TSG-10101: 修复其他插件命中后处理tamper导致重启并重构业务流程
@@ -574,18 +574,13 @@ static unsigned char do_action_drop(const struct streaminfo *a_stream, Maat_rule
|
||||
return STATE_DROPME|STATE_DROPPKT;
|
||||
}
|
||||
|
||||
static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data)
|
||||
static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data, enum ACTION_RETURN_TYPE type)
|
||||
{
|
||||
if(g_tsg_para.feature_tamper==0)
|
||||
{
|
||||
do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
||||
return STATE_DROPME|STATE_DROPPKT;
|
||||
}
|
||||
|
||||
if(user_region==NULL)
|
||||
{
|
||||
return do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
||||
}
|
||||
|
||||
struct tcpall_context * _context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||
if(_context==NULL)
|
||||
@@ -594,30 +589,26 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_ru
|
||||
memset(_context, 0, sizeof(struct tcpall_context));
|
||||
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||
_context->method_type=TSG_METHOD_TYPE_TAMPER;
|
||||
_context->tamper_count = -1;
|
||||
}else{
|
||||
if(_context->method_type != TSG_METHOD_TYPE_TAMPER)
|
||||
{
|
||||
_context->method_type = TSG_METHOD_TYPE_TAMPER;
|
||||
_context->tamper_count = -1;
|
||||
}
|
||||
else
|
||||
{
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
__FUNCTION__,
|
||||
"Tamper is been processed, _context->method_type : %d",
|
||||
_context->method_type);
|
||||
return STATE_GIVEME;
|
||||
}
|
||||
_context->tamper_count = 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
_context->method_type = TSG_METHOD_TYPE_TAMPER;
|
||||
_context->tamper_count = 0;
|
||||
}
|
||||
|
||||
if(a_stream->type != STREAM_TYPE_TCP){
|
||||
if(0 == send_tamper_xxx(a_stream, &_context->tamper_count, user_data)){
|
||||
return STATE_GIVEME|STATE_DROPPKT;
|
||||
}
|
||||
//当前为tsg_master_plug暂时不处理在tsg_master_all_entry处理,防止命中发两次
|
||||
if(ACTION_RETURN_TYPE_APP == type)
|
||||
{
|
||||
return STATE_GIVEME|STATE_DROPPKT|STATE_KILL_OTHER;
|
||||
}
|
||||
return STATE_GIVEME;
|
||||
|
||||
//TCP这里发送的话,tsg_master_all_entry仍会处理发送,UDP没有这个情况,所以加该判断
|
||||
if(a_stream->type == STREAM_TYPE_UDP)
|
||||
{
|
||||
send_tamper_xxx(a_stream, &_context->tamper_count, user_data);
|
||||
}
|
||||
return STATE_DROPME|STATE_DROPPKT;
|
||||
}
|
||||
|
||||
static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data)
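Review bot: `_context->tamper_count` should now start at 0 wherever it is initialised: send_tamper_xxx (hunk at L555) dropped its `== -1` special case and simply increments, so any `_context->tamper_count = -1;` that survives on the new side (L72, L87 — with the +/- markers lost, which of L72/L87 versus L120/L135 remain is not certain) would make the first logged `try send num` 0 instead of 1. Separately, the UDP send at L184 discards the return of `send_tamper_xxx` while the path at L146 checks it; the stream is still dropped on failure, which is the safe outcome, but the failure is then only visible through the counters inside send_tamper_xxx, so either log it at the call site, `if(0 != send_tamper_xxx(a_stream, &_context->tamper_count, user_data)){ /* inject failed; stream is dropped regardless */ }`, or leave a comment saying the result is intentionally ignored. do_action_tamper's signature is in the previous hunk (L17).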
|
||||
@@ -849,7 +840,7 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
|
||||
local_state=do_action_ratelimit(a_stream, p_result, user_region, type);
|
||||
break;
|
||||
case TSG_METHOD_TYPE_TAMPER:
|
||||
local_state=do_action_tamper(a_stream, p_result, user_region, protocol, user_data);
|
||||
local_state = do_action_tamper(a_stream, p_result, user_region, protocol, user_data, type);
|
||||
break;
|
||||
case TSG_METHOD_TYPE_DEFAULT:
|
||||
local_state=do_action_default_xxx(a_stream, p_result, user_region, protocol, user_data);
|
||||
|
||||
@@ -92,7 +92,10 @@ id2field_t g_tsg_fs2_field[TSG_FS2_MAX]={{0, TSG_FS2_TCP_LINKS, "tcp_links"},
|
||||
{0, TSG_FS2_APPEND_LOG_HANDLE, "append_log_cnt"},
|
||||
{0, TSG_FS2_FREE_LOG_HANDLE, "free_log_cnt"},
|
||||
{0, TSG_FS2_FREE_RAPID_SIZE, "free_rapid_size"},
|
||||
{0, TSG_FS2_FREE_RAPID_CAPACITY, "free_rapid_capacity"}
|
||||
{0, TSG_FS2_FREE_RAPID_CAPACITY, "free_rapid_capacity"},
|
||||
{0, TSG_FS2_SUCESS_TAMPER, "tamper_sucess"},
|
||||
{0, TSG_FS2_TAMPER_FAILED_PLOAD_LESS_4, "tamper_nopload"},
|
||||
{0, TSG_FS2_TAMPER_FAILED_NOSWOP, "tamper_noswop"}
|
||||
};
|
||||
|
||||
id2field_t g_tsg_proto_name2id[PROTO_MAX]={{PROTO_UNKONWN, 0, "unknown"},
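Review bot: The new counter at L248 and the enumerator `TSG_FS2_SUCESS_TAMPER` at L487 misspell "success"; because the string `"tamper_sucess"` is the name exported to whatever reads this stats table, it becomes hard to rename once something depends on it, so fix it while it is new: `{0, TSG_FS2_TAMPER_SUCCESS, "tamper_success"},` with the matching enumerator at L487 and the FS_operate call at L709. The two failure names `"tamper_nopload"` and `"tamper_noswop"` then read consistently as `tamper_<outcome>`.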
|
||||
@@ -760,45 +763,6 @@ void free_gather_app_result(int thread_seq, void *project_req_value)
|
||||
}
|
||||
}
|
||||
|
||||
static int is_tamper_action(struct Maat_rule_t *p_result){
|
||||
struct compile_user_region *user_region=NULL;
|
||||
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
||||
if(user_region == NULL){
|
||||
return 0;
|
||||
}else if(user_region->method_type != TSG_METHOD_TYPE_TAMPER){
|
||||
return 0 ;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void copy_tamper_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, struct Maat_rule_t *result, int result_num, int thread_seq)
|
||||
{
|
||||
int i=0;
|
||||
|
||||
if(!is_tamper_action(p_result)){
|
||||
return;
|
||||
}
|
||||
|
||||
if(context->result==NULL){
|
||||
context->result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t)*MAX_RESULT_NUM);
|
||||
}
|
||||
|
||||
for(i=0; i<result_num && context->hit_cnt<MAX_RESULT_NUM; i++){
|
||||
memcpy(context->result+context->hit_cnt, &result[i], sizeof(struct Maat_rule_t));
|
||||
context->hit_cnt+=1;
|
||||
}
|
||||
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
"TAMPER",
|
||||
"Hit tamper policy, policy_id: %d service: %d action: %d addr: %s",
|
||||
result[0].config_id,
|
||||
result[0].service_id,
|
||||
(unsigned char)result[0].action,
|
||||
PRINTADDR(a_stream, g_tsg_para.level));
|
||||
return;
|
||||
}
|
||||
|
||||
static void copy_monitor_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, int result_num, int thread_seq)
|
||||
{
|
||||
int i=0;
|
||||
@@ -1648,11 +1612,10 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
state=tsg_deal_deny_action(a_stream, p_result, context->proto, ACTION_RETURN_TYPE_APP, a_packet);
|
||||
}
|
||||
|
||||
if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER) || is_tamper_action(p_result))
|
||||
if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER))
|
||||
{
|
||||
context->hit_cnt=0;
|
||||
master_send_log(a_stream, p_result, 1, context, a_stream->threadnum);
|
||||
copy_tamper_result(a_stream, context, p_result, result, hit_num, a_stream->threadnum);
|
||||
copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_FW_RESULT, a_stream->threadnum);
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
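Review bot: With `is_tamper_action()` gone from the condition at L410, a tamper hit reaches the log/copy block only because do_action_tamper now returns `STATE_DROPPKT|STATE_KILL_OTHER` for `ACTION_RETURN_TYPE_APP` (hunk at L60); that coupling is invisible here, so a one-line comment above L410 such as `/* tamper hits arrive with DROPPKT|KILL_OTHER already set by do_action_tamper; no separate check needed */` would stop someone re-adding the helper. The test also mixes an explicit compare with a truthiness test; `if(state & (APP_STATE_DROPPKT|APP_STATE_KILL_OTHER))` is equivalent provided both flags are single bits, which their use as `|=` masks at L461 suggests. master_deal_scan_result begins and ends outside this hunk.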
|
||||
@@ -2022,10 +1985,8 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
||||
}
|
||||
break;
|
||||
case TSG_METHOD_TYPE_TAMPER:
|
||||
if(a_stream->opstate != OP_STATE_PENDING){
|
||||
if(0 == send_tamper_xxx(a_stream, &all_context->tamper_count, a_packet)){
|
||||
state|=APP_STATE_GIVEME|APP_STATE_DROPPKT;
|
||||
}
|
||||
if(0 == send_tamper_xxx(a_stream, &all_context->tamper_count, a_packet)){
|
||||
state|=APP_STATE_GIVEME|APP_STATE_DROPPKT;
|
||||
}
|
||||
break;
|
||||
case TSG_METHOD_TYPE_DEFAULT:
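Review bot: Dropping the `opstate != OP_STATE_PENDING` guard (old L446) means `send_tamper_xxx` at L458 now injects on every packet of a TAMPER-marked stream regardless of opstate; if PENDING marks a stream whose verdict is not yet final, that is an injection on an undecided flow — confirm it is intended and, if so, say why in a comment, since the commit message only mentions the restart. There is also no visible upper bound on `all_context->tamper_count`, so a stream that keeps flowing gets one injected packet per observed packet for its lifetime; if no limit is enforced elsewhere, `if(all_context->tamper_count < TAMPER_MAX_SENDS /* placeholder */ && 0 == send_tamper_xxx(a_stream, &all_context->tamper_count, a_packet))` bounds the cost. tsg_master_all_entry begins and ends outside this hunk.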
|
||||
|
||||
@@ -129,6 +129,9 @@ enum TSG_FS2_TYPE{
|
||||
TSG_FS2_FREE_LOG_HANDLE,
|
||||
TSG_FS2_FREE_RAPID_SIZE,
|
||||
TSG_FS2_FREE_RAPID_CAPACITY,
|
||||
TSG_FS2_SUCESS_TAMPER,
|
||||
TSG_FS2_TAMPER_FAILED_PLOAD_LESS_4,
|
||||
TSG_FS2_TAMPER_FAILED_NOSWOP,
|
||||
TSG_FS2_MAX
|
||||
};
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@
|
||||
#define IPV6_UDP_PALYLOAD_START_INDEX 48 //ipv6_len(40) + udp_len(8)
|
||||
#define IPV6_IP_PAYLOAD_INDEX 4 //ipv6_payload_index(4)
|
||||
|
||||
int tamper_calc(char *str, int endlen)
|
||||
int swop_payload2byte(char *str, int endlen)
|
||||
{
|
||||
int i = 0;
|
||||
int j = 0;
|
||||
@@ -42,6 +42,7 @@ int tamper_calc(char *str, int endlen)
|
||||
return 0;
|
||||
}
|
||||
|
||||
//这样交换是别面校验和不对的问题
|
||||
for(i=1; i<endlen; i=i+2){
|
||||
for (j=i+2; j<endlen; j=j+2){
|
||||
if(str[i] != str[j]){
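Review bot: The new comment at L543 has a typo (`别面` for `避免`) and could state the actual invariant: `//只交换奇数下标的字节(同一字节序位置),避免改变校验和` — swapping two bytes that sit at the same parity offset leaves a 16-bit one's-complement checksum unchanged, which is presumably what "校验和不对" refers to, so confirm that reading. The nested j loop at L549 is also unnecessary: if any two odd-index bytes differ then some adjacent pair (i, i+2) differs, so a single pass `for(i=1; i+2<endlen; i+=2){ if(str[i] != str[i+2]){ ... } }` finds a swappable pair in O(n) instead of O(n²) on an all-same payload (bounded by MTU_LEN, so a cost rather than a hazard). The swap and the return value of swop_payload2byte lie outside this hunk, so check which index the caller expects before changing the loop — the log at L742 reads `tamper_index-1` through `tamper_index+2`.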
|
||||
@@ -61,22 +62,18 @@ int send_tamper_xxx(const struct streaminfo *a_stream, long *tamper_count, const
|
||||
int trans_layload_len = 0;
|
||||
char tamper_buf[MTU_LEN] = {0};
|
||||
int tamper_index = 0;
|
||||
int ret = -1;
|
||||
|
||||
if(a_stream==NULL || raw_pkt==NULL){
|
||||
return -1;
|
||||
}
|
||||
|
||||
if(*tamper_count == -1){
|
||||
*tamper_count = 1;
|
||||
}else{
|
||||
*tamper_count = *tamper_count + 1;
|
||||
}
|
||||
|
||||
*tamper_count = *tamper_count + 1;
|
||||
p_trans_payload = (char *)a_stream->ptcpdetail->pdata;
|
||||
trans_layload_len = a_stream->ptcpdetail->datalen;
|
||||
|
||||
|
||||
if((p_trans_payload==NULL)||(trans_layload_len<=4)){
|
||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_TAMPER_FAILED_PLOAD_LESS_4], 0, FS_OP_ADD, 1);
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
__FUNCTION__,
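Review bot: `trans_layload_len` is only checked against a lower bound at L613, yet `tamper_buf` is `char[MTU_LEN]` (L561) and the next hunk copies `trans_layload_len` bytes into it (`memcpy` at L650), so a segment whose `datalen` exceeds MTU_LEN overflows the stack buffer. Extend the guard to `if((p_trans_payload==NULL)||(trans_layload_len<=4)||(trans_layload_len>(int)sizeof(tamper_buf))){`, and give the oversize case its own log text if the `PLOAD_LESS_4` counter is meant to stay precise. L603 also reads `a_stream->ptcpdetail` unconditionally although do_action_tamper (hunk at L60) now calls this function for UDP streams; if streaminfo carries a distinct UDP detail member this reads the wrong one — confirm. send_tamper_xxx's header is above this hunk and the function continues below it.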
|
||||
@@ -86,30 +83,33 @@ int send_tamper_xxx(const struct streaminfo *a_stream, long *tamper_count, const
|
||||
p_trans_payload,
|
||||
trans_layload_len,
|
||||
raw_pkt);
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
memcpy(tamper_buf, p_trans_payload, trans_layload_len);
|
||||
tamper_index = tamper_calc(tamper_buf, trans_layload_len);
|
||||
if(tamper_index > 0){
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
__FUNCTION__,
|
||||
"Addr: %s, try send num %ld ptcpdetail->pdata %p, ptcpdetail->datalen %d rawpkt %p, modify the index(%d) position of the payload:(old: %02x %02x %02x %02x, new: %02x %02x %02x %02x)",
|
||||
PRINTADDR(a_stream, g_tsg_para.level),
|
||||
*tamper_count,
|
||||
p_trans_payload,
|
||||
trans_layload_len,
|
||||
raw_pkt,
|
||||
tamper_index,
|
||||
(uint8_t)p_trans_payload[tamper_index-1], (uint8_t)p_trans_payload[tamper_index], (uint8_t)p_trans_payload[tamper_index+1], (uint8_t)p_trans_payload[tamper_index+2],
|
||||
(uint8_t)tamper_buf[tamper_index-1], (uint8_t)tamper_buf[tamper_index], (uint8_t)tamper_buf[tamper_index+1], (uint8_t)tamper_buf[tamper_index+2]);
|
||||
|
||||
tamper_index = swop_payload2byte(tamper_buf, trans_layload_len);
|
||||
if(tamper_index > 0 ){
|
||||
if(0 == tsg_send_inject_packet(a_stream, SIO_DEFAULT, tamper_buf, trans_layload_len, a_stream->routedir)){
|
||||
ret = 0;
|
||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SUCESS_TAMPER], 0, FS_OP_ADD, 1);
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
__FUNCTION__,
|
||||
"Addr: %s, try send num %ld ptcpdetail->pdata %p, ptcpdetail->datalen %d rawpkt %p, modify the index(%d) position of the payload:(old: %02x %02x %02x %02x, new: %02x %02x %02x %02x)",
|
||||
PRINTADDR(a_stream, g_tsg_para.level),
|
||||
*tamper_count,
|
||||
p_trans_payload,
|
||||
trans_layload_len,
|
||||
raw_pkt,
|
||||
tamper_index,
|
||||
(uint8_t)p_trans_payload[tamper_index-1], (uint8_t)p_trans_payload[tamper_index], (uint8_t)p_trans_payload[tamper_index+1], (uint8_t)p_trans_payload[tamper_index+2],
|
||||
(uint8_t)tamper_buf[tamper_index-1], (uint8_t)tamper_buf[tamper_index], (uint8_t)tamper_buf[tamper_index+1], (uint8_t)tamper_buf[tamper_index+2]);
|
||||
return 0;
|
||||
}
|
||||
}else{
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
}
|
||||
|
||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_TAMPER_FAILED_NOSWOP], 0, FS_OP_ADD, 1);
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
__FUNCTION__,
|
||||
"Addr: %s, try send num %ld ptcpdetail->pdata %p, ptcpdetail->datalen %d rawpkt %p, payload tamper failed because payload data same",
|
||||
@@ -118,7 +118,6 @@ int send_tamper_xxx(const struct streaminfo *a_stream, long *tamper_count, const
|
||||
p_trans_payload,
|
||||
trans_layload_len,
|
||||
raw_pkt);
|
||||
}
|
||||
|
||||
return ret;
|
||||
return -1;
|
||||
}
|
||||
|
||||