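/**
** @file hi_ad.c
**
** @author Daniel Roelker <droelker@sourcefire.com>
**
** @brief This is the server anomaly module file. Looks for anomalous
** servers and other stuff. Still thinking about it.
**
** NOTES:
** - 3.2.03: Initial development. DJR
*/
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#include "hi_ui_config.h"
#include "hi_return_codes.h"
#include "hi_eo_log.h"
#include "hi_si.h"

/*
** NAME
** hi_server_anomaly_detection::
*/
/**
** Inspect packet/streams for anomalous server detection and tunneling.
**
** This really checks for anything that we want to look at for rogue
** HTTP servers, HTTP tunneling in unknown servers, and detection of
** sessions that are actually talking HTTP.
**
** What is implemented here today is a single heuristic: when the
** global "anomalous_servers" option is on, a payload that begins with
** the HTTP response prefix "HTTP/" is reported through
** hi_eo_anom_server_event_log() as HI_EO_ANOM_SERVER. The caller is
** expected to invoke this only for traffic that is not already bound
** to a configured HTTP server (see the @param note on Session); the
** function itself does not check ports.
**
** @param S        HI_SESSION pointer (passed as void *) for the session
**                 that has no server conf; only Session->global_conf
**                 is read from it
** @param data     unsigned char pointer to payload/stream data
** @param dsize    the size of the payload/stream data, in bytes
**
** @return integer
**
** @retval HI_SUCCESS     function successful (an event may or may not
**                        have been logged)
** @retval HI_INVALID_ARG S, data or Session->global_conf is NULL, or
**                        dsize is less than 1
*/
int hi_server_anomaly_detection(void *S, u_char *data, int dsize)
{
    /* Response-line prefix that identifies an HTTP server talking. */
    static const char http_resp_prefix[] = "HTTP/";
    const size_t prefix_len = sizeof http_resp_prefix - 1;

    HI_SESSION *Session = (HI_SESSION *)S;
    HTTPINSPECT_GLOBAL_CONF *GlobalConf;

    /*
    ** Validate every pointer we dereference before touching it. The
    ** payload check alone is not enough: a NULL session would otherwise
    ** be dereferenced on the global_conf lookup below.
    */
    if(S == NULL || data == NULL || dsize < 1)
        return HI_INVALID_ARG;

    GlobalConf = Session->global_conf;
    if(GlobalConf == NULL)
        return HI_INVALID_ARG;

    /*
    ** We are just going to look for server responses on non-HTTP
    ** ports.
    **
    ** The size threshold is kept strictly greater than the prefix
    ** length (the original compared dsize > 5), so a payload that is
    ** exactly "HTTP/" with nothing after it is not reported.
    */
    if(GlobalConf->anomalous_servers && dsize > (int)prefix_len)
    {
        /*
        ** We now do the checking for anomalous HTTP servers: the read
        ** is bounded by prefix_len, which is below dsize at this point.
        */
        if(memcmp(data, http_resp_prefix, prefix_len) == 0)
        {
            hi_eo_anom_server_event_log(Session, HI_EO_ANOM_SERVER,
                                        NULL, NULL);
        }
    }

    return HI_SUCCESS;
}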