Pull request #3588: Add stateful signature evaluation
Merge in SNORT/snort3 from ~OSHUMEIK/snort3:stateful_signature_evaluation to master
Squashed commit of the following:
commit 8477617f494ffebae8c95ad6456c7ce3b630b34b
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date: Mon Apr 18 19:27:53 2022 +0300
detection: add stateful signature evaluation
If an IPS option sets the cursor beyond the current buffer size,
an evaluation state will be stored on the flow.
Rule evaluation will resume later, when enough data from the buffer become available.
Key updates/features:
* buffers supported: pkt_data, file_data, js_data
* a rule fired on the current packet doesn't create continuations
* continuations are dropped on config reload
* a few peg counters added
* rule variables are transferred to the continuation
* rule latency supported
Continuation tracks stream source for the following buffers:
pkt_data -- TCP payload data with respect to flow direction
js_data -- JavaScript text combined within the same HTTP request/response
file_data -- file's data within the same file (context)
Now a leaf node can have children, which are flowbit setters moved to the very end.
If an inspector sends a PDU with data prepended from previous PDUs,
continuations will be dropped, because data chunks cannot be concatenated.
Currently, http_inspect and http2_inspect can present accumulated data
in file_data and js_data buffers.
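The following is an added, hypothetical model of the mechanism the commit message describes; it is not snort3 code and uses its own names (`Chunk`, `Continuation`, `Flow`, `evaluate`, the `pegs_*` counters). It illustrates three of the stated behaviours: an option that moves the cursor past the end of the current buffer stores an evaluation state on the flow and evaluation resumes when the next contiguous chunk arrives; a chunk that does not start where the previous one ended (data prepended from earlier PDUs) causes the continuation to be dropped rather than concatenated; and a rule that fires leaves no continuation behind. The continuation is also keyed to the buffer source, so a file_data chunk does not resume a pkt_data evaluation.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Hypothetical model of stateful rule evaluation (added example, not snort3 code).
enum class Src { PktData, FileData, JsData };
enum class Result { Match, NoMatch, Pending };

// One data chunk handed to detection, with its absolute position in the stream.
// Constructed stand-in for a pkt_data / file_data / js_data buffer.
struct Chunk {
    Src src;
    size_t stream_offset;          // absolute stream offset of data[0]
    std::string data;
    size_t end() const { return stream_offset + data.size(); }
};

// Rule options: `Content` searches forward from the cursor, `Skip` advances the cursor.
struct Option { enum Kind { Content, Skip } kind; std::string pat; size_t n; };
struct Rule { size_t id; Src src; std::vector<Option> opts; };

// Saved evaluation state: which option to resume at, the absolute cursor position,
// and the stream offset the next chunk must start at to be a valid continuation.
struct Continuation { size_t next_opt; size_t abs_cursor; size_t expected_offset; };

struct Flow {
    std::map<size_t, Continuation> conts;                        // keyed by rule id
    size_t pegs_pending = 0, pegs_resumed = 0, pegs_dropped = 0; // stand-ins for peg counters
};

Result evaluate(Flow& flow, const Rule& rule, const Chunk& chunk) {
    if (chunk.src != rule.src) return Result::NoMatch;   // a continuation tracks its buffer source

    size_t next_opt = 0, cursor = chunk.stream_offset;
    auto it = flow.conts.find(rule.id);
    if (it != flow.conts.end()) {
        if (it->second.expected_offset == chunk.stream_offset) {
            next_opt = it->second.next_opt;   // contiguous chunk: resume where we stopped
            cursor = it->second.abs_cursor;
            ++flow.pegs_resumed;
        } else {
            ++flow.pegs_dropped;   // chunk carries prepended/accumulated data: cannot concatenate
        }
        flow.conts.erase(it);
    }

    for (size_t i = next_opt; i < rule.opts.size(); ++i) {
        const Option& o = rule.opts[i];
        if (o.kind == Option::Skip) {
            cursor += o.n;
            bool more = i + 1 < rule.opts.size();
            if (cursor > chunk.end() || (more && cursor == chunk.end())) {
                // Cursor set beyond the current buffer: park the state on the flow
                // and resume when the following data arrives.
                flow.conts[rule.id] = Continuation{ i + 1, cursor, chunk.end() };
                ++flow.pegs_pending;
                return Result::Pending;
            }
        } else {
            size_t rel = cursor - chunk.stream_offset;   // cursor relative to this buffer
            size_t pos = chunk.data.find(o.pat, rel);
            if (pos == std::string::npos) return Result::NoMatch;
            cursor = chunk.stream_offset + pos + o.pat.size();
        }
    }
    return Result::Match;   // a rule that fires on this chunk creates no continuation
}

int main() {
    // Constructed rule: content "GET ", then skip 10 bytes, then content "X".
    Rule r{1, Src::PktData, {{Option::Content, "GET ", 0}, {Option::Skip, "", 10}, {Option::Content, "X", 0}}};
    Flow f;
    Chunk a{Src::PktData, 0, "GET /index"};   // 10 bytes: skip lands at offset 14
    Chunk b{Src::PktData, 10, "abcdXyz"};     // contiguous: 'X' sits at absolute offset 14
    std::printf("chunk a: %d\n", (int)evaluate(f, r, a));   // 2 == Pending
    std::printf("chunk b: %d\n", (int)evaluate(f, r, b));   // 0 == Match
    std::printf("pending=%zu resumed=%zu dropped=%zu\n", f.pegs_pending, f.pegs_resumed, f.pegs_dropped);
    return 0;
}
```

The `expected_offset` check is what enforces the "cannot be concatenated" rule from the commit message: a PDU presented with earlier bytes prepended starts before the recorded end of the previous buffer, so the saved state is discarded and the rule is evaluated from its first option against the new buffer.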