mirror of https://github.com/OISF/suricata
rust/ldap: implement app-layer
Giuseppe Longo
1 year ago
committed by
Victor Julien
parent
ce7e190501
commit
93da339975
@ -0,0 +1,428 @@
|
||||
/* Copyright (C) 2024 Open Information Security Foundation
|
||||
*
|
||||
* You can copy, redistribute or modify this Program under the terms of
|
||||
* the GNU General Public License version 2 as published by the Free
|
||||
* Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* version 2 along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||
* 02110-1301, USA.
|
||||
*/
|
||||
|
||||
// written by Giuseppe Longo <giuseppe@glongo.it>
|
||||
|
||||
use crate::applayer::{self, *};
|
||||
use crate::conf::conf_get;
|
||||
use crate::core::*;
|
||||
use nom7 as nom;
|
||||
use std;
|
||||
use std::collections::VecDeque;
|
||||
use std::ffi::CString;
|
||||
use std::os::raw::{c_char, c_int, c_void};
|
||||
|
||||
use crate::ldap::types::*;
|
||||
|
||||
static mut LDAP_MAX_TX: usize = 256;
|
||||
|
||||
static mut ALPROTO_LDAP: AppProto = ALPROTO_UNKNOWN;
|
||||
|
||||
#[derive(AppLayerEvent)]
|
||||
enum LdapEvent {
|
||||
TooManyTransactions,
|
||||
InvalidData,
|
||||
RequestNotFound,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct LdapTransaction {
|
||||
pub tx_id: u64,
|
||||
pub request: Option<LdapMessage>,
|
||||
pub responses: VecDeque<LdapMessage>,
|
||||
complete: bool,
|
||||
|
||||
tx_data: AppLayerTxData,
|
||||
}
|
||||
|
||||
impl Default for LdapTransaction {
|
||||
fn default() -> Self {
|
||||
Self::new()
|
||||
}
|
||||
}
|
||||
|
||||
impl LdapTransaction {
|
||||
pub fn new() -> LdapTransaction {
|
||||
Self {
|
||||
tx_id: 0,
|
||||
request: None,
|
||||
responses: VecDeque::new(),
|
||||
complete: false,
|
||||
tx_data: AppLayerTxData::new(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Transaction for LdapTransaction {
|
||||
fn id(&self) -> u64 {
|
||||
self.tx_id
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Default)]
|
||||
pub struct LdapState {
|
||||
state_data: AppLayerStateData,
|
||||
tx_id: u64,
|
||||
transactions: VecDeque<LdapTransaction>,
|
||||
tx_index_completed: usize,
|
||||
}
|
||||
|
||||
impl State<LdapTransaction> for LdapState {
|
||||
fn get_transaction_count(&self) -> usize {
|
||||
self.transactions.len()
|
||||
}
|
||||
|
||||
fn get_transaction_by_index(&self, index: usize) -> Option<&LdapTransaction> {
|
||||
self.transactions.get(index)
|
||||
}
|
||||
}
|
||||
|
||||
impl LdapState {
|
||||
pub fn new() -> Self {
|
||||
Self {
|
||||
state_data: AppLayerStateData::new(),
|
||||
tx_id: 0,
|
||||
transactions: VecDeque::new(),
|
||||
tx_index_completed: 0,
|
||||
}
|
||||
}
|
||||
|
||||
// Free a transaction by ID.
|
||||
fn free_tx(&mut self, tx_id: u64) {
|
||||
let len = self.transactions.len();
|
||||
let mut found = false;
|
||||
let mut index = 0;
|
||||
for i in 0..len {
|
||||
let tx = &self.transactions[i];
|
||||
if tx.tx_id == tx_id + 1 {
|
||||
found = true;
|
||||
index = i;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if found {
|
||||
self.transactions.remove(index);
|
||||
}
|
||||
}
|
||||
|
||||
pub fn get_tx(&mut self, tx_id: u64) -> Option<&LdapTransaction> {
|
||||
self.transactions.iter().find(|tx| tx.tx_id == tx_id + 1)
|
||||
}
|
||||
|
||||
pub fn new_tx(&mut self) -> LdapTransaction {
|
||||
let mut tx = LdapTransaction::new();
|
||||
self.tx_id += 1;
|
||||
tx.tx_id = self.tx_id;
|
||||
if self.transactions.len() > unsafe { LDAP_MAX_TX } {
|
||||
let mut index = self.tx_index_completed;
|
||||
for tx_old in &mut self.transactions.range_mut(self.tx_index_completed..) {
|
||||
index += 1;
|
||||
if !tx_old.complete {
|
||||
tx_old.complete = true;
|
||||
tx_old
|
||||
.tx_data
|
||||
.set_event(LdapEvent::TooManyTransactions as u8);
|
||||
break;
|
||||
}
|
||||
}
|
||||
self.tx_index_completed = index;
|
||||
}
|
||||
return tx;
|
||||
}
|
||||
|
||||
fn set_event(&mut self, e: LdapEvent) {
|
||||
if let Some(tx) = self.transactions.back_mut() {
|
||||
tx.tx_data.set_event(e as u8);
|
||||
}
|
||||
}
|
||||
|
||||
fn find_request(&mut self, message_id: MessageID) -> Option<&mut LdapTransaction> {
|
||||
self.transactions.iter_mut().find(|tx| {
|
||||
tx.request
|
||||
.as_ref()
|
||||
.map_or(false, |req| req.message_id == message_id)
|
||||
})
|
||||
}
|
||||
|
||||
fn parse_request(&mut self, input: &[u8]) -> AppLayerResult {
|
||||
if input.is_empty() {
|
||||
return AppLayerResult::ok();
|
||||
}
|
||||
|
||||
let mut start = input;
|
||||
while !start.is_empty() {
|
||||
match ldap_parse_msg(start) {
|
||||
Ok((rem, msg)) => {
|
||||
start = rem;
|
||||
let mut tx = self.new_tx();
|
||||
let request = LdapMessage::from(msg);
|
||||
tx.complete = match request.protocol_op {
|
||||
ProtocolOp::UnbindRequest => true,
|
||||
_ => false,
|
||||
};
|
||||
tx.request = Some(request);
|
||||
self.transactions.push_back(tx);
|
||||
}
|
||||
Err(nom::Err::Incomplete(_)) => {
|
||||
let consumed = input.len() - start.len();
|
||||
let needed = start.len() + 1;
|
||||
return AppLayerResult::incomplete(consumed as u32, needed as u32);
|
||||
}
|
||||
Err(_) => {
|
||||
return AppLayerResult::err();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return AppLayerResult::ok();
|
||||
}
|
||||
|
||||
fn parse_response(&mut self, input: &[u8]) -> AppLayerResult {
|
||||
if input.is_empty() {
|
||||
return AppLayerResult::ok();
|
||||
}
|
||||
let mut start = input;
|
||||
while !start.is_empty() {
|
||||
match ldap_parse_msg(start) {
|
||||
Ok((rem, msg)) => {
|
||||
start = rem;
|
||||
|
||||
let response = LdapMessage::from(msg);
|
||||
if let Some(tx) = self.find_request(response.message_id) {
|
||||
tx.complete = match response.protocol_op {
|
||||
ProtocolOp::SearchResultDone(_)
|
||||
| ProtocolOp::BindResponse(_)
|
||||
| ProtocolOp::ModifyResponse(_)
|
||||
| ProtocolOp::AddResponse(_)
|
||||
| ProtocolOp::DelResponse(_)
|
||||
| ProtocolOp::ModDnResponse(_)
|
||||
| ProtocolOp::CompareResponse(_)
|
||||
| ProtocolOp::ExtendedResponse(_) => true,
|
||||
_ => false,
|
||||
};
|
||||
tx.responses.push_back(response);
|
||||
} else if let ProtocolOp::ExtendedResponse(_) = response.protocol_op {
|
||||
// this is an unsolicited notification, which means
|
||||
// there is no request
|
||||
let mut tx = self.new_tx();
|
||||
tx.complete = true;
|
||||
tx.responses.push_back(response);
|
||||
self.transactions.push_back(tx);
|
||||
} else {
|
||||
let mut tx = self.new_tx();
|
||||
tx.complete = true;
|
||||
tx.responses.push_back(response);
|
||||
self.transactions.push_back(tx);
|
||||
self.set_event(LdapEvent::RequestNotFound);
|
||||
};
|
||||
}
|
||||
Err(nom::Err::Incomplete(_)) => {
|
||||
let consumed = input.len() - start.len();
|
||||
let needed = start.len() + 1;
|
||||
return AppLayerResult::incomplete(consumed as u32, needed as u32);
|
||||
}
|
||||
Err(_) => {
|
||||
self.set_event(LdapEvent::InvalidData);
|
||||
return AppLayerResult::err();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return AppLayerResult::ok();
|
||||
}
|
||||
}
|
||||
|
||||
fn probe(input: &[u8], direction: Direction, rdir: *mut u8) -> AppProto {
|
||||
match ldap_parse_msg(input) {
|
||||
Ok((_, msg)) => {
|
||||
let ldap_msg = LdapMessage::from(msg);
|
||||
if ldap_msg.is_unknown() {
|
||||
return unsafe { ALPROTO_FAILED };
|
||||
}
|
||||
if direction == Direction::ToServer && !ldap_msg.is_request() {
|
||||
unsafe {
|
||||
*rdir = Direction::ToClient.into();
|
||||
}
|
||||
}
|
||||
if direction == Direction::ToClient && !ldap_msg.is_response() {
|
||||
unsafe {
|
||||
*rdir = Direction::ToServer.into();
|
||||
}
|
||||
}
|
||||
return unsafe { ALPROTO_LDAP };
|
||||
}
|
||||
Err(nom::Err::Incomplete(_)) => {
|
||||
return ALPROTO_UNKNOWN;
|
||||
}
|
||||
Err(_e) => {
|
||||
return unsafe { ALPROTO_FAILED };
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[no_mangle]
|
||||
unsafe extern "C" fn SCLdapProbingParser(
|
||||
_flow: *const Flow, direction: u8, input: *const u8, input_len: u32, rdir: *mut u8,
|
||||
) -> AppProto {
|
||||
if input_len > 1 && !input.is_null() {
|
||||
let slice = build_slice!(input, input_len as usize);
|
||||
return probe(slice, direction.into(), rdir);
|
||||
}
|
||||
return ALPROTO_UNKNOWN;
|
||||
}
|
||||
|
||||
#[no_mangle]
|
||||
extern "C" fn SCLdapStateNew(_orig_state: *mut c_void, _orig_proto: AppProto) -> *mut c_void {
|
||||
let state = LdapState::new();
|
||||
let boxed = Box::new(state);
|
||||
return Box::into_raw(boxed) as *mut c_void;
|
||||
}
|
||||
|
||||
#[no_mangle]
|
||||
unsafe extern "C" fn SCLdapStateFree(state: *mut c_void) {
|
||||
std::mem::drop(Box::from_raw(state as *mut LdapState));
|
||||
}
|
||||
|
||||
#[no_mangle]
|
||||
unsafe extern "C" fn SCLdapStateTxFree(state: *mut c_void, tx_id: u64) {
|
||||
let state = cast_pointer!(state, LdapState);
|
||||
state.free_tx(tx_id);
|
||||
}
|
||||
|
||||
#[no_mangle]
|
||||
unsafe extern "C" fn SCLdapParseRequest(
|
||||
_flow: *const Flow, state: *mut c_void, pstate: *mut c_void, stream_slice: StreamSlice,
|
||||
_data: *const c_void,
|
||||
) -> AppLayerResult {
|
||||
if stream_slice.is_empty() {
|
||||
if AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TS) > 0 {
|
||||
return AppLayerResult::ok();
|
||||
} else {
|
||||
return AppLayerResult::err();
|
||||
}
|
||||
}
|
||||
let state = cast_pointer!(state, LdapState);
|
||||
state.parse_request(stream_slice.as_slice());
|
||||
|
||||
AppLayerResult::ok()
|
||||
}
|
||||
|
||||
#[no_mangle]
|
||||
unsafe extern "C" fn SCLdapParseResponse(
|
||||
_flow: *const Flow, state: *mut c_void, pstate: *mut c_void, stream_slice: StreamSlice,
|
||||
_data: *const c_void,
|
||||
) -> AppLayerResult {
|
||||
if stream_slice.is_empty() {
|
||||
if AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TC) > 0 {
|
||||
return AppLayerResult::ok();
|
||||
} else {
|
||||
return AppLayerResult::err();
|
||||
}
|
||||
}
|
||||
let state = cast_pointer!(state, LdapState);
|
||||
state.parse_response(stream_slice.as_slice());
|
||||
|
||||
AppLayerResult::ok()
|
||||
}
|
||||
|
||||
#[no_mangle]
|
||||
unsafe extern "C" fn SCLdapStateGetTx(state: *mut c_void, tx_id: u64) -> *mut c_void {
|
||||
let state = cast_pointer!(state, LdapState);
|
||||
match state.get_tx(tx_id) {
|
||||
Some(tx) => {
|
||||
return tx as *const _ as *mut _;
|
||||
}
|
||||
None => {
|
||||
return std::ptr::null_mut();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[no_mangle]
|
||||
unsafe extern "C" fn SCLdapStateGetTxCount(state: *mut c_void) -> u64 {
|
||||
let state = cast_pointer!(state, LdapState);
|
||||
return state.tx_id;
|
||||
}
|
||||
|
||||
#[no_mangle]
|
||||
unsafe extern "C" fn SCLdapTxGetAlstateProgress(tx: *mut c_void, _direction: u8) -> c_int {
|
||||
let tx = cast_pointer!(tx, LdapTransaction);
|
||||
if tx.complete {
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
export_tx_data_get!(SCLdapGetTxData, LdapTransaction);
|
||||
export_state_data_get!(SCLdapGetStateData, LdapState);
|
||||
|
||||
const PARSER_NAME: &[u8] = b"ldap\0";
|
||||
|
||||
#[no_mangle]
|
||||
pub unsafe extern "C" fn rs_ldap_register_parser() {
|
||||
let default_port = CString::new("389").unwrap();
|
||||
let parser = RustParser {
|
||||
name: PARSER_NAME.as_ptr() as *const c_char,
|
||||
default_port: default_port.as_ptr(),
|
||||
ipproto: IPPROTO_TCP,
|
||||
probe_ts: Some(SCLdapProbingParser),
|
||||
probe_tc: Some(SCLdapProbingParser),
|
||||
min_depth: 0,
|
||||
max_depth: 16,
|
||||
state_new: SCLdapStateNew,
|
||||
state_free: SCLdapStateFree,
|
||||
tx_free: SCLdapStateTxFree,
|
||||
parse_ts: SCLdapParseRequest,
|
||||
parse_tc: SCLdapParseResponse,
|
||||
get_tx_count: SCLdapStateGetTxCount,
|
||||
get_tx: SCLdapStateGetTx,
|
||||
tx_comp_st_ts: 1,
|
||||
tx_comp_st_tc: 1,
|
||||
tx_get_progress: SCLdapTxGetAlstateProgress,
|
||||
get_eventinfo: Some(LdapEvent::get_event_info),
|
||||
get_eventinfo_byid: Some(LdapEvent::get_event_info_by_id),
|
||||
localstorage_new: None,
|
||||
localstorage_free: None,
|
||||
get_tx_files: None,
|
||||
get_tx_iterator: Some(applayer::state_get_tx_iterator::<LdapState, LdapTransaction>),
|
||||
get_tx_data: SCLdapGetTxData,
|
||||
get_state_data: SCLdapGetStateData,
|
||||
apply_tx_config: None,
|
||||
flags: APP_LAYER_PARSER_OPT_ACCEPT_GAPS,
|
||||
get_frame_id_by_name: None,
|
||||
get_frame_name_by_id: None,
|
||||
};
|
||||
|
||||
let ip_proto_str = CString::new("tcp").unwrap();
|
||||
|
||||
if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
|
||||
let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
|
||||
ALPROTO_LDAP = alproto;
|
||||
if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
|
||||
let _ = AppLayerRegisterParser(&parser, alproto);
|
||||
}
|
||||
if let Some(val) = conf_get("app-layer.protocols.ldap.max-tx") {
|
||||
if let Ok(v) = val.parse::<usize>() {
|
||||
LDAP_MAX_TX = v;
|
||||
} else {
|
||||
SCLogError!("Invalid value for ldap.max-tx");
|
||||
}
|
||||
}
|
||||
} else {
|
||||
SCLogDebug!("Protocol detection and parser disabled for LDAP.");
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue