/*
 * ftpp_si.c
 *
 * Copyright (C) 2004 Sourcefire,Inc
 * Steven A. Sturges <ssturges@sourcefire.com>
 * Daniel J. Roelker <droelker@sourcefire.com>
 * Marc A. Norton <mnorton@sourcefire.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Description:
 *
 * This file contains functions to select server configurations
 * and begin the FTPTelnet process.
 *
 * The Session Inspection Module interfaces with the Stream Inspection
 * Module and the User Interface Module to select the appropriate
 * FTPTelnet configuration and in the case of stateful inspection the
 * Session Inspection Module retrieves the user-data from the Stream
 * Module.  For stateless inspection, the Session Inspection Module uses
 * the same structure for use by each packet.
 *
 * The main responsibility of this module is to supply the appropriate
 * data structures and configurations for the rest of the FTPTelnet
 * process.  The module also determines what type of data is being
 * inspected, whether it is client, server, or neither.
 *
 * NOTES:
 * - 20.09.04: Initial Development.  SAS
 *
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#include "ftpp_return_codes.h"
#include "ftpp_ui_config.h"
#include "ftpp_ui_client_lookup.h"
#include "ftpp_ui_server_lookup.h"
#include "ftpp_si.h"
#include "stream_api.h"

#ifndef WIN32
#include <ctype.h>
#endif

/*
 * Function: PortMatch(PROTO_CONF *Conf, unsigned short port)
 *
 * Purpose: Report whether a port is flagged in a configuration's port
 *          table.  The port value is used directly as the index into
 *          Conf->ports.
 *
 * Arguments: Conf => pointer to the client or server configuration
 *            port => the port number to look up
 *
 * Returns: int => 1 when Conf->ports[port] is non-zero, otherwise 0.
 *
 * NOTE(review): presumably ports[] holds one entry for every possible
 * unsigned short value, so the index cannot run past the table; confirm
 * against the PROTO_CONF definition.  Conf itself is not NULL-checked.
 */
static int PortMatch(PROTO_CONF *Conf, unsigned short port)
{
    return Conf->ports[port] ? 1 : 0;
}

/*
 * Function: TelnetFreeSession(void *preproc_session)
 *
 * Purpose: Release the memory of one Telnet session.  The session is
 *          obtained with a single calloc() in
 *          TelnetStatefulSessionInspection(), so one free() releases it.
 *          TelnetSessionInspection() hands this function to the stream
 *          API together with the session pointer.
 *
 * Arguments: preproc_session => pointer to the session to free
 *
 * Returns: None
 */
static void TelnetFreeSession(void *preproc_session)
{
    /* free() accepts NULL, so no guard is needed here. */
    free(preproc_session);
}

/*
 * Function: TelnetResetSession(TELNET_SESSION *Session)
 *
 * Purpose: Put the fields a new session depends on back to their
 *          starting values.  Only the five members assigned below are
 *          touched; every other member keeps whatever it held.
 *
 * Arguments: Session => pointer to the session to reset
 *
 * Returns: int => always FTPP_SUCCESS
 *
 * NOTE(review): in stateless mode the same object is reset for every
 * packet, so confirm that TELNET_SESSION has no further per-session
 * member that would carry over from one packet to the next.
 */
static INLINE int TelnetResetSession(TELNET_SESSION *Session)
{
    /* Counters and state first, configuration pointers last. */
    Session->event_list.stack_count = 0;
    Session->encr_state = NO_STATE;
    Session->consec_ayt = 0;

    Session->global_conf = NULL;
    Session->telnet_conf = NULL;

    return FTPP_SUCCESS;
}

/*
 * Function: TelnetStatefulSessionInspection(SFSnortPacket *p,
 *                          FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                          TELNET_SESSION **TelnetSession,
 *                          FTPP_SI_INPUT *SiInput)
 *
 * Purpose: Hand back the Telnet session for this packet's stream.  A
 *          session already stored on the stream under PP_TELNET is
 *          reused; otherwise a zeroed session is allocated, reset and
 *          pointed at the global Telnet configuration.  This function
 *          does not store the new session on the stream; the caller
 *          does that.
 *
 * Arguments: p             => pointer to the packet/stream
 *            GlobalConf    => pointer to the global configuration
 *            TelnetSession => receives the session pointer
 *            SiInput       => pointer to the session information
 *                             (not read here)
 *
 * Returns: int => FTPP_SUCCESS on every path that returns
 */
static int TelnetStatefulSessionInspection(SFSnortPacket *p,
        FTPTELNET_GLOBAL_CONF *GlobalConf,
        TELNET_SESSION **TelnetSession,
        FTPP_SI_INPUT *SiInput)
{
    TELNET_SESSION *fresh;

    /* Prefer the session that is already attached to the stream. */
    if (p->stream_session_ptr != NULL)
    {
        TELNET_SESSION *stored =
            _dpd.streamAPI->get_application_data(p->stream_session_ptr,
                                                 PP_TELNET);

        *TelnetSession = stored;
        if (stored != NULL)
        {
            return FTPP_SUCCESS;
        }
    }

    /* Nothing stored yet: build a zero-filled session. */
    fresh = calloc(1, sizeof *fresh);
    if (!fresh)
    {
        /*
         * NOTE(review): assumes DynamicPreprocessorFatalMessage() does not
         * return; if it could, the reset below would dereference NULL.
         * The message also reads *(_dpd.config_file) and
         * *(_dpd.config_line); confirm both are valid while packets are
         * being processed, not only during configuration parsing.
         */
        DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for new Telnet session\n",
                                        *(_dpd.config_file), *(_dpd.config_line));
    }

    TelnetResetSession(fresh);
    fresh->global_conf = GlobalConf;
    fresh->telnet_conf = &GlobalConf->global_telnet;

    *TelnetSession = fresh;
    return FTPP_SUCCESS;
}

/*
 * Function: TelnetStatelessSessionInspection(SFSnortPacket *p,
 *                          FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                          TELNET_SESSION **Session,
 *                          FTPP_SI_INPUT *SiInput)
 *
 * Purpose: Hand back a session for a single packet.  Stateless mode
 *          keeps no knowledge from one packet to the next: one
 *          function-static TELNET_SESSION is reset and pointed at the
 *          global Telnet configuration on every call, and its address
 *          is returned.  Every caller therefore receives the same
 *          object, and a pointer from an earlier call sees the reset.
 *          To follow a Telnet session across packets, use stateful
 *          mode.
 *
 * Arguments: p          => pointer to the packet/stream (not read here)
 *            GlobalConf => pointer to the global configuration
 *            Session    => receives the session pointer
 *            SiInput    => pointer to the session information
 *                          (not read here)
 *
 * Returns: int => always FTPP_SUCCESS
 */
static int TelnetStatelessSessionInspection(SFSnortPacket *p,
        FTPTELNET_GLOBAL_CONF *GlobalConf,
        TELNET_SESSION **Session,
        FTPP_SI_INPUT *SiInput)
{
    static TELNET_SESSION PacketSession;
    TELNET_SESSION *current = &PacketSession;

    TelnetResetSession(current);
    current->global_conf = GlobalConf;
    current->telnet_conf = &GlobalConf->global_telnet;

    *Session = current;
    return FTPP_SUCCESS;
}

/*
 * Function: TelnetSessionInspection(Packet *p,
 *                          FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                          FTPP_SI_INPUT *SiInput,
 *                          int *piInspectMode)
 *
 * Purpose: The Session Inspection module selects the appropriate
 *          configuration for the session, and the type of inspection
 *          to be performed (client or server.)
 *
 *          When the Session Inspection module is in stateful mode, it
 *          checks to see if there is a TELNET_SESSION pointer already
 *          associated with the stream.  If there is, then it uses that
 *          session pointer, otherwise it calculates the server configuration
 *          using the FTP_SI_INPUT and returns a TELNET_SESSION pointer.  In
 *          stateful mode, this means that memory is allocated, but in
 *          stateless mode, the same session pointer is used for all packets
 *          to reduce the allocation overhead.
 *
 *          The inspection mode can be either client or server.
* * Arguments: p => pointer to the packet/stream * GlobalConf => pointer to the global configuration * Session => double pointer to the Session structure * SiInput => pointer to the session information * piInspectMode => pointer for setting inspection mode * * Returns: int => return code indicating error or success * */int TelnetSessionInspection(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf, FTPP_SI_INPUT *SiInput, int *piInspectMode){ TELNET_SESSION *TelnetSession; int iRet; int iTelnetSip; int iTelnetDip; iTelnetSip = PortMatch((PROTO_CONF*)&GlobalConf->global_telnet, SiInput->sport); iTelnetDip = PortMatch((PROTO_CONF*)&GlobalConf->global_telnet, SiInput->dport); if (iTelnetSip) { *piInspectMode = FTPP_SI_SERVER_MODE; } else if (iTelnetDip) { *piInspectMode = FTPP_SI_CLIENT_MODE; } else { return FTPP_INVALID_PROTO; } SiInput->pproto = FTPP_SI_PROTO_TELNET; /* * We get the server configuration and the session structure differently * depending on what type of inspection we are doing. In the case of * stateful processing, we may get the session structure from the Stream * Reassembly module (which includes the server configuration) or the * structure will be allocated and added to the stream pointer for the * rest of the session. * * In stateless mode, we just use a static variable that is contained in * the function here. */ if(GlobalConf->inspection_type == FTPP_UI_CONFIG_STATEFUL) { iRet = TelnetStatefulSessionInspection(p, GlobalConf, &TelnetSession, SiInput); if (iRet) { return iRet; } if (p->stream_session_ptr) { _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_TELNET, TelnetSession, &TelnetFreeSession); } else {