diff options
author | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:21:41 -0700 |
---|---|---|
committer | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:21:41 -0700 |
commit | 8879b125d26e8db1a5633de5a9c692eb2d1c4f83 (patch) | |
tree | c7259d85a991b83dfa85ab2e339360669fc1f58e /framework/src/suricata/src/detect-ftpbounce.c | |
parent | 13d05bc8458758ee39cb829098241e89616717ee (diff) |
suricata checkin based on commit id a4bce14770beee46a537eda3c3f6e8e8565d5d0a
Change-Id: I9a214fa0ee95e58fc640e50bd604dac7f42db48f
Diffstat (limited to 'framework/src/suricata/src/detect-ftpbounce.c')
-rw-r--r-- | framework/src/suricata/src/detect-ftpbounce.c | 560 |
1 files changed, 560 insertions, 0 deletions
diff --git a/framework/src/suricata/src/detect-ftpbounce.c b/framework/src/suricata/src/detect-ftpbounce.c new file mode 100644 index 00000000..39e1c5a2 --- /dev/null +++ b/framework/src/suricata/src/detect-ftpbounce.c @@ -0,0 +1,560 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Pablo Rincon <pablo.rincon.crespo@gmail.com> + * + * ftpbounce keyword, part of the detection engine. + */ + +#include "suricata-common.h" +#include "debug.h" +#include "decode.h" +#include "detect.h" +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" +#include "detect-content.h" + +#include "app-layer.h" +#include "app-layer-parser.h" +#include "app-layer-ftp.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" +#include "util-debug.h" +#include "flow.h" +#include "flow-var.h" +#include "flow-util.h" +#include "threads.h" +#include "detect-ftpbounce.h" +#include "stream-tcp.h" +#include "util-byte.h" + +int DetectFtpbounceMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *, + Signature *, SigMatch *); +int DetectFtpbounceALMatch(ThreadVars *, DetectEngineThreadCtx *, Flow *, + uint8_t, void *, Signature *, SigMatch *); +static int DetectFtpbounceSetup(DetectEngineCtx *, Signature *, char *); +int DetectFtpbounceMatchArgs(uint8_t *payload, uint16_t payload_len, + uint32_t ip_orig, uint16_t offset); +void DetectFtpbounceRegisterTests(void); +void DetectFtpbounceFree(void *); + +/** + * \brief Registration function for ftpbounce: keyword + * \todo add support for no_stream and stream_only + */ +void DetectFtpbounceRegister(void) +{ + sigmatch_table[DETECT_FTPBOUNCE].name = "ftpbounce"; + sigmatch_table[DETECT_FTPBOUNCE].Setup = DetectFtpbounceSetup; + sigmatch_table[DETECT_FTPBOUNCE].Match = NULL; + sigmatch_table[DETECT_FTPBOUNCE].AppLayerMatch = DetectFtpbounceALMatch; + sigmatch_table[DETECT_FTPBOUNCE].alproto = ALPROTO_FTP; + sigmatch_table[DETECT_FTPBOUNCE].Free = NULL; + sigmatch_table[DETECT_FTPBOUNCE].RegisterTests = DetectFtpbounceRegisterTests; + sigmatch_table[DETECT_FTPBOUNCE].flags = SIGMATCH_NOOPT; + return; +} + +/** + * \brief This function is used to match ftpbounce attacks + * + * \param payload Payload of the PORT command + * \param payload_len Length of the payload + * \param ip_orig IP source to check the ftpbounce condition + * \param offset offset to the arguments of the PORT command + * + * \retval 1 if ftpbounce detected, 0 if not + */ +int DetectFtpbounceMatchArgs(uint8_t *payload, uint16_t payload_len, + uint32_t ip_orig, uint16_t offset) +{ + SCEnter(); + SCLogDebug("Checking ftpbounce condition"); + char *c = NULL; + uint16_t i = 0; + int octet = 0; + int octet_ascii_len = 0; + int noctet = 0; + uint32_t ip = 0; + /* PrintRawDataFp(stdout, payload, payload_len); */ + + if (payload_len < 7) { + /* we need at least a differet ip address + * in the format 1,2,3,4,x,y where x,y is the port + * in two byte representation so let's look at + * least for the IP octets in comma separated */ + return 0; + } + + if (offset + 7 >= payload_len) + return 0; + + c =(char*) payload; + if (c == NULL) { + SCLogDebug("No payload to check"); + return 0; + } + + i = offset; + /* Search for the first IP octect(Skips "PORT ") */ + while (i < payload_len && !isdigit((unsigned char)c[i])) i++; + + for (;i < payload_len && octet_ascii_len < 4 ;i++) { + if (isdigit((unsigned char)c[i])) { + octet =(c[i] - '0') + octet * 10; + octet_ascii_len++; + } else { + if (octet > 256) { + SCLogDebug("Octet not in ip format"); + return 0; + } + + if (isspace((unsigned char)c[i])) + while (i < payload_len && isspace((unsigned char)c[i]) ) i++; + + if (i < payload_len && c[i] == ',') { /* we have an octet */ + noctet++; + octet_ascii_len = 0; + ip =(ip << 8) + octet; + octet = 0; + } else { + SCLogDebug("Unrecognized character '%c'", c[i]); + return 0; + } + if (noctet == 4) { + /* Different IP than src, ftp bounce scan */ + ip = SCByteSwap32(ip); + + if (ip != ip_orig) { + SCLogDebug("Different ip, so Matched ip:%d <-> ip_orig:%d", + ip, ip_orig); + return 1; + } + SCLogDebug("Same ip, so no match here"); + return 0; + } + } + } + SCLogDebug("No match"); + return 0; +} + +/** + * \brief This function is used to check matches from the FTP App Layer Parser + * + * \param t pointer to thread vars + * \param det_ctx pointer to the pattern matcher thread + * \param p pointer to the current packet + * \param m pointer to the sigmatch but we don't use it since ftpbounce + * has no options + * \retval 0 no match + * \retval 1 match + */ +int DetectFtpbounceALMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, + Flow *f, uint8_t flags, void *state, Signature *s, + SigMatch *m) +{ + SCEnter(); + FtpState *ftp_state =(FtpState *)state; + if (ftp_state == NULL) { + SCLogDebug("no ftp state, no match"); + SCReturnInt(0); + } + + int ret = 0; + + if (ftp_state->command == FTP_COMMAND_PORT) { + ret = DetectFtpbounceMatchArgs(ftp_state->port_line, + ftp_state->port_line_len, f->src.address.address_un_data32[0], + ftp_state->arg_offset); + } + + SCReturnInt(ret); +} + +/** + * \brief this function is used to add the parsed ftpbounce + * + * \param de_ctx pointer to the Detection Engine Context + * \param s pointer to the Current Signature + * \param m pointer to the Current SigMatch + * \param ftpbouncestr pointer to the user provided ftpbounce options + * currently there are no options. + * + * \retval 0 on Success + * \retval -1 on Failure + */ +int DetectFtpbounceSetup(DetectEngineCtx *de_ctx, Signature *s, char *ftpbouncestr) +{ + SCEnter(); + + SigMatch *sm = NULL; + + sm = SigMatchAlloc(); + if (sm == NULL) { + goto error;; + } + + sm->type = DETECT_FTPBOUNCE; + + /* We don't need to allocate any data for ftpbounce here. + * + * TODO: As a suggestion, maybe we can add a flag in the flow + * to set the stream as "bounce detected" for fast Match. + * When you do a ftp bounce attack you usually use the same + * communication control stream to "setup" various destinations + * whithout breaking the connection, so I guess we can make it a bit faster + * with a flow flag set lookup in the Match function. + */ + sm->ctx = NULL; + + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_FTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + goto error; + } + + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH); + + s->alproto = ALPROTO_FTP; + s->flags |= SIG_FLAG_APPLAYER; + SCReturnInt(0); + +error: + if (sm != NULL) { + SigMatchFree(sm); + } + SCReturnInt(-1); +} + +#ifdef UNITTESTS + +/** + * \test DetectFtpbounceTestSetup01 is a test for the Setup ftpbounce + */ +int DetectFtpbounceTestSetup01(void) +{ + int res = 0; + DetectEngineCtx *de_ctx = NULL; + Signature *s = SigAlloc(); + if (s == NULL) + return 0; + + /* ftpbounce doesn't accept options so the str is NULL */ + res = !DetectFtpbounceSetup(de_ctx, s, NULL); + res &= s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL && s->sm_lists[DETECT_SM_LIST_AMATCH]->type & DETECT_FTPBOUNCE; + + SigFree(s); + return res; +} + +#include "stream-tcp-reassemble.h" + +/** + * \test Check the ftpbounce match, send a get request in three chunks + * + more data. + * \brief This test tests the ftpbounce condition match, based on the + * ftp layer parser + */ +static int DetectFtpbounceTestALMatch02(void) +{ + int result = 0; + + uint8_t ftpbuf1[] = { 'P','O' }; + uint32_t ftplen1 = sizeof(ftpbuf1); + uint8_t ftpbuf2[] = { 'R', 'T' }; + uint32_t ftplen2 = sizeof(ftpbuf2); + uint8_t ftpbuf3[] = { ' ', '8','0',',','5' }; + uint32_t ftplen3 = sizeof(ftpbuf3); + uint8_t ftpbuf4[] = "8,0,33,10,20\r\n"; + uint32_t ftplen4 = sizeof(ftpbuf4); + + TcpSession ssn; + Flow f; + Packet *p = NULL; + Signature *s = NULL; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + + memset(&th_v, 0, sizeof(th_v)); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p = UTHBuildPacketSrcDst(NULL, 0, IPPROTO_TCP, "1.2.3.4", "5.6.7.8"); + + FLOW_INITIALIZE(&f); + f.src.address.address_un_data32[0]=0x01020304; + f.protoctx =(void *)&ssn; + f.proto = IPPROTO_TCP; + + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; + f.alproto = ALPROTO_FTP; + + StreamTcpInitConfig(TRUE); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any " + "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)"); + if (s == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx); + + SCMutexLock(&f.m); + int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER, ftpbuf1, ftplen1); + if (r != 0) { + SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f,ALPROTO_FTP, STREAM_TOSERVER, ftpbuf2, ftplen2); + if (r != 0) { + SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r); + result = 0; + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f,ALPROTO_FTP, STREAM_TOSERVER, ftpbuf3, ftplen3); + if (r != 0) { + SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r); + result = 0; + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f,ALPROTO_FTP, STREAM_TOSERVER, ftpbuf4, ftplen4); + if (r != 0) { + SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r); + result = 0; + SCMutexUnlock(&f.m); + goto end; + } + + SCMutexUnlock(&f.m); + + FtpState *ftp_state = f.alstate; + if (ftp_state == NULL) { + SCLogDebug("no ftp state: "); + result = 0; + goto end; + } + + if (ftp_state->command != FTP_COMMAND_PORT) { + SCLogDebug("expected command port not detected"); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + if (!(PacketAlertCheck(p, 1))) { + goto end; + } + + result = 1; +end: + if (alp_tctx != NULL) + AppLayerParserThreadCtxFree(alp_tctx); + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + + UTHFreePackets(&p, 1); + return result; +} + +/** + * \test Check the ftpbounce match + * \brief This test tests the ftpbounce condition match, based on + * the ftp layer parser + */ +static int DetectFtpbounceTestALMatch03(void) +{ + int result = 0; + + uint8_t ftpbuf1[] = { 'P','O' }; + uint32_t ftplen1 = sizeof(ftpbuf1); + uint8_t ftpbuf2[] = { 'R', 'T' }; + uint32_t ftplen2 = sizeof(ftpbuf2); + uint8_t ftpbuf3[] = { ' ', '1',',','2',',' }; + uint32_t ftplen3 = sizeof(ftpbuf3); + uint8_t ftpbuf4[] = "3,4,10,20\r\n"; + uint32_t ftplen4 = sizeof(ftpbuf4); + + TcpSession ssn; + Flow f; + Packet *p = SCMalloc(SIZE_OF_PACKET); + if (unlikely(p == NULL)) + return 0; + Signature *s = NULL; + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); + + memset(&th_v, 0, sizeof(th_v)); + memset(p, 0, SIZE_OF_PACKET); + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + p->src.family = AF_INET; + p->dst.family = AF_INET; + p->src.addr_data32[0] = 0x04030201; + p->payload = NULL; + p->payload_len = 0; + p->proto = IPPROTO_TCP; + + FLOW_INITIALIZE(&f); + f.src.address.address_un_data32[0]=0x04030201; + f.protoctx =(void *)&ssn; + f.proto = IPPROTO_TCP; + + p->flow = &f; + p->flowflags |= FLOW_PKT_TOSERVER; + p->flowflags |= FLOW_PKT_ESTABLISHED; + p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; + f.alproto = ALPROTO_FTP; + + StreamTcpInitConfig(TRUE); + + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) { + goto end; + } + + de_ctx->flags |= DE_QUIET; + + s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any " + "(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)"); + if (s == NULL) { + goto end; + } + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx); + + SCMutexLock(&f.m); + int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER, ftpbuf1, ftplen1); + if (r != 0) { + SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f,ALPROTO_FTP, STREAM_TOSERVER, ftpbuf2, ftplen2); + if (r != 0) { + SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r); + result = 0; + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f,ALPROTO_FTP, STREAM_TOSERVER, ftpbuf3, ftplen3); + if (r != 0) { + SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r); + result = 0; + SCMutexUnlock(&f.m); + goto end; + } + + r = AppLayerParserParse(alp_tctx, &f,ALPROTO_FTP, STREAM_TOSERVER, ftpbuf4, ftplen4); + if (r != 0) { + SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r); + result = 0; + SCMutexUnlock(&f.m); + goto end; + } + SCMutexUnlock(&f.m); + + FtpState *ftp_state = f.alstate; + if (ftp_state == NULL) { + SCLogDebug("no ftp state: "); + result = 0; + goto end; + } + + if (ftp_state->command != FTP_COMMAND_PORT) { + SCLogDebug("expected command port not detected"); + result = 0; + goto end; + } + + /* do detect */ + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + /* It should not match */ + if (!(PacketAlertCheck(p, 1))) { + result = 1; + } else { + SCLogDebug("It should not match here!"); + } + +end: + if (alp_tctx != NULL) + AppLayerParserThreadCtxFree(alp_tctx); + SigGroupCleanup(de_ctx); + SigCleanSignatures(de_ctx); + + DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + SCFree(p); + return result; +} + +#endif /* UNITTESTS */ + +/** + * \brief this function registers unit tests for DetectFtpbounce + */ +void DetectFtpbounceRegisterTests(void) +{ +#ifdef UNITTESTS + UtRegisterTest("DetectFtpbounceTestSetup01", DetectFtpbounceTestSetup01, 1); + UtRegisterTest("DetectFtpbounceTestALMatch02", + DetectFtpbounceTestALMatch02, 1); + UtRegisterTest("DetectFtpbounceTestALMatch03", + DetectFtpbounceTestALMatch03, 1); +#endif /* UNITTESTS */ +} |