diff options
Diffstat (limited to 'src/util-exception-policy.c')
| -rw-r--r-- | src/util-exception-policy.c | 377 |
1 files changed, 377 insertions, 0 deletions
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c new file mode 100644 index 0000000..6c8ba0f --- /dev/null +++ b/src/util-exception-policy.c @@ -0,0 +1,377 @@ +/* Copyright (C) 2022-2023 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + */ + +#include "suricata-common.h" +#include "suricata.h" +#include "packet.h" +#include "util-exception-policy.h" +#include "util-misc.h" +#include "stream-tcp-reassemble.h" +#include "action-globals.h" + +enum ExceptionPolicy g_eps_master_switch = EXCEPTION_POLICY_NOT_SET; +/** true if exception policy was defined in config */ +static bool g_eps_have_exception_policy = false; + +static const char *ExceptionPolicyEnumToString(enum ExceptionPolicy policy) +{ + switch (policy) { + case EXCEPTION_POLICY_NOT_SET: + return "ignore"; + case EXCEPTION_POLICY_AUTO: + return "auto"; + case EXCEPTION_POLICY_REJECT: + return "reject"; + case EXCEPTION_POLICY_BYPASS_FLOW: + return "bypass"; + case EXCEPTION_POLICY_DROP_FLOW: + return "drop-flow"; + case EXCEPTION_POLICY_DROP_PACKET: + return "drop-packet"; + case EXCEPTION_POLICY_PASS_PACKET: + return "pass-packet"; + case EXCEPTION_POLICY_PASS_FLOW: + return "pass-flow"; + } + // TODO we shouldn't reach this, but if we do, better not to leave this as simply null... + return "not set"; +} + +void SetMasterExceptionPolicy(void) +{ + g_eps_master_switch = ExceptionPolicyParse("exception-policy", true); +} + +static enum ExceptionPolicy GetMasterExceptionPolicy(const char *option) +{ + return g_eps_master_switch; +} + +void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason) +{ + SCLogDebug("start: pcap_cnt %" PRIu64 ", policy %u", p->pcap_cnt, policy); + switch (policy) { + case EXCEPTION_POLICY_AUTO: + break; + case EXCEPTION_POLICY_NOT_SET: + break; + case EXCEPTION_POLICY_REJECT: + SCLogDebug("EXCEPTION_POLICY_REJECT"); + PacketDrop(p, ACTION_REJECT, drop_reason); + if (!EngineModeIsIPS()) { + break; + } + /* fall through */ + case EXCEPTION_POLICY_DROP_FLOW: + SCLogDebug("EXCEPTION_POLICY_DROP_FLOW"); + if (p->flow) { + p->flow->flags |= FLOW_ACTION_DROP; + FlowSetNoPayloadInspectionFlag(p->flow); + FlowSetNoPacketInspectionFlag(p->flow); + StreamTcpDisableAppLayer(p->flow); + } + /* fall through */ + case EXCEPTION_POLICY_DROP_PACKET: + SCLogDebug("EXCEPTION_POLICY_DROP_PACKET"); + DecodeSetNoPayloadInspectionFlag(p); + DecodeSetNoPacketInspectionFlag(p); + PacketDrop(p, ACTION_DROP, drop_reason); + break; + case EXCEPTION_POLICY_BYPASS_FLOW: + PacketBypassCallback(p); + /* fall through */ + case EXCEPTION_POLICY_PASS_FLOW: + SCLogDebug("EXCEPTION_POLICY_PASS_FLOW"); + if (p->flow) { + p->flow->flags |= FLOW_ACTION_PASS; + FlowSetNoPacketInspectionFlag(p->flow); // TODO util func + } + /* fall through */ + case EXCEPTION_POLICY_PASS_PACKET: + SCLogDebug("EXCEPTION_POLICY_PASS_PACKET"); + DecodeSetNoPayloadInspectionFlag(p); + DecodeSetNoPacketInspectionFlag(p); + break; + } + SCLogDebug("end"); +} + +static enum ExceptionPolicy PickPacketAction(const char *option, enum ExceptionPolicy p) +{ + switch (p) { + case EXCEPTION_POLICY_DROP_FLOW: + SCLogWarning( + "flow actions not supported for %s, defaulting to \"drop-packet\"", option); + return EXCEPTION_POLICY_DROP_PACKET; + case EXCEPTION_POLICY_PASS_FLOW: + SCLogWarning( + "flow actions not supported for %s, defaulting to \"pass-packet\"", option); + return EXCEPTION_POLICY_PASS_PACKET; + case EXCEPTION_POLICY_BYPASS_FLOW: + SCLogWarning("flow actions not supported for %s, defaulting to \"ignore\"", option); + return EXCEPTION_POLICY_NOT_SET; + /* add all cases, to make sure new cases not handle will raise + * errors */ + case EXCEPTION_POLICY_DROP_PACKET: + break; + case EXCEPTION_POLICY_PASS_PACKET: + break; + case EXCEPTION_POLICY_REJECT: + break; + case EXCEPTION_POLICY_NOT_SET: + break; + case EXCEPTION_POLICY_AUTO: + break; + } + return p; +} + +static enum ExceptionPolicy ExceptionPolicyConfigValueParse( + const char *option, const char *value_str) +{ + enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET; + if (strcmp(value_str, "drop-flow") == 0) { + policy = EXCEPTION_POLICY_DROP_FLOW; + } else if (strcmp(value_str, "pass-flow") == 0) { + policy = EXCEPTION_POLICY_PASS_FLOW; + } else if (strcmp(value_str, "bypass") == 0) { + policy = EXCEPTION_POLICY_BYPASS_FLOW; + } else if (strcmp(value_str, "drop-packet") == 0) { + policy = EXCEPTION_POLICY_DROP_PACKET; + } else if (strcmp(value_str, "pass-packet") == 0) { + policy = EXCEPTION_POLICY_PASS_PACKET; + } else if (strcmp(value_str, "reject") == 0) { + policy = EXCEPTION_POLICY_REJECT; + } else if (strcmp(value_str, "ignore") == 0) { // TODO name? + policy = EXCEPTION_POLICY_NOT_SET; + } else if (strcmp(value_str, "auto") == 0) { + policy = EXCEPTION_POLICY_AUTO; + } else { + FatalErrorOnInit( + "\"%s\" is not a valid exception policy value. Valid options are drop-flow, " + "pass-flow, bypass, reject, drop-packet, pass-packet, ignore or auto.", + value_str); + } + + return policy; +} + +/* Select an exception policy in case the configuration value was set to 'auto' */ +static enum ExceptionPolicy ExceptionPolicyPickAuto(bool midstream_enabled, bool support_flow) +{ + enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET; + if (!midstream_enabled && EngineModeIsIPS()) { + if (support_flow) { + policy = EXCEPTION_POLICY_DROP_FLOW; + } else { + policy = EXCEPTION_POLICY_DROP_PACKET; + } + } + return policy; +} + +static enum ExceptionPolicy ExceptionPolicyMasterParse(const char *value) +{ + enum ExceptionPolicy policy = ExceptionPolicyConfigValueParse("exception-policy", value); + if (!EngineModeIsIPS() && + (policy == EXCEPTION_POLICY_DROP_PACKET || policy == EXCEPTION_POLICY_DROP_FLOW)) { + policy = EXCEPTION_POLICY_NOT_SET; + } + g_eps_have_exception_policy = true; + + SCLogInfo("master exception-policy set to: %s", ExceptionPolicyEnumToString(policy)); + + return policy; +} + +static enum ExceptionPolicy ExceptionPolicyGetDefault( + const char *option, bool support_flow, bool midstream) +{ + enum ExceptionPolicy p = EXCEPTION_POLICY_NOT_SET; + if (g_eps_have_exception_policy) { + p = GetMasterExceptionPolicy(option); + + if (p == EXCEPTION_POLICY_AUTO) { + p = ExceptionPolicyPickAuto(midstream, support_flow); + } + + if (!support_flow) { + p = PickPacketAction(option, p); + } + SCLogConfig("%s: %s (defined via 'exception-policy' master switch)", option, + ExceptionPolicyEnumToString(p)); + return p; + } else if (EngineModeIsIPS() && !midstream) { + p = EXCEPTION_POLICY_DROP_FLOW; + } + SCLogConfig("%s: %s (defined via 'built-in default' for %s-mode)", option, + ExceptionPolicyEnumToString(p), EngineModeIsIPS() ? "IPS" : "IDS"); + + return p; +} + +enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow) +{ + enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET; + const char *value_str = NULL; + + if ((ConfGet(option, &value_str) == 1) && value_str != NULL) { + if (strcmp(option, "exception-policy") == 0) { + policy = ExceptionPolicyMasterParse(value_str); + } else { + policy = ExceptionPolicyConfigValueParse(option, value_str); + if (policy == EXCEPTION_POLICY_AUTO) { + policy = ExceptionPolicyPickAuto(false, support_flow); + } + if (!support_flow) { + policy = PickPacketAction(option, policy); + } + SCLogConfig("%s: %s", option, ExceptionPolicyEnumToString(policy)); + } + } else { + policy = ExceptionPolicyGetDefault(option, support_flow, false); + } + + return policy; +} + +enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled) +{ + enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET; + const char *value_str = NULL; + /* policy was set directly */ + if ((ConfGet("stream.midstream-policy", &value_str)) == 1 && value_str != NULL) { + policy = ExceptionPolicyConfigValueParse("midstream-policy", value_str); + if (policy == EXCEPTION_POLICY_AUTO) { + policy = ExceptionPolicyPickAuto(midstream_enabled, true); + } else if (midstream_enabled) { + if (policy != EXCEPTION_POLICY_NOT_SET && policy != EXCEPTION_POLICY_PASS_FLOW) { + FatalErrorOnInit( + "Error parsing stream.midstream-policy from config file. \"%s\" is " + "not a valid exception policy when midstream is enabled. Valid options " + "are pass-flow and ignore.", + value_str); + } + } + if (!EngineModeIsIPS()) { + if (policy == EXCEPTION_POLICY_DROP_FLOW) { + FatalErrorOnInit( + "Error parsing stream.midstream-policy from config file. \"%s\" is " + "not a valid exception policy in IDS mode. See our documentation for a " + "list of all possible values.", + value_str); + } + } + } else { + policy = ExceptionPolicyGetDefault("stream.midstream-policy", true, midstream_enabled); + } + + if (policy == EXCEPTION_POLICY_PASS_PACKET || policy == EXCEPTION_POLICY_DROP_PACKET) { + FatalErrorOnInit("Error parsing stream.midstream-policy from config file. \"%s\" is " + "not valid for this exception policy. See our documentation for a list of " + "all possible values.", + value_str); + } + + return policy; +} + +#ifndef DEBUG + +int ExceptionSimulationCommandLineParser(const char *name, const char *arg) +{ + return 0; +} + +#else + +/* exception policy simulation (eps) handling */ + +uint64_t g_eps_applayer_error_offset_ts = UINT64_MAX; +uint64_t g_eps_applayer_error_offset_tc = UINT64_MAX; +uint64_t g_eps_pcap_packet_loss = UINT64_MAX; +uint64_t g_eps_stream_ssn_memcap = UINT64_MAX; +uint64_t g_eps_stream_reassembly_memcap = UINT64_MAX; +uint64_t g_eps_flow_memcap = UINT64_MAX; +uint64_t g_eps_defrag_memcap = UINT64_MAX; +bool g_eps_is_alert_queue_fail_mode = false; + +/* 1: parsed, 0: not for us, -1: error */ +int ExceptionSimulationCommandLineParser(const char *name, const char *arg) +{ + if (strcmp(name, "simulate-applayer-error-at-offset-ts") == 0) { + BUG_ON(arg == NULL); + uint64_t offset = 0; + if (ParseSizeStringU64(arg, &offset) < 0) { + return -1; + } + g_eps_applayer_error_offset_ts = offset; + } else if (strcmp(name, "simulate-applayer-error-at-offset-tc") == 0) { + BUG_ON(arg == NULL); + uint64_t offset = 0; + if (ParseSizeStringU64(arg, &offset) < 0) { + return TM_ECODE_FAILED; + } + g_eps_applayer_error_offset_tc = offset; + } else if (strcmp(name, "simulate-packet-loss") == 0) { + BUG_ON(arg == NULL); + uint64_t pkt_num = 0; + if (ParseSizeStringU64(arg, &pkt_num) < 0) { + return TM_ECODE_FAILED; + } + g_eps_pcap_packet_loss = pkt_num; + } else if (strcmp(name, "simulate-packet-tcp-reassembly-memcap") == 0) { + BUG_ON(arg == NULL); + uint64_t pkt_num = 0; + if (ParseSizeStringU64(arg, &pkt_num) < 0) { + return TM_ECODE_FAILED; + } + g_eps_stream_reassembly_memcap = pkt_num; + } else if (strcmp(name, "simulate-packet-tcp-ssn-memcap") == 0) { + BUG_ON(arg == NULL); + uint64_t pkt_num = 0; + if (ParseSizeStringU64(arg, &pkt_num) < 0) { + return TM_ECODE_FAILED; + } + g_eps_stream_ssn_memcap = pkt_num; + } else if (strcmp(name, "simulate-packet-flow-memcap") == 0) { + BUG_ON(arg == NULL); + uint64_t pkt_num = 0; + if (ParseSizeStringU64(arg, &pkt_num) < 0) { + return TM_ECODE_FAILED; + } + g_eps_flow_memcap = pkt_num; + } else if (strcmp(name, "simulate-packet-defrag-memcap") == 0) { + BUG_ON(arg == NULL); + uint64_t pkt_num = 0; + if (ParseSizeStringU64(arg, &pkt_num) < 0) { + return TM_ECODE_FAILED; + } + g_eps_defrag_memcap = pkt_num; + } else if (strcmp(name, "simulate-alert-queue-realloc-failure") == 0) { + g_eps_is_alert_queue_fail_mode = true; + } else { + // not for us + return 0; + } + return 1; +} +#endif |