From 8c374c9f3dc290d82dd68eeb330275edd778743e Mon Sep 17 00:00:00 2001
From: "Tom Peters (thopeter)"
Date: Mon, 9 Oct 2017 11:13:21 -0400
Subject: [PATCH] Merge pull request #1036 in SNORT/snort3 from tunnel_225582 to master

Squashed commit of the following:

commit e9cc0d0af2059cb6aa589d8818bf4cac54738620
Author: Steven Baigal
Date: Tue Oct 3 14:59:25 2017 -0400

    updated DAQ stats to include retry verdict peg count

commit 37cf28a584f43f093fbeec23baa9429257427304
Author: Steven Baigal
Date: Mon Sep 25 15:14:23 2017 -0400

    added tunnel bypass for IP 4IN4, IP 6IN6, GRE and MPLS
---
 src/codecs/ip/cd_gre.cc | 7 ++++++-
 src/codecs/ip/cd_ipv4.cc | 8 ++++++++
 src/codecs/ip/cd_ipv6.cc | 8 ++++++++
 src/codecs/link/cd_mpls.cc | 4 ++++
 src/main/modules.cc | 2 +-
 src/main/snort_config.cc | 12 ++++++++++++
 src/main/snort_config.h | 6 +++++-
 src/utils/stats.cc | 8 ++++----
 src/utils/stats.h | 8 ++------
 9 files changed, 50 insertions(+), 13 deletions(-)

diff --git a/src/codecs/ip/cd_gre.cc b/src/codecs/ip/cd_gre.cc
index 64f88368b..b33325cc1 100644
--- a/src/codecs/ip/cd_gre.cc
+++ b/src/codecs/ip/cd_gre.cc
@@ -24,8 +24,10 @@
 #include "codecs/codec_module.h"
 #include "framework/codec.h"
-#include "protocols/gre.h"
 #include "log/text_log.h"
+#include "main/snort_config.h"
+#include "packet_io/active.h"
+#include "protocols/gre.h"
 
 #define CD_GRE_NAME "gre"
 #define CD_GRE_HELP "support for generic routing encapsulation"
 
@@ -205,6 +207,9 @@ bool GreCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
         return false;
     }
 
+    if (SnortConfig::tunnel_bypass_enabled(TUNNEL_GRE))
+        Active::set_tunnel_bypass();
+
     codec.lyr_len = len;
     codec.next_prot_id = greh->proto();
     codec.codec_flags |= CODEC_NON_IP_TUNNEL | CODEC_ETHER_NEXT;
diff --git a/src/codecs/ip/cd_ipv4.cc b/src/codecs/ip/cd_ipv4.cc
index f5f8067a6..42a2aa26a 100644
--- a/src/codecs/ip/cd_ipv4.cc
+++ b/src/codecs/ip/cd_ipv4.cc
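Review bot: The GRE bypass is requested on the strength of the outer GRE header alone, two lines before `codec.codec_flags |= CODEC_NON_IP_TUNNEL` marks the layer, and nothing at the call site says that the inner IPv4/IPv6 codecs rely on that flag to skip their own 4in4/6in6 bypass check; a comment such as `// bypass decided here for any validated GRE header; inner IP codecs see CODEC_NON_IP_TUNNEL and do not re-evaluate as 4in4/6in6` would spare the next reader the cross-file hunt. Requesting the bypass for every packet with a valid GRE header, whatever the inner protocol turns out to be, is presumably what a per-protocol tunnel_verdicts entry means, but that intent is worth stating in the same comment. GreCodec::decode starts before the hunk.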
@@ -215,6 +215,14 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
         else if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_4IN6) )
             Active::set_tunnel_bypass();
     }
+    else if (snort.ip_api.is_ip4())
+    {
+        /* If Teredo or GRE seen, this is not an 4in4 tunnel */
+        if ( codec.codec_flags & CODEC_NON_IP_TUNNEL )
+            codec.codec_flags &= ~CODEC_NON_IP_TUNNEL;
+        else if (SnortConfig::tunnel_bypass_enabled(TUNNEL_4IN4))
+            Active::set_tunnel_bypass();
+    }
 
     // set the api now since this layer has been verified as valid
     snort.ip_api.set(iph);
diff --git a/src/codecs/ip/cd_ipv6.cc b/src/codecs/ip/cd_ipv6.cc
index b77df070e..5791c29f2 100644
--- a/src/codecs/ip/cd_ipv6.cc
+++ b/src/codecs/ip/cd_ipv6.cc
@@ -177,6 +177,14 @@ bool Ipv6Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
         else if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_6IN4) )
             Active::set_tunnel_bypass();
     }
+    else if (snort.ip_api.is_ip6())
+    {
+        /* If Teredo or GRE seen, this is not an 6in6 tunnel */
+        if ( codec.codec_flags & CODEC_NON_IP_TUNNEL )
+            codec.codec_flags &= ~CODEC_NON_IP_TUNNEL;
+        else if (SnortConfig::tunnel_bypass_enabled(TUNNEL_6IN6))
+            Active::set_tunnel_bypass();
+    }
 
     IPV6CheckIsatap(ip6h, snort, codec); // check for isatap before overwriting the ip_api.
 
diff --git a/src/codecs/link/cd_mpls.cc b/src/codecs/link/cd_mpls.cc
index d7a93e94c..554158468 100644
--- a/src/codecs/link/cd_mpls.cc
+++ b/src/codecs/link/cd_mpls.cc
@@ -26,6 +26,7 @@
 #include "flow/flow.h"
 #include "framework/codec.h"
 #include "main/snort_config.h"
+#include "packet_io/active.h"
 #include "utils/safec.h"
 
 #define CD_MPLS_NAME "mpls"
@@ -210,6 +211,9 @@ bool MplsCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
         }
     } /* while bos not 1, peel off more labels */
 
+    if (SnortConfig::tunnel_bypass_enabled(TUNNEL_MPLS))
+        Active::set_tunnel_bypass();
+
     codec.lyr_len = (const uint8_t*)tmpMplsHdr - raw.data;
 
     switch (iRet)
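Review bot: The comment on the new 4in4 branch, `/* If Teredo or GRE seen, this is not an 4in4 tunnel */`, should read "a 4in4", and the mirrored cd_ipv6.cc hunk in this commit has the same slip with 6in6. The comment also names only Teredo and GRE while this same commit adds MPLS bypass; whether MplsCodec sets CODEC_NON_IP_TUNNEL is not visible here, so either name the flag instead of the protocols (`/* an outer non-IP tunnel (CODEC_NON_IP_TUNNEL) was seen, so this is not a 4in4 tunnel */`) or confirm the list is complete. Note that the branch clears CODEC_NON_IP_TUNNEL for the rest of the decode, so a further nested IPv4 layer would then be evaluated as 4in4; that matches the existing 4in6 branch above it, so it is presumably intended but deserves a word in the comment. Ipv4Codec::decode starts and ends outside the hunk.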
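Review bot: The MPLS bypass is requested before `switch (iRet)` runs, so if any iRet value handled below makes decode reject the packet, the bypass has already been set for a packet that was never accepted as MPLS; the meaning of iRet is outside the hunk, so please confirm, and if a failure path exists move the two new lines after the switch or into its success case. The cd_gre.cc hunk in this commit sets the flag only after its validation `return false` paths, which is the safer ordering to mirror. MplsCodec::decode starts and ends outside the hunk.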
diff --git a/src/main/modules.cc b/src/main/modules.cc
index fccf2e0b7..d477e2986 100644
--- a/src/main/modules.cc
+++ b/src/main/modules.cc
@@ -662,7 +662,7 @@ static const Parameter alerts_params[] =
       "don't alert w/o established session (note: rule action still taken)" },
 
     { "tunnel_verdicts", Parameter::PT_STRING, nullptr, nullptr,
-      "let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic" },
+      "let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic" },
 
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/main/snort_config.cc b/src/main/snort_config.cc
index b3baf7673..d2e77ab66 100644
--- a/src/main/snort_config.cc
+++ b/src/main/snort_config.cc
@@ -886,6 +886,18 @@ void SnortConfig::set_tunnel_verdicts(const char* args)
         else if (!strcasecmp(tok, "4in6"))
             tunnel_mask |= TUNNEL_4IN6;
 
+        else if (!strcasecmp(tok, "4in4"))
+            tunnel_mask |= TUNNEL_4IN4;
+
+        else if (!strcasecmp(tok, "6in6"))
+            tunnel_mask |= TUNNEL_6IN6;
+
+        else if (!strcasecmp(tok, "gre"))
+            tunnel_mask |= TUNNEL_GRE;
+
+        else if (!strcasecmp(tok, "mpls"))
+            tunnel_mask |= TUNNEL_MPLS;
+
         else
         {
             ParseError("unknown tunnel bypass protocol");
diff --git a/src/main/snort_config.h b/src/main/snort_config.h
index 5dd05a874..0e7708963 100644
--- a/src/main/snort_config.h
+++ b/src/main/snort_config.h
@@ -107,7 +107,11 @@ enum TunnelFlags
     TUNNEL_GTP = 0x01,
     TUNNEL_TEREDO = 0x02,
     TUNNEL_6IN4 = 0x04,
-    TUNNEL_4IN6 = 0x08
+    TUNNEL_4IN6 = 0x08,
+    TUNNEL_4IN4 = 0x10,
+    TUNNEL_6IN6 = 0x20,
+    TUNNEL_GRE = 0x40,
+    TUNNEL_MPLS = 0x80
 };
 
 struct srmm_table_t;
diff --git a/src/utils/stats.cc b/src/utils/stats.cc
index 04d5f088a..0629c7719 100644
--- a/src/utils/stats.cc
+++ b/src/utils/stats.cc
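Review bot: The token-to-flag chain in set_tunnel_verdicts now has eight hand-written branches whose spellings are repeated by hand in the modules.cc help string of this same commit, with nothing tying the two together; a single table of name/flag pairs would keep them in sync and make the next tunnel type a one-line addition. The branches above the hunk (gtp, teredo, 6in4) are outside the visible lines, so the rewrite below assumes they follow the same strcasecmp pattern and use the help string's spelling. set_tunnel_verdicts starts and ends outside the hunk.
```cpp
// … unchanged: tokenizing args into tok and the surrounding loop …
        static const struct { const char* name; TunnelFlags flag; } tunnel_names[] =
        {
            { "gtp", TUNNEL_GTP }, { "teredo", TUNNEL_TEREDO },
            { "6in4", TUNNEL_6IN4 }, { "4in6", TUNNEL_4IN6 },
            { "4in4", TUNNEL_4IN4 }, { "6in6", TUNNEL_6IN6 },
            { "gre", TUNNEL_GRE }, { "mpls", TUNNEL_MPLS },
        };
        bool known = false;

        for ( const auto& tn : tunnel_names )
        {
            if ( !strcasecmp(tok, tn.name) )
            {
                tunnel_mask |= tn.flag;
                known = true;
                break;
            }
        }

        if ( !known )
        {
            ParseError("unknown tunnel bypass protocol");
            // … unchanged: rest of the error branch …
```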
@@ -177,6 +177,7 @@ const PegInfo daq_names[] =
     { CountType::SUM, "whitelist", "total whitelist verdicts" },
     { CountType::SUM, "blacklist", "total blacklist verdicts" },
     { CountType::SUM, "ignore", "total ignore verdicts" },
+    { CountType::SUM, "retry", "total retry verdicts" },
 
     // FIXIT-L these are not exactly DAQ counts - but they are related
     { CountType::SUM, "internal_blacklist",
@@ -241,13 +242,12 @@ void pc_sum()
     g_daq_stats.packets_filtered += daq_stats->packets_filtered;
     g_daq_stats.packets_injected += daq_stats->packets_injected;
 
-    for ( unsigned i = 0; i < MAX_SFDAQ_VERDICT; i++ )
+    for ( unsigned i = 0; i < MAX_DAQ_VERDICT; i++ )
         g_daq_stats.verdicts[i] += daq_stats->verdicts[i];
 
     sum_stats((PegCount*)&gaux, (PegCount*)&aux_counts, sizeof(aux_counts)/sizeof(PegCount));
-    // FIXIT-H why do we set gaux in sum_stats then zero it here?
-    memset(&gaux, 0, sizeof(gaux));
+    memset(&aux_counts, 0, sizeof(aux_counts));
 }
 
 //-------------------------------------------------------------------------
@@ -271,7 +271,7 @@ void get_daq_stats(DAQStats& daq_stats)
     daq_stats.outstanding = pkts_out;
     daq_stats.injected = pkts_inj;
 
-    for ( unsigned i = 0; i < MAX_SFDAQ_VERDICT; i++ )
+    for ( unsigned i = 0; i < MAX_DAQ_VERDICT; i++ )
         daq_stats.verdicts[i] = g_daq_stats.verdicts[i];
 
     daq_stats.internal_blacklist = gaux.internal_blacklist;
diff --git a/src/utils/stats.h b/src/utils/stats.h
index 0fd7ec6c1..044aa8b6f 100644
--- a/src/utils/stats.h
+++ b/src/utils/stats.h
@@ -22,6 +22,7 @@
 
 // Provides facilities for displaying Snort exit stats
 
+#include 
 #include 
 
 #include "framework/counts.h"
@@ -77,13 +78,8 @@ struct AuxCount
 };
 
 //-------------------------------------------------------------------------
-// FIXIT-L 2.0.4 introduces the retry verdict
-// no way to reliably optionally leverage this with dynamic loaded daqs
-
 // FIXIT-L daq stats should be moved to sfdaq
-#define MAX_SFDAQ_VERDICT 6
-
 struct DAQStats
 {
     PegCount pcaps;
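Review bot: The new `"retry"` entry makes daq_names depend on the DAQ verdict enumeration having exactly this order, with retry as the last verdict before MAX_DAQ_VERDICT, and nothing in the table records that coupling; a comment above the first verdict entry such as `// one entry per DAQ verdict, in the DAQ's enum order, up to MAX_DAQ_VERDICT` would protect whoever edits the list next. The FIXIT-L already present below the new line separates the non-DAQ counts, so the comment belongs just above the verdict block rather than there. The daq_names array starts before the hunk.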
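Review bot: The loop just above the corrected memset now reads `daq_stats->verdicts[i]` up to MAX_DAQ_VERDICT, which the stats.h hunk of this commit takes from the DAQ header in place of the hard-coded 6 that the removed FIXIT-L kept for DAQ modules predating the retry verdict; if daq_stats is filled by a dynamically loaded module built against an older header, the last iteration reads one element past that module's array. The type and origin of daq_stats are outside the hunk, so this is an ABI question to confirm rather than a visible bug; if older modules are still supported, bound the loop by the module's own verdict count or document the minimum DAQ version next to the loop. Separately, the `(PegCount*)` casts into sum_stats and the memset of aux_counts both assume AuxCount is nothing but PegCount members, which `static_assert(sizeof(AuxCount) % sizeof(PegCount) == 0, "AuxCount must contain only PegCount members");` would pin down. pc_sum starts before the hunk.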
@@ -93,7 +89,7 @@ struct DAQStats
     PegCount filtered;
     PegCount outstanding;
     PegCount injected;
-    PegCount verdicts[MAX_SFDAQ_VERDICT];
+    PegCount verdicts[MAX_DAQ_VERDICT];
     PegCount internal_blacklist;
     PegCount internal_whitelist;
     PegCount skipped;
-- 
2.47.3