suricata
stream-tcp-private.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __STREAM_TCP_PRIVATE_H__
25 #define __STREAM_TCP_PRIVATE_H__
26 
27 #include "util-pool-thread.h"
28 #include "util-streaming-buffer.h"
29 
30 #define STREAMTCP_QUEUE_FLAG_TS 0x01
31 #define STREAMTCP_QUEUE_FLAG_WS 0x02
32 #define STREAMTCP_QUEUE_FLAG_SACK 0x04
33 
34 /** currently only SYN/ACK */
35 typedef struct TcpStateQueue_ {
36  uint8_t flags;
37  uint8_t wscale;
38  uint16_t win;
39  uint32_t seq;
40  uint32_t ack;
41  uint32_t ts;
42  uint32_t pkt_ts;
45 
46 typedef struct StreamTcpSackRecord {
47  uint32_t le; /**< left edge, host order */
48  uint32_t re; /**< right edge, host order */
51 
53 
54 /* red-black tree prototype for SACK records */
57 
58 #define TCPSEG_PKT_HDR_DEFAULT_SIZE 64
59 
60 /*
61  * Struct to add the additional information required to use TcpSegments to dump
62  * a packet capture to file with the stream-pcap-log output option. This is only
63  * used if the session-dump option is enabled.
64  */
65 typedef struct TcpSegmentPcapHdrStorage_ {
66  struct timeval ts;
67  uint32_t pktlen;
68  uint32_t alloclen;
69  uint8_t *pkt_hdr;
71 
72 typedef struct TcpSegment {
74  uint16_t payload_len; /**< actual size of the payload */
75  uint32_t seq;
76  RB_ENTRY(TcpSegment) __attribute__((__packed__)) rb;
77  StreamingBufferSegment sbseg;
79 } __attribute__((__packed__)) TcpSegment;
80 
81 /** \brief compare function for the Segment tree
82  *
83  * Main sort point is the sequence number. When sequence numbers
84  * are equal compare payload_len as well. This way the tree is
85  * sorted by seq, and in case of duplicate seqs we are sorted
86  * small to large.
87  */
88 int TcpSegmentCompare(struct TcpSegment *a, struct TcpSegment *b);
89 
90 /* red-black tree prototype for TcpSegment */
93 
94 #define TCP_SEG_LEN(seg) (seg)->payload_len
95 #define TCP_SEG_OFFSET(seg) (seg)->sbseg.stream_offset
96 
97 #define SEG_SEQ_RIGHT_EDGE(seg) ((seg)->seq + TCP_SEG_LEN((seg)))
98 
99 /* get right edge of sequence space of seen segments.
100  * Only use if STREAM_HAS_SEEN_DATA is true. */
101 #define STREAM_SEQ_RIGHT_EDGE(stream) (stream)->segs_right_edge
102 #define STREAM_RIGHT_EDGE(stream) (STREAM_BASE_OFFSET((stream)) + (STREAM_SEQ_RIGHT_EDGE((stream)) - (stream)->base_seq))
103 /* return true if we have seen data segments. */
104 #define STREAM_HAS_SEEN_DATA(stream) (!RB_EMPTY(&(stream)->sb.sbb_tree) || (stream)->sb.stream_offset || (stream)->sb.buf_offset)
105 
106 typedef struct TcpStream_ {
107  uint16_t flags:12; /**< Flag specific to the stream e.g. Timestamp */
108  /* coccinelle: TcpStream:flags:STREAMTCP_STREAM_FLAG_ */
109  uint16_t wscale:4; /**< wscale setting in this direction, 4 bits as max val is 15 */
110  uint8_t os_policy; /**< target based OS policy used for reassembly and handling packets*/
111  uint8_t tcp_flags; /**< TCP flags seen */
112 
113  uint32_t isn; /**< initial sequence number */
114  uint32_t next_seq; /**< next expected sequence number */
115  uint32_t last_ack; /**< last ack'd sequence number in this stream */
116  uint32_t next_win; /**< next max seq within window */
117  uint32_t window; /**< current window setting, after wscale is applied */
118 
119  uint32_t last_ts; /**< Time stamp (TSVAL) of the last seen packet for this stream*/
120  uint32_t last_pkt_ts; /**< Time of last seen packet for this stream (needed for PAWS update)
121  This will be used to validate the last_ts, when connection has been idle for
122  longer time.(RFC 1323)*/
123  /* reassembly */
124  uint32_t base_seq; /**< seq where we are left with reassebly. Matches STREAM_BASE_OFFSET below. */
125 
126  uint32_t app_progress_rel; /**< app-layer progress relative to STREAM_BASE_OFFSET */
127  uint32_t raw_progress_rel; /**< raw reassembly progress relative to STREAM_BASE_OFFSET */
128  uint32_t log_progress_rel; /**< streaming logger progress relative to STREAM_BASE_OFFSET */
129 
130  uint32_t min_inspect_depth; /**< min inspect size set by the app layer, to make sure enough data
131  * remains available for inspection together with app layer buffers */
132  uint32_t data_required; /**< data required from STREAM_APP_PROGRESS before calling app-layer again */
133 
135  struct TCPSEG seg_tree; /**< red black tree of TCP segments. Data is stored in TcpStream::sb */
136  uint32_t segs_right_edge;
137 
138  uint32_t sack_size; /**< combined size of the SACK ranges currently in our tree. Updated
139  * at INSERT/REMOVE time. */
140  struct TCPSACK sack_tree; /**< red back tree of TCP SACK records. */
142 
143 #define STREAM_BASE_OFFSET(stream) ((stream)->sb.stream_offset)
144 #define STREAM_APP_PROGRESS(stream) (STREAM_BASE_OFFSET((stream)) + (stream)->app_progress_rel)
145 #define STREAM_RAW_PROGRESS(stream) (STREAM_BASE_OFFSET((stream)) + (stream)->raw_progress_rel)
146 #define STREAM_LOG_PROGRESS(stream) (STREAM_BASE_OFFSET((stream)) + (stream)->log_progress_rel)
147 
148 /* from /usr/include/netinet/tcp.h */
149 enum TcpState {
150  TCP_NONE = 0,
151  // TCP_LISTEN = 1,
162 };
163 
164 /*
165  * Per SESSION flags
166  */
167 
168 /** Flag for mid stream session */
169 #define STREAMTCP_FLAG_MIDSTREAM 0x0001
170 /** Flag for mid stream established session */
171 #define STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED 0x0002
172 /** Flag for mid session when syn/ack is received */
173 #define STREAMTCP_FLAG_MIDSTREAM_SYNACK 0x0004
174 /** Flag for TCP Timestamp option */
175 #define STREAMTCP_FLAG_TIMESTAMP 0x0008
176 /** Server supports wscale (even though it can be 0) */
177 #define STREAMTCP_FLAG_SERVER_WSCALE 0x0010
178 /** Closed by RST */
179 #define STREAMTCP_FLAG_CLOSED_BY_RST 0x0020
180 /** Flag to indicate that the session is handling asynchronous stream.*/
181 #define STREAMTCP_FLAG_ASYNC 0x0040
182 /** Flag to indicate we're dealing with 4WHS: SYN, SYN, SYN/ACK, ACK
183  * (http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie) */
184 #define STREAMTCP_FLAG_4WHS 0x0080
185 /** Flag to indicate that this session is possible trying to evade the detection
186  * (http://www.packetstan.com/2010/06/recently-ive-been-on-campaign-to-make.html) */
187 #define STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT 0x0100
188 /** Flag to indicate the client (SYN pkt) permits SACK */
189 #define STREAMTCP_FLAG_CLIENT_SACKOK 0x0200
190 /** Flag to indicate both sides of the session permit SACK (SYN + SYN/ACK) */
191 #define STREAMTCP_FLAG_SACKOK 0x0400
192 // vacancy
193 /** 3WHS confirmed by server -- if suri sees 3whs ACK but server doesn't (pkt
194  * is lost on the way to server), SYN/ACK is retransmitted. If server sends
195  * normal packet we assume 3whs to be completed. Only used for SYN/ACK resend
196  * event. */
197 #define STREAMTCP_FLAG_3WHS_CONFIRMED 0x1000
198 /** App Layer tracking/reassembly is disabled */
199 #define STREAMTCP_FLAG_APP_LAYER_DISABLED 0x2000
200 /** Stream can be bypass */
201 #define STREAMTCP_FLAG_BYPASS 0x4000
202 /** SSN uses TCP Fast Open */
203 #define STREAMTCP_FLAG_TCP_FAST_OPEN 0x8000
204 
205 /*
206  * Per STREAM flags
207  */
208 
209 // bit 0 vacant
210 /** Flag to avoid stream reassembly/app layer inspection for the stream */
211 #define STREAMTCP_STREAM_FLAG_NOREASSEMBLY BIT_U16(1)
212 /** we received a keep alive */
213 #define STREAMTCP_STREAM_FLAG_KEEPALIVE BIT_U16(2)
214 /** Stream has reached it's reassembly depth, all further packets are ignored */
215 #define STREAMTCP_STREAM_FLAG_DEPTH_REACHED BIT_U16(3)
216 /** Trigger reassembly next time we need 'raw' */
217 #define STREAMTCP_STREAM_FLAG_TRIGGER_RAW BIT_U16(4)
218 /** Stream supports TIMESTAMP -- used to set ssn STREAMTCP_FLAG_TIMESTAMP
219  * flag. */
220 #define STREAMTCP_STREAM_FLAG_TIMESTAMP BIT_U16(5)
221 /** Flag to indicate the zero value of timestamp */
222 #define STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP BIT_U16(6)
223 /** App proto detection completed */
224 #define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED BIT_U16(7)
225 /** App proto detection skipped */
226 #define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED BIT_U16(8)
227 /** Raw reassembly disabled for new segments */
228 #define STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED BIT_U16(9)
229 /** Raw reassembly disabled completely */
230 #define STREAMTCP_STREAM_FLAG_DISABLE_RAW BIT_U16(10)
231 
232 #define STREAMTCP_STREAM_FLAG_RST_RECV BIT_U16(11)
233 
234 /** NOTE: flags field is 12 bits */
235 
236 
237 
238 
239 #define PAWS_24DAYS 2073600 /**< 24 days in seconds */
240 
241 #define PKT_IS_IN_RIGHT_DIR(ssn, p) ((ssn)->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK ? \
242  PKT_IS_TOSERVER(p) ? (p)->flowflags &= ~FLOW_PKT_TOSERVER \
243  (p)->flowflags |= FLOW_PKT_TOCLIENT : (p)->flowflags &= ~FLOW_PKT_TOCLIENT \
244  (p)->flowflags |= FLOW_PKT_TOSERVER : 0)
245 
246 /* Macro's for comparing Sequence numbers
247  * Page 810 from TCP/IP Illustrated, Volume 2. */
248 #define SEQ_EQ(a,b) ((int32_t)((a) - (b)) == 0)
249 #define SEQ_LT(a,b) ((int32_t)((a) - (b)) < 0)
250 #define SEQ_LEQ(a,b) ((int32_t)((a) - (b)) <= 0)
251 #define SEQ_GT(a,b) ((int32_t)((a) - (b)) > 0)
252 #define SEQ_GEQ(a,b) ((int32_t)((a) - (b)) >= 0)
253 
254 #define STREAMTCP_SET_RA_BASE_SEQ(stream, seq) { \
255  do { \
256  (stream)->base_seq = (seq) + 1; \
257  } while(0); \
258 }
259 
260 #define StreamTcpSetEvent(p, e) { \
261  if ((p)->flags & PKT_STREAM_NO_EVENTS) { \
262  SCLogDebug("not setting event %d on pkt %p (%"PRIu64"), " \
263  "stream in known bad condition", (e), p, (p)->pcap_cnt); \
264  } else { \
265  SCLogDebug("setting event %d on pkt %p (%"PRIu64")", \
266  (e), p, (p)->pcap_cnt); \
267  ENGINE_SET_EVENT((p), (e)); \
268  } \
269 }
270 
271 typedef struct TcpSession_ {
273  uint8_t state:4; /**< tcp state from state enum */
274  uint8_t pstate:4; /**< previous state */
275  uint8_t queue_len; /**< length of queue list below */
277  /** track all the tcp flags we've seen */
279  /* coccinelle: TcpSession:flags:STREAMTCP_FLAG */
280  uint16_t flags;
281  uint32_t reassembly_depth; /**< reassembly depth for the stream */
285  TcpStateQueue *queue; /**< list of SYN/ACK candidates */
287 
288 #define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream) \
289  ((stream)->flags |= STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED)
290 #define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream) \
291  ((stream)->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED)
292 #define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream) \
293  ((stream)->flags &= ~STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED);
294 #define StreamTcpDisableAppLayerReassembly(ssn) do { \
295  SCLogDebug("setting STREAMTCP_FLAG_APP_LAYER_DISABLED on ssn %p", ssn); \
296  ((ssn)->flags |= STREAMTCP_FLAG_APP_LAYER_DISABLED); \
297  } while (0);
298 
299 #endif /* __STREAM_TCP_PRIVATE_H__ */
TcpStateQueue_::next
struct TcpStateQueue_ * next
Definition: stream-tcp-private.h:43
TCP_SYN_RECV
@ TCP_SYN_RECV
Definition: stream-tcp-private.h:153
TcpStream_
Definition: stream-tcp-private.h:106
TcpSession_::pstate
uint8_t pstate
Definition: stream-tcp-private.h:274
TcpStream_::isn
uint32_t isn
Definition: stream-tcp-private.h:113
TcpStateQueue
struct TcpStateQueue_ TcpStateQueue
TCP_SYN_SENT
@ TCP_SYN_SENT
Definition: stream-tcp-private.h:152
RB_PROTOTYPE
RB_PROTOTYPE(TCPSACK, StreamTcpSackRecord, rb, TcpSackCompare)
TcpSegmentCompare
int TcpSegmentCompare(struct TcpSegment *a, struct TcpSegment *b)
compare function for the Segment tree
Definition: stream-tcp-list.c:51
TcpStream_::seg_tree
struct TCPSEG seg_tree
Definition: stream-tcp-private.h:135
TcpStream_::log_progress_rel
uint32_t log_progress_rel
Definition: stream-tcp-private.h:128
util-pool-thread.h
TCP_FIN_WAIT2
@ TCP_FIN_WAIT2
Definition: stream-tcp-private.h:156
TcpStream_::os_policy
uint8_t os_policy
Definition: stream-tcp-private.h:110
TcpSegment::sbseg
StreamingBufferSegment sbseg
Definition: stream-tcp-private.h:77
TcpSegmentPcapHdrStorage
struct TcpSegmentPcapHdrStorage_ TcpSegmentPcapHdrStorage
TCP_FIN_WAIT1
@ TCP_FIN_WAIT1
Definition: stream-tcp-private.h:155
TCP_LAST_ACK
@ TCP_LAST_ACK
Definition: stream-tcp-private.h:158
TcpStateQueue_::win
uint16_t win
Definition: stream-tcp-private.h:38
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:154
TcpSegment::seq
uint32_t seq
Definition: stream-tcp-private.h:75
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
TcpSession_::lossy_be_liberal
bool lossy_be_liberal
Definition: stream-tcp-private.h:282
TcpStateQueue_::flags
uint8_t flags
Definition: stream-tcp-private.h:36
StreamTcpSackRecord::RB_ENTRY
RB_ENTRY(StreamTcpSackRecord) rb
TcpStream_::data_required
uint32_t data_required
Definition: stream-tcp-private.h:132
TcpStateQueue_
Definition: stream-tcp-private.h:35
TcpSegmentPcapHdrStorage_::pktlen
uint32_t pktlen
Definition: stream-tcp-private.h:67
RB_HEAD
RB_HEAD(TCPSACK, StreamTcpSackRecord)
StreamTcpSackRecord::le
uint32_t le
Definition: stream-tcp-private.h:47
TcpSession_::flags
uint16_t flags
Definition: stream-tcp-private.h:280
TcpState
TcpState
Definition: stream-tcp-private.h:149
TcpSession_::queue
TcpStateQueue * queue
Definition: stream-tcp-private.h:285
__attribute__
struct TcpSegment __attribute__((__packed__)) TcpSegment
DNP3 link header.
Definition: decode-vlan.c:117
TcpStream_::last_ack
uint32_t last_ack
Definition: stream-tcp-private.h:115
TCP_NONE
@ TCP_NONE
Definition: stream-tcp-private.h:150
TcpSession_::reassembly_depth
uint32_t reassembly_depth
Definition: stream-tcp-private.h:281
TCP_CLOSE_WAIT
@ TCP_CLOSE_WAIT
Definition: stream-tcp-private.h:159
TcpStream_::last_ts
uint32_t last_ts
Definition: stream-tcp-private.h:119
TcpStateQueue_::seq
uint32_t seq
Definition: stream-tcp-private.h:39
TcpStream
struct TcpStream_ TcpStream
TcpSession
struct TcpSession_ TcpSession
TcpStream_::min_inspect_depth
uint32_t min_inspect_depth
Definition: stream-tcp-private.h:130
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:273
TcpStream_::segs_right_edge
uint32_t segs_right_edge
Definition: stream-tcp-private.h:136
TcpSession_::tcp_packet_flags
uint8_t tcp_packet_flags
Definition: stream-tcp-private.h:278
TcpStream_::sack_tree
struct TCPSACK sack_tree
Definition: stream-tcp-private.h:140
TcpStream_::next_win
uint32_t next_win
Definition: stream-tcp-private.h:116
PoolThreadReserved
uint16_t PoolThreadReserved
Definition: util-pool-thread.h:59
TcpSegment
Definition: stream-tcp-private.h:72
TcpStream_::window
uint32_t window
Definition: stream-tcp-private.h:117
TcpSegment::payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:74
TcpStream_::sack_size
uint32_t sack_size
Definition: stream-tcp-private.h:138
TcpStream_::raw_progress_rel
uint32_t raw_progress_rel
Definition: stream-tcp-private.h:127
StreamTcpSackRecord
struct StreamTcpSackRecord StreamTcpSackRecord
TcpSegment::res
PoolThreadReserved res
Definition: stream-tcp-private.h:73
StreamingBuffer_
Definition: util-streaming-buffer.h:93
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:161
TcpStateQueue_::wscale
uint8_t wscale
Definition: stream-tcp-private.h:37
TcpSegmentPcapHdrStorage_
Definition: stream-tcp-private.h:65
util-streaming-buffer.h
TcpSegmentPcapHdrStorage_::ts
struct timeval ts
Definition: stream-tcp-private.h:66
TcpStream_::base_seq
uint32_t base_seq
Definition: stream-tcp-private.h:124
TcpStream_::sb
StreamingBuffer sb
Definition: stream-tcp-private.h:134
TcpSegmentPcapHdrStorage_::alloclen
uint32_t alloclen
Definition: stream-tcp-private.h:68
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:284
TCP_CLOSING
@ TCP_CLOSING
Definition: stream-tcp-private.h:160
TcpSackCompare
int TcpSackCompare(struct StreamTcpSackRecord *a, struct StreamTcpSackRecord *b)
Definition: stream-tcp-sack.c:34
TcpStream_::next_seq
uint32_t next_seq
Definition: stream-tcp-private.h:114
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:283
TcpSegmentPcapHdrStorage_::pkt_hdr
uint8_t * pkt_hdr
Definition: stream-tcp-private.h:69
TcpSegment::pcap_hdr_storage
TcpSegmentPcapHdrStorage * pcap_hdr_storage
Definition: stream-tcp-private.h:78
TcpStream_::app_progress_rel
uint32_t app_progress_rel
Definition: stream-tcp-private.h:126
TcpStateQueue_::ts
uint32_t ts
Definition: stream-tcp-private.h:41
TcpStateQueue_::pkt_ts
uint32_t pkt_ts
Definition: stream-tcp-private.h:42
TcpStream_::last_pkt_ts
uint32_t last_pkt_ts
Definition: stream-tcp-private.h:120
TCP_TIME_WAIT
@ TCP_TIME_WAIT
Definition: stream-tcp-private.h:157
TcpSegment::RB_ENTRY
RB_ENTRY(TcpSegment) __attribute__((__packed__)) rb
TcpSession_::queue_len
uint8_t queue_len
Definition: stream-tcp-private.h:275
TcpSession_
Definition: stream-tcp-private.h:271
TcpSession_::data_first_seen_dir
int8_t data_first_seen_dir
Definition: stream-tcp-private.h:276
TcpSession_::res
PoolThreadReserved res
Definition: stream-tcp-private.h:272
StreamTcpSackRecord::re
uint32_t re
Definition: stream-tcp-private.h:48
TcpStream_::tcp_flags
uint8_t tcp_flags
Definition: stream-tcp-private.h:111
StreamTcpSackRecord
Definition: stream-tcp-private.h:46
TcpStream_::wscale
uint16_t wscale
Definition: stream-tcp-private.h:109
TcpStateQueue_::ack
uint32_t ack
Definition: stream-tcp-private.h:40