Merge branch 'main' of https://github.com/Montimage/mmt-security into…

… main

.github/workflows/c-cpp.yml

@@ -26,7 +26,7 @@ jobs:
     - uses: actions/checkout@v2
     - name: build-from-source
       run: |
-         wget --no-verbose -O mmt-dpi.deb https://github.com/Montimage/mmt-dpi/releases/download/v1.7.3/mmt-dpi_1.7.3_92ce380_Linux_x86_64.deb
+         wget --no-verbose -O mmt-dpi.deb https://github.com/Montimage/mmt-dpi/releases/download/v1.7.7/mmt-dpi_1.7.7_bb5a717_Linux_x86_64.deb
          sudo dpkg -i mmt-dpi.deb
          sudo apt-get update -y && sudo apt-get install -y libxml2-dev libpcap-dev libconfuse-dev libpcap-dev
          make clean-all && make DEBUG=1 && make deb && make check VERBOSE=1  && sudo make install
@@ -67,4 +67,4 @@ jobs:
         upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps 
         asset_path: ${{ env.ARTIFACT_PATHNAME }}
         asset_name: ${{ env.ARTIFACT_NAME }}
-        asset_content_type: application/zip
+        asset_content_type: application/zip

CHANGELOG.md

@@ -1,2 +1,9 @@
+# Version 1.2.17 (17 May 2023)
+- Add 2 security rules, 96, 97 to detect attacks concerning HTTP2
+
+# Version 1.2.16 (23 Mar 2023)
+- Add prefix`MMT_SEC_` to the env variable in rule 95
+- Add security rule to detect Slowloris DoS attack
+
 # Version 1.2.15 (06 Jan 2023)
 - Add two rules, 94 and 95, to detect DoS in 5G control plane traffic

Makefile

@@ -25,15 +25,15 @@ MMT_DPI_DIR := $(MMT_BASE)/dpi
 
 #get git version abbrev
 GIT_VERSION := $(shell git log --format="%h" -n 1)
-VERSION     := 1.2.15
+VERSION     := 1.2.17
 
 CACHE_LINESIZE := 64 #$(shell getconf LEVEL1_DCACHE_LINESIZE)
 
 #set of library
-LIBS     += -ldl -lpthread -lxml2
+LIBS     += -ldl -lpthread -lxml2  -l:libmmt_tcpip.so   # -l:libmmt_http2.so
 
-CFLAGS   += -fPIC -Wall -DINSTALL_DIR=\"$(INSTALL_DIR)\" -DVERSION_NUMBER=\"$(VERSION)\" -DGIT_VERSION=\"$(GIT_VERSION)\" -DLEVEL1_DCACHE_LINESIZE=$(CACHE_LINESIZE) -Wno-unused-variable -Wno-unused-function -Wuninitialized -I/usr/include/libxml2/  -I$(MMT_DPI_DIR)/include  
-CLDFLAGS += -I$(MMT_DPI_DIR)/include -L$(MMT_DPI_DIR)/lib -L/usr/local/lib
+CFLAGS   += -fPIC -Wall -DINSTALL_DIR=\"$(INSTALL_DIR)\" -DVERSION_NUMBER=\"$(VERSION)\" -DGIT_VERSION=\"$(GIT_VERSION)\" -DLEVEL1_DCACHE_LINESIZE=$(CACHE_LINESIZE) -Wno-unused-variable -Wno-unused-function -Wuninitialized -I/usr/include/libxml2/  -I$(MMT_DPI_DIR)/include    #-I/usr/include/nghttp2 -lnghttp2
+CLDFLAGS += -I$(MMT_DPI_DIR)/include -L$(MMT_DPI_DIR)/lib -L/usr/local/lib #-I/usr/include/nghttp2 -lnghttp2
 
 #a specific flag for each .o file
 CFLAGS += $(CFLAGS-$@)
@@ -127,15 +127,15 @@ perf.%: $(LIB_OBJS) test/perf/%.o
 
 compile_rule: $(LIB_OBJS) $(SRCDIR)/main_gen_plugin.o
 	@echo "[COMPILE] $(MAIN_GEN_PLUGIN)"
-	$(QUIET) $(CC) -o $(MAIN_GEN_PLUGIN) $(CLDFLAGS) $^ $(LIBS)
+	$(QUIET) $(CC) -o $(MAIN_GEN_PLUGIN) $(CLDFLAGS) $^ $(LIBS) 
 
 sec_server: $(LIB_OBJS)  $(SRCDIR)/main_sec_server.o
 	@echo "[COMPILE] $@"
 	$(QUIET) $(CC) -Wl,--export-dynamic -o $(MAIN_SEC_SERVER)  $(CFLAGS)  $(CLDFLAGS) $^ $(LIBS)
 
 standalone:  $(MMT_DPI_DIR) $(LIB_OBJS)  $(SRCDIR)/main_sec_standalone.o $(RULE_OBJS) --refresh-plugin-engine
 	@echo "[COMPILE] $@"
-	$(QUIET) $(CC) -Wl,--export-dynamic -o $(MAIN_STAND_ALONE) $(CLDFLAGS) $(LIB_OBJS)  $(RULE_OBJS)  $(SRCDIR)/main_sec_standalone.o $(LIBS) -lpcap  -l:libmmt_core.so
+	$(QUIET) $(CC) -Wl,--export-dynamic -o $(MAIN_STAND_ALONE) $(CLDFLAGS) $(LIB_OBJS)  $(RULE_OBJS)  $(SRCDIR)/main_sec_standalone.o $(LIBS) -lpcap  -l:libmmt_core.so 
 
 rule_info: $(LIB_OBJS) $(SRCDIR)/main_plugin_info.o
 	@echo "[COMPILE] $(MAIN_PLUGIN_INFO)"

mmt-security.conf

@@ -1,5 +1,5 @@
 # maximum size, in bytes, of a report received from mmt-probe
-input.max_message_size 3000
+input.max_message_size 32824
 
 # number of fsm instances of one rule
 security.max_instances 100000
@@ -23,4 +23,4 @@ mempool.max_elements_per_pool 1000
 
 # This parameter set the Maximum bytes of a pool
 # 2 GBytes
-mempool.max_bytes 2000000000
+mempool.max_bytes 2000000000

rules/95.5g_dos_total_ngap_initialuemessage.xml

@@ -2,7 +2,7 @@
 
 <!--
 This rule detects whether 5G traffic in control plane overpasses the following limit:
-- total number of NGAP InitialUEMessage per millisecond >= 5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT  
+- total number of NGAP InitialUEMessage per millisecond >= MMT_SEC_5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT  
 
 Note: in the boolean_expression below, we use: 
 - ngap.procedure_code == 15: indicate InitialUEMessage
@@ -13,7 +13,7 @@ Note: in the boolean_expression below, we use:
 
 
 <property value="THEN" delay_units="ms" delay_min="0" delay_max="0" property_id="95" type_property="ATTACK" 
-    description="5G DoS attack in the control plane: total number of InitialUEMessage is greater than the limit fixed by the 5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT environment variable">
+    description="5G DoS attack in the control plane: total number of InitialUEMessage is greater than the limit fixed by the MMT_SEC_5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT environment variable">
     <event value="COMPUTE" event_id="1" 
         description="NGAP InitialUEMessage"
            boolean_expression="(( ngap.procedure_code == 15) &amp;&amp; ((sctp.dest_port == 38412) &amp;&amp;( ip.src != ip.dst )) )"/>
@@ -32,13 +32,13 @@ Note: in the boolean_expression below, we use:
 static unsigned long int limit_5g_dos_ngap_initialuemessage_per_ms = 0;
 
 void on_load(){
-	const char *str = getenv("5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT");
+	const char *str = getenv("MMT_SEC_5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT");
 	if( str == NULL ){
-		mmt_info("Rule 95: no value of 5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT" );
+		mmt_info("Rule 95: no value of MMT_SEC_5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT" );
 		return;
 	}
 	limit_5g_dos_ngap_initialuemessage_per_ms = strtoul( str, NULL, 0 );
-	mmt_info("Rule 95: set 5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT=%ld", 
+	mmt_info("Rule 95: set MMT_SEC_5G_DOS_NGAP_INITIALUEMESSAGE_MS_LIMIT=%ld", 
 		limit_5g_dos_ngap_initialuemessage_per_ms );
 }
 
@@ -69,4 +69,4 @@ static inline bool em_5g_check_msg_throughput( const void *data ){
 }
 ]]></embedded_functions>
 
-</beginning>
+</beginning>

rules/96.http2_dos_recognition.xml

@@ -0,0 +1,67 @@
+<beginning>
+
+<!--This rule counts how many packets arrive in interval of time include in [0,100] milliseconds. If the amount of packets that come in that time goes over a threshold decided by the user, then an alert is raised. Note that in order to set the threshold an environment variable called  MMT_SEC_5G_DOS_HTTP2_MS_LIMIT must be declared and set.
+If that variable is not declared a default value will be given.
+
+-->
+<embedded_functions><![CDATA[
+#include <stdlib.h>
+#include <mmt_core.h>
+
+
+#include<math.h>
+
+static unsigned long int limit_5g_dos_http2_per_ms = 0;
+
+void on_load(){
+	const char *str = getenv("MMT_SEC_5G_DOS_HTTP2_MS_LIMIT");
+	if( str == NULL ){
+		mmt_info("Rule 96: no value of MMT_SEC_5G_DOS_HTTP2_MS_LIMIT" );
+		limit_5g_dos_http2_per_ms=80;
+		
+	}
+	else
+		limit_5g_dos_http2_per_ms = strtoul( str, NULL, 0 );
+	mmt_info("Rule 96: set MMT_SEC_5G_DOS_HTTP2_MS_LIMIT=%ld", 
+		limit_5g_dos_http2_per_ms );
+}
+
+/*
+To detect DoS, we group messages by windows of millissecond,
+that is, all messages having the same millisecond number will be in the same window.
+We then check the number of message in a window to ensure that it is less than the given limit. 
+*/
+static inline bool em_5g_check_msg_throughput( const void *data ){
+	static int last_ms = 0; //current ms window
+	static unsigned long int counter = 0; //number of msg in the current ms window
+	
+	struct timeval *time = (struct timeval *) data;
+	// no limit
+	if( limit_5g_dos_http2_per_ms == 0 )
+		return true;
+
+	int millisecond = round( time->tv_usec / 1000.0 ); //microsecond to millisecond
+	
+	//new window => reset the counter
+	if( last_ms != millisecond ){
+		counter = 0;
+		last_ms = millisecond;
+	}
+	
+	counter ++;
+	//if(counter >= limit_5g_dos_http2_per_ms)
+		//printf("Rule 96 Dos recognized\n");
+	return (counter >= limit_5g_dos_http2_per_ms);
+}
+]]></embedded_functions>
+<property value="THEN" delay_units="ms" delay_min="0" delay_max="100" property_id="96" type_property="ATTACK" 
+    description="5G Http2 DoS attack Recognition">
+    <event value="COMPUTE" event_id="1" 
+        description="HTTP2 check on the methods/ types that can realize a flooding"
+           boolean_expression="(((( http2.header_method == 131) || (http2.header_method==130))  || (http2.type==8)) &amp;&amp; (ip.src != ip.dst) )"/>
+
+   <event value="COMPUTE" event_id="2" 
+        description="Calculate total"
+           boolean_expression="( #em_5g_check_msg_throughput( meta.utime ) )"/>
+</property>
+</beginning>

rules/97.http2_compression_attack_recognition.xml

@@ -0,0 +1,36 @@
+<beginning>
+<!-- 
+Compression attack involve the use of the compression in order to put a great amount of data in a single packet, in order to use a huge amount of 
+computational resources by the server after the decompression. In this case the rule checks the length of the packet. 
+Since http2 tends to merge multiple packets, an upper limit is also set so as not to confuse the attack with the coalescing operated by the protocol
+-->
+<embedded_functions><![CDATA[
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "mmt_lib.h"
+#include "tcpip/mmt_tcpip_protocols.h"
+#include "pre_embedded_functions.h"
+
+
+static int em_check( double header_length,double packet_id){
+
+	//printf( " Rule 97:Recognized suspect packet. Length %f , packet id %d\n",header_length,(int)packet_id);
+	return 0;
+	
+}
+
+]]></embedded_functions>
+
+<property value="THEN"  property_id="97" type_property="ATTACK" 
+    description="5G Http2 DoS attack Recognition" if_satisfied="">
+    <event value="COMPUTE" event_id="1" 
+        description="HTTP2 Compression attack"
+           boolean_expression="(( ((((http2.header_length>350) &amp;&amp; (16384>http2.header_length )) &amp;&amp; ( http2.header_method == 131)) &amp;&amp;  #em_check(http2.header_length,meta.packet_index)) &amp;&amp; (2800>meta.packet_len)) &amp;&amp; (ip.src != ip.dst))"/>
+
+ <event value="COMPUTE" event_id="2" 
+           description="Nothing"
+           boolean_expression="( http2.header_method != 0)"/>  
+</property>
+</beginning>