{ "idle_timeout", Parameter::PT_INT, "1:max31", "3600",
"session deletion on idle " },
+ { "asymmetric_ids_flush_threshold", Parameter::PT_INT, "1:max31", "65535",
+ "max bytes queued on asymmetric flow before flush in IDS mode" },
+
+
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
else if ( v.is("max_segments") )
config->max_queued_segs = v.get_uint32();
+ else if ( v.is("asymmetric_ids_flush_threshold") )
+ config->asymmetric_ids_flush_threshold = v.get_uint32();
+
else if ( v.is("max_window") )
config->max_window = v.get_uint32();
&& !p->flow->searching_for_service();
}
-bool TcpReassembler::flush_on_asymmetric_flow(uint32_t flushed, snort::Packet *p)
+bool TcpReassembler::asymmetric_flow_flushed(uint32_t flushed, snort::Packet *p)
{
bool asymmetric = flushed && seglist.seg_count && !p->flow->two_way_traffic() && !p->ptrs.tcph->is_syn();
if ( asymmetric )
virtual int eval_flush_policy_on_ack(snort::Packet*) = 0;
virtual int eval_flush_policy_on_data(snort::Packet*) = 0;
+ virtual int eval_asymmetric_flush(snort::Packet*) = 0;
virtual int flush_stream(snort::Packet*, uint32_t dir, bool final_flush = false) = 0;
void flush_queued_segments(snort::Flow* flow, bool clear, snort::Packet* = nullptr);
void finish_and_final_flush(snort::Flow* flow, bool clear, snort::Packet*);
void check_first_segment_hole();
uint32_t perform_partial_flush(snort::Packet*, uint32_t flushed = 0);
bool final_flush_on_fin(int32_t flush_amt, snort::Packet*, FinSeqNumStatus);
- bool flush_on_asymmetric_flow(uint32_t flushed, snort::Packet *p);
+ bool asymmetric_flow_flushed(uint32_t flushed, snort::Packet *p);
ProtocolAwareFlusher paf;
TcpStreamTracker& tracker;
int eval_flush_policy_on_data(snort::Packet*) override
{ return 0; }
+ int eval_asymmetric_flush(snort::Packet*) override
+ { return 0; }
+
int flush_stream(snort::Packet*, uint32_t, bool) override
{ return 0; }
if ( tracker.is_retransmit_of_held_packet(p) )
flushed = perform_partial_flush(p, flushed);
- if ( flush_on_asymmetric_flow(flushed, p) )
+ if ( !p->flow->two_way_traffic() and
+ seglist.get_seg_bytes_total() > seglist.session->tcp_config->asymmetric_ids_flush_threshold )
{
- purge_to_seq(seglist.head->start_seq() + flushed);
- tracker.r_win_base = seglist.seglist_base_seq;
- tcpStats.flush_on_asymmetric_flow++;
+ seglist.skip_holes();
+ flushed += eval_asymmetric_flush(p);
}
return flushed;
}
+int TcpReassemblerIds::eval_asymmetric_flush(snort::Packet* p)
+{
+ // asymmetric flush in IDS mode.. advance r_win_base to end of in-order data
+ tracker.r_win_base = tracker.rcv_nxt;
+
+ uint32_t flushed = eval_flush_policy_on_ack(p);
+ if ( flushed )
+ tcpStats.flush_on_asymmetric_flow++;
+
+ return flushed;
+}
+
int TcpReassemblerIds::flush_stream(Packet* p, uint32_t dir, bool final_flush)
{
- if ( seglist.session->flow->two_way_traffic()
- or (tracker.get_tcp_state() == TcpStreamTracker::TCP_MID_STREAM_RECV) )
- {
- uint32_t bytes = get_q_footprint(); // num bytes in post-ack mode
- if ( bytes )
- return flush_to_seq(bytes, p, dir);
- }
+ uint32_t bytes = 0;
+
+ if ( seglist.session->flow->two_way_traffic() )
+ bytes = get_q_footprint();
+ else
+ bytes = get_q_sequenced();
+
+ if ( bytes )
+ return flush_to_seq(bytes, p, dir);
if ( final_flush )
return do_zero_byte_flush(p, dir);
int eval_flush_policy_on_ack(snort::Packet*) override;
int eval_flush_policy_on_data(snort::Packet*) override;
+ int eval_asymmetric_flush(snort::Packet*) override;
int flush_stream(snort::Packet*, uint32_t dir, bool final_flush = false) override;
FlushPolicy get_flush_policy() const override
if ( tracker.is_retransmit_of_held_packet(p) )
flushed = perform_partial_flush(p, flushed);
- if ( flush_on_asymmetric_flow(flushed, p) )
+ if ( asymmetric_flow_flushed(flushed, p) )
{
purge_to_seq(seglist.head->start_seq() + flushed);
tracker.r_win_base = seglist.seglist_base_seq;
return flushed;
}
+int TcpReassemblerIps::eval_asymmetric_flush(snort::Packet* p)
+{
+ return eval_flush_policy_on_data(p);
+}
+
int TcpReassemblerIps::flush_stream(Packet* p, uint32_t dir, bool final_flush)
{
if ( seglist.session->flow->two_way_traffic()
int eval_flush_policy_on_ack(snort::Packet*) override;
int eval_flush_policy_on_data(snort::Packet*) override;
+ int eval_asymmetric_flush(snort::Packet*) override;
+
int flush_stream(snort::Packet*, uint32_t dir, bool final_flush = false) override;
FlushPolicy get_flush_policy() const override
tracker->set_order(TcpStreamTracker::OUT_OF_SEQUENCE);
if (PacketTracer::is_active())
- PacketTracer::log("Stream: Skipped %u packets before seglist hole)\n", packets_skipped);
+ PacketTracer::log("Stream: Skipped %u packets before seglist hole\n", packets_skipped);
}
void TcpReassemblySegments::advance_rcv_nxt(TcpSegmentNode *tsn)
tcpStats.exceeded_max_bytes++;
bool ret_val = true;
- // if inline and this is an asymmetric flow then skip over any seglist holes
+ // if this is an asymmetric flow then skip over any seglist holes
// and flush to free up seglist space
- if ( tsd.is_ips_policy_inline() && !tsd.get_pkt()->flow->two_way_traffic() )
+ if ( !tsd.get_pkt()->flow->two_way_traffic() )
{
space_left = listener->kickstart_asymmetric_flow(tsd, tcp_config->max_queued_bytes);
if ( space_left >= (int32_t)tsd.get_len() )
{
tcpStats.exceeded_max_segs++;
- // if inline and this is an asymmetric flow then skip over any seglist holes
+ // if this is an asymmetric flow then skip over any seglist holes
// and flush to free up seglist space
- if ( tsd.is_ips_policy_inline() && !tsd.get_pkt()->flow->two_way_traffic() )
+ if ( !tsd.get_pkt()->flow->two_way_traffic() )
{
listener->kickstart_asymmetric_flow(tsd, tcp_config->max_queued_bytes);
if ( listener->seglist.get_seg_count() + 1 <= tcp_config->max_queued_segs )
}
trk.set_tcp_state(TcpStreamTracker::TCP_FIN_WAIT1);
}
+
return true;
}
str += std::to_string(max_queued_segs);
str += " }";
ConfigLogger::log_value("queue_limit", str.c_str());
-
+ str = "{ flush threshold = ";
+ str += std::to_string(asymmetric_ids_flush_threshold);
+ str += " }";
+ ConfigLogger::log_value("asymmetric_ids", str.c_str());
ConfigLogger::log_flag("reassemble_async", !(flags & STREAM_CONFIG_NO_ASYNC_REASSEMBLY));
ConfigLogger::log_limit("require_3whs", hs_timeout, -1, hs_timeout < 0 ? hs_timeout : -1);
ConfigLogger::log_value("session_timeout", session_timeout);
uint32_t max_queued_bytes = 4194304;
uint32_t max_queued_segs = 3072;
+ uint32_t asymmetric_ids_flush_threshold = 65535;
uint32_t max_consec_small_segs = STREAM_DEFAULT_CONSEC_SMALL_SEGS;
uint32_t max_consec_small_seg_size = STREAM_DEFAULT_MAX_SMALL_SEG_SIZE;
oaitw_reassembler = nullptr;
}
- reassembler->eval_flush_policy_on_ack(p);
-
- return 0;
+ return reassembler->eval_flush_policy_on_ack(p);
}
int TcpStreamTracker::eval_flush_policy_on_data(snort::Packet* p)
return 0;
}
+int TcpStreamTracker::eval_asymmetric_flush(snort::Packet* p)
+{
+ if( oaitw_reassembler )
+ {
+ delete oaitw_reassembler;
+ oaitw_reassembler = nullptr;
+ }
+
+ reassembler->eval_asymmetric_flush(p);
+
+ return 0;
+}
+
TcpStreamTracker::TcpEvent TcpStreamTracker::set_tcp_event(const TcpSegmentDescriptor& tsd)
{
bool talker;
//assert(server_side == to_server && server_side == !tracker.client_tracker);
#endif
+ if (PacketTracer::is_active())
+ PacketTracer::log("Stream: %s tracker fallback to the Atom splitter.\n",
+ client_tracker ? "client" : "server");
+
set_splitter(new AtomSplitter(!client_tracker));
tcpStats.partial_fallbacks++;
else
reassembler->reset_paf();
- eval_flush_policy_on_data(tsd.get_pkt());
+ eval_asymmetric_flush(tsd.get_pkt());
int32_t space_left = max_queued_bytes - seglist.get_seg_bytes_total();
int eval_flush_policy_on_ack(snort::Packet*);
int eval_flush_policy_on_data(snort::Packet*);
+ int eval_asymmetric_flush(snort::Packet*);
void update_stream_order(const TcpSegmentDescriptor&, bool aligned);
void fallback();
projects / thirdparty / snort3.git / commitdiff
