Merge pull request #975 in SNORT/snort3 from delete_inspector to master
authorRuss Combs (rucombs) <rucombs@cisco.com>
Fri, 11 Aug 2017 16:31:22 +0000 (12:31 -0400)
committerRuss Combs (rucombs) <rucombs@cisco.com>
Fri, 11 Aug 2017 16:31:22 +0000 (12:31 -0400)
Squashed commit of the following:

commit bc33c5a6534764063530ab181422f6a0bb6ac9d1
Author: Bhagya Tholpady <bbantwal@cisco.com>
Date:   Wed Jul 26 11:05:30 2017 -0400

    control: delete inspector from the default inspection policy

12 files changed:
src/framework/inspector.h
src/main.cc
src/main.h
src/main/snort.cc
src/main/snort.h
src/main/snort_config.cc
src/main/snort_module.cc
src/managers/inspector_manager.cc
src/managers/inspector_manager.h
src/network_inspectors/binder/binder.cc
src/utils/stats.cc
src/utils/stats.h

index b90a9ed9e1330cc42385b5c13411d72a1daeabef..b12c75f1e5c4b9e63794e3f6046802fbea3ef63c 100644 (file)
@@ -64,6 +64,7 @@ public:
     // return verification status
     virtual bool configure(SnortConfig*) { return true; }
     virtual void show(SnortConfig*) { }
+    virtual void update(SnortConfig*, const char*) { }
 
     // packet thread functions
     // tinit, tterm called on default policy instance only
index 52e341d4cac5a7e2c52d8297d8f641a365e536d6..c3a3cf7d008f4d70ab2b73d46892cde742da1fdd 100644 (file)
@@ -353,7 +353,7 @@ int main_reload_policy(lua_State* L)
     }
 
     SnortConfig* old = snort_conf;
-    SnortConfig* sc = Snort::get_reloaded_policy(old, fname);
+    SnortConfig* sc = Snort::get_updated_policy(old, fname, nullptr);
 
     if ( !sc )
     {
@@ -417,6 +417,47 @@ int main_reload_hosts(lua_State* L)
     return 0;
 }
 
+int main_delete_inspector(lua_State* L)
+{
+    if ( Swapper::get_reload_in_progress() )
+    {
+        current_request->respond("== delete pending; retry\n");
+        return 0;
+    }
+    const char* iname =  nullptr;
+
+    if ( L )
+    {
+        Lua::ManageStack(L, 1);
+        iname = luaL_checkstring(L, 1);
+    }
+
+    if ( iname and *iname )
+        current_request->respond(".. deleting inspector\n");
+    else
+    {
+        current_request->respond("== inspector name required\n");
+        return 0;
+    }
+
+    SnortConfig* old = snort_conf;
+    SnortConfig* sc = Snort::get_updated_policy(old, nullptr, iname);
+
+    if ( !sc )
+    {
+        current_request->respond("== reload failed\n");
+        return 0;
+    }
+    snort_conf = sc;
+    proc_stats.inspector_deletions++;
+
+    bool from_shell = ( L != nullptr );
+    current_request->respond(".. deleted inspector\n", from_shell);
+    broadcast(get_command(new ACSwap(new Swapper(old, sc)), from_shell));
+
+    return 0;
+}
+
 int main_process(lua_State* L)
 {
     const char* f = lua_tostring(L, 1);
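Review bot: The only persistent record of a successful deletion is the `proc_stats.inspector_deletions` counter; the name of the inspector removed from the running policy is never logged, so an operator auditing a later incident cannot tell what was taken out or when. Since the operator-supplied name has already been validated as non-empty, a line after the counter such as `LogMessage("== deleted inspector %s from default policy\n", iname);` would give that trail (LogMessage is the printf-style logger used by the binder in this commit). Separately, the failure response `"== reload failed\n"` is copied from the reload commands; for this command the likely cause is an unknown inspector name, so `"== delete failed; unknown inspector or reconfigure error\n"` would be more useful to the caller.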
index c9a7e88e3c93709c51434bfc7d2791840d95c626..006b7a917704575c458bfeddf2915fc8d72e7e2a 100644 (file)
@@ -26,6 +26,7 @@ struct lua_State;
 const char* get_prompt();
 
 // commands provided by the snort module
+int main_delete_inspector(lua_State* = nullptr);
 int main_dump_stats(lua_State* = nullptr);
 int main_rotate_stats(lua_State* = nullptr);
 int main_reload_config(lua_State* = nullptr);
index 485a07eb26757c980e04df8c91a47c8d50b10777..f102bd6c5109a61453a99622c2a4f5b4ffa680c7 100644 (file)
@@ -631,22 +631,39 @@ SnortConfig* Snort::get_reload_config(const char* fname)
     return sc;
 }
 
-SnortConfig* Snort::get_reloaded_policy(SnortConfig* other_conf, const char* fname)
+SnortConfig* Snort::get_updated_policy(SnortConfig* other_conf, const char* fname, const char* iname)
 {
     reloading = true;
 
     SnortConfig* sc = new SnortConfig(other_conf);
-    Shell sh = Shell(fname);
-    sh.configure(sc);
 
-    if ( ModuleManager::get_errors() || !sc->verify() )
+    if ( fname )
     {
-        sc->cloned = true;
-        InspectorManager::update_policy(other_conf);
-        delete sc;
-        set_policies(other_conf);
-        reloading = false;
-        return nullptr;
+        Shell sh = Shell(fname);
+        sh.configure(sc);
+
+        if ( ModuleManager::get_errors() || !sc->verify() )
+        {
+            sc->cloned = true;
+            InspectorManager::update_policy(other_conf);
+            delete sc;
+            set_policies(other_conf);
+            reloading = false;
+            return nullptr;
+        }
+    }
+
+    if ( iname )
+    {
+        if ( !InspectorManager::delete_inspector(sc, iname) )
+        {
+            sc->cloned = true;
+            InspectorManager::update_policy(other_conf);
+            delete sc;
+            set_policies(other_conf);
+            reloading = false;
+            return nullptr;
+        }
     }
 
     if ( !InspectorManager::configure(sc, true) )
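Review bot: The six-line failure sequence (mark cloned, restore the old policy, delete the clone, reset `reloading`, return nullptr) now appears twice, once per branch, and will have to be kept in sync with whatever the configure failure below the hunk does. Folding it into a single local cleanup path removes the duplication and makes the two error branches one-liners; the body continues past the hunk, so only the visible part is rewritten here. It would also be worth a comment noting that `fname` and `iname` are both optional and that the function is now reached with exactly one of them set by its two callers.
```cpp
SnortConfig* Snort::get_updated_policy(SnortConfig* other_conf, const char* fname, const char* iname)
{
    reloading = true;

    SnortConfig* sc = new SnortConfig(other_conf);

    // single back-out path for every failure before the new config is adopted:
    // restore the old policy, drop the clone and clear the reload flag
    auto discard = [&]() -> SnortConfig*
    {
        sc->cloned = true;
        InspectorManager::update_policy(other_conf);
        delete sc;
        set_policies(other_conf);
        reloading = false;
        return nullptr;
    };

    if ( fname )
    {
        Shell sh = Shell(fname);
        sh.configure(sc);

        if ( ModuleManager::get_errors() || !sc->verify() )
            return discard();
    }

    if ( iname and !InspectorManager::delete_inspector(sc, iname) )
        return discard();

    // … unchanged: InspectorManager::configure and the remainder of the function …
```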
index cb19533ca2497b11b432f7088a8a4fa62492c830..0be7708bc40c59d8821e1636287033ae11a66ee4 100644 (file)
@@ -38,7 +38,7 @@ class Snort
 {
 public:
     static SnortConfig* get_reload_config(const char* fname);
-    static SnortConfig* get_reloaded_policy(SnortConfig*, const char* fname);
+    static SnortConfig* get_updated_policy(SnortConfig*, const char* fname, const char* iname);
     static void setup(int argc, char* argv[]);
     static bool drop_privileges();
     static void do_pidfile();
index b25cf1c967ac5d673d6c1df1ac60c3bb751ba626..7fb44042290d53f2c11060186644acf993cb5a3f 100644 (file)
@@ -325,7 +325,6 @@ void SnortConfig::clone(SnortConfig* conf)
 
     if (conf->obfuscation_net.get_family() != 0)
         memcpy(&obfuscation_net, &conf->obfuscation_net, sizeof(obfuscation_net));
-
 }
 
 // merge in everything from the command line config
index fcb83a1badeeb015f33635bc5a6785e0ea6dbc3d..3b6a069262415d5ccfafc1fc2b2520700a669e88 100644 (file)
@@ -59,9 +59,18 @@ static const Parameter s_reload[] =
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
 
+static const Parameter s_delete[] =
+{
+    { "inspector", Parameter::PT_STRING, nullptr, nullptr,
+      "name of inspector to delete" },
+
+    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
 static const Command snort_cmds[] =
 {
     { "show_plugins", main_dump_plugins, nullptr, "show available plugins" },
+    { "delete_inspector", main_delete_inspector, s_delete, "delete an inspector from the default policy" },
     { "dump_stats", main_dump_stats, nullptr, "show summary statistics" },
     { "rotate_stats", main_rotate_stats, nullptr, "roll perfmonitor log files" },
     { "reload_config", main_reload_config, s_reload, "load new configuration" },
index 61d4cfb1c92fad2aa6ee2b2cd02ecf1c032a420c..bc0878090c2ba4a2c43902de5b988863ff045e60 100644 (file)
@@ -98,6 +98,7 @@ struct PHClass
 
 enum ReloadType {
     RELOAD_TYPE_NONE = 0,
+    RELOAD_TYPE_DELETED,
     RELOAD_TYPE_REENABLED,
     RELOAD_TYPE_NEW,
     RELOAD_TYPE_MAX
@@ -124,6 +125,7 @@ struct PHInstance
 
     bool is_reloaded()
     { return ((reload_type == RELOAD_TYPE_REENABLED) or
+            (reload_type == RELOAD_TYPE_DELETED) or
             (reload_type == RELOAD_TYPE_NEW)); }
 
     ReloadType get_reload_type()
@@ -513,6 +515,30 @@ InspectorType InspectorManager::get_type(const char* key)
     return p->get_api()->type;
 }
 
+bool InspectorManager::delete_inspector(SnortConfig* sc, const char* iname)
+{
+    bool ok = false;
+    if ( sc->policy_map->inspection_policy.size() )
+    {
+        FrameworkPolicy* fp = sc->policy_map->inspection_policy[0]->framework_policy;
+        std::vector<PHInstance*>::iterator old_it;
+
+        if ( get_instance(fp, iname, false, old_it) )
+        {
+            (*old_it)->set_reloaded(RELOAD_TYPE_DELETED);
+            fp->ilist.erase(old_it);
+            ok = true;
+            std::vector<PHInstance*>::iterator bind_it;
+            if ( get_instance(fp, "binder", false, bind_it) )
+            {
+                (*bind_it)->handler->update(sc, iname);
+            }
+        }
+    }
+
+    return ok;
+}
+
 void InspectorManager::free_inspector(Inspector* p)
 {
     p->get_api()->dtor(p);
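Review bot: After `fp->ilist.erase(old_it)` the `PHInstance` that was just tagged `RELOAD_TYPE_DELETED` is no longer reachable from the policy, but it is neither freed here nor handed to anything else; unless the swap code still holds it through another path, the instance and its handler leak on every deletion, and if they are freed elsewhere the tag set one line earlier is never read because `is_reloaded()` (extended in the hunk at the top of this file) only sees instances still in `ilist`. Please document the intended owner at the erase, e.g. `// instance is dropped from ilist only; freed by <owner> when the old config is swapped out`, or free it here if nothing else will. A second thing to confirm is that only `inspection_policy[0]` is touched, so bindings to the deleted inspector in non-default policies are left in place; if that is by design the function comment should say "default policy only".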
index d1fe4f0be4b8702321033a6996bd9dda2018722b..117c27ac5df3176d112e452fef13182cf74852f1 100644 (file)
@@ -54,6 +54,7 @@ public:
     static void instantiate(
         const InspectApi*, Module*, SnortConfig*, const char* name = nullptr);
 
+    static bool delete_inspector(SnortConfig* sc, const char* iname);
     static void free_inspector(Inspector*);
     static InspectSsnFunc get_session(uint16_t proto);
 
index 8269b5bd2a4ab5912030447a2721bbcc3a42e3ec..cf1b7c90857ae1687cc7e26b0623b721e8da95f8 100644 (file)
@@ -410,6 +410,8 @@ public:
     void show(SnortConfig*) override
     { LogMessage("Binder\n"); }
 
+    void update(SnortConfig*, const char*) override;
+
     bool configure(SnortConfig*) override;
 
     void eval(Packet*) override;
@@ -458,6 +460,26 @@ bool Binder::configure(SnortConfig* sc)
     return true;
 }
 
+void Binder::update(SnortConfig* sc, const char* name)
+{
+    vector<Binding*>::iterator it;
+    for ( it = bindings.begin(); it != bindings.end(); ++it )
+    {
+        const char* key;
+        Binding *pb = *it;
+        if ( pb->use.svc.empty() )
+            key = pb->use.name.c_str();
+        else
+            key = pb->use.svc.c_str();
+        if ( !strcmp(key, name) )
+        {
+            bindings.erase(it);
+            delete pb;
+            return;
+        }
+    }
+}
+
 // FIXIT-M need to consider binding of ips rules / policy
 // possibly split bindings into these categories
 void Binder::eval(Packet* p)
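Review bot: `Binder::update` removes only the first binding whose key matches and then returns, but several bindings (different ports, zones or networks) can legitimately resolve to the same inspector, so every match after the first survives with a reference to an inspector that has just been deleted from the policy. Removing all matches with an erase loop closes that gap; the `sc` parameter is unused and can be left unnamed to avoid a warning. It would also be worth confirming that comparing against `use.svc` is intended, since a service name is not obviously the same string as the deleted inspector's name and such bindings would then never match.
```cpp
void Binder::update(SnortConfig*, const char* name)
{
    // several bindings may point at the same inspector: drop every one of them,
    // not just the first match
    auto refers_to = [name](const Binding* pb)
    {
        const char* key = pb->use.svc.empty() ? pb->use.name.c_str() : pb->use.svc.c_str();
        return !strcmp(key, name);
    };

    for ( auto it = bindings.begin(); it != bindings.end(); )
    {
        if ( refers_to(*it) )
        {
            delete *it;
            it = bindings.erase(it);
        }
        else
            ++it;
    }
}
```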
index 67c102424d4cdcdecd6f4d7619b805174bdb5818..5d6a2f99a2e670ae8df9d9ca950cad49897e1593 100644 (file)
@@ -219,6 +219,7 @@ const PegInfo proc_names[] =
     { "signals", "total signals processed" },
     { "conf_reloads", "number of times configuration was reloaded" },
     { "policy_reloads", "number of times policies were reloaded" },
+    { "inspector_deletions", "number of times inspectors were deleted" },
     { "daq_reloads", "number of times daq configuration was reloaded" },
     { "attribute_table_reloads", "number of times hosts table was reloaded" },
     { "attribute_table_hosts", "total number of hosts in table" },
index 7e08423d952f663ec0a0e49c0f31c046f33964fe..0fd7ec6c1741eb3857fd346f2fefbefd3b208167 100644 (file)
@@ -62,6 +62,7 @@ struct ProcessCount
     PegCount signals;
     PegCount conf_reloads;
     PegCount policy_reloads;
+    PegCount inspector_deletions;
     PegCount daq_reloads;
     PegCount attribute_table_reloads;
     PegCount attribute_table_hosts;