/*
 * stream.h -- data structures of the Snort stream4 TCP preprocessor:
 * per-direction stream state (Stream), the session that pairs two of
 * them (Session), the session-cache hash key (SessionHashKey), a buffered
 * segment (StreamPacketData) and the preprocessor configuration
 * (Stream4Data).  Field order and width are relied on by the code that
 * fills and hashes these structs, so treat the layout as an interface.
 */
/* NOTE(review): identifiers beginning with a double underscore are reserved
 * for the implementation (C11 7.1.3).  The guard name is left unchanged here
 * because other translation units may test it; renaming it (e.g. STREAM_H)
 * needs a search of those users first. */
#ifndef __STREAM_H__
#define __STREAM_H__

#include "snort_packet_header.h"
#include "ubi_SplayTree.h"

/* Toggles whether to use the HASH_TABLE for the
 * session cache -- versus a SplayTree.
 * Exactly one of the two is meant to be active: the #ifdef USE_HASH_TABLE
 * blocks below treat "not defined" as the splay-tree build.
 */
#define USE_HASH_TABLE
//#define USE_SPLAY_TREE

/* Only track a certain number of alerts per session.
 * Sizes Session.alert_gid / Session.alert_sid; Session.alert_count must be
 * checked against this bound before either array is indexed. */
#define MAX_SESSION_ALERTS 8

/* Session flags for stream4 data (bits OR'd into a 32-bit flag word;
 * presumably Session.session_flags -- confirm against the setters). */
#define SSNFLAG_SEEN_CLIENT 0x00000001
#define SSNFLAG_SEEN_SERVER 0x00000002
#define SSNFLAG_ESTABLISHED 0x00000004
#define SSNFLAG_NMAP 0x00000008
#define SSNFLAG_ECN_CLIENT_QUERY 0x00000010
#define SSNFLAG_ECN_SERVER_REPLY 0x00000020
#define SSNFLAG_HTTP_1_1 0x00000040 /* has this stream seen HTTP 1.1? */
#define SSNFLAG_SEEN_PMATCH 0x00000080 /* has this stream seen a
                                          pattern match? */
#define SSNFLAG_MIDSTREAM 0x00000100 /* picked up midstream */
#define SSNFLAG_CLIENT_FIN 0x00000200 /* server sent fin */
#define SSNFLAG_SERVER_FIN 0x00000400 /* client sent fin */
/* NOTE(review): the two FIN comments above read opposite to the flag names
 * (CLIENT_FIN says "server sent fin" and vice versa).  Confirm against the
 * code that sets them before relying on either reading. */

#define SSNFLAG_ALL 0xFFFFFFFF /* all that and a bag of chips */

/* Protocol tags for the preprocessor layer attached to a session
 * (presumably the values stored in Session.preproc_proto -- confirm). */
#define SSNPREPROC_HTTP 0x01
#define SSNPREPROC_TELNET 0x02
#define SSNPREPROC_FTP 0x03
#define SSNPREPROC_SMTP 0x04

/* One direction of a TCP conversation.  A Session holds two of these,
 * one for the server side and one for the client side. */
typedef struct _Stream
{
    u_int32_t ip; /* IP addr */
    u_int16_t port; /* port number */
    u_int8_t state; /* stream state */
    u_int32_t isn; /* initial sequence number */
    u_int32_t base_seq; /* base seq num for this packet set */
    u_int32_t last_ack; /* last segment ack'd */
    u_int16_t win_size; /* window size */
    u_int32_t next_seq; /* next sequence we expect to see -- used on reassemble */
    u_int32_t pkts_sent; /* track the number of packets in this stream */
    u_int32_t bytes_sent; /* track the number of bytes in this stream */
    u_int32_t bytes_tracked; /* track the total number of bytes on
                                this side */
    u_int8_t state_queue; /* queued state transition */
    u_int8_t expected_flags; /* tcp flag needed to accept transition */
    u_int32_t trans_seq; /* sequence number of transition packet */
    u_int8_t stq_chk_seq; /* flag to see if we need to check the seq
                             num of the state transition packet */
    u_int32_t overlap_pkts; /* track the number of packets with duplicate seq #s */
    u_int32_t bytes_inspected; /* track the number of bytes seen since last
                                * data from other side */

    ubi_trRoot data; /* root of the ubi tree of buffered segments for this
                      * side; presumably StreamPacketData nodes via their
                      * Node member -- confirm against the insert code */

    u_int32_t last_trunc_time; /* last time this session was truncated. (stream4inline) */
} Stream;

#ifdef USE_HASH_TABLE
/* Key used to look a session up in the hash-table session cache.
 * NOTE(review): the explicit pad fields on _LP64 suggest the key is hashed
 * or compared as raw bytes; whoever builds a key must zero it first
 * (e.g. = {0}) so padding never differs between otherwise-equal keys --
 * confirm against the lookup code. */
typedef struct _SessionHashKey
{
    u_int32_t lowIP;
    u_int32_t highIP;
    u_int16_t port; /* If IPs are the same, this will be the lower of
                     * the two ports. Otherwise, it will be the port
                     * corresponding to lowIP. */
#if defined(_LP64)
    u_int16_t pad1;
#endif
    u_int16_t port2;
#if defined(_LP64)
    u_int16_t pad2;
#endif
} SessionHashKey;
#else /* USE_SPLAY_TREE */
#endif

/* A tracked TCP session: both directions plus bookkeeping for timeouts,
 * per-session alert suppression and an optional preprocessor payload. */
typedef struct _Session
{
#ifdef USE_HASH_TABLE
#else /* USE_SPLAY_TREE */
    ubi_trNode Node; /* Record keeper for the ubi stuff */
#endif
    Stream server;
    Stream client;

    time_t start_time; /* unix second the session started */
    time_t last_session_time; /* last time this session got a packet */

    u_int32_t session_flags; /* special little flags we keep */
    u_int32_t http_alert_flags;

    u_int32_t flush_point;
    u_int8_t ttl; /* track the ttl of this current session ( only done on client side ) */

    u_int32_t alert_gid[MAX_SESSION_ALERTS]; /* flag alerts seen in a session */
    u_int32_t alert_sid[MAX_SESSION_ALERTS]; /* flag alerts seen in a session */
    u_int8_t alert_count; /* count alerts seen in a session; valid indices
                           * into alert_gid/alert_sid are < MAX_SESSION_ALERTS */

    u_int8_t preproc_proto;
    void *preproc_data; /* preprocessor layer data structure */
    void (*preproc_free)(void *); /* function to free preproc_data;
                                   * ownership of preproc_data stays with
                                   * the session until this is called */
#ifdef USE_HASH_TABLE
    SessionHashKey hashKey;
#else /* USE_SPLAY_TREE */
#endif

    /* tag this session to know it is already dumped */
    u_int8_t dumptag;

} Session;

/* used for the StreamPacketData chuck field */
#define SEG_UNASSEMBLED 0x00
#define SEG_FULL 0x01
#define SEG_PARTIAL 0x02

/* One buffered TCP segment awaiting reassembly.  pkt_size and payload_size
 * are the bounds for pkt and payload respectively; readers should not run
 * past them. */
typedef struct _StreamPacketData
{
    ubi_trNode Node;
    u_int8_t *pktOrig;
    u_int8_t *pkt;
    u_int8_t *payload;
    SnortPktHeader pkth;
    u_int32_t seq_num;
    u_int16_t payload_size;
    u_int16_t pkt_size;
    u_int32_t cksum;
    u_int8_t chuck; /* mark the spd for chucking if it's
                     * been reassembled (one of the SEG_* values)
                     */
} StreamPacketData;

/* Global configuration and runtime state of the stream4 preprocessor. */
typedef struct _Stream4Data
{
    char stream4_active;

    char stateful_inspection_flag;
    u_int32_t timeout;
    char state_alerts;
    char evasion_alerts;
    u_int32_t memcap;
    u_int32_t max_sessions;
    double cache_clean_percent;
    u_int16_t cache_clean_sessions;

    char log_flushed_streams;

    char ps_alerts;

    char track_stats_flag;
    char *stats_file;

    u_int32_t last_prune_time;

    char reassemble_client;
    char reassemble_server;
    char reassembly_alerts;
    char state_protection;
    char zero_flushed_packets;
    char flush_on_alert;
    u_int32_t overlap_limit;

    u_int8_t assemble_ports[65536]; /* one entry per TCP port */
    u_int8_t emergency_ports[65536]; /* alternate port set for self-preservation mode */

    u_int32_t sp_threshold;
    u_int32_t sp_period;

    u_int32_t suspend_threshold;
    u_int32_t suspend_period;


    u_int8_t stop_traverse;
    u_int32_t stop_seq;

    u_int8_t min_ttl; /* min TTL we'll accept to insert a packet */
    u_int8_t ttl_limit; /* the largest difference we'll accept in the
                           course of a TTL conversation */
    u_int16_t path_mtu; /* max segment size we'll accept */
    u_int8_t reassy_method;
    u_int32_t ps_memcap;
    int flush_data_diff_size;


    char asynchronous_link; /* used when you can only see part of the conversation;
                               it can't be anywhere NEAR as robust */
    char enforce_state;
    char ms_inline_alerts;

    u_int32_t server_inspect_limit;

    // Random flush points (flush_seed is presumably what the randomisation
    // is seeded from -- confirm against the flush-point code)
    u_int32_t flush_base;
    u_int32_t flush_range;
    int32_t flush_behavior;
    u_int32_t flush_seed;

#ifdef GIDS
    /* stream4inline extra vars */
    char stream4inline_mode;

    /* sliding window size */
    u_int32_t stream4inline_window_size;

    char truncate; /* truncate (1) or prune (0) when SafeMalloc needs mem */
    char truncate_cut_off_perc; /* cut this part off of the stream when truncating */

    char drop_out_of_window;
    char drop_data_on_unest;
    char drop_no_tcp_on_est;
    char drop_not_in_limits;
    char drop_ttl_evasion;

    char store_state_to_disk;
    char state_file[255]; /* fixed buffer: writers must bound the copy
                           * (e.g. snprintf) and keep the NUL terminator */
#endif /* GIDS */

} Stream4Data;

#endif // __STREAM_H__