Merge branch 'main' of https://github.com/Montimage/mmt-security into…

… main

CHANGELOG.md

@@ -1,3 +1,11 @@
+# Version 1.2.19 (15 June 2023)
+- minor update in rules 96,97 and 98 concerining HTTP2 attacks detection
+
+# Version 1.2.18 (03 June 2023)
+- Add security rule 98 to detect attacks concerning HTTP2
+- Add warning messages when DPI payload points to outside of packet data
+- Print timeval in alert messages
+
 # Version 1.2.17 (17 May 2023)
 - Add 2 security rules, 96, 97 to detect attacks concerning HTTP2
 

Makefile

@@ -25,7 +25,7 @@ MMT_DPI_DIR := $(MMT_BASE)/dpi
 
 #get git version abbrev
 GIT_VERSION := $(shell git log --format="%h" -n 1)
-VERSION     := 1.2.17
+VERSION     := 1.2.19
 
 CACHE_LINESIZE := 64 #$(shell getconf LEVEL1_DCACHE_LINESIZE)
 

rules/96.http2_dos_recognition.xml

@@ -58,10 +58,10 @@ static inline bool em_5g_check_msg_throughput( const void *data ){
     description="5G Http2 DoS attack Recognition">
     <event value="COMPUTE" event_id="1" 
         description="HTTP2 check on the methods/ types that can realize a flooding"
-           boolean_expression="(((( http2.header_method == 131) || (http2.header_method==130))  || (http2.type==8)) &amp;&amp; (ip.src != ip.dst) )"/>
+        boolean_expression="(((( http2.header_method == 131) || (http2.header_method==130))  || (http2.type==8)) &amp;&amp; (ip.src != ip.dst) )"/>
 
    <event value="COMPUTE" event_id="2" 
         description="Calculate total"
-           boolean_expression="( #em_5g_check_msg_throughput( meta.utime ) )"/>
+        boolean_expression="( #em_5g_check_msg_throughput( meta.utime ) )"/>
 </property>
 </beginning>

rules/97.http2_compression_attack_recognition.xml

@@ -14,23 +14,24 @@ Since http2 tends to merge multiple packets, an upper limit is also set so as no
 #include "pre_embedded_functions.h"
 
 
-static int em_check( double header_length,double packet_id){
+static int em_check(
+	double header_length,double packet_id){	
 
 	//printf( " Rule 97:Recognized suspect packet. Length %f , packet id %d\n",header_length,(int)packet_id);
 	return 0;
-	
 }
 
+
 ]]></embedded_functions>
 
 <property value="THEN"  property_id="97" type_property="ATTACK" 
-    description="5G Http2 DoS attack Recognition" if_satisfied="">
+    description="5G Http2 Compression Attack" if_satisfied="">
     <event value="COMPUTE" event_id="1" 
-        description="HTTP2 Compression attack"
-           boolean_expression="(( ((((http2.header_length>350) &amp;&amp; (16384>http2.header_length )) &amp;&amp; ( http2.header_method == 131)) &amp;&amp;  #em_check(http2.header_length,meta.packet_index)) &amp;&amp; (2800>meta.packet_len)) &amp;&amp; (ip.src != ip.dst))"/>
+        description="Rule checks the dimension of the header length. If it is greater then a threshold an alert is launched"
+        boolean_expression="( ((http2.header_length>350) &amp;&amp; (16384>http2.header_length ) &amp;&amp; ( http2.header_method == 131)) &amp;&amp; ( ip.src != ip.dst ) )"/>
 
  <event value="COMPUTE" event_id="2" 
-           description="Nothing"
-           boolean_expression="( http2.header_method != 0)"/>  
+        description="Nothing"
+        boolean_expression="( http2.header_method != 0)"/>  
 </property>
 </beginning>

rules/98.http2_payload_fuzzing.xml

@@ -0,0 +1,45 @@
+<beginning>
+<!--
+This rule analizes char by char in order to find unusual characters in the payload of the packet that can indicate a possible fuzzing attack.Note that the format of the payload is json, and only post requests have a body,so there is a check on the header method.
+
+-->
+
+<embedded_functions><![CDATA[
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "mmt_lib.h"
+
+static bool em_check_fuzzing(int payload_length, const char* payload, double packet_id){
+
+	//char*data;
+	//data=(char*)payload_data;
+	bool result=false;
+	for (int i = 9; i < payload_length; i++) {
+		//printf("  %02hhX ",payload[i]);
+		//printf("  %c",payload[i]);
+		if((payload[i]=='\\')|| payload[i]=='#' || (payload[i]=='%') || (payload[i]=='$')){
+			result=true;
+
+			// printf( " Rule 98:Recognized suspect fuzzing. Length %d  %f\n",payload_length,packet_id);
+			 break;
+			}
+	}
+	//printf("\n");
+	return result;
+}
+
+
+]]></embedded_functions>
+
+<property value="THEN"  property_id="98" type_property="ATTACK" 
+    description="5G Http2 fuzzing Payload Recognition">
+     <event value="COMPUTE" event_id="1" 
+        description="Nothing"
+        boolean_expression=" true"/>  
+    <event value="COMPUTE" event_id="2" 
+        description="HTTP2 fuzzing"
+        boolean_expression="(  (( http2.header_method == 131)  &amp;&amp; #em_check_fuzzing(http2.payload_length , http2.p_payload,meta.packet_index) )  &amp;&amp; (ip.src != ip.dst))"/>
+</property>
+</beginning>

src/dpi/mmt_dpi.h

@@ -1,4 +1,4 @@
-/* This code is generated automatically on 2023-05-05 11:55:39 using MMT-DPI v1.7.7 (bb5a7176). */
+/* This code is generated automatically on 2023-06-02 12:19:50 using MMT-DPI v1.7.8 (68bd7d93). */
 /* If you want to modify something, goto /home/frank/mmt-security/src/main_gen_dpi.c */
  #ifndef __MMT_SEC_DPI_H_
  #define __MMT_SEC_DPI_H_
@@ -9783,6 +9783,6 @@ static inline long get_attribute_index( uint32_t p_id, uint32_t a_id ){
 	return -1;
 }
  static inline const char* mmt_version(){
-    return "1.7.7 (bb5a7176)";
+    return "1.7.8 (68bd7d93)";
 }
 #endif //__MMT_SEC_DPI_H_

src/lib/dpi_message_t.h

@@ -55,8 +55,17 @@ static inline size_t dpi_get_payload_len(const ipacket_t * ipacket, uint32_t pro
 			//get header offset of the proto after #proto_id
 			if ( (i+1) <= ipacket->proto_hierarchy->len){
 				offset +=ipacket->proto_headers_offset->proto_path[i+1];
+				//this condition occurs only when we have bug in DPI
+				// as it indicates that the header of the next protocol is outside of the packet data
+				//However we check it anyway to ensure no error in mmt-security
+				//We  also raise an alert
+				if( offset > ipacket->p_hdr->caplen ){
+					mmt_warn("In %"PRIu64"-th packet: incorrect header of %d-th protocol which is after the protocol having ID=%"PRIu32" is at %"PRIu32". "
+							"It is outside of packet as packet length=%"PRIu32".",
+							ipacket->packet_id, (i+1), proto_id, offset, ipacket->p_hdr->caplen );
+					return 0;
+				}
 				length = ipacket->p_hdr->caplen - offset;
-
 				return length;
 			}
 			return 0;
@@ -81,8 +90,18 @@ static inline size_t dpi_get_data_len( const ipacket_t * ipacket, uint32_t proto
 	for (i = 1; i < ipacket->proto_hierarchy->len; i++){
 		offset +=ipacket->proto_headers_offset->proto_path[i];
 		if ( ipacket->proto_hierarchy->proto_path[i] == proto_id ){
-			length = ipacket->p_hdr->caplen - offset;
+			//this condition occurs only when we have bug in DPI
+			// as it indicates that the header of the next protocol is outside of the packet data
+			//However we check it anyway to ensure no error in mmt-security
+			//We  also raise an alert
+			if( offset > ipacket->p_hdr->caplen ){
+				mmt_warn("In %"PRIu64"-th packet: incorrect header of %d-th protocol which has ID=%"PRIu32" is at %"PRIu32". "
+						"It is outside of packet as packet length=%"PRIu32".",
+						ipacket->packet_id, (i), proto_id, offset, ipacket->p_hdr->caplen );
+				return 0;
+			}
 
+			length = ipacket->p_hdr->caplen - offset;
 			return length;
 		}
 	}

src/lib/mmt_security.c

@@ -432,7 +432,7 @@ static const char* _convert_execution_trace_to_json_string( const mmt_array_t *t
 	const message_t *msg;
 	const message_element_t *me;
 	bool is_first;
-	struct timeval time;
+	struct timeval time, *ptime;
 	const mmt_array_t *proto_atts_event; //proto_att of an event
 	const proto_attribute_t *pro_ptr;
 	double double_val;
@@ -535,6 +535,12 @@ static const char* _convert_execution_trace_to_json_string( const mmt_array_t *t
 				u8_ptr = NULL;
 
 				switch( pro_ptr->dpi_type ){
+				case MMT_DATA_TIMEVAL:
+					u8_ptr = (uint8_t *) me->data;
+					ptime  = (struct timeval *) me->data;
+					size   = snprintf(str_ptr, total_len, "%ld.%06ld",
+							ptime->tv_sec, ptime->tv_usec );
+					break;
 				case MMT_DATA_IP_NET: /**< ip network address constant value */
 				case MMT_DATA_IP_ADDR: /**< ip address constant value */
 						u8_ptr = (uint8_t *) me->data;