#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include "hi_return_codes.h"
#include "hi_ui_config.h"
#include "hi_ui_server_lookup.h"
#include "hi_si.h"
#include "hi_ad.h"
Functions
static int IsServer (HTTPINSPECT_CONF *ServerConf, unsigned short port)
static int InitServerConf (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HTTPINSPECT_CONF **ServerConf, HTTPINSPECT_CONF **ClientConf, HI_SI_INPUT *SiInput, int *piInspectMode)
static int StatefulSessionInspection (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectType)
static INLINE int ResetSession (HI_SESSION *Session)
static int StatelessSessionInspection (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectMode)
int hi_si_session_inspection (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectMode)
The main responsibility of this module is to supply the appropriate data structures and configurations for the rest of the HttpInspect process. The module also determines what type of data is being inspected, whether it is client, server, or neither.
NOTES:
Definition in file hi_si.c.
int hi_si_session_inspection (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectMode)
The Session Inspection module selects the appropriate server configuration for the session and the type of inspection to be performed (client or server). When the Session Inspection module is in stateful mode, it checks whether a HI_SESSION pointer is already associated with the stream. If there is one, it uses that session pointer; otherwise it calculates the server configuration using the HI_SI_INPUT and returns a HI_SESSION pointer. In stateful mode, this means that memory is allocated, but in stateless mode the same session pointer is used for all packets to reduce the allocation overhead. The inspection mode can be client, server, or neither. In the case of neither, the packet is inspected for rogue HTTP servers and HTTP tunneling.
Definition at line 322 of file hi_si.c.
References HI_SUCCESS, HI_UI_CONFIG_STATEFUL, s_HTTPINSPECT_GLOBAL_CONF::inspection_type, StatefulSessionInspection(), and StatelessSessionInspection().
Referenced by SnortHttpInspect().
static int InitServerConf (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HTTPINSPECT_CONF **ServerConf, HTTPINSPECT_CONF **ClientConf, HI_SI_INPUT *SiInput, int *piInspectMode)
When a session is initialized, we must select the appropriate server configuration and select the type of inspection based on the source and destination ports. IMPORTANT NOTE: We should check to make sure that there are some unique configurations, otherwise we can just default to the global default and work some magic that way.
Definition at line 86 of file hi_si.c.
References s_HI_SI_INPUT::dip, s_HI_SI_INPUT::dport, s_HTTPINSPECT_GLOBAL_CONF::global_server, HI_SI_CLIENT_MODE, HI_SI_NO_MODE, HI_SI_SERVER_MODE, HI_SUCCESS, hi_ui_server_lookup_find(), IsServer(), NULL, s_HI_SI_INPUT::pdir, s_HTTPINSPECT_GLOBAL_CONF::server_lookup, s_HI_SI_INPUT::sip, and s_HI_SI_INPUT::sport.
Referenced by StatelessSessionInspection().
static int IsServer (HTTPINSPECT_CONF *ServerConf, unsigned short port)
Given a server configuration and a port number, we decide if the port is in the HTTP server port list.
Definition at line 52 of file hi_si.c.
References s_HTTPINSPECT_CONF::ports.
Referenced by InitServerConf(), PortscanPreprocFunction(), and SnortXLINK2STATE().
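The port-based selection described for InitServerConf() and IsServer() can be sketched as follows. This is an added example, not code from hi_si.c: every demo_* name is hypothetical, and the direction rule and the tie-break when both ports match are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the page's types; not Snort's definitions. */
enum demo_mode { DEMO_NO_MODE, DEMO_CLIENT_MODE, DEMO_SERVER_MODE };
struct demo_conf { unsigned char ports[65536]; };  /* nonzero = HTTP server port */
struct demo_input { unsigned short sport, dport; };

/* The question IsServer() answers: is this port in the server port list? */
static int demo_is_server(const struct demo_conf *conf, unsigned short port)
{
    return conf != NULL && conf->ports[port] != 0;
}

/* Assumed rule: traffic headed to a server port is a client request,
 * traffic leaving one is a server response, anything else is "neither".
 * When both ports match, client mode wins (also an assumption). */
static enum demo_mode demo_select_mode(const struct demo_conf *dst_conf,
                                       const struct demo_conf *src_conf,
                                       const struct demo_input *in)
{
    if (demo_is_server(dst_conf, in->dport))
        return DEMO_CLIENT_MODE;
    if (demo_is_server(src_conf, in->sport))
        return DEMO_SERVER_MODE;
    return DEMO_NO_MODE;
}

/* Constructed sample: one configuration listing ports 80 and 8080. */
static enum demo_mode demo_classify(unsigned short sport, unsigned short dport)
{
    static struct demo_conf web;
    struct demo_input in = { sport, dport };
    memset(web.ports, 0, sizeof web.ports);
    web.ports[80] = web.ports[8080] = 1;
    return demo_select_mode(&web, &web, &in);
}

int main(void)
{
    static const char *names[] = { "neither", "client", "server" };
    printf("49152 -> 80   : %s\n", names[demo_classify(49152, 80)]);
    printf("80 -> 49152   : %s\n", names[demo_classify(80, 49152)]);
    printf("49152 -> 8000 : %s\n", names[demo_classify(49152, 8000)]);
    return 0;
}
```

The third case shows the coverage consequence: HTTP on a port missing from the list gets neither client nor server inspection, only the rogue-server and tunneling checks the page describes for "neither".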
static INLINE int ResetSession (HI_SESSION *Session)
This function resets all the variables that need to be initialized for a new Session. I've tried to keep this to a minimum, so we don't have to worry about initializing big structures.
Definition at line 222 of file hi_si.c.
References s_HI_SESSION::anom_server, s_HI_SESSION::client, s_HI_ANOM_SERVER::event_list, s_HI_CLIENT::event_list, HI_SUCCESS, NULL, s_HI_CLIENT_REQ::pipeline_req, s_HI_CLIENT::request, s_HI_ANOM_SERVER_EVENTS::stack_count, s_HI_CLIENT_EVENTS::stack_count, s_HI_CLIENT_REQ::uri, s_HI_CLIENT_REQ::uri_norm, s_HI_CLIENT_REQ::uri_norm_size, and s_HI_CLIENT_REQ::uri_size.
Referenced by StatelessSessionInspection().
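static int StatefulSessionInspection (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectType)
Definition at line 197 of file hi_si.c.
References HI_NONFATAL_ERR.
Referenced by hi_si_session_inspection().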
static int StatelessSessionInspection (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectMode)
Initialize the session and server configurations for this packet/stream. It is important to note that in stateless mode we assume no knowledge of the state of a connection, other than the knowledge that we can glean from an individual packet. So in essence, each packet is its own session and there is no knowledge retained from one packet to another. If you want to track an HTTP session for real, use stateful mode. In this function, we set the Session pointer (which includes the correct server configuration). The actual processing to find which IP is the server and which is the client is done in the InitServerConf() function.
Definition at line 264 of file hi_si.c.
References s_HI_SESSION::client_conf, s_HI_SESSION::global_conf, HI_SUCCESS, InitServerConf(), ResetSession(), and s_HI_SESSION::server_conf.
Referenced by hi_si_session_inspection().