/* * snort_ftptelnet.c * * Copyright (C) 2004 Sourcefire,Inc * Steven A. Sturges <ssturges@sourcefire.com> * Daniel J. Roelker <droelker@sourcefire.com> * Marc A. Norton <mnorton@sourcefire.com> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation.  You may not use, modify or * distribute this program under any other version of the GNU General * Public License. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * Description: * * This file wraps the FTPTelnet functionality for Snort * and starts the Normalization & Protocol checks. * * The file takes a Packet structure from the Snort IDS to start the * FTP/Telnet Normalization & Protocol checks.  It also uses the Stream * Interface Module which is also Snort-centric.  Mainly, just a wrapper * to FTP/Telnet functionality, but a key part to starting the basic flow. * * The main bulk of this file is taken up with user configuration and * parsing.  The reason this is so large is because FTPTelnet takes * very detailed configuration parameters for each specified FTP client, * to provide detailed control over an internal network and robust control * of the external network. *  * The main functions of note are: *   - FTPTelnetSnortConf()    the configuration portion *   - SnortFTPTelnet()        the actual normalization & inspection *   - LogEvents()             where we log the FTPTelnet events * * NOTES: * - 16.09.04:  Initial Development.  SAS * */#include <stdlib.h>#include <stdio.h>#include <string.h>#include <sys/types.h>#include "sf_ip.h"#ifndef WIN32#include <sys/socket.h>#include <netinet/in.h>#include <arpa/inet.h>#include <ctype.h>#endif#ifdef HAVE_CONFIG_H#include "config.h"#endif//#include "snort.h"//#include "detect.h"//#include "decode.h"//#include "log.h"//#include "event.h"//#include "generators.h"#include "debug.h"//#include "plugbase.h"//#include "util.h"//#include "event_queue.h"//#include "mstring.h"#define BUF_SIZE 1024#include "ftpp_return_codes.h"#include "ftpp_ui_config.h"#include "ftpp_ui_client_lookup.h"#include "ftpp_ui_server_lookup.h"#include "ftp_cmd_lookup.h"#include "ftp_bounce_lookup.h"#include "ftpp_si.h"#include "ftpp_eo_log.h"#include "pp_telnet.h"#include "pp_ftp.h"#include "stream_api.h"#include "profiler.h"#ifdef PERF_PROFILINGextern PreprocStats ftpPerfStats;extern PreprocStats telnetPerfStats;PreprocStats ftppDetectPerfStats;int ftppDetectCalled = 0;#endifextern FTPTELNET_GLOBAL_CONF FTPTelnetGlobalConf;//extern u_int8_t DecodeBuffer[DECODE_BLEN]; /* decode.c *//* * The definition of the configuration separators in the snort.conf * configure line. */#define CONF_SEPARATORS " \t\n\r"/* * These are the definitions of the parser section delimiting  * keywords to configure FtpTelnet.  When one of these keywords * are seen, we begin a new section. */#define GLOBAL        "global"#define TELNET        "telnet"#define FTP           "ftp"//#define GLOBAL_CLIENT "global_client"#define CLIENT        "client"#define SERVER        "server"/* * GLOBAL subkeyword values */#define ENCRYPTED_TRAFFIC "encrypted_traffic"#define CHECK_ENCRYPTED   "check_encrypted"#define INSPECT_TYPE      "inspection_type"#define INSPECT_TYPE_STATELESS "stateless"#define INSPECT_TYPE_STATEFUL  "stateful"/* * Protocol subkeywords. */#define PORTS             "ports"/* * Telnet subkeywords. */#define AYT_THRESHOLD     "ayt_attack_thresh"#define NORMALIZE         "normalize"#define DETECT_ANOMALIES  "detect_anomalies"/* * FTP SERVER subkeywords. */#define FTP_CMDS          "ftp_cmds"#define PRINT_CMDS        "print_cmds"#define MAX_PARAM_LEN     "def_max_param_len"#define ALT_PARAM_LEN     "alt_max_param_len"#define CMD_VALIDITY      "cmd_validity"#define STRING_FORMAT     "chk_str_fmt"#define TELNET_CMDS       "telnet_cmds"#define DATA_CHAN_CMD     "data_chan_cmds"#define DATA_XFER_CMD     "data_xfer_cmds"#define DATA_CHAN         "data_chan"#define LOGIN_CMD         "login_cmds"#define ENCR_CMD          "encr_cmds"#define DIR_CMD           "dir_cmds"/* * FTP CLIENT subkeywords */#define BOUNCE            "bounce"#define ALLOW_BOUNCE      "bounce_to"#define MAX_RESP_LEN      "max_resp_len"/* * Data type keywords */#define START_CMD_FORMAT    "<"#define END_CMD_FORMAT      ">"#define F_INT               "int"#define F_NUMBER            "number"#define F_CHAR              "char"#define F_DATE              "date"#define F_STRING            "string"#define F_STRING_FMT        "formated_string"#define F_HOST_PORT         "host_port"/* * Optional parameter delimiters */#define START_OPT_FMT       "["#define END_OPT_FMT         "]"#define START_CHOICE_FMT    "{"#define END_CHOICE_FMT      "}"#define OR_FMT              "|"/* * The cmd_validity keyword can be used with the format keyword to * restrict data types.  The interpretation is specific to the data * type.  'format' is only supported with date & char data types. * * A few examples: * * 1. Will perform validity checking of an FTP Mode command to * check for one of the characters A, S, B, or C. * * cmd_validity MODE char ASBC * * * 2. Will perform validity checking of an FTP MDTM command to * check for an optional date argument following the format * specified.  The date would uses the YYYYMMDDHHmmss+TZ format. * * cmd_validity MDTM [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string * * * 3. Will perform validity checking of an FTP ALLO command to * check for an integer, then optionally, the letter R and another * integer. * * cmd_validity ALLO int [ char R int ] *//* * The def_max_param_len & alt_max_param_len keywords can be used to * restrict parameter length for one or more commands.  The space * separated list of commands is enclosed in {}s. * * A few examples: * * 1. Restricts all command parameters to 100 characters * * def_max_param_len 100 * * 2. Overrides CWD pathname to 256 characters * * alt_max_param_len 256 { CWD }  * * 3. Overrides PWD & SYST to no parameters * * alt_max_param_len 0 { PWD SYST }  * *//* * Alert subkeywords */#define BOOL_YES     "yes"#define BOOL_NO      "no"/* * Port list delimiters */#define START_PORT_LIST "{"#define END_PORT_LIST   "}"/* * Keyword for the default client/server configuration */#define DEFAULT "default"/* * The default FTP server configuration for FTP command validation. * Most of this comes from RFC 959, with additional commands being * drawn from other RFCs/Internet Drafts that are in use. *  * Any of the below can be overridden in snort.conf. *  * This is here to eliminate most of it from snort.conf to * avoid an ugly configuration file.  The default_max_param_len * is somewhat arbitrary, but is taken from the majority of * the snort FTP rules that limit parameter size to 100 * characters, as of 18 Sep 2004. *  * The data_chan_cmds, data_xfer_cmds are used to track open * data channel connections. *  * The login_cmds and dir_cmds are used to track state of username * and current directory. */#define DEFAULT_FTP_CONF "hardcoded_config\ def_max_param_len 100 \ ftp_cmds { USER PASS ACCT CWD CDUP SMNT \   QUIT REIN PORT PASV TYPE STRU MODE RETR STOR STOU APPE ALLO REST \   RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP NOOP } \ ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ ftp_cmds { FEAT OPTS } \ ftp_cmds { MDTM REST SIZE MLST MLSD } \ alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ cmd_validity MODE < char SBC > \ cmd_validity STRU < char FRP > \ cmd_validity ALLO < int [ char R int ] > \ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ cmd_validity PORT < host_port > \ data_chan_cmds { PASV PORT } \ data_xfer_cmds { RETR STOR STOU APPE LIST NLST } \ login_cmds { USER PASS } \ dir_cmds { CWD 250 CDUP 250 PWD 257 } \"static int printedFTPHeader = 0;static int gDefaultServerConfig = 0;static int gDefaultClientConfig = 0;static char *maxToken = NULL;char *NextToken(char *delimiters){    char *retTok = strtok(NULL, delimiters);    if (retTok > maxToken)        return NULL;    return retTok;}/* * Function: ProcessConfOpt(FTPTELNET_CONF_OPT *ConfOpt, *                          char *Option, *                          char *ErrorString, int ErrStrLen) * * Purpose: Set the CONF_OPT on and alert fields. * *          We check to make sure of valid parameters and then set *          the appropriate fields. * * Arguments: ConfOpt       => pointer to the configuration option *            Option        => character pointer to the option being configured *            ErrorString   => error string buffer *            ErrStrLen     => the length of the error string buffer * * Returns: int     => an error code integer (0 = success, *                     >0 = non-fatal error, <0 = fatal error) * */static int ProcessConfOpt(FTPTELNET_CONF_OPT *ConfOpt, char *Option,                          char *ErrorString, int ErrStrLen){    char *pcToken;    pcToken = NextToken(CONF_SEPARATORS);    if(pcToken == NULL)    {        snprintf(ErrorString, ErrStrLen,                "No argument to token '%s'.", Option);        return FTPP_FATAL_ERR;    }    /*     * Check for the alert value      */    if(!strcmp(BOOL_YES, pcToken))    {        ConfOpt->alert = 1;    }    else if(!strcmp(BOOL_NO, pcToken))    {        ConfOpt->alert = 0;    }    else    {        snprintf(ErrorString, ErrStrLen,                "Invalid argument to token '%s'.", Option);        return FTPP_FATAL_ERR;    }    ConfOpt->on = 1;    return FTPP_SUCCESS;}/* * Function: PrintConfOpt(FTPTELNET_CONF_OPT *ConfOpt, *                          char *Option) * * Purpose: Prints the CONF_OPT and alert fields. * * Arguments: ConfOpt       => pointer to the configuration option *            Option        => character pointer to the option being configured * * Returns: int     => an error code integer (0 = success, *                     >0 = non-fatal error, <0 = fatal error) * */static int PrintConfOpt(FTPTELNET_CONF_OPT *ConfOpt, char *Option){    if(!ConfOpt || !Option)    {        return FTPP_INVALID_ARG;    }    if(ConfOpt->on)    {        _dpd.logMsg("      %s: YES alert: %s\n", Option,               ConfOpt->alert ? "YES" : "NO");    }    else    {        _dpd.logMsg("      %s: OFF\n", Option);    }    return FTPP_SUCCESS;}/*  * Function: ProcessInspectType(FTPTELNET_CONF_OPT *ConfOpt, *                          char *ErrorString, int ErrStrLen) * * Purpose: Process the type of inspection. *          This sets the type of inspection for FTPTelnet to do. * * Arguments: GlobalConf    => pointer to the global configuration *            ErrorString   => error string buffer *            ErrStrLen     => the length of the error string buffer * * Returns: int     => an error code integer (0 = success, *                     >0 = non-fatal error, <0 = fatal error) * */static int ProcessInspectType(FTPTELNET_GLOBAL_CONF *GlobalConf,                              char *ErrorString, int ErrStrLen){    char *pcToken;    pcToken = NextToken(CONF_SEPARATORS);    if(pcToken == NULL)    {        snprintf(ErrorString, ErrStrLen,                "No argument to token '%s'.", INSPECT_TYPE);        return FTPP_FATAL_ERR;    }    if(!strcmp(INSPECT_TYPE_STATEFUL, pcToken))    {        GlobalConf->inspection_type = FTPP_UI_CONFIG_STATEFUL;    }    else if(!strcmp(INSPECT_TYPE_STATELESS, pcToken))    {        GlobalConf->inspection_type = FTPP_UI_CONFIG_STATELESS;    }    else    {        snprintf(ErrorString, ErrStrLen,                "Invalid argument to token '%s'.  Must be either "