diff options
author | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:21:41 -0700 |
---|---|---|
committer | Ashlee Young <ashlee@onosfw.com> | 2015-09-09 22:21:41 -0700 |
commit | 8879b125d26e8db1a5633de5a9c692eb2d1c4f83 (patch) | |
tree | c7259d85a991b83dfa85ab2e339360669fc1f58e /framework/src/suricata/src/stream-tcp-private.h | |
parent | 13d05bc8458758ee39cb829098241e89616717ee (diff) |
suricata checkin based on commit id a4bce14770beee46a537eda3c3f6e8e8565d5d0a
Change-Id: I9a214fa0ee95e58fc640e50bd604dac7f42db48f
Diffstat (limited to 'framework/src/suricata/src/stream-tcp-private.h')
-rw-r--r-- | framework/src/suricata/src/stream-tcp-private.h | 246 |
1 files changed, 246 insertions, 0 deletions
diff --git a/framework/src/suricata/src/stream-tcp-private.h b/framework/src/suricata/src/stream-tcp-private.h new file mode 100644 index 00000000..5c03c4bc --- /dev/null +++ b/framework/src/suricata/src/stream-tcp-private.h @@ -0,0 +1,246 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Victor Julien <victor@inliniac.net> + */ + +#ifndef __STREAM_TCP_PRIVATE_H__ +#define __STREAM_TCP_PRIVATE_H__ + +#include "decode.h" +#include "util-pool.h" +#include "util-pool-thread.h" + +#define STREAMTCP_QUEUE_FLAG_TS 0x01 +#define STREAMTCP_QUEUE_FLAG_WS 0x02 +#define STREAMTCP_QUEUE_FLAG_SACK 0x04 + +/** currently only SYN/ACK */ +typedef struct TcpStateQueue_ { + uint8_t flags; + uint8_t wscale; + uint16_t win; + uint32_t seq; + uint32_t ack; + uint32_t ts; + uint32_t pkt_ts; + struct TcpStateQueue_ *next; +} TcpStateQueue; + +typedef struct StreamTcpSackRecord_ { + uint32_t le; /**< left edge, host order */ + uint32_t re; /**< right edge, host order */ + struct StreamTcpSackRecord_ *next; +} StreamTcpSackRecord; + +typedef struct TcpSegment_ { + uint8_t *payload; + uint16_t payload_len; /**< actual size of the payload */ + uint16_t pool_size; /**< size of the memory */ + uint32_t seq; + struct TcpSegment_ *next; + struct TcpSegment_ *prev; + /* coccinelle: TcpSegment:flags:SEGMENTTCP_FLAG */ + uint8_t flags; +} TcpSegment; + +typedef struct TcpStream_ { + uint16_t flags:12; /**< Flag specific to the stream e.g. Timestamp */ + /* coccinelle: TcpStream:flags:STREAMTCP_STREAM_FLAG_ */ + uint16_t wscale:4; /**< wscale setting in this direction, 4 bits as max val is 15 */ + uint8_t os_policy; /**< target based OS policy used for reassembly and handling packets*/ + uint8_t tcp_flags; /**< TCP flags seen */ + + uint32_t isn; /**< initial sequence number */ + uint32_t next_seq; /**< next expected sequence number */ + uint32_t last_ack; /**< last ack'd sequence number in this stream */ + uint32_t next_win; /**< next max seq within window */ + uint32_t window; /**< current window setting, after wscale is applied */ + + uint32_t last_ts; /**< Time stamp (TSVAL) of the last seen packet for this stream*/ + uint32_t last_pkt_ts; /**< Time of last seen packet for this stream (needed for PAWS update) + This will be used to validate the last_ts, when connection has been idle for + longer time.(RFC 1323)*/ + /* reassembly */ + uint32_t ra_app_base_seq; /**< reassembled seq. We've reassembled up to this point. */ + uint32_t ra_raw_base_seq; /**< reassembled seq. We've reassembled up to this point. */ + + TcpSegment *seg_list; /**< list of TCP segments that are not yet (fully) used in reassembly */ + TcpSegment *seg_list_tail; /**< Last segment in the reassembled stream seg list*/ + + StreamTcpSackRecord *sack_head; /**< head of list of SACK records */ + StreamTcpSackRecord *sack_tail; /**< tail of list of SACK records */ +} TcpStream; + +/* from /usr/include/netinet/tcp.h */ +enum +{ + TCP_NONE, + TCP_LISTEN, + TCP_SYN_SENT, + TCP_SYN_RECV, + TCP_ESTABLISHED, + TCP_FIN_WAIT1, + TCP_FIN_WAIT2, + TCP_TIME_WAIT, + TCP_LAST_ACK, + TCP_CLOSE_WAIT, + TCP_CLOSING, + TCP_CLOSED, +}; + +/* + * Per SESSION flags + */ + +/** Flag for mid stream session */ +#define STREAMTCP_FLAG_MIDSTREAM 0x0001 +/** Flag for mid stream established session */ +#define STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED 0x0002 +/** Flag for mid session when syn/ack is received */ +#define STREAMTCP_FLAG_MIDSTREAM_SYNACK 0x0004 +/** Flag for TCP Timestamp option */ +#define STREAMTCP_FLAG_TIMESTAMP 0x0008 +/** Server supports wscale (even though it can be 0) */ +#define STREAMTCP_FLAG_SERVER_WSCALE 0x0010 +/** 'Raw' reassembly is disabled for this ssn. */ +#define STREAMTCP_FLAG_DISABLE_RAW 0x0020 +/** Flag to indicate that the session is handling asynchronous stream.*/ +#define STREAMTCP_FLAG_ASYNC 0x0040 +/** Flag to indicate we're dealing with 4WHS: SYN, SYN, SYN/ACK, ACK + * (http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie) */ +#define STREAMTCP_FLAG_4WHS 0x0080 +/** Flag to indicate that this session is possible trying to evade the detection + * (http://www.packetstan.com/2010/06/recently-ive-been-on-campaign-to-make.html) */ +#define STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT 0x0100 +/** Flag to indicate the client (SYN pkt) permits SACK */ +#define STREAMTCP_FLAG_CLIENT_SACKOK 0x0200 +/** Flag to indicate both sides of the session permit SACK (SYN + SYN/ACK) */ +#define STREAMTCP_FLAG_SACKOK 0x0400 +/** Flag for triggering RAW reassembly before the size limit is reached or + the stream reaches EOF. */ +#define STREAMTCP_FLAG_TRIGGER_RAW_REASSEMBLY 0x0800 +/** 3WHS confirmed by server -- if suri sees 3whs ACK but server doesn't (pkt + * is lost on the way to server), SYN/ACK is retransmitted. If server sends + * normal packet we assume 3whs to be completed. Only used for SYN/ACK resend + * event. */ +#define STREAMTCP_FLAG_3WHS_CONFIRMED 0x1000 +/** App Layer tracking/reassembly is disabled */ +#define STREAMTCP_FLAG_APP_LAYER_DISABLED 0x2000 + +/* + * Per STREAM flags + */ + +/** stream is in a gap state */ +#define STREAMTCP_STREAM_FLAG_GAP 0x0001 +/** Flag to avoid stream reassembly/app layer inspection for the stream */ +#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY 0x0002 +/** we received a keep alive */ +#define STREAMTCP_STREAM_FLAG_KEEPALIVE 0x0004 +/** Stream has reached it's reassembly depth, all further packets are ignored */ +#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED 0x0008 +// vacancy +/** Stream supports TIMESTAMP -- used to set ssn STREAMTCP_FLAG_TIMESTAMP + * flag. */ +#define STREAMTCP_STREAM_FLAG_TIMESTAMP 0x0020 +/** Flag to indicate the zero value of timestamp */ +#define STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP 0x0040 +/** App proto detection completed */ +#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED 0x0080 +/** App proto detection skipped */ +#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED 0x0100 +/** Raw reassembly disabled for new segments */ +#define STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED 0x0200 +// vacancy 2x +/** NOTE: flags field is 12 bits */ + + +/* + * Per SEGMENT flags + */ +/** Flag to indicate that the current segment has been processed by the + * reassembly code and should be deleted after app layer protocol has been + * detected. */ +#define SEGMENTTCP_FLAG_RAW_PROCESSED 0x01 +/** App Layer reassembly code is done with this segment */ +#define SEGMENTTCP_FLAG_APPLAYER_PROCESSED 0x02 +/** Log API (streaming) has processed this segment */ +#define SEGMENTTCP_FLAG_LOGAPI_PROCESSED 0x04 + + +#define PAWS_24DAYS 2073600 /**< 24 days in seconds */ + +#define PKT_IS_IN_RIGHT_DIR(ssn, p) ((ssn)->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK ? \ + PKT_IS_TOSERVER(p) ? (p)->flowflags &= ~FLOW_PKT_TOSERVER \ + (p)->flowflags |= FLOW_PKT_TOCLIENT : (p)->flowflags &= ~FLOW_PKT_TOCLIENT \ + (p)->flowflags |= FLOW_PKT_TOSERVER : 0) + +/* Macro's for comparing Sequence numbers + * Page 810 from TCP/IP Illustrated, Volume 2. */ +#define SEQ_EQ(a,b) ((int32_t)((a) - (b)) == 0) +#define SEQ_LT(a,b) ((int32_t)((a) - (b)) < 0) +#define SEQ_LEQ(a,b) ((int32_t)((a) - (b)) <= 0) +#define SEQ_GT(a,b) ((int32_t)((a) - (b)) > 0) +#define SEQ_GEQ(a,b) ((int32_t)((a) - (b)) >= 0) + +#define STREAMTCP_SET_RA_BASE_SEQ(stream, seq) { \ + do { \ + (stream)->ra_raw_base_seq = (seq); \ + (stream)->ra_app_base_seq = (seq); \ + } while(0); \ +} + +#define StreamTcpSetEvent(p, e) { \ + SCLogDebug("setting event %"PRIu8" on pkt %p (%"PRIu64")", (e), p, (p)->pcap_cnt); \ + ENGINE_SET_EVENT((p), (e)); \ +} + +typedef struct TcpSession_ { + PoolThreadReserved res; + uint8_t state; + uint8_t queue_len; /**< length of queue list below */ + int8_t data_first_seen_dir; + /** track all the tcp flags we've seen */ + uint8_t tcp_packet_flags; + /* coccinelle: TcpSession:flags:STREAMTCP_FLAG */ + uint16_t flags; + TcpStream server; + TcpStream client; + struct StreamMsg_ *toserver_smsg_head; /**< list of stream msgs (for detection inspection) */ + struct StreamMsg_ *toserver_smsg_tail; /**< list of stream msgs (for detection inspection) */ + struct StreamMsg_ *toclient_smsg_head; /**< list of stream msgs (for detection inspection) */ + struct StreamMsg_ *toclient_smsg_tail; /**< list of stream msgs (for detection inspection) */ + + TcpStateQueue *queue; /**< list of SYN/ACK candidates */ +} TcpSession; + +#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream) \ + ((stream)->flags |= STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) +#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream) \ + ((stream)->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) +#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream) \ + ((stream)->flags &= ~STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED); +#define StreamTcpDisableAppLayerReassembly(ssn) do { \ + SCLogDebug("setting STREAMTCP_FLAG_APP_LAYER_DISABLED on ssn %p", ssn); \ + ((ssn)->flags |= STREAMTCP_FLAG_APP_LAYER_DISABLED); \ + } while (0); + +#endif /* __STREAM_TCP_PRIVATE_H__ */ |