diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp index 32efbf6..b0fe106 100644 --- a/src/tsg_action.cpp +++ b/src/tsg_action.cpp @@ -574,18 +574,13 @@ static unsigned char do_action_drop(const struct streaminfo *a_stream, Maat_rule return STATE_DROPME|STATE_DROPPKT; } -static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data) +static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data, enum ACTION_RETURN_TYPE type) { if(g_tsg_para.feature_tamper==0) { do_action_drop(a_stream, p_result, user_region, protocol, user_data); return STATE_DROPME|STATE_DROPPKT; } - - if(user_region==NULL) - { - return do_action_drop(a_stream, p_result, user_region, protocol, user_data); - } struct tcpall_context * _context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id); if(_context==NULL) 
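Review bot: The `user_region==NULL` fallback to do_action_drop() is removed, so do_action_tamper() no longer validates `user_region` before continuing; the visible lines only pass it through to do_action_drop(), but the body continues in the next hunk, so confirm nothing further down dereferences it, or restore the guard. The new `enum ACTION_RETURN_TYPE type` parameter is undocumented; a one-line comment above the definition such as `/* type: ACTION_RETURN_TYPE_APP defers the tamper send to tsg_master_all_entry; other callers send here (UDP only) */` would record why it was added. do_action_tamper's body runs past the end of this hunk.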
@@ -594,30 +589,26 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_ru memset(_context, 0, sizeof(struct tcpall_context)); set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context); _context->method_type=TSG_METHOD_TYPE_TAMPER; - _context->tamper_count = -1; - }else{ - if(_context->method_type != TSG_METHOD_TYPE_TAMPER) - { - _context->method_type = TSG_METHOD_TYPE_TAMPER; - _context->tamper_count = -1; - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - __FUNCTION__, - "Tamper is been processed, _context->method_type : %d", - _context->method_type); - return STATE_GIVEME; - } + _context->tamper_count = 0; + } + else + { + _context->method_type = TSG_METHOD_TYPE_TAMPER; + _context->tamper_count = 0; } - if(a_stream->type != STREAM_TYPE_TCP){ - if(0 == send_tamper_xxx(a_stream, &_context->tamper_count, user_data)){ - return STATE_GIVEME|STATE_DROPPKT; - } + //当前为tsg_master_plug暂时不处理在tsg_master_all_entry处理,防止命中发两次 + if(ACTION_RETURN_TYPE_APP == type) + { + return STATE_GIVEME|STATE_DROPPKT|STATE_KILL_OTHER; } - return STATE_GIVEME; + + //TCP这里发送的话,tsg_master_all_entry仍会处理发送,UDP没有这个情况,所以加该判断 + if(a_stream->type == STREAM_TYPE_UDP) + { + send_tamper_xxx(a_stream, &_context->tamper_count, user_data); + } + return STATE_DROPME|STATE_DROPPKT; } static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data) 
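Review bot: In the UDP branch the result of send_tamper_xxx() is discarded and the function returns `STATE_DROPME|STATE_DROPPKT` either way, so a failed tamper (send_tamper_xxx() returns -1 in the tsg_tamper.cpp hunks) silently degrades to a plain drop with nothing recorded at this level. If fail-to-drop is the intent, say so on the call: `/* failure is counted inside send_tamper_xxx; the packet is dropped either way */`, otherwise check the return and log the fallback. The early `STATE_GIVEME` return for a context already in TSG_METHOD_TYPE_TAMPER is gone, so `tamper_count` is now reset to 0 on every call; if send_tamper_xxx() uses that counter to bound retries (not visible here), the reset defeats it — please confirm. The two new comments are in Chinese; an English equivalent such as `// APP path: tsg_master_all_entry sends the tamper packet, so skip here to avoid sending twice` would help reviewers who cannot read them.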
@@ -849,7 +840,7 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc local_state=do_action_ratelimit(a_stream, p_result, user_region, type); break; case TSG_METHOD_TYPE_TAMPER: - local_state=do_action_tamper(a_stream, p_result, user_region, protocol, user_data); + local_state = do_action_tamper(a_stream, p_result, user_region, protocol, user_data, type); break; case TSG_METHOD_TYPE_DEFAULT: local_state=do_action_default_xxx(a_stream, p_result, user_region, protocol, user_data); diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index ee19c85..106e7a1 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp @@ -92,7 +92,10 @@ id2field_t g_tsg_fs2_field[TSG_FS2_MAX]={{0, TSG_FS2_TCP_LINKS, "tcp_links"}, {0, TSG_FS2_APPEND_LOG_HANDLE, "append_log_cnt"}, {0, TSG_FS2_FREE_LOG_HANDLE, "free_log_cnt"}, {0, TSG_FS2_FREE_RAPID_SIZE, "free_rapid_size"}, - {0, TSG_FS2_FREE_RAPID_CAPACITY, "free_rapid_capacity"} + {0, TSG_FS2_FREE_RAPID_CAPACITY, "free_rapid_capacity"}, + {0, TSG_FS2_SUCESS_TAMPER, "tamper_sucess"}, + {0, TSG_FS2_TAMPER_FAILED_PLOAD_LESS_4, "tamper_nopload"}, + {0, TSG_FS2_TAMPER_FAILED_NOSWOP, "tamper_noswop"} }; id2field_t g_tsg_proto_name2id[PROTO_MAX]={{PROTO_UNKONWN, 0, "unknown"}, 
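Review bot: The new counter entry `{0, TSG_FS2_SUCESS_TAMPER, "tamper_sucess"}` misspells "success" in both the enum constant and the exported field name; since the string is what the stats consumer will see, rename to `TSG_FS2_TAMPER_SUCCESS` / `"tamper_success"` before it ships, here, in the tsg_entry.h `@@ -129` hunk and at the FS_operate call in tsg_tamper.cpp. The three new entries are listed in the same order as the enum values added in tsg_entry.h; if the table is indexed by the enum (not visible here), a comment above it such as `/* keep in the same order as enum TSG_FS2_TYPE */` records that coupling.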
@@ -760,45 +763,6 @@ void free_gather_app_result(int thread_seq, void *project_req_value) } } -static int is_tamper_action(struct Maat_rule_t *p_result){ - struct compile_user_region *user_region=NULL; - user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]); - if(user_region == NULL){ - return 0; - }else if(user_region->method_type != TSG_METHOD_TYPE_TAMPER){ - return 0 ; - } - return 1; -} - -static void copy_tamper_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, struct Maat_rule_t *result, int result_num, int thread_seq) -{ - int i=0; - - if(!is_tamper_action(p_result)){ - return; - } - - if(context->result==NULL){ - context->result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t)*MAX_RESULT_NUM); - } - - for(i=0; ihit_cntresult+context->hit_cnt, &result[i], sizeof(struct Maat_rule_t)); - context->hit_cnt+=1; - } - - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "TAMPER", - "Hit tamper policy, policy_id: %d service: %d action: %d addr: %s", - result[0].config_id, - result[0].service_id, - (unsigned char)result[0].action, - PRINTADDR(a_stream, g_tsg_para.level)); - return; -} - static void copy_monitor_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, int result_num, int thread_seq) { int i=0; 
@@ -1648,11 +1612,10 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, state=tsg_deal_deny_action(a_stream, p_result, context->proto, ACTION_RETURN_TYPE_APP, a_packet); } - if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER) || is_tamper_action(p_result)) + if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER)) { context->hit_cnt=0; master_send_log(a_stream, p_result, 1, context, a_stream->threadnum); - copy_tamper_result(a_stream, context, p_result, result, hit_num, a_stream->threadnum); copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_FW_RESULT, a_stream->threadnum); MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, @@ -2022,10 +1985,8 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns } break; case TSG_METHOD_TYPE_TAMPER: - if(a_stream->opstate != OP_STATE_PENDING){ - if(0 == send_tamper_xxx(a_stream, &all_context->tamper_count, a_packet)){ - state|=APP_STATE_GIVEME|APP_STATE_DROPPKT; - } + if(0 == send_tamper_xxx(a_stream, &all_context->tamper_count, a_packet)){ + state|=APP_STATE_GIVEME|APP_STATE_DROPPKT; } break; case TSG_METHOD_TYPE_DEFAULT: diff --git a/src/tsg_entry.h b/src/tsg_entry.h index 89ada10..7e33e42 100644 --- a/src/tsg_entry.h +++ b/src/tsg_entry.h @@ -129,6 +129,9 @@ enum TSG_FS2_TYPE{ TSG_FS2_FREE_LOG_HANDLE, TSG_FS2_FREE_RAPID_SIZE, TSG_FS2_FREE_RAPID_CAPACITY, + TSG_FS2_SUCESS_TAMPER, + TSG_FS2_TAMPER_FAILED_PLOAD_LESS_4, + TSG_FS2_TAMPER_FAILED_NOSWOP, TSG_FS2_MAX }; diff --git a/src/tsg_tamper.cpp b/src/tsg_tamper.cpp index 80f5ef6..897e6dd 100644 --- a/src/tsg_tamper.cpp +++ b/src/tsg_tamper.cpp @@ -32,7 +32,7 @@ #define IPV6_UDP_PALYLOAD_START_INDEX 48 //ipv6_len(40) + udp_len(8) #define IPV6_IP_PAYLOAD_INDEX 4 //ipv6_payload_index(4) -int tamper_calc(char *str, int endlen) +int swop_payload2byte(char *str, int endlen) { int i = 0; int j = 0; 
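Review bot: With `is_tamper_action(p_result)` dropped from the condition, a tamper hit enters the log-and-copy branch only when tsg_deal_deny_action() reports DROPPKT or KILL_OTHER, which now relies on do_action_tamper() in tsg_action.cpp returning `STATE_GIVEME|STATE_DROPPKT|STATE_KILL_OTHER` for ACTION_RETURN_TYPE_APP. That cross-file dependency deserves a comment on the `if`, e.g. `/* tamper hits reach this branch via DROPPKT|KILL_OTHER from do_action_tamper (APP path) */`, so a later change to the action return flags does not silently stop tamper hits from being logged. master_deal_scan_result continues outside this hunk.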
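Review bot: The `a_stream->opstate != OP_STATE_PENDING` guard around send_tamper_xxx() in tsg_master_all_entry is removed without a stated reason, so tamper injection is now attempted on pending streams as well. If the guard was dead because pending streams never reach this case, a comment saying so would help: `/* pending streams never reach here: <reason> */`; if not, send_tamper_xxx() is now handed `a_packet` in a state the old code deliberately skipped, so please confirm. The enclosing switch continues outside the hunk.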
@@ -42,6 +42,7 @@ int tamper_calc(char *str, int endlen) return 0; } + //这样交换是别面校验和不对的问题 for(i=1; iptcpdetail->pdata; trans_layload_len = a_stream->ptcpdetail->datalen; + if((p_trans_payload==NULL)||(trans_layload_len<=4)){ + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_TAMPER_FAILED_PLOAD_LESS_4], 0, FS_OP_ADD, 1); MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, __FUNCTION__, 
@@ -86,30 +83,33 @@ int send_tamper_xxx(const struct streaminfo *a_stream, long *tamper_count, const p_trans_payload, trans_layload_len, raw_pkt); + return -1; } memcpy(tamper_buf, p_trans_payload, trans_layload_len); - tamper_index = tamper_calc(tamper_buf, trans_layload_len); - if(tamper_index > 0){ - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - __FUNCTION__, - "Addr: %s, try send num %ld ptcpdetail->pdata %p, ptcpdetail->datalen %d rawpkt %p, modify the index(%d) position of the payload:(old: %02x %02x %02x %02x, new: %02x %02x %02x %02x)", - PRINTADDR(a_stream, g_tsg_para.level), - *tamper_count, - p_trans_payload, - trans_layload_len, - raw_pkt, - tamper_index, - (uint8_t)p_trans_payload[tamper_index-1], (uint8_t)p_trans_payload[tamper_index], (uint8_t)p_trans_payload[tamper_index+1], (uint8_t)p_trans_payload[tamper_index+2], - (uint8_t)tamper_buf[tamper_index-1], (uint8_t)tamper_buf[tamper_index], (uint8_t)tamper_buf[tamper_index+1], (uint8_t)tamper_buf[tamper_index+2]); - + tamper_index = swop_payload2byte(tamper_buf, trans_layload_len); + if(tamper_index > 0 ){ if(0 == tsg_send_inject_packet(a_stream, SIO_DEFAULT, tamper_buf, trans_layload_len, a_stream->routedir)){ - ret = 0; + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SUCESS_TAMPER], 0, FS_OP_ADD, 1); + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + __FUNCTION__, + "Addr: %s, try send num %ld ptcpdetail->pdata %p, ptcpdetail->datalen %d rawpkt %p, modify the index(%d) position of the payload:(old: %02x %02x %02x %02x, new: %02x %02x %02x %02x)", + PRINTADDR(a_stream, g_tsg_para.level), + *tamper_count, + p_trans_payload, + trans_layload_len, + raw_pkt, + tamper_index, + (uint8_t)p_trans_payload[tamper_index-1], (uint8_t)p_trans_payload[tamper_index], (uint8_t)p_trans_payload[tamper_index+1], (uint8_t)p_trans_payload[tamper_index+2], + (uint8_t)tamper_buf[tamper_index-1], (uint8_t)tamper_buf[tamper_index], (uint8_t)tamper_buf[tamper_index+1], 
(uint8_t)tamper_buf[tamper_index+2]); + return 0; } - }else{ - MESA_handle_runtime_log(g_tsg_para.logger, + } + + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_TAMPER_FAILED_NOSWOP], 0, FS_OP_ADD, 1); + MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, __FUNCTION__, "Addr: %s, try send num %ld ptcpdetail->pdata %p, ptcpdetail->datalen %d rawpkt %p, payload tamper failed because payload data same", @@ -118,7 +118,6 @@ int send_tamper_xxx(const struct streaminfo *a_stream, long *tamper_count, const p_trans_payload, trans_layload_len, raw_pkt); - } - return ret; + return -1; }
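Review bot: After the restructure, a failing tsg_send_inject_packet() (swop_payload2byte() returned an index but the inject returned non-zero) falls through to the `TSG_FS2_TAMPER_FAILED_NOSWOP` counter and the "payload data same" log, so an injection failure is counted and logged as a no-swap case. Separate the two outcomes so the counters stay truthful; a sketch follows, with the swap-failed log arguments unchanged from the hunk. Nothing in the visible hunks increments `*tamper_count`, and do_action_tamper() now resets it to 0, so the `try send num %ld` field may be constant — worth checking where it is advanced. The success log indexes `p_trans_payload[tamper_index+2]`; whether swop_payload2byte() guarantees `tamper_index+2 < trans_layload_len` is not visible here.
```cpp
    tamper_index = swop_payload2byte(tamper_buf, trans_layload_len);
    if(tamper_index <= 0){
        FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_TAMPER_FAILED_NOSWOP], 0, FS_OP_ADD, 1);
        // … unchanged: "payload tamper failed because payload data same" debug log …
        return -1;
    }
    if(0 != tsg_send_inject_packet(a_stream, SIO_DEFAULT, tamper_buf, trans_layload_len, a_stream->routedir)){
        // TODO(review): give this its own FS2 field (placeholder: TSG_FS2_TAMPER_FAILED_INJECT) instead of NOSWOP
        MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, __FUNCTION__,
                                "Addr: %s, try send num %ld, inject of tampered payload failed",
                                PRINTADDR(a_stream, g_tsg_para.level), *tamper_count);
        return -1;
    }
    FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SUCESS_TAMPER], 0, FS_OP_ADD, 1);
    // … unchanged: success debug log (old/new payload bytes) …
    return 0;
```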
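Review bot: `return ret;` becomes `return -1;` but the declaration of `ret` at the top of send_tamper_xxx() is outside these hunks; if it is still there it is now an unused variable that `-Wall` will flag, so remove it with this change. The function's contract is now fixed by three explicit returns and deserves a header comment, e.g. `/* Returns 0 when a tampered copy of the payload was injected, -1 otherwise (each outcome is counted in FS2). */`.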