_traffic; +=20 +--- src/sfutil/Unified2_common.h Wed Nov 18 19:59:15 2015 ++++ src/sfutil/Unified2_common.h Fri Dec 11 13:42:17 2015 +@@ -193,7 +193,8 @@ + EVENT_INFO_HTTP_HOSTNAME, + EVENT_INFO_IPV6_SRC, + EVENT_INFO_IPV6_DST, +- EVENT_INFO_JSNORM_DATA ++ EVENT_INFO_JSNORM_DATA, ++ EVENT_INFO_GENERIC_DATA + }EventInfoEnum; +=20 + typedef enum _EventDataType +--- src/generators.h Wed Nov 18 19:59:14 2015 ++++ src/generators.h Fri Dec 11 13:12:12 2015 +@@ -438,6 +438,7 @@ + #define DNS_EVENT_OBSOLETE_TYPES 1 + #define DNS_EVENT_EXPERIMENTAL_TYPES 2 + #define DNS_EVENT_RDATA_OVERFLOW 3 ++#define STREAM_QUANTUM_INSERT 21 +=20 + #define GENERATOR_SKYPE 132 +=20 +@@ -592,6 +593,7 @@ + #define STREAM_DATA_AFTER_RST_RCVD_STR "Data sent on stream after TCP Reset= received" + #define STREAM_WINDOW_SLAM_STR "TCP window closed before receiving data" + #define STREAM_NO_3WHS_STR "TCP session without 3-way handshake" ++#define STREAM_QUANTUM_INSERT_STR "Possible Quantum Insert" +=20 + #define STREAM_INTERNAL_EVENT_STR "" +=20 +--- tools/u2openappid/u2openappid.c Thu Apr 23 19:28:11 2015 ++++ tools/u2openappid/u2openappid.c Fri Dec 11 13:43:55 2015 +@@ -296,6 +296,11 @@ + len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(S= erialUnified2ExtraData)); + break; +=20 ++ case EVENT_INFO_GENERIC_DATA: ++ printf("Generic Data:\n"); ++ LogBuffer(record->data + sizeof(Unified2ExtraDataHdr) + sizeof(= SerialUnified2ExtraData), len); ++ break; ++ + case EVENT_INFO_SMTP_FILENAME: + printf("SMTP Attachment Filename: %.*s\n", + len,record->data + sizeof(Unified2ExtraDataHdr) + sizeof(Se= rialUnified2ExtraData)); +--- tools/u2spewfoo/u2spewfoo.c Thu Apr 23 19:28:11 2015 ++++ 
tools/u2spewfoo/u2spewfoo.c Fri Dec 11 13:45:27 2015 +@@ -43,6 +43,8 @@ +=20 + #include "Unified2_common.h" +=20 ++static void LogBuffer (const uint8_t* p, unsigned n); ++ + #define SUCCESS 314159265 + #define STEVE -1 + #define FAILURE STEVE +@@ -294,6 +296,11 @@ + case EVENT_INFO_JSNORM_DATA: + printf("Normalized JavaScript Data: %.*s\n", + len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(S= erialUnified2ExtraData)); ++ break; ++ ++ case EVENT_INFO_GENERIC_DATA: ++ printf("Generic Data:\n"); ++ LogBuffer(record->data + sizeof(Unified2ExtraDataHdr) + sizeof(= SerialUnified2ExtraData), len); + break; +=20 + case EVENT_INFO_SMTP_FILENAME: --=20 2.6.4 --===============6418995731710491226==--
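Review bot: `qi_inserted_seg` can be left dangling in the segment-delete hunk (`@@ -10144`): the trim loop calls `SegmentFree(old)` and the `else` branch calls `SegmentFree(seg)`, but neither clears `st->qi_inserted_seg` when it points at the freed segment, and `GetQuantumPacket` later dereferences it (`seg->data`, `seg->size`) — only the tracker-reset hunk nulls it; add `if (st->qi_inserted_seg == old) st->qi_inserted_seg = NULL;` before `SegmentFree(old);` and `if (st->qi_inserted_seg == seg) st->qi_inserted_seg = NULL;` before `SegmentFree(seg);` (that function's start lies outside the hunk). In `CheckQuantumInsert` the guards `tdb->seq <= listener->seglist_tail->seq` and `tdb->seq <= listener->qi_seglist_tail->seq` use a plain `<=` while the rest of the file uses the wrap-safe macros, so once the sequence number wraps the lookup is skipped and the check can be evaded — use `SEQ_LEQ(tdb->seq, listener->seglist_tail->seq)` and `SEQ_LEQ(tdb->seq, listener->qi_seglist_tail->seq)`. `GetQuantumPacket` only reads `&tcpssn->client`, so a mismatch detected on the server tracker sets its `qi_inserted_seg` with nothing to clear it, and the `if (listener->qi_inserted_seg) eventcode |= EVENT_QUANTUM_INSERT` test added at `@@ -9195` would presumably re-raise the alert on every later data packet in that direction; the callback should locate the tracker that set the pointer, or the pointer should be cleared once the event is queued. Minor: the `max_track_old_segs` FatalError passes `STREAM_MAX_MAX_TRACK_OLD_SEGS, STREAM_MIN_MAX_TRACK_OLD_SEGS` to "between %d and %d" (prints "between 2048 and 0"), and `EventQuantumInsert` carries the `STREAM_CONFIG_ENABLE_ALERTS` guard as commented-out code — either restore it to match the other `Event*` helpers or drop the dead lines.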