From: Russ Combs (rucombs) Date: Thu, 12 Jan 2017 17:30:31 +0000 (-0500) Subject: Merge pull request #772 in SNORT/snort3 from sdf_rebuilt to master X-Git-Tag: 3.0.0-233~112 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e3abdd922c0ae0de29b8643666dd0eebb00986d;p=thirdparty%2Fsnort3.git Merge pull request #772 in SNORT/snort3 from sdf_rebuilt to master Squashed commit of the following: commit 17e64dab9b41ff5f511d2f658f6b5786a9ba2c3b Author: Bhagya Tholpady Date: Wed Jan 11 15:36:17 2017 -0500 update per review comments - remove spurios space commit 4c57328e70f71d0982e5839021396f798167774f Author: Bhagya Tholpady Date: Wed Jan 11 15:06:36 2017 -0500 update per review comments commit 4d343bfbabb1e1bc434557150179e48ee0f92af2 Author: Bhagya Tholpady Date: Wed Jan 11 13:50:00 2017 -0500 delete obfuscator for rebuilt packets commit 8b97d1de63620836d3f383f785c4eb07dbfb5d54 Author: Bhagya Tholpady Date: Tue Jan 10 14:51:46 2017 -0500 fix obfuscation offset for sdf commit 5dd32194356ded49d1275a1796ba4df7d6c702db Merge: 562ce29 f14f7db Author: Bhagya Tholpady Date: Tue Jan 10 14:51:01 2017 -0500 Merge branch 'master' of https://bitbucket-eng-rtp1.cisco.com/bitbucket/scm/snort/snort3 commit 562ce2927cf84f5927bc583be6b45c08659c14c9 Author: Bhagya Tholpady Date: Tue Jan 10 00:29:40 2017 -0500 obfuscate stream rebuilt payload
---
diff --git a/src/log/log_text.cc b/src/log/log_text.cc
index 566038235..f1f705868 100644
--- a/src/log/log_text.cc
+++ b/src/log/log_text.cc
@@ -1478,7 +1478,7 @@ void LogPayload(TextLog* log, Packet* p)
 if ( p->obfuscator )
 {
 // FIXIT-P avoid string copy
- std::string buf(p->data, p->data + p->dsize);
+ std::string buf((const char*)p->data, p->dsize);
 for ( const auto& b : *p->obfuscator )
 buf.replace(b.offset, b.length, b.length, p->obfuscator->get_mask_char());
diff --git a/src/loggers/alert_fast.cc b/src/loggers/alert_fast.cc
index feb2b45ba..4ea8548eb 100644
--- a/src/loggers/alert_fast.cc
+++ b/src/loggers/alert_fast.cc
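Review bot: The masking loop directly below the changed constructor in LogPayload hands `b.offset` and `b.length` to `buf.replace()` without comparing them with the size of the copied payload. `std::string::replace` throws `std::out_of_range` when the offset lies past the end of the string, and when `offset + length` runs past the end it grows the buffer instead of masking in place; no handler for that exception is visible in the hunk. The squashed commit messages describe changing obfuscation offsets for rebuilt payload, so a block computed against a different buffer is the case to guard; clamp each block as in the excerpt below (assuming `offset` and `length` are unsigned) and consider counting skipped blocks, since a skip means data may have been left unmasked. The new branch in FastLogger::alert (src/loggers/alert_fast.cc) repeats the same loop and needs the same guard. LogPayload continues past the end of the hunk, so how `buf` is used afterwards is not visible here.

```cpp
// … unchanged: std::string buf((const char*)p->data, p->dsize); …
for ( const auto& b : *p->obfuscator )
{
    // a block starting past the copied payload does not belong to this buffer
    if ( b.offset >= buf.size() )
        continue;

    const size_t len = std::min<size_t>(b.length, buf.size() - b.offset);
    buf.replace(b.offset, len, len, p->obfuscator->get_mask_char());
}
```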
@@ -43,6 +43,7 @@
 #include "framework/module.h"
 #include "log/log_text.h"
 #include "log/text_log.h"
+#include "log/obfuscator.h"
 #include "main/snort_config.h"
 #include "packet_io/active.h"
 #include "packet_io/intf.h"
@@ -219,6 +220,16 @@ void FastLogger::alert(Packet* p, const char* msg, Event* event)
 TextLog_NewLine(fast_log);
 if (p->has_ip())
 LogIPPkt(fast_log, p);
+ else if ( p->obfuscator )
+ {
+ // FIXIT-P avoid string copy
+ std::string buf((const char*)p->data, p->dsize);
+
+ for ( const auto& b : *p->obfuscator )
+ buf.replace(b.offset, b.length, b.length, p->obfuscator->get_mask_char());
+
+ LogNetData(fast_log, (const uint8_t*)buf.c_str(), p->dsize, p);
+ }
 else
 LogNetData(fast_log, p->data, p->dsize, p);
diff --git a/src/loggers/unified2.cc b/src/loggers/unified2.cc
index 97cc97418..6bb64cace 100644
--- a/src/loggers/unified2.cc
+++ b/src/loggers/unified2.cc
@@ -535,7 +535,7 @@ static void _Unified2LogPacketAlert(
 {
 off_t off = p->data - p->pkt;
- if ( !p->is_data() )
+ if ( p->is_data() )
 off = 0;
 for ( const auto& b : *p->obfuscator )
diff --git a/src/protocols/packet.cc b/src/protocols/packet.cc
index 6aad39d31..566c320bb 100644
--- a/src/protocols/packet.cc
+++ b/src/protocols/packet.cc
@@ -53,6 +53,8 @@ Packet::Packet(bool packet_data)
 Packet::~Packet()
 {
+ if (obfuscator)
+ delete obfuscator;
 if (allocated)
 delete[] (uint8_t*)pkth;
 delete[] layers;
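Review bot: The new `else if ( p->obfuscator )` branch in FastLogger::alert is a copy of the masking block in LogPayload (src/log/log_text.cc), down to the `FIXIT-P avoid string copy` comment, so any correction to the masking has to be made in two loggers and can drift. A single helper next to LogPayload that returns the masked copy of `p->data` would let both call sites share one implementation. The branch is also reached only when `p->has_ip()` is false; whether LogIPPkt applies the obfuscator on the IP path is not visible in this hunk and is worth confirming, because otherwise the sensitive bytes would be masked for non-IP data only. If the block stays inline, `LogNetData(fast_log, reinterpret_cast<const uint8_t*>(buf.data()), p->dsize, p);` avoids the C-style cast.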
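Review bot: The whole fix in _Unified2LogPacketAlert is the flipped test `if ( p->is_data() )`, and nothing at that line says why data packets must use a zero offset while other packets use `p->data - p->pkt`. A one-line comment stating the invariant would protect it from being inverted again, for example `// obfuscator offsets are relative to p->data; only raw packets need the header length added` (wording to be confirmed by the author, since the reason is inferred). The assignment could also be written once as `const off_t off = p->is_data() ? 0 : p->data - p->pkt;`, which avoids computing a pointer difference that is then discarded. The loop body lies outside the hunk, so whether `off + b.offset` and `b.length` are checked against the size of the write buffer cannot be verified from here.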
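Review bot: With the added lines in Packet::~Packet() the raw `obfuscator` pointer becomes owned by the packet, but that ownership is stated nowhere in the hunk. Any code that assigns `p->obfuscator` must now pass a heap object and must not free it itself, and a path that reuses or resets a Packet has to delete and null the member, or the object is leaked or freed twice; none of those call sites are visible here. A comment on the member such as `// owned by Packet; deleted in ~Packet()` (or a `std::unique_ptr` member) would make the contract explicit. The null test is redundant because `delete` on a null pointer is a no-op, so the two lines reduce to `delete obfuscator;`. The destructor body continues past the end of the hunk.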