gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

管控策略命中通过版本

Browse Source 
1. 添加安全策略table_info文件
2. 修改管控策略命中问题
3. 安全策略存在无法多命中
This commit is contained in:
fengweihao
2020-01-17 18:57:51 +08:00
parent 7740e213da
commit faf21bde42
7 changed files with 467 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
common/include/verify_policy.h
View File

@@ -11,7 +11,7 @@
#include <event2/event.h>
#include "verify_policy_utils.h"
enum policy_type
enum tsg_policy_type
{
PXY_TABLE_SECURITY,
PXY_TABLE_MANIPULATION,
@@ -106,8 +106,9 @@ extern struct verify_proxy * g_verify_proxy;
void * pangu_http_ctx_new(unsigned int thread_id);
void pangu_http_ctx_free(void * pme);
void http_scan(const char * value, enum policy_type type, int protocol_field, void *pme, cJSON *data_obj, struct ipaddr *ip_addr);
void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol_field, struct ipaddr *ip_addr, cJSON *data_obj, void *pme);
int security_policy_init(struct verify_proxy * verify, const char* profile_path);

3
conf/verify_policy.conf
View File

@@ -12,12 +12,13 @@ thread-nu = 4
# 0:json 1: redis 2: iris
maat_input_mode=1
table_info=./resource/table_info.conf
table_info_tsg=./resource/tsg_static_tableinfo.conf
json_cfg_file=./resource/pangu_http.json
stat_file=logs/verify-policy.status
full_cfg_dir=verify-policy/
inc_cfg_dir=verify-policy/
maat_redis_server=192.168.40.120
maat_redis_server=192.168.40.131
maat_redis_port_range=7002
maat_redis_db_index=0
effect_interval_s=1

179
platform/src/verify_policy.cpp
View File

@@ -30,31 +30,22 @@
struct verify_proxy * g_verify_proxy = NULL;
struct keyword_obj
struct policy_table_obj
{
int protocol_field;
char *content_type;
char *content;
char *protocol_field_name;
char *keyword;
char *keyword_scope;
struct ipaddr *ip_addr;
int addr_type;
int protocol;
char *clientIp1;
unsigned int clientPort1;
char *serverIp1;
unsigned int serverPort1;
char *subscriberid;
};
struct verify_policy_query
struct policy_query_list
{
int c_num;
enum policy_type type;
char *policy_type_name;
struct keyword_obj keywords[32];
enum tsg_policy_type type;
struct policy_table_obj table_obj[32];
};
/* VERSION STRING */
@@ -87,7 +78,7 @@ static int verify_policy_init(struct verify_proxy * verify, const char *profile)
return xret;
}
enum policy_type policy_type_str2idx(const char *action_str)
enum tsg_policy_type tsg_policy_type_str2idx(const char *action_str)
{
const char * policy_name[__SCAN_POLICY_MAX];
policy_name[PXY_TABLE_SECURITY] = "tsg_security";
@@ -101,10 +92,11 @@ enum policy_type policy_type_str2idx(const char *action_str)
if (0 == strcasecmp(action_str, policy_name[i]))
break;
}
return (enum policy_type)i;
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] policyType= %s", action_str);
return (enum tsg_policy_type)i;
}
int field_type_str2idx(enum policy_type type, const char *action_str)
int protoco_field_type_str2idx(enum tsg_policy_type type, const char *action_str, char *buff, char *p)
{
const char * table_name[__SECURITY_TABLE_MAX] ={0};
@@ -158,45 +150,11 @@ int field_type_str2idx(enum policy_type type, const char *action_str)
if (0 == strcasecmp(action_str, table_name[i]))
break;
}
p += snprintf(p, sizeof(buff) - (p - buff), "protocolField=%s,%d",action_str, (int)i);
return i;
}
void verify_policy_query(struct verify_policy_query *policy_query, int thread_id, cJSON *data_obj)
{
int i = 0;
char buff[VERIFY_STRING_MAX], *p = NULL;;
void *ctx = pangu_http_ctx_new(thread_id);
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Query policy table is %s", policy_query->policy_type_name);
for (i = 0; i < policy_query->c_num; i++)
{
p = buff;
if(0 == strcasecmp(policy_query->keywords[i].content_type, "ip"))
{
http_scan(policy_query->keywords[i].content, policy_query->type, PXY_CTRL_IP, ctx, data_obj, policy_query->keywords[i].ip_addr);
}
else if(0 == strcasecmp(policy_query->keywords[i].content_type, "subscriberid"))
{
p += snprintf(p, sizeof(buff) - (p - buff), "contentType=%s, subscriberid=%s", policy_query->keywords[i].content_type,
policy_query->keywords[i].subscriberid);
http_scan(policy_query->keywords[i].content, policy_query->type, PXY_CTRL_SUBSCRIBE_ID, ctx, data_obj, NULL);
}else
{
p += snprintf(p, sizeof(buff) - (p - buff), "contentType=%s, protocolField=%s content=%s", policy_query->keywords[i].content_type,
policy_query->keywords[i].protocol_field_name, policy_query->keywords[i].content);
http_scan(policy_query->keywords[i].content, policy_query->type, policy_query->keywords[i].protocol_field, ctx, data_obj, NULL);
}
*p = '\0';
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%s", buff);
}
FREE(&ctx);
return;
}
struct ipaddr *ip_to_stream_addr(char *clientIp1, unsigned int clientPort1, char *serverIp1, unsigned int serverPort1, int addr_type)
{
struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1);
@@ -220,12 +178,16 @@ struct ipaddr *ip_to_stream_addr(char *clientIp1, unsigned int clientPort1, char
v6_addr->dest=htons(serverPort1);
ip_addr->v6=v6_addr;
}
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] contentType = ip, clientIp1=%s, clientPort1=%d, serverIp=%s, serverPort=%d, addr_type = %d",
clientIp1, clientPort1, serverIp1, serverPort1, addr_type);
return ip_addr;
}
cJSON *get_query_from_request(const char *data, int thread_id)
{
int c_num = 0, i = 0;
int i = 0;
char buff[VERIFY_STRING_MAX], *p = NULL;;
cJSON* data_json = cJSON_Parse(data);
if(data_json == NULL)
@@ -233,7 +195,6 @@ cJSON *get_query_from_request(const char *data, int thread_id)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "invalid policy parameter");
return NULL;
}
cJSON *policy_obj=NULL, *data_obj=NULL;
policy_obj=cJSON_CreateObject();
@@ -248,97 +209,90 @@ cJSON *get_query_from_request(const char *data, int thread_id)
item = cJSON_GetObjectItem(data_json,"verifyList");
if(item && item->type==cJSON_Array)
{
c_num=cJSON_GetArraySize(item);
for (subitem = item->child; subitem != NULL; subitem = subitem->next)
{
struct verify_policy_query *query_ctx = ALLOC(struct verify_policy_query, 1);
struct policy_query_list *query_list = ALLOC(struct policy_query_list, 1);
item = cJSON_GetObjectItem(subitem,"policyType");
if(item && item->type==cJSON_String)
{
query_ctx->type = policy_type_str2idx(item->valuestring);
query_ctx->policy_type_name = item->valuestring;
query_list->type = tsg_policy_type_str2idx(item->valuestring);
}
item = cJSON_GetObjectItem(subitem,"verifyConditions");
if(item && item->type==cJSON_Array)
{
query_ctx->c_num=c_num=cJSON_GetArraySize(item);
void *ctx = pangu_http_ctx_new(thread_id);
for (subchild = item->child; subchild != NULL; subchild = subchild->next)
{
p = buff;
item = cJSON_GetObjectItem(subchild, "contentType");
if(item && item->type==cJSON_String)
{
query_ctx->keywords[i].content_type = item->valuestring;
query_list->table_obj[i].keyword_scope = item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), "contentType = %s",query_list->table_obj[i].keyword_scope);
}
if(0 == strcasecmp(query_ctx->keywords[i].content_type, "subscriberid"))
if(0 == strcasecmp(query_list->table_obj[i].keyword_scope, "subscriberid"))
{
item = cJSON_GetObjectItem(subchild,"subscriberid");
if(item && item->type==cJSON_String)
{
query_ctx->keywords[i].subscriberid = item->valuestring;
query_list->table_obj[i].subscriberid = item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), "subscriberid = %s",query_list->table_obj[i].subscriberid);
}
http_scan(query_list->table_obj[i].keyword, query_list->type, EV_HTTP_SUBSCRIBE_ID, NULL, data_obj, ctx);
i++;
continue;
}
if(0 == strcasecmp(query_ctx->keywords[i].content_type, "ip"))
if(0 == strcasecmp(query_list->table_obj[i].keyword_scope, "ip"))
{
int addr_type=0, protocol=0;
char *clientIp1=NULL,*serverIp1=NULL;
unsigned int clientPort1=0,serverPort1=0;
item = cJSON_GetObjectItem(subchild,"clientIp");
if(item && item->type==cJSON_String)
{
clientIp1 = item->valuestring;
}
item = cJSON_GetObjectItem(subchild,"serverIp");
if(item && item->type==cJSON_String)
{
serverIp1 = (item->valuestring);
}
item = cJSON_GetObjectItem(subchild,"clientPort");
if(item && item->type==cJSON_String)
{
clientPort1 =atoi(item->valuestring);
}
item = cJSON_GetObjectItem(subchild,"serverPort");
if(item && item->type==cJSON_String)
{
serverPort1 =atoi(item->valuestring);
}
item = cJSON_GetObjectItem(subchild,"protocol");
if(item && item->type==cJSON_Number)
{
protocol = item->valueint;
}
item=cJSON_GetObjectItem(subchild,"addrType");
if(item && item->type==cJSON_Number)
{
addr_type = item->valueint;
}
query_ctx->keywords[i].ip_addr = ip_to_stream_addr(clientIp1, clientPort1, serverIp1, serverPort1, addr_type);
item = cJSON_GetObjectItem(subchild,"clientIp");
if(item && item->type==cJSON_String) clientIp1 = item->valuestring;
item = cJSON_GetObjectItem(subchild,"serverIp");
if(item && item->type==cJSON_String) serverIp1 = (item->valuestring);
item = cJSON_GetObjectItem(subchild,"clientPort");
if(item && item->type==cJSON_String) clientPort1 =atoi(item->valuestring);
item = cJSON_GetObjectItem(subchild,"serverPort");
if(item && item->type==cJSON_String) serverPort1 =atoi(item->valuestring);
item = cJSON_GetObjectItem(subchild,"protocol");
if(item && item->type==cJSON_Number) protocol = item->valueint;
item=cJSON_GetObjectItem(subchild,"addrType");
if(item && item->type==cJSON_Number) addr_type = item->valueint;
query_list->table_obj[i].ip_addr = ip_to_stream_addr(clientIp1, clientPort1, serverIp1, serverPort1, addr_type);
http_scan(NULL, query_list->type, PXY_CTRL_IP, query_list->table_obj[i].ip_addr, data_obj, ctx);
i++;
continue;
}
item = cJSON_GetObjectItem(subchild, "protocolField");
if(item && item->type==cJSON_String)
{
query_ctx->keywords[i].protocol_field = field_type_str2idx(query_ctx->type, item->valuestring);
query_ctx->keywords[i].protocol_field_name = item->valuestring;
query_list->table_obj[i].protocol_field = protoco_field_type_str2idx(query_list->type, item->valuestring, buff, p);
}
item = cJSON_GetObjectItem(subchild, "content");
if(item && item->type==cJSON_String)
{
query_ctx->keywords[i].content = item->valuestring;
}
i++;
}
query_list->table_obj[i].keyword = item->valuestring;
p += snprintf(p, sizeof(buff) - (p - buff), " content = %s",query_list->table_obj[i].keyword);
}
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] %s", buff);
verify_policy_query(query_ctx, thread_id, data_obj);
http_scan(query_list->table_obj[i].keyword, query_list->type, query_list->table_obj[i].protocol_field, NULL, data_obj, ctx);
i++;
memset(buff, 0, VERIFY_STRING_MAX);
}
pangu_http_ctx_free(ctx);
}
i=0;
FREE(&query_ctx);
FREE(&query_list);
}
}
cJSON_Delete(data_json);
@@ -396,27 +350,12 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg)
}
policy_payload = cJSON_PrintUnformatted(policy_obj);
printf("%s\n", policy_payload);
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[O] %s", policy_payload);
evhttp_socket_send(evh_req, policy_payload);
cJSON_Delete(policy_obj);
free(policy_payload);
#if 0
if (policy_query == NULL)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Data parsing failed.");
goto error;
}
policy_payload = verify_policy_scan(policy_query, thread_ctx->id);
if (policy_payload)
{
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "%s", policy_payload);
evhttp_socket_send(evh_req, policy_payload);
free(policy_payload);
}
#endif
goto finish;
error:

323
resource/pangu_http.json Normal file
View File

@@ -0,0 +1,323 @@
{
"compile_table": "PXY_CTRL_COMPILE",
"group_table": "PXY_CTRL_GROUP",
"rules": [
{
"compile_id": 1021,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.baidu.com/index.html\"}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "www.rbc.ru",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1022,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\",\"html_profile\":101}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "bing.com",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1023,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\",\"html_profile\":102}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "pc.wps.cn",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1024,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"比特币\",\"replace_with\":\"硬币\"}]}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "edu.csdn.net/course/detail/6998",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1025,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"hijack\",\"hijack_profile\":201}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "www.wireshark.org/download/win32/WiresharkPortable_2.6.8.paf.exe",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1026,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"hijack\",\"hijack_profile\":201}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "www.downcc.com/ajax.asp",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1027,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"hijack\",\"hijack_profile\":202}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "dldir1.qq.com/foxmail/windows/FoxmailSetup_7.2.10.151.exe",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1028,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"insert\",\"insert_profile\":302}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "mirror.hoster.kz/centos",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1029,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"insert\",\"insert_profile\":303,\"position\":\"after-page-load\"}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "100wa.com/music",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1030,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"insert\",\"insert_profile\":303,\"position\":\"before-page-load\"}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "www.youku.com",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 1031,
"service": 1,
"action": 48,
"do_blacklist": 1,
"do_log": 1,
"effective_range": 0,
"user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_req_uri\",\"find\":\"(?<=\\\\\\?|^|&)q=([^&|^#]*)(?=&|$)\",\"replace_with\":\"q=find\"},{\"search_in\":\"http_req_uri\",\"find\":\"(?<=\\\\\\?|^|&)ei=([^&|^#]*)(?=&|$)\",\"replace_with\":\"ei=chaxun\"}]}",
"is_valid": "yes",
"groups": [
{
"regions": [
{
"table_name": "PXY_CTRL_HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "www.google.com/search?",
"expr_type": "regex",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
}
],
"plugin_table": [
{
"table_name": "PXY_PROFILE_RESPONSE_PAGES",
"table_content": [
"101\t404\thtml\t./resource/pangu/policy_file/404.html\t1",
"102\tHTTP403\ttemplate\t./resource/pangu/HTTP403.html\t1"
]
},
{
"table_name": "PXY_PROFILE_HIJACK_FILES",
"table_content": [
"201\tchakanqi\tchakanqi-947KB.exe\tapplication/x-msdos-program\t./resource/pangu/policy_file/chakanqi-947KB.exe\t1",
"202\tWPS8648\tWPS8648-132M.exe\tapplication/x-msdos-program\t./resource/pangu/policy_file/WPS8648-132M.exe\t1"
]
},
{
"table_name": "PXY_PROFILE_INSERT_SCRIPTS",
"table_content": [
"301\ttime\tjs\t./resource/pangu/policy_file/time.js\tbefore_page_load\t1",
"302\tu1\tcss\t./resource/pangu/policy_file/u1.css\tbefore_page_load\t1",
"303\tu1\tjs\t./resource/pangu/policy_file/alert.js\tbefore_page_load\t1"
]
},
{
"table_name": "TSG_SECURITY_COMPILE",
"table_content": [
"0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL/HTTP\",\"keyring\":765,\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"decrypt_mirror\":{\"enable\":0}}\t1\t2",
"1\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL/HTTP\",\"keyring\":0,\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"pass-through\"},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1},\"decrypt_mirror\":{\"enable\":1,\"mirror_profile\":4}}\t1\t2"
]
}
]
}

17
resource/table_info.conf
View File

@@ -30,20 +30,3 @@
11 TSG_FIELD_HTTP_REQ_CONTENT virtual TSG_OBJ_KEYWORDS --
12 TSG_FIELD_HTTP_RES_CONTENT virtual TSG_OBJ_KEYWORDS --
13 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon
14 TSG_FIELD_SSL_SNI virtual TSG_OBJ_FQDN --
15 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN --
16 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN --
17 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN --
18 TSG_OBJ_ACCOUNT expr UTF8 UTF8 yes 0
19 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
20 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
21 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
22 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
23 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
24 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
25 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
26 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
27 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
28 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --

42
resource/tsg_static_tableinfo.conf Normal file
View File

@@ -0,0 +1,42 @@
#each collumn seperate with '\t'
#id (0~65535)
#name string
#type one of ip,expr,expr_plus,digest,intval,compile or plugin
#src_charset one of GBK,BIG5,UNICODE,UTF8
#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
#do_merege yes or no
#cross cache 0~max
#quickswitch quickon or quick off
#id name type src_charset dst_charset do_merge cross_cache quickswitch
0 TSG_SECURITY_COMPILE compile escape --
1 GROUP_COMPILE_RELATION group UTF8 UTF8 no 0
2 TSG_OBJ_IP_ADDR ip_plus UTF8 UTF8 no 0
3 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0
4 TSG_OBJ_ACCOUNT expr UTF8 UTF8 yes 0
5 TSG_OBJ_URL expr UTF8 UTF8/GBK yes 0
6 TSG_OBJ_FQDN expr UTF8 UTF8 yes 0
6 TSG_OBJ_FQDN_CAT expr UTF8 UTF8 yes 0
7 TSG_OBJ_KEYWORDS expr UTF8 UTF8/GBK yes 0
8 TSG_OBJ_APP_ID expr UTF8 UTF8 yes 0
9 TSG_OBJ_HTTP_SIGNATURE expr_plus UTF8 UTF8/GBK yes 0
10 TSG_FIELD_HTTP_HOST virtual TSG_OBJ_FQDN --
11 TSG_FIELD_HTTP_URL virtual TSG_OBJ_URL --
12 TSG_FIELD_HTTP_REQ_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
13 TSG_FIELD_HTTP_RES_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
14 TSG_FIELD_HTTP_REQ_CONTENT virtual TSG_OBJ_KEYWORDS --
15 TSG_FIELD_HTTP_RES_CONTENT virtual TSG_OBJ_KEYWORDS --
16 TSG_FIELD_SSL_SNI virtual TSG_OBJ_FQDN --
17 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN --
18 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN --
19 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN --
20 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
21 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
22 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
23 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
24 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
25 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
26 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
27 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
28 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
29 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
30 FW_PROFILE_DNS_RECORDS plugin {"key":1,"valid":5} --

35
scan/src/pangu_http.cpp
View File

@@ -74,6 +74,21 @@ void * pangu_http_ctx_new(unsigned int thread_id)
return (void *)ctx;
}
void pangu_http_ctx_free(void * pme)
{
struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
FREE(&ctx->enforce_rules);
Maat_clean_status(&(ctx->scan_mid));
ctx->scan_mid = NULL;
if(ctx->sp)
{
Maat_stream_scan_string_end(&(ctx->sp));
}
FREE(&ctx);
}
static int pangu_action_weight[__PG_ACTION_MAX] = {0};
void __pangu_action_weight_init() __attribute__((constructor, used));
void __pangu_action_weight_init()
@@ -218,18 +233,16 @@ char *web_json_table_add(void *pme)
return policy_payload;
}
void http_scan(const char * value, enum policy_type type, int protocol_field, void *pme, cJSON *data_obj, struct ipaddr *ip_addr)
void http_scan(const char *value, enum tsg_policy_type policy_type, int protocol_field, struct ipaddr *ip_addr, cJSON *data_obj, void *pme)
{
int scan_ret = 0, table_id = 0;
struct Maat_rule_t result[MAX_SCAN_RESULT];
char buff[VERIFY_STRING_MAX], * p = NULL;
size_t hit_cnt = 0, i = 0;
struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
if (protocol_field == PXY_CTRL_IP)
{
scan_ret = Maat_scan_proto_addr(g_pangu_rt->maat[type], g_pangu_rt->scan_table_id[type][protocol_field], ip_addr, 0,
scan_ret = Maat_scan_proto_addr(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_IP], ip_addr, 0,
ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
@@ -240,13 +253,13 @@ void http_scan(const char * value, enum policy_type type, int protocol_field, vo
if ((protocol_field == PXY_CTRL_HTTP_REQ_HDR) || (protocol_field == PXY_CTRL_HTTP_RES_HDR))
{
table_id = (protocol_field == PXY_CTRL_HTTP_REQ_HDR) ? g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_RES_HDR];
table_id = (protocol_field == PXY_CTRL_HTTP_REQ_HDR) ? g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_REQ_HDR] : g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_RES_HDR];
const char * str_field_name = NULL;
scan_ret = Maat_set_scan_status(g_pangu_rt->maat[type], &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
scan_ret = Maat_set_scan_status(g_pangu_rt->maat[policy_type], &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
str_field_name, strlen(str_field_name));
assert(scan_ret == 0);
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[type], table_id,
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], table_id,
CHARSET_UTF8, value, strlen(value),
ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
@@ -259,8 +272,8 @@ void http_scan(const char * value, enum policy_type type, int protocol_field, vo
if ((protocol_field == PXY_CTRL_HTTP_REQ_BODY) || protocol_field == PXY_CTRL_HTTP_RES_BODY)
{
assert(ctx->sp == NULL);
table_id = protocol_field == PXY_CTRL_HTTP_REQ_BODY ? g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_REQ_BODY] : g_pangu_rt->scan_table_id[type][PXY_CTRL_HTTP_RES_BODY];
ctx->sp = Maat_stream_scan_string_start(g_pangu_rt->maat[type], table_id, ctx->thread_id);
table_id = protocol_field == PXY_CTRL_HTTP_REQ_BODY ? g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_REQ_BODY] : g_pangu_rt->scan_table_id[policy_type][PXY_CTRL_HTTP_RES_BODY];
ctx->sp = Maat_stream_scan_string_start(g_pangu_rt->maat[policy_type], table_id, ctx->thread_id);
scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) value, (int) strlen(value),
ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid));
if (scan_ret > 0)
@@ -272,7 +285,7 @@ void http_scan(const char * value, enum policy_type type, int protocol_field, vo
goto decide;
}
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[type], g_pangu_rt->scan_table_id[type][protocol_field],
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][protocol_field],
CHARSET_UTF8, value, strlen(value),
ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
&(ctx->scan_mid), ctx->thread_id);
@@ -456,6 +469,7 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path)
g_pangu_rt->thread_num = verify->nr_work_threads;
g_pangu_rt->local_logger = verify->logger;
#if 1
g_pangu_rt->maat[PXY_TABLE_MANIPULATION] = create_maat_feather("static", profile_path, "MAAT", "table_info", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
if (!g_pangu_rt->maat[PXY_TABLE_MANIPULATION])
{
@@ -502,6 +516,7 @@ int pangu_policy_init(struct verify_proxy * verify, const char* profile_path)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Pangu HTTP Dynamic Maat TSG_DYN_SUBSCRIBER_IP EX data register failed.");
goto error_out;
}
#endif
ret = 0;
error_out:
return ret;