#include "packet_tracer/packet_tracer.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "utils/util.h"
#include "utils/util_utf.h"
{
case FILE_VERDICT_LOG:
// Log file event through data bus
- DataBus::publish("file_event", (const uint8_t*)"LOG", 3, flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FILE_VERDICT, (const uint8_t*)"LOG", 3, flow);
break;
case FILE_VERDICT_BLOCK:
// can't block session inside a session
- DataBus::publish("file_event", (const uint8_t*)"BLOCK", 5, flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FILE_VERDICT, (const uint8_t*)"BLOCK", 5, flow);
break;
case FILE_VERDICT_REJECT:
- DataBus::publish("file_event", (const uint8_t*)"RESET", 5, flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FILE_VERDICT, (const uint8_t*)"RESET", 5, flow);
break;
default:
log_needed = false;
#include "framework/module.h"
#include "log/messages.h"
#include "log/text_log.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "time/packet_time.h"
#include "utils/util.h"
bool configure(SnortConfig*) override
{
- DataBus::subscribe("file_event", new LogHandler(config));
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FILE_VERDICT, new LogHandler(config));
return true;
}
if (p->flow && packet_expect_flows && !packet_expect_flows->empty())
{
ExpectedFlowsEvent event(*packet_expect_flows, *p);
- DataBus::publish(EXPECT_EVENT_TYPE_HANDLE_FLOWS, event);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::EXPECT_HANDLE_FLOWS, event);
}
}
packet_expect_flows->emplace_back(last);
ExpectEvent event(ctrlPkt, last, fd);
- DataBus::publish(EXPECT_EVENT_TYPE_EARLY_SESSION_CREATE_KEY, event, ctrlPkt->flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::EXPECT_EARLY_SESSION, event, ctrlPkt->flow);
}
return 0;
}
#include "memory/memory_cap.h"
#include "protocols/packet.h"
#include "protocols/tcp.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "sfip/sf_ip.h"
#include "utils/stats.h"
#include "utils/util.h"
void Flow::set_service(Packet* pkt, const char* new_service)
{
service = new_service;
- DataBus::publish(FLOW_SERVICE_CHANGE_EVENT, pkt);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_SERVICE_CHANGE, pkt);
}
void Flow::swap_roles()
#include "protocols/tcp.h"
#include "protocols/udp.h"
#include "protocols/vlan.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "pub_sub/packet_events.h"
#include "stream/stream.h"
#include "utils/util.h"
if (p->is_retry())
{
RetryPacketEvent retry_event(p);
- DataBus::publish(PKT_RETRY_EVENT, retry_event);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::RETRY_PACKET, retry_event);
flow->flags.retry_queued = false;
}
else if ( flow->flags.retry_queued and ( !p->is_cooked() or p->is_defrag() ) )
{
RetryPacketEvent retry_event(p);
- DataBus::publish(PKT_RETRY_EVENT, retry_event);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::RETRY_PACKET, retry_event);
if ( !retry_event.is_still_pending() )
flow->flags.retry_queued = false;
}
update_stats(flow, p);
flow->set_client_initiate(p);
- DataBus::publish(FLOW_STATE_SETUP_EVENT, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_STATE_SETUP, p);
if ( flow->flow_state == Flow::FlowState::SETUP ||
(flow->flow_state == Flow::FlowState::INSPECT &&
return get(key, val, STASH_ITEM_TYPE_STRING);
}
-bool FlowStash::get(const std::string& key, StashGenericObject* &val)
+bool FlowStash::get(const string& key, StashGenericObject* &val)
{
return get(key, val, STASH_ITEM_TYPE_GENERIC_OBJECT);
}
-void FlowStash::store(const string& key, int32_t val)
+void FlowStash::store(const string& key, int32_t val, unsigned pubid, unsigned evid)
{
- store(key, val, STASH_ITEM_TYPE_INT32);
+ store(key, val, STASH_ITEM_TYPE_INT32, pubid, evid);
}
-void FlowStash::store(const string& key, uint32_t val)
+void FlowStash::store(const string& key, uint32_t val, unsigned pubid, unsigned evid)
{
- store(key, val, STASH_ITEM_TYPE_UINT32);
+ store(key, val, STASH_ITEM_TYPE_UINT32, pubid, evid);
}
-void FlowStash::store(const string& key, const string& val)
+void FlowStash::store(const string& key, const string& val, unsigned pubid, unsigned evid)
{
- store(key, val, STASH_ITEM_TYPE_STRING);
+ store(key, val, STASH_ITEM_TYPE_STRING, pubid, evid);
}
-void FlowStash::store(const std::string& key, StashGenericObject* val, bool publish)
+void FlowStash::store(const string& key, string* val, unsigned pubid, unsigned evid)
{
- store(key, val, STASH_ITEM_TYPE_GENERIC_OBJECT, publish);
+ store(key, val, STASH_ITEM_TYPE_STRING, pubid, evid);
}
-void FlowStash::store(const string& key, StashGenericObject* &val, StashItemType type, bool publish)
+void FlowStash::store(const string& key, StashGenericObject* val, unsigned pubid, unsigned evid)
+{
+ store(key, val, STASH_ITEM_TYPE_GENERIC_OBJECT, pubid, evid);
+}
+
+void FlowStash::store(const string& key, StashGenericObject* &val, StashItemType type, unsigned pubid, unsigned evid)
{
#ifdef NDEBUG
UNUSED(type);
it_and_status.first->second = item;
}
- if (publish)
+ if (DataBus::valid(pubid))
{
StashEvent e(item);
- DataBus::publish(key.c_str(), e);
+ DataBus::publish(pubid, evid, e);
}
}
-void FlowStash::store(const std::string& key, std::string* val)
-{
- store(key, val, STASH_ITEM_TYPE_STRING);
-}
-
template<typename T>
bool FlowStash::get(const string& key, T& val, StashItemType type)
{
}
template<typename T>
-void FlowStash::store(const string& key, T& val, StashItemType type)
+void FlowStash::store(const string& key, T& val, StashItemType type, unsigned pubid, unsigned evid)
{
#ifdef NDEBUG
UNUSED(type);
}
StashEvent e(item);
- DataBus::publish(key.c_str(), e);
+ DataBus::publish(pubid, evid, e);
}
bool FlowStash::store(const SfIp& ip, const SnortConfig* sc)
}
AuxiliaryIpEvent event(ip);
- DataBus::publish(AUXILIARY_IP_EVENT, event);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::AUXILIARY_IP, event);
return true;
}
public:
~FlowStash();
void reset();
+
bool get(const std::string& key, int32_t& val);
bool get(const std::string& key, uint32_t& val);
bool get(const std::string& key, std::string& val);
bool get(const std::string& key, StashGenericObject* &val);
- void store(const std::string& key, int32_t val);
- void store(const std::string& key, uint32_t val);
- void store(const std::string& key, const std::string& val);
- void store(const std::string& key, std::string* val);
- void store(const std::string& key, StashGenericObject* val, bool publish = true);
+
+ void store(const std::string& key, int32_t val, unsigned pubid = 0, unsigned evid = 0);
+ void store(const std::string& key, uint32_t val, unsigned pubid = 0, unsigned evid = 0);
+ void store(const std::string& key, const std::string& val, unsigned pubid = 0, unsigned evid = 0);
+ void store(const std::string& key, std::string* val, unsigned pubid = 0, unsigned evid = 0);
+ void store(const std::string& key, StashGenericObject* val, unsigned pubid = 0, unsigned evid = 0);
bool store(const snort::SfIp&, const SnortConfig* sc = nullptr);
template<typename T>
bool get(const std::string& key, T& val, StashItemType type);
template<typename T>
- void store(const std::string& key, T& val, StashItemType type);
- void store(const std::string& key, StashGenericObject* &val, StashItemType type,
- bool publish = true);
+ void store(const std::string& key, T& val, StashItemType type, unsigned = 0, unsigned = 0);
+ void store(const std::string& key, StashGenericObject* &val, StashItemType type, unsigned, unsigned);
};
}
#include "flow/flow_control.h"
#include "detection/detection_engine.h"
+#include "flow/expect_cache.h"
+#include "flow/flow_cache.h"
+#include "flow/ha.h"
+#include "flow/session.h"
#include "main/policy.h"
#include "main/snort_config.h"
#include "managers/inspector_manager.h"
#include "protocols/vlan.h"
#include "stream/stream.h"
#include "utils/util.h"
-#include "flow/expect_cache.h"
-#include "flow/flow_cache.h"
-#include "flow/ha.h"
-#include "flow/session.h"
#include "trace/trace_api.h"
#include <CppUTest/CommandLineTestRunner.h>
void Flow::flush(bool) { }
void Flow::reset(bool) { }
void Flow::free_flow_data() { }
-void DataBus::publish(const char*, DataEvent&, Flow*) { }
-void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) { }
-void DataBus::publish(const char*, Packet*, Flow*) { }
+void DataBus::publish(unsigned, unsigned, DataEvent&, Flow*) { }
+void DataBus::publish(unsigned, unsigned, const uint8_t*, unsigned, Flow*) { }
+void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { }
const SnortConfig* SnortConfig::get_conf() { return nullptr; }
void Flow::set_client_initiate(Packet*) { }
void Flow::set_direction(Packet*) { }
size_t FlowCache::uni_ip_flows_size() const { return 0; }
size_t FlowCache::flows_size() const { return 0; }
void Flow::init(PktType) { }
-void DataBus::publish(const char*, DataEvent&, Flow*) { }
-void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) { }
-void DataBus::publish(const char*, Packet*, Flow*) { }
+void DataBus::publish(unsigned, unsigned, DataEvent&, Flow*) { }
+void DataBus::publish(unsigned, unsigned, const uint8_t*, unsigned, Flow*) { }
+void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { }
const SnortConfig* SnortConfig::get_conf() { return nullptr; }
void FlowCache::unlink_uni(Flow*) { }
void Flow::set_client_initiate(Packet*) { }
using namespace snort;
using namespace std;
-static DataBus* DB = nullptr;
-
template<class Type>
class DBConsumer : public DataHandler
{
static const char* STASH_EVENT;
- // event we'll be listening to on the DataBus:
- // static constexpr char STASH_EVENT[] = "foo.stash.event";
-
DBConsumer(const char* mod_name) : DataHandler(mod_name) {}
void handle(DataEvent& e, Flow*) override
template<class Type>
const char* DBConsumer<Type>::STASH_EVENT = "foo.stash.event";
+static DataHandler* s_handler = nullptr;
+void DataBus::subscribe(const PubKey&, unsigned, snort::DataHandler* h)
+{ s_handler = h; }
-// DataBus mock: most functions are stubs, but _subscribe() and _publish()
-// are (close to) real.
-DataBus::DataBus() = default;
-
-DataBus::~DataBus()
-{
- for ( auto& p : map )
- for ( auto* h : p.second )
- delete h;
-}
-
-void DataBus::clone(DataBus&, const char*) {}
-void DataBus::subscribe(const char* key, DataHandler* h)
-{
- DB->_subscribe(key, h);
-}
-void DataBus::subscribe_network(const char* key, DataHandler* h)
-{
- DB->_subscribe(key, h);
-}
-
-void DataBus::unsubscribe(const char*, DataHandler*) {}
-void DataBus::unsubscribe_network(const char*, DataHandler*) {}
-
-void DataBus::publish(const char* key, DataEvent& e, Flow* f)
-{
- DB->_publish(key, e, f);
-}
-
-void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) {}
-void DataBus::publish(const char*, Packet*, Flow*) {}
-
-void DataBus::_subscribe(const char* key, DataHandler* h)
-{
- DataList& v = map[key];
- v.emplace_back(h);
-}
-
-void DataBus::_unsubscribe(const char*, DataHandler*) {}
-
-void DataBus::_publish(const char* key, DataEvent& e, Flow* f) const
+void DataBus::publish(unsigned, unsigned evid, snort::DataEvent& e, snort::Flow* f)
{
- auto v = map.find(key);
-
- if ( v != map.end() )
- {
- for ( auto* h : v->second )
- h->handle(e, f);
- }
+ if ( s_handler and evid )
+ s_handler->handle(e, f);
}
-// end DataBus mock.
static SnortConfig snort_conf;
}
TEST_GROUP(stash_tests)
-{
- void setup() override
- {
- DB = new DataBus();
- }
-
- void teardown() override
- {
- delete DB;
- }
-};
+{ };
// DataBus tests
TEST(stash_tests, data_bus_publish_test)
{
typedef int32_t value_t;
- // DB deletes the subscribers so make c a pointer, not a local object.
- DBConsumer<value_t>* c = new DBConsumer<value_t>("foo");
- DataBus::subscribe(DBConsumer<value_t>::STASH_EVENT, c);
+ DBConsumer<value_t> c("foo");
+ PubKey pub_key { };
+
+ DataBus::subscribe(pub_key, 0, &c);
FlowStash stash;
value_t vin, vout;
// stash/publish 10
vin = 10;
- stash.store(DBConsumer<value_t>::STASH_EVENT, vin);
- vout = c->get_value();
+ stash.store(DBConsumer<value_t>::STASH_EVENT, vin, 1, 1);
+ vout = c.get_value();
CHECK_EQUAL(vin, vout);
// stash/publish 20, with the same key as before
vin = 20;
- stash.store(DBConsumer<value_t>::STASH_EVENT, vin);
- vout = c->get_value();
+ stash.store(DBConsumer<value_t>::STASH_EVENT, vin, 1, 1);
+ vout = c.get_value();
CHECK_EQUAL(vin, vout);
// do we get some event that we're not listening to?
- value_t before = c->get_value();
+ value_t before = c.get_value();
stash.store("bar.stash.event", 30);
- value_t after = c->get_value();
+ value_t after = c.get_value();
CHECK_EQUAL(before, after);
// do we still get our own STASH_EVENT from the stash, at a later time?
- vout = c->get_from_stash(stash);
+ vout = c.get_from_stash(stash);
CHECK_EQUAL(vin, vout);
-
}
-
// Stash tests
TEST(stash_tests, new_int32_item)
{
int main(int argc, char** argv)
{
+ MemoryLeakWarningPlugin::turnOffNewDeleteOverloads();
return CommandLineTestRunner::RunAllTests(argc, argv);
}
+
const Layer* layer::get_mpls_layer(const Packet* const) { return nullptr; }
-void DataBus::publish(const char*, Packet*, Flow*) {}
+void DataBus::publish(unsigned, unsigned, Packet*, Flow*) {}
const SnortConfig* SnortConfig::get_conf() { return nullptr; }
#include "config.h"
#endif
-#include <algorithm>
-
#include "data_bus.h"
+#include <algorithm>
+#include <unordered_map>
+
#include "main/policy.h"
#include "main/snort_config.h"
#include "protocols/packet.h"
+#include "pub_sub/intrinsic_event_ids.h"
+#include "utils/stats.h"
using namespace snort;
+static std::unordered_map<std::string, unsigned> pub_ids;
+static unsigned next_event = 1;
+
static DataBus& get_data_bus()
{ return get_inspection_policy()->dbus; }
+
static DataBus& get_network_data_bus()
{ return get_network_policy()->dbus; }
//--------------------------------------------------------------------------
// public methods
-//--------------------------------------------------------------------------
+//-------------------------------------------------------------------------
DataBus::DataBus() = default;
DataBus::~DataBus()
{
- for ( auto& p : map )
- for ( auto* h : p.second )
+ for ( auto& p : pub_sub )
+ {
+ for ( auto* h : p )
{
// If the object is cloned, pass the ownership to the next config.
// When the object is no further cloned (e.g., the last config), delete it.
else
delete h;
}
+ }
+}
+
+unsigned DataBus::init()
+{
+ unsigned id = get_id(intrinsic_pub_key);
+ assert(id == 1);
+ return id;
}
void DataBus::clone(DataBus& from, const char* exclude_name)
{
- for ( auto& p : from.map )
- for ( auto* h : p.second )
- if ( nullptr == exclude_name || 0 != strcmp(exclude_name, h->module_name) )
+ for ( unsigned i = 0; i < from.pub_sub.size(); ++i )
+ {
+ for ( auto* h : from.pub_sub[i] )
+ {
+ if ( !exclude_name || strcmp(exclude_name, h->module_name) )
{
h->cloned = true;
- _subscribe(p.first.c_str(), h);
+ _subscribe(i, 0, h);
}
+ }
+ }
+}
+
+unsigned DataBus::get_id(const PubKey& key)
+{
+ auto it = pub_ids.find(key.publisher);
+
+ if ( it == pub_ids.end() )
+ {
+ pub_ids[key.publisher] = next_event;
+ next_event += key.num_events;
+ }
+ return pub_ids[key.publisher];
}
// add handler to list of handlers to be notified upon
// publication of given event
-void DataBus::subscribe(const char* key, DataHandler* h)
+void DataBus::subscribe(const PubKey& key, unsigned eid, DataHandler* h)
{
- get_data_bus()._subscribe(key, h);
+ get_data_bus()._subscribe(key, eid, h);
}
// for subscribers that need to receive events regardless of active inspection policy
-void DataBus::subscribe_network(const char* key, DataHandler* h)
+void DataBus::subscribe_network(const PubKey& key, unsigned eid, DataHandler* h)
{
- get_network_data_bus()._subscribe(key, h);
+ get_network_data_bus()._subscribe(key, eid, h);
}
// for subscribers that need to receive events regardless of active inspection policy
-void DataBus::subscribe_global(const char* key, DataHandler* h, SnortConfig& sc)
+void DataBus::subscribe_global(const PubKey& key, unsigned eid, DataHandler* h, SnortConfig& sc)
{
- sc.global_dbus->_subscribe(key, h);
+ sc.global_dbus->_subscribe(key, eid, h);
}
-void DataBus::unsubscribe(const char* key, DataHandler* h)
+void DataBus::unsubscribe(const PubKey& key, unsigned eid, DataHandler* h)
{
- get_data_bus()._unsubscribe(key, h);
+ get_data_bus()._unsubscribe(key, eid, h);
}
-void DataBus::unsubscribe_network(const char* key, DataHandler* h)
+void DataBus::unsubscribe_network(const PubKey& key, unsigned eid, DataHandler* h)
{
- get_network_data_bus()._unsubscribe(key, h);
+ get_network_data_bus()._unsubscribe(key, eid, h);
}
-void DataBus::unsubscribe_global(const char* key, DataHandler* h, SnortConfig& sc)
+void DataBus::unsubscribe_global(const PubKey& key, unsigned eid, DataHandler* h, SnortConfig& sc)
{
- sc.global_dbus->_unsubscribe(key, h);
+ sc.global_dbus->_unsubscribe(key, eid, h);
}
// notify subscribers of event
-void DataBus::publish(const char* key, DataEvent& e, Flow* f)
+void DataBus::publish(unsigned pid, unsigned eid, DataEvent& e, Flow* f)
{
- SnortConfig::get_conf()->global_dbus->_publish(key, e, f);
+ SnortConfig::get_conf()->global_dbus->_publish(pid, eid, e, f);
NetworkPolicy* ni = get_network_policy();
- ni->dbus._publish(key, e, f);
+ ni->dbus._publish(pid, eid, e, f);
InspectionPolicy* pi = get_inspection_policy();
- pi->dbus._publish(key, e, f);
+ pi->dbus._publish(pid, eid, e, f);
}
-void DataBus::publish(const char* key, const uint8_t* buf, unsigned len, Flow* f)
+void DataBus::publish(unsigned pid, unsigned eid, const uint8_t* buf, unsigned len, Flow* f)
{
BufferEvent e(buf, len);
- publish(key, e, f);
+ publish(pid, eid, e, f);
}
-void DataBus::publish(const char* key, Packet* p, Flow* f)
+void DataBus::publish(unsigned pid, unsigned eid, Packet* p, Flow* f)
{
PacketEvent e(p);
if ( p && !f )
f = p->flow;
- publish(key, e, f);
+ publish(pid, eid, e, f);
}
//--------------------------------------------------------------------------
return false;
}
-void DataBus::_subscribe(const char* key, DataHandler* h)
+void DataBus::_subscribe(unsigned pid, unsigned eid, DataHandler* h)
{
- DataList& v = map[key];
- v.emplace_back(h);
- std::sort(v.begin(), v.end(), compare);
-}
+ unsigned idx = pid + eid;
+ assert(idx < next_event);
-void DataBus::_unsubscribe(const char* key, DataHandler* h)
-{
- DataList& v = map[key];
+ if ( next_event > pub_sub.size() )
+ pub_sub.resize(next_event);
- for ( unsigned i = 0; i < v.size(); i++ )
- if ( v[i] == h )
- v.erase(v.begin() + i--);
+ SubList& subs = pub_sub[idx];
+ subs.emplace_back(h);
- if ( v.empty() )
- map.erase(key);
+ std::sort(subs.begin(), subs.end(), compare);
}
-// notify subscribers of event
-void DataBus::_publish(const char* key, DataEvent& e, Flow* f) const
+void DataBus::_subscribe(const PubKey& key, unsigned eid, DataHandler* h)
+{
+ unsigned pid = get_id(key);
+ _subscribe(pid, eid, h);
+}
+
+void DataBus::_unsubscribe(const PubKey& key, unsigned eid, DataHandler* h)
{
- auto v = map.find(key);
+ unsigned pid = get_id(key);
+ unsigned idx = pid + eid;
+ assert(idx < pub_sub.size());
- if ( v != map.end() )
+ SubList& subs = pub_sub[idx];
+
+ for ( unsigned i = 0; i < subs.size(); i++ )
{
- for ( auto* h : v->second )
- h->handle(e, f);
+ if ( subs[i] == h )
+ {
+ subs.erase(subs.begin() + i--);
+ break;
+ }
}
}
+void DataBus::_publish(unsigned pid, unsigned eid, DataEvent& e, Flow* f) const
+{
+ unsigned idx = pid + eid;
+
+ // not all instances are full size
+ if ( idx >= pub_sub.size() )
+ return;
+
+ const SubList& subs = pub_sub[idx];
+
+ for ( auto* h : subs )
+ h->handle(e, f);
+}
+
struct Packet;
struct SnortConfig;
+struct PubKey
+{
+ const char* publisher;
+ unsigned num_events;
+};
+
class DataEvent
{
public:
DataHandler(const char* mod_name) : module_name(mod_name), cloned(false) { }
};
-// FIXIT-P evaluate perf; focus is on correctness
-typedef std::vector<DataHandler*> DataList;
-typedef std::unordered_map<std::string, DataList> DataMap;
-
class SO_PUBLIC DataBus
{
public:
~DataBus();
// configure time methods - main thread only
+ static unsigned init();
void clone(DataBus& from, const char* exclude_name = nullptr);
+ // publishers must register their key and use given id to publish
+ static unsigned get_id(const PubKey&);
+
+ static bool valid(unsigned pub_id)
+ { return pub_id != 0; }
+
// FIXIT-L ideally these would not be static or would take an inspection policy*
- static void subscribe(const char* key, DataHandler*);
- static void subscribe_network(const char* key, DataHandler*);
- static void subscribe_global(const char* key, DataHandler*, SnortConfig&);
+ static void subscribe(const PubKey&, unsigned id, DataHandler*);
+ static void subscribe_network(const PubKey&, unsigned id, DataHandler*);
+ static void subscribe_global(const PubKey&, unsigned id, DataHandler*, SnortConfig&);
// FIXIT-L these should be called during cleanup
- static void unsubscribe(const char* key, DataHandler*);
- static void unsubscribe_network(const char* key, DataHandler*);
- static void unsubscribe_global(const char* key, DataHandler*, SnortConfig&);
+ static void unsubscribe(const PubKey&, unsigned id, DataHandler*);
+ static void unsubscribe_network(const PubKey&, unsigned id, DataHandler*);
+ static void unsubscribe_global(const PubKey&, unsigned id, DataHandler*, SnortConfig&);
// runtime methods
- static void publish(const char* key, DataEvent&, Flow* = nullptr);
+ static void publish(unsigned pub_id, unsigned evt_id, DataEvent&, Flow* = nullptr);
// convenience methods
- static void publish(const char* key, const uint8_t*, unsigned, Flow* = nullptr);
- static void publish(const char* key, Packet*, Flow* = nullptr);
+ static void publish(unsigned pub_id, unsigned evt_id, const uint8_t*, unsigned, Flow* = nullptr);
+ static void publish(unsigned pub_id, unsigned evt_id, Packet*, Flow* = nullptr);
private:
- void _subscribe(const char* key, DataHandler*);
- void _unsubscribe(const char* key, DataHandler*);
- void _publish(const char* key, DataEvent&, Flow*) const;
+ void _subscribe(unsigned pub_id, unsigned evt_id, DataHandler*);
+ void _subscribe(const PubKey&, unsigned evt_id, DataHandler*);
+ void _unsubscribe(const PubKey&, unsigned evt_id, DataHandler*);
+ void _publish(unsigned pub_id, unsigned evt_id, DataEvent&, Flow*) const;
private:
- DataMap map;
+ typedef std::vector<DataHandler*> SubList;
+ std::vector<SubList> pub_sub;
};
}
-//
-// Common core functionality data events
-//
-
-#define PACKET_EVENT "detection.packet"
-#define FLOW_STATE_EVENT "flow.state_change"
-#define THREAD_IDLE_EVENT "thread.idle"
-#define THREAD_ROTATE_EVENT "thread.rotate"
-
-// A packet is being detained.
-#define DETAINED_PACKET_EVENT "analyzer.detained.packet"
-
-// A flow changed its service
-#define FLOW_SERVICE_CHANGE_EVENT "flow.service_change_event"
-// A flow has found the service inspector
-#define SERVICE_INSPECTOR_CHANGE_EVENT "flow.service_inspector.changed"
-// No service has been found for the flow
-#define FLOW_NO_SERVICE_EVENT "flow.no_service_event"
-// search of SSL is abandoned on this flow
-#define SSL_SEARCH_ABANDONED "flow.ssl_search_abandoned"
-
-// A flow has entered the setup state
-#define FLOW_STATE_SETUP_EVENT "flow.state_setup"
-
-// The policy has changed for the flow
-#define FLOW_STATE_RELOADED_EVENT "flow.reloaded"
-
-// A new flow is created on this packet
-#define STREAM_ICMP_NEW_FLOW_EVENT "stream.icmp_new_flow"
-#define STREAM_IP_NEW_FLOW_EVENT "stream.ip_new_flow"
-#define STREAM_UDP_NEW_FLOW_EVENT "stream.udp_new_flow"
-
-// A flow has been determined to be bidirectional
-#define STREAM_ICMP_BIDIRECTIONAL_EVENT "stream.icmp_bidirectional"
-#define STREAM_IP_BIDIRECTIONAL_EVENT "stream.ip.bidirectional"
-#define STREAM_UDP_BIDIRECTIONAL_EVENT "stream.udp.bidirectional"
-
-// A TCP flow has the flag; a midstream flow may not publish other events
-#define STREAM_TCP_SYN_EVENT "stream.tcp_syn"
-#define STREAM_TCP_SYN_ACK_EVENT "stream.tcp_syn_ack"
-#define STREAM_TCP_MIDSTREAM_EVENT "stream.tcp_midstream"
-#define STREAM_TCP_ESTABLISHED_EVENT "stream.tcp_established"
-
-// A new standby flow was generated by stream high availability
-#define STREAM_HA_NEW_FLOW_EVENT "stream.ha.new_flow"
-
#endif
#include "framework/data_bus.h"
#include "main/snort_config.h"
-
+#include "main/thread.h"
+#include "utils/stats.h"
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
NetworkPolicy::~NetworkPolicy() = default;
namespace snort
{
-SnortConfig::SnortConfig(snort::SnortConfig const*, const char*)
-{ global_dbus = new DataBus(); }
+
+static SnortConfig s_conf;
+
+THREAD_LOCAL SnortConfig* snort_conf = &s_conf;
const SnortConfig* SnortConfig::get_conf()
-{
- const SnortConfig* snort_conf =
- (const SnortConfig*)mock().getData("snort_conf").getObjectPointer();
- return snort_conf;
-}
+{ return snort_conf; }
-SnortConfig* SnortConfig::get_main_conf()
-{
- SnortConfig* snort_conf =
- (SnortConfig*)mock().getData("snort_conf").getObjectPointer();
- return snort_conf;
-}
+SnortConfig::SnortConfig(const SnortConfig* const, const char*)
+{ global_dbus = new DataBus(); }
SnortConfig::~SnortConfig()
{ delete global_dbus; }
return my_inspection_policy;
}
+THREAD_LOCAL PacketCount pc;
}
//--------------------------------------------------------------------------
seq = ++s_next;
}
-#define DB_UTEST_EVENT "unit.test.event"
+struct DbUtIds { enum : unsigned { EVENT, num_ids }; };
+
+const PubKey pub_key { "db_ut", DbUtIds::num_ids };
//--------------------------------------------------------------------------
// data bus unit tests
//--------------------------------------------------------------------------
+static constexpr unsigned event_id = 1;
+
TEST_GROUP(data_bus)
{
- SnortConfig snort_conf;
InspectionPolicy my_inspection_policy;
NetworkPolicy my_network_policy;
+ unsigned pub_id = 0; // cppcheck-suppress variableScope
void setup() override
{
- mock().setDataObject("snort_conf", "SnortConfig", &snort_conf);
mock().setDataObject("my_network_policy", "NetworkPolicy", &my_network_policy);
mock().setDataObject("my_inspection_policy", "InspectionPolicy", &my_inspection_policy);
+
+ pub_id = DataBus::get_id(pub_key);
+ CHECK_TRUE(DataBus::valid(pub_id));
}
void teardown() override
TEST(data_bus, subscribe_global)
{
UTestHandler h;
- DataBus::subscribe_global(DB_UTEST_EVENT, &h, snort_conf);
+ DataBus::subscribe_global(pub_key, DbUtIds::EVENT, &h, *snort_conf);
UTestEvent event(100);
- DataBus::publish(DB_UTEST_EVENT, event);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event);
CHECK(100 == h.evt_msg);
UTestEvent event1(200);
- DataBus::publish(DB_UTEST_EVENT, event1);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event1);
CHECK(200 == h.evt_msg);
- DataBus::unsubscribe_global(DB_UTEST_EVENT, &h, snort_conf);
+ DataBus::unsubscribe_global(pub_key, DbUtIds::EVENT, &h, *snort_conf);
UTestEvent event2(300);
- DataBus::publish(DB_UTEST_EVENT, event2);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event2);
CHECK(200 == h.evt_msg); // unsubscribed!
}
TEST(data_bus, subscribe_network)
{
UTestHandler* h = new UTestHandler();
- DataBus::subscribe_network(DB_UTEST_EVENT, h);
+ DataBus::subscribe_network(pub_key, DbUtIds::EVENT, h);
UTestEvent event(100);
- DataBus::publish(DB_UTEST_EVENT, event);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event);
CHECK(100 == h->evt_msg);
UTestEvent event1(200);
- DataBus::publish(DB_UTEST_EVENT, event1);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event1);
CHECK(200 == h->evt_msg);
- DataBus::unsubscribe_network(DB_UTEST_EVENT, h);
+ DataBus::unsubscribe_network(pub_key, DbUtIds::EVENT, h);
UTestEvent event2(300);
- DataBus::publish(DB_UTEST_EVENT, event2);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event2);
CHECK(200 == h->evt_msg); // unsubscribed!
delete h;
TEST(data_bus, subscribe)
{
UTestHandler* h = new UTestHandler();
- DataBus::subscribe(DB_UTEST_EVENT, h);
+ DataBus::subscribe(pub_key, DbUtIds::EVENT, h);
UTestEvent event(100);
- DataBus::publish(DB_UTEST_EVENT, event);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event);
CHECK(100 == h->evt_msg);
UTestEvent event1(200);
- DataBus::publish(DB_UTEST_EVENT, event1);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event1);
CHECK(200 == h->evt_msg);
- DataBus::unsubscribe(DB_UTEST_EVENT, h);
+ DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h);
UTestEvent event2(300);
- DataBus::publish(DB_UTEST_EVENT, event2);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event2);
CHECK(200 == h->evt_msg); // unsubscribed!
delete h;
TEST(data_bus, order1)
{
UTestHandler* h0 = new UTestHandler();
- DataBus::subscribe(DB_UTEST_EVENT, h0);
+ DataBus::subscribe(pub_key, DbUtIds::EVENT, h0);
UTestHandler* h1 = new UTestHandler(1);
- DataBus::subscribe(DB_UTEST_EVENT, h1);
+ DataBus::subscribe(pub_key, DbUtIds::EVENT, h1);
UTestHandler* h9 = new UTestHandler(9);
- DataBus::subscribe(DB_UTEST_EVENT, h9);
+ DataBus::subscribe(pub_key, DbUtIds::EVENT, h9);
s_next = 0;
UTestEvent event(100);
- DataBus::publish(DB_UTEST_EVENT, event);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event);
CHECK(1 == h1->seq);
CHECK(2 == h9->seq);
CHECK(3 == h0->seq);
- DataBus::unsubscribe(DB_UTEST_EVENT, h0);
- DataBus::unsubscribe(DB_UTEST_EVENT, h1);
- DataBus::unsubscribe(DB_UTEST_EVENT, h9);
+ DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h0);
+ DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h1);
+ DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h9);
delete h0;
delete h1;
TEST(data_bus, order2)
{
UTestHandler* h0 = new UTestHandler(0);
- DataBus::subscribe(DB_UTEST_EVENT, h0);
+ DataBus::subscribe(pub_key, DbUtIds::EVENT, h0);
UTestHandler* h9 = new UTestHandler(9);
- DataBus::subscribe(DB_UTEST_EVENT, h9);
+ DataBus::subscribe(pub_key, DbUtIds::EVENT, h9);
UTestHandler* h1 = new UTestHandler(1);
- DataBus::subscribe(DB_UTEST_EVENT, h1);
+ DataBus::subscribe(pub_key, DbUtIds::EVENT, h1);
s_next = 0;
UTestEvent event(100);
- DataBus::publish(DB_UTEST_EVENT, event);
+ DataBus::publish(pub_id, DbUtIds::EVENT, event);
CHECK(1 == h1->seq);
CHECK(2 == h9->seq);
CHECK(3 == h0->seq);
- DataBus::unsubscribe(DB_UTEST_EVENT, h0);
- DataBus::unsubscribe(DB_UTEST_EVENT, h1);
- DataBus::unsubscribe(DB_UTEST_EVENT, h9);
+ DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h0);
+ DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h1);
+ DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h9);
delete h0;
delete h1;
int main(int argc, char** argv)
{
+ // event_map is not released until after cpputest gives up
+ MemoryLeakWarningPlugin::turnOffNewDeleteOverloads();
return CommandLineTestRunner::RunAllTests(argc, argv);
}
limit = m->limit;
width = m->width;
raw = m->raw;
- DataBus::subscribe(DAQ_SOF_MSG_EVENT, new DaqMessageEventHandler());
- DataBus::subscribe(DAQ_EOF_MSG_EVENT, new DaqMessageEventHandler());
+
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::DAQ_SOF_MSG, new DaqMessageEventHandler());
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::DAQ_EOF_MSG, new DaqMessageEventHandler());
}
void HextLogger::open()
static void process_daq_sof_eof_msg(DAQ_Msg_h msg, DAQ_Verdict& verdict)
{
const DAQ_FlowStats_t *stats = (const DAQ_FlowStats_t*) daq_msg_get_hdr(msg);
- const char* key;
+ unsigned key;
select_default_policy(*stats, SnortConfig::get_conf());
if (daq_msg_get_type(msg) == DAQ_MSG_TYPE_EOF)
{
packet_time_update(&stats->eof_timestamp);
daq_stats.eof_messages++;
- key = DAQ_EOF_MSG_EVENT;
+ key = IntrinsicEventIds::DAQ_EOF_MSG;
}
else
{
packet_time_update(&stats->sof_timestamp);
daq_stats.sof_messages++;
- key = DAQ_SOF_MSG_EVENT;
+ key = IntrinsicEventIds::DAQ_SOF_MSG;
}
DaqMessageEvent event(msg, verdict);
- DataBus::publish(key, event);
+ DataBus::publish(intrinsic_pub_id, key, event);
}
static bool process_packet(Packet* p)
{
if (p->flow->flags.trigger_detained_packet_event)
{
- DataBus::publish(DETAINED_PACKET_EVENT, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::DETAINED_PACKET, p);
}
}
else
if (p->flow and p->flow->flags.trigger_finalize_event)
{
FinalizePacketEvent event(p, verdict);
- DataBus::publish(FINALIZE_PACKET_EVENT, event);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FINALIZE_PACKET, event);
}
if (PacketTracer::is_active())
{
daq_stats.other_messages++;
DaqMessageEvent event(msg, verdict);
- DataBus::publish(DAQ_OTHER_MSG_EVENT, event);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::DAQ_OTHER_MSG, event);
}
break;
}
timeradd(&now, &increment, &now);
packet_time_update(&now);
- DataBus::publish(THREAD_IDLE_EVENT, nullptr);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::THREAD_IDLE, nullptr);
// Service the retry queue with the new packet time.
process_retry_queue();
void Analyzer::rotate()
{
- DataBus::publish(THREAD_ROTATE_EVENT, nullptr);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::THREAD_ROTATE, nullptr);
}
#include "parser/parse_conf.h"
#include "parser/vars.h"
#include "ports/port_var_table.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "modules.h"
#include "shell.h"
void InspectionPolicy::configure()
{
- dbus.subscribe(PACKET_EVENT, new AltPktHandler);
+ dbus.subscribe(intrinsic_pub_key, IntrinsicEventIds::ALT_PACKET, new AltPktHandler);
}
//-------------------------------------------------------------------------
#endif
InitProtoNames();
+ DataBus::init();
load_actions();
load_codecs();
}
Packet::~Packet() = default;
IpsPolicy* get_ips_policy() { return nullptr; }
-void DataBus::publish(const char*, Packet*, Flow*) { }
-void DataBus::publish(const char*, DataEvent&, Flow*) { }
+void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { }
+void DataBus::publish(unsigned, unsigned, DataEvent&, Flow*) { }
SFDAQInstance::SFDAQInstance(const char*, unsigned, const SFDAQConfig*) { }
SFDAQInstance::~SFDAQInstance() = default;
void SFDAQInstance::reload() { }
#include "distill_verdict_stubs.h"
+#include "framework/data_bus.h"
#include "main/analyzer.h"
#include "memory/memory_cap.h"
#include "packet_io/sfdaq_instance.h"
void Flow::trust() { }
SFDAQInstance* SFDAQ::get_local_instance() { return nullptr; }
+
+unsigned DataBus::get_id(const PubKey&)
+{ return 0; }
}
using namespace snort;
#include "main/snort_module.h"
#include "main/thread_config.h"
#include "protocols/packet.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "search_engines/search_tool.h"
#include "target_based/snort_protocols.h"
#include "time/clock_defs.h"
{
Flow* flow = p->flow;
- DataBus::publish(FLOW_SERVICE_CHANGE_EVENT, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_SERVICE_CHANGE, p);
flow->clear_clouseau();
{
if ( !flow->flags.svc_event_generated )
{
- DataBus::publish(FLOW_NO_SERVICE_EVENT, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_NO_SERVICE, p);
flow->flags.svc_event_generated = true;
}
}
template<bool T>
-void InspectorManager::full_inspection(Packet* p)
+void inline InspectorManager::full_inspection(Packet* p)
{
Flow* flow = p->flow;
}
}
-// FIXIT-M leverage knowledge of flow creation so that reputation (possibly a
-// new it_xxx) is run just once per flow (and all non-flow packets).
-void InspectorManager::execute(Packet* p)
-{
- if ( trace_enabled(snort_trace, TRACE_INSPECTOR_MANAGER, DEFAULT_TRACE_LOG_LEVEL, p) )
- internal_execute<true>(p);
- else
- internal_execute<false>(p);
-
- if ( p->flow && ( !p->is_cooked() or p->is_defrag() ) )
- ExpectFlow::handle_expected_flows(p);
-}
-
template<bool T>
-void InspectorManager::internal_execute(Packet* p)
+inline void InspectorManager::internal_execute(Packet* p)
{
Stopwatch<SnortClock> timer;
const char* packet_type = nullptr;
if ( p->flow )
{
if ( p->flow->reload_id && p->flow->reload_id != reload_id )
- DataBus::publish(FLOW_STATE_RELOADED_EVENT, p, p->flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_STATE_RELOADED, p, p->flow);
}
else
- DataBus::publish(PKT_WITHOUT_FLOW_EVENT, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::PKT_WITHOUT_FLOW, p);
FrameworkPolicy* fp = get_inspection_policy()->framework_policy;
assert(fp);
packet_type, p->context->packet_number, p->context->context_num, TO_USECS(timer.get()));
}
+// FIXIT-M leverage knowledge of flow creation so that reputation (possibly a
+// new it_xxx) is run just once per flow (and all non-flow packets).
+void InspectorManager::execute(Packet* p)
+{
+ if ( trace_enabled(snort_trace, TRACE_INSPECTOR_MANAGER, DEFAULT_TRACE_LOG_LEVEL, p) )
+ internal_execute<true>(p);
+ else
+ internal_execute<false>(p);
+
+ if ( p->flow && ( !p->is_cooked() or p->is_defrag() ) )
+ ExpectFlow::handle_expected_flows(p);
+}
+
void InspectorManager::probe(Packet* p)
{
GlobalInspectorPolicy* pp = p->context->conf->policy_map->get_global_inspector_policy();
void LogLabel(const char*, FILE*) { }
void ParseError(const char*, ...) { }
void WarningMessage(const char*, ...) { }
-void DataBus::publish(const char*, Packet*, Flow*) { }
+DataBus::DataBus() { }
+DataBus::~DataBus() { }
+void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { }
+unsigned DataBus::get_id(const PubKey&) { return 0; }
void DetectionEngine::disable_content(Packet*) { }
unsigned SnortConfig::get_thread_reload_id() { return 1; }
void SnortConfig::update_thread_reload_id() { }
void Module::show_interval_stats(IndexVec&, FILE*) { }
void Module::show_stats() { }
void Module::reset_stats() { }
-DataBus::DataBus() { }
-DataBus::~DataBus() { }
Module* ModuleManager::get_module(const char*) { return nullptr; }
void ExpectFlow::handle_expected_flows(const Packet*) { }
#include "managers/module_manager.h"
#include "packet_tracer/packet_tracer.h"
#include "profiler/profiler.h"
+#include "pub_sub/appid_event_ids.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "appid_data_decrypt_event_handler.h"
#include "appid_dcerpc_event_handler.h"
THREAD_LOCAL OdpThreadContext* odp_thread_local_ctxt = nullptr;
THREAD_LOCAL OdpContext* pkt_thread_odp_ctxt = nullptr;
+unsigned AppIdInspector::pub_id = 0;
+
static THREAD_LOCAL PacketTracer::TracerMute appid_mute;
static void add_appid_to_packet_trace(Flow& flow, const OdpContext& odp_context)
assert(!ctxt);
ctxt = new AppIdContext(const_cast<AppIdConfig&>(*config));
-
ctxt->init_appid(sc, *this);
- DataBus::subscribe_global(SIP_EVENT_TYPE_SIP_DIALOG_KEY, new SipEventHandler(*this), *sc);
-
- DataBus::subscribe_global(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler(
- HttpEventHandler::REQUEST_EVENT, *this), *sc);
-
- DataBus::subscribe_global(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler(
- HttpEventHandler::RESPONSE_EVENT, *this), *sc);
-
- DataBus::subscribe_global(HTTPX_REQUEST_BODY_EVENT_KEY, new AppIdHttpXReqBodyEventHandler(), *sc);
-
- DataBus::subscribe_global(DATA_DECRYPT_EVENT, new DataDecryptEventHandler(), *sc);
+ DataBus::subscribe_global(http_pub_key, HttpEventIds::REQUEST_HEADER,
+ new HttpEventHandler(HttpEventHandler::REQUEST_EVENT, *this), *sc);
- DataBus::subscribe_global(DCERPC_EXP_SESSION_EVENT_KEY, new DceExpSsnEventHandler(), *sc);
+ DataBus::subscribe_global(http_pub_key, HttpEventIds::RESPONSE_HEADER,
+ new HttpEventHandler(HttpEventHandler::RESPONSE_EVENT, *this), *sc);
- DataBus::subscribe_global(OPPORTUNISTIC_TLS_EVENT, new AppIdOpportunisticTlsEventHandler(), *sc);
+ DataBus::subscribe_global(http_pub_key, HttpEventIds::REQUEST_BODY, new AppIdHttpXReqBodyEventHandler(), *sc);
+ DataBus::subscribe_global(sip_pub_key, SipEventIds::DIALOG, new SipEventHandler(*this), *sc);
+ DataBus::subscribe_global(dce_tcp_pub_key, DceTcpEventIds::EXP_SESSION, new DceExpSsnEventHandler(), *sc);
+ DataBus::subscribe_global(ssh_pub_key, SshEventIds::STATE_CHANGE, new SshEventHandler(), *sc);
+ DataBus::subscribe_global(external_pub_key, ExternalEventIds::DATA_DECRYPT, new DataDecryptEventHandler(), *sc);
- DataBus::subscribe_global(EVE_PROCESS_EVENT, new AppIdEveProcessEventHandler(*this), *sc);
+ DataBus::subscribe_global(external_pub_key, ExternalEventIds::EVE_PROCESS,
+ new AppIdEveProcessEventHandler(*this), *sc);
- DataBus::subscribe_global(SSH_EVENT, new SshEventHandler(), *sc);
+ DataBus::subscribe_global(intrinsic_pub_key, IntrinsicEventIds::OPPORTUNISTIC_TLS,
+ new AppIdOpportunisticTlsEventHandler(), *sc);
- DataBus::subscribe_global(FLOW_NO_SERVICE_EVENT, new AppIdServiceEventHandler(*this), *sc);
+ DataBus::subscribe_global(intrinsic_pub_key, IntrinsicEventIds::FLOW_NO_SERVICE,
+ new AppIdServiceEventHandler(*this), *sc);
+ pub_id = DataBus::get_id(appid_pub_key);
return true;
}
AppIdContext& get_ctxt() const;
const AppIdConfig& get_config() const { return *config; }
+ static unsigned get_pub_id() { return pub_id; }
+
private:
const AppIdConfig* config = nullptr;
AppIdContext* ctxt = nullptr;
+ static unsigned pub_id;
};
extern const snort::InspectApi appid_inspector_api;
constraints.dport = dport;
AppIdDebugLogEvent event(&constraints, "AppIdDbg");
- DataBus::publish(APPID_DEBUG_LOG_EVENT, event);
+ DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DEBUG_LOG, event);
main_broadcast_command(new AcAppIdDebug(&constraints), ControlConn::query_from_lua(L));
static int disable_debug(lua_State* L)
{
AppIdDebugLogEvent event(nullptr, "");
- DataBus::publish(APPID_DEBUG_LOG_EVENT, event);
+ DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DEBUG_LOG, event);
main_broadcast_command(new AcAppIdDebug(nullptr), ControlConn::query_from_lua(L));
return 0;
}
#include "profiler/profiler.h"
#include "protocols/packet.h"
#include "protocols/tcp.h"
+#include "pub_sub/appid_events.h"
#include "stream/stream.h"
#include "target_based/snort_protocols.h"
#include "time/packet_time.h"
return;
AppidEvent app_event(change_bits, is_httpx, httpx_stream_index, api, p);
- DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, p.flow);
+ DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::ANY_CHANGE, app_event, p.flow);
if (appidDebug->is_active())
{
std::string str;
#include "service_bootp.h"
+#include "appid_utils/ip_funcs.h"
#include "detection/detection_engine.h"
#include "protocols/eth.h"
#include "protocols/packet.h"
+#include "pub_sub/appid_event_ids.h"
#include "pub_sub/dhcp_events.h"
+
#include "app_info_table.h"
#include "appid_config.h"
#include "appid_inspector.h"
-#include "appid_utils/ip_funcs.h"
using namespace snort;
unsigned op60_length = (op60_len > DHCP_OP60_MAX_SIZE) ? DHCP_OP60_MAX_SIZE : op60_len;
Packet* p = DetectionEngine::get_current_packet();
DHCPDataEvent event(p, op55_length, op60_length, op55, op60, mac);
- DataBus::publish(DHCP_DATA_EVENT, event, p->flow);
+ DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DHCP_DATA, event, p->flow);
}
}
asd.set_session_flags(APPID_SESSION_HAS_DHCP_INFO);
Packet* p = DetectionEngine::get_current_packet();
DHCPInfoEvent event(p, ip, mac, subnetmask, leaseSecs, router);
- DataBus::publish(DHCP_INFO_EVENT, event, p->flow);
+ DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DHCP_INFO, event, p->flow);
}
#include "service_netbios.h"
#include "detection/detection_engine.h"
#include "protocols/packet.h"
+#include "pub_sub/appid_event_ids.h"
#include "pub_sub/smb_events.h"
#include "utils/endian.h"
#include "utils/util_cstring.h"
#include "app_info_table.h"
+#include "appid_inspector.h"
#include "dcerpc.h"
using namespace snort;
asd.set_session_flags(APPID_SESSION_HAS_SMB_INFO);
Packet* p = DetectionEngine::get_current_packet();
FpSMBDataEvent event(p, major, minor, (flags & FINGERPRINT_UDP_FLAGS_MASK));
- DataBus::publish(FP_SMB_DATA_EVENT, event, p->flow);
+ DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::FP_SMB_DATA, event, p->flow);
}
#include "framework/data_bus.h"
#include "protocols/protocol_ids.h"
+#include "pub_sub/appid_event_ids.h"
#include "service_inspectors/http_inspect/http_msg_header.h"
+
+#include "appid_http_session.h"
#include "tp_appid_module_api.h"
#include "tp_appid_session_api.h"
-#include "appid_http_session.h"
#include "appid_mock_definitions.h"
#include "appid_mock_http_session.h"
void eval(Packet*) override {};
};
-void DataBus::publish(const char*, DataEvent& event, Flow*)
+void DataBus::publish(unsigned, unsigned, DataEvent& event, Flow*)
{
AppidEvent* appid_event = (AppidEvent*)&event;
char* test_log = (char*)mock().getData("test_log").getObjectPointer();
void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packet& p, bool, uint32_t)
{
AppidEvent app_event(change_bits, false, 0, this->get_api(), p);
- DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, p.flow);
+ DataBus::publish(0, AppIdEventIds::ANY_CHANGE, app_event, p.flow);
}
bool SslPatternMatchers::scan_hostname(const uint8_t* server_name, size_t, AppId& client_id, AppId& payload_id)
#define APPID_MOCK_INSPECTOR_H // avoiding mocked inspector
+#include "framework/data_bus.h"
#include "helpers/discovery_filter.h"
#include "host_tracker/host_cache.h"
#include "network_inspectors/appid/appid_discovery.cc"
#include "network_inspectors/appid/appid_peg_counts.h"
#include "network_inspectors/packet_tracer/packet_tracer.h"
-
+#include "pub_sub/appid_event_ids.h"
#include "search_engines/search_tool.h"
#include "utils/sflsq.cc"
void SearchTool::add(const uint8_t*, unsigned, int, bool) {}
void SearchTool::add(const uint8_t*, unsigned, void*, bool) {}
-// Stubs for ip
+// Mocks for ip
namespace ip
{
void IpApi::set(const SfIp& sip, const SfIp& dip)
AppIdSessionApi::AppIdSessionApi(const AppIdSession*, const SfIp&) :
StashGenericObject(STASH_GENERIC_OBJECT_APPID) {}
-void AppIdSessionApi::get_first_stream_app_ids(AppId&, AppId&,
- AppId&, AppId&) const { }
-} // namespace snort
-void AppIdModule::reset_stats() {}
-DiscoveryFilter::~DiscoveryFilter() {}
-// Stubs for publish
-void DataBus::publish(const char*, DataEvent& event, Flow*)
+void AppIdSessionApi::get_first_stream_app_ids(AppId&, AppId&, AppId&, AppId&) const { }
+
+// Mocks for publish
+unsigned DataBus::get_id(const PubKey&)
+{ return 0; }
+
+void DataBus::publish(unsigned, unsigned, DataEvent& event, Flow*)
{
AppidEvent* appid_event = (AppidEvent*)&event;
char* test_log = (char*)mock().getData("test_log").getObjectPointer();
appid_event->get_change_bitset().to_string().c_str());
mock().actualCall("publish");
}
+} // namespace snort
+void AppIdModule::reset_stats() {}
+DiscoveryFilter::~DiscoveryFilter() {}
// Stubs for matchers
static HttpPatternMatchers* http_matchers;
void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packet& p, bool, uint32_t)
{
AppidEvent app_event(change_bits, false, 0, this->get_api(), p);
- DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, p.flow);
+ DataBus::publish(0, AppIdEventIds::ANY_CHANGE, app_event, p.flow);
}
void AppIdHttpSession::set_tun_dest(){}
void LogText(const char*, FILE*) {}
void ParseWarning(WarningGroup, const char*, ...) { }
-
void LogLabel(const char*, FILE*) {}
+
+unsigned DataBus::get_id(const PubKey&) { return 0; }
+
SearchTool::SearchTool(bool) { }
SearchTool::~SearchTool() = default;
}
void LogLabel(const char*, FILE*) {}
void LogText(const char* s, FILE*) { LogMessage("%s\n", s); }
+unsigned DataBus::get_id(const PubKey&)
+{ return 0; }
// Stubs for utils
char* snort_strdup(const char* str)
#include "profiler/profiler.h"
#include "protocols/packet.h"
#include "pub_sub/assistant_gadget_event.h"
+#include "pub_sub/intrinsic_event_ids.h"
+#include "pub_sub/stream_event_ids.h"
#include "stream/stream.h"
#include "stream/stream_splitter.h"
#include "target_based/host_attributes.h"
if (flow.ssn_state.snort_protocol_id == UNKNOWN_PROTOCOL_ID)
flow.ssn_state.snort_protocol_id = gadget->get_service();
- DataBus::publish(SERVICE_INSPECTOR_CHANGE_EVENT, DetectionEngine::get_current_packet());
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SERVICE_INSPECTOR_CHANGE,
+ DetectionEngine::get_current_packet());
}
}
else if (wizard)
flow.set_clouseau(wizard);
+
else if (!flow.flags.svc_event_generated)
{
- DataBus::publish(FLOW_NO_SERVICE_EVENT, DetectionEngine::get_current_packet());
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_NO_SERVICE, DetectionEngine::get_current_packet());
flow.flags.svc_event_generated = true;
}
}
default_ssn_inspectors[proto] = InspectorManager::get_inspector(name);
}
- DataBus::subscribe(PKT_WITHOUT_FLOW_EVENT, new NonFlowPacketHandler());
- DataBus::subscribe(FLOW_STATE_SETUP_EVENT, new FlowStateSetupHandler());
- DataBus::subscribe(FLOW_SERVICE_CHANGE_EVENT, new FlowServiceChangeHandler());
- DataBus::subscribe(STREAM_HA_NEW_FLOW_EVENT, new StreamHANewFlowHandler());
- DataBus::subscribe(FLOW_ASSISTANT_GADGET_EVENT, new AssistantGadgetHandler());
- DataBus::subscribe(FLOW_STATE_RELOADED_EVENT, new RebindFlow());
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::PKT_WITHOUT_FLOW, new NonFlowPacketHandler());
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_SETUP, new FlowStateSetupHandler());
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FLOW_SERVICE_CHANGE, new FlowServiceChangeHandler());
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FLOW_ASSISTANT_GADGET, new AssistantGadgetHandler());
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_RELOADED, new RebindFlow());
+
+ DataBus::subscribe(stream_pub_key, StreamEventIds::HA_NEW_FLOW, new StreamHANewFlowHandler());
return true;
}
flow.set_data(data);
}
- DataBus::publish(SERVICE_INSPECTOR_CHANGE_EVENT, DetectionEngine::get_current_packet());
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SERVICE_INSPECTOR_CHANGE,
+ DetectionEngine::get_current_packet());
}
else
flow.ssn_state.snort_protocol_id = UNKNOWN_PROTOCOL_ID;
#include "main/thread.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
+#include "pub_sub/intrinsic_event_ids.h"
#ifdef UNIT_TEST
#include "catch/snort_catch.h"
{
public:
PerfIdleHandler(PerfMonitor& p) : DataHandler(PERF_NAME), perf_monitor(p)
- { DataBus::subscribe_network(THREAD_IDLE_EVENT, this); }
+ { DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::THREAD_IDLE, this); }
void handle(DataEvent&, Flow*) override
{ perf_monitor.eval(nullptr); }
{
public:
PerfRotateHandler(PerfMonitor& p) : DataHandler(PERF_NAME), perf_monitor(p)
- { DataBus::subscribe_network(THREAD_ROTATE_EVENT, this); }
+ { DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::THREAD_ROTATE, this); }
void handle(DataEvent&, Flow*) override
{ perf_monitor.rotate(); }
{
public:
FlowIPDataHandler(PerfMonitor& p) : DataHandler(PERF_NAME), perf_monitor(p)
- { DataBus::subscribe_network(FLOW_STATE_EVENT, this); }
+ { DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_CHANGE, this); }
void handle(DataEvent&, Flow* flow) override
{
THREAD_LOCAL ProfileStats reputation_perf_stats;
THREAD_LOCAL ReputationStats reputationstats;
+static unsigned pub_id = 0;
+
const PegInfo reputation_peg_names[] =
{
{ CountType::SUM, "packets", "total packets processed" },
DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_BLOCKLIST_DST);
ReputationVerdictEvent event(p, REP_VERDICT_BLOCKED, iplist_id, false);
- DataBus::publish(REPUTATION_MATCHED_EVENT, event);
+ DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event);
p->active->drop_packet(p, true);
// disable all preproc analysis and detection for this packet
{
DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_MONITOR_DST);
ReputationVerdictEvent event(p, REP_VERDICT_MONITORED, iplist_id, false);
- DataBus::publish(REPUTATION_MATCHED_EVENT, event);
+ DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event);
reputationstats.aux_ip_monitored++;
}
else if (decision == TRUSTED)
{
DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_ALLOWLIST_DST);
ReputationVerdictEvent event(p, REP_VERDICT_TRUSTED, iplist_id, false);
- DataBus::publish(REPUTATION_MATCHED_EVENT, event);
+ DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event);
p->active->trust_session(p, true);
reputationstats.aux_ip_trusted++;
}
DetectionEngine::queue_event(GID_REPUTATION, blocklist_event);
ReputationVerdictEvent event(p, REP_VERDICT_BLOCKED, iplist_id, BLOCKED_SRC == decision);
- DataBus::publish(REPUTATION_MATCHED_EVENT, event);
+ DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event);
act->drop_packet(p, true);
// disable all preproc analysis and detection for this packet
DetectionEngine::queue_event(GID_REPUTATION, monitor_event);
ReputationVerdictEvent event(p, REP_VERDICT_MONITORED, iplist_id, MONITORED_SRC == decision);
- DataBus::publish(REPUTATION_MATCHED_EVENT, event);
+ DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event);
reputationstats.monitored++;
}
DetectionEngine::queue_event(GID_REPUTATION, allowlist_event);
ReputationVerdictEvent event(p, REP_VERDICT_TRUSTED, iplist_id, TRUSTED_SRC == decision);
- DataBus::publish(REPUTATION_MATCHED_EVENT, event);
+ DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event);
act->trust_session(p, true);
reputationstats.trusted++;
}
bool Reputation::configure(SnortConfig*)
{
- DataBus::subscribe_network( FLOW_STATE_SETUP_EVENT, new IpRepHandler(*this) );
- DataBus::subscribe_network( FLOW_STATE_RELOADED_EVENT, new IpRepHandler(*this) );
- DataBus::subscribe_network( AUXILIARY_IP_EVENT, new AuxiliaryIpRepHandler(*this) );
- DataBus::subscribe_network( PKT_WITHOUT_FLOW_EVENT, new IpRepHandler(*this) );
+ DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_SETUP, new IpRepHandler(*this));
+ DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_RELOADED, new IpRepHandler(*this));
+ DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::AUXILIARY_IP, new AuxiliaryIpRepHandler(*this));
+ DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::PKT_WITHOUT_FLOW, new IpRepHandler(*this));
+
+ pub_id = DataBus::get_id(reputation_pub_key);
return true;
}
#ifndef RNA_CONFIG_H
#define RNA_CONFIG_H
+#include "framework/data_bus.h"
+
namespace snort
{
class TcpFpProcessor;
uint16_t max_host_service_info = 16;
bool enable_banner_grab = false;
bool log_when_idle = false;
+
+ static unsigned pub_id;
};
#endif
#ifndef RNA_CPE_OS_H
#define RNA_CPE_OS_H
-#define CPE_OS_INFO_EVENT "cpe_os_info_event"
+#include "pub_sub/external_event_ids.h"
class SO_PUBLIC CpeOsInfoEvent : public snort::DataEvent
{
#include "main/snort.h"
#include "managers/inspector_manager.h"
#include "protocols/packet.h"
+#include "pub_sub/appid_event_ids.h"
#include "pub_sub/dhcp_events.h"
+#include "pub_sub/intrinsic_event_ids.h"
+#include "pub_sub/rna_events.h"
#include "pub_sub/smb_events.h"
+#include "pub_sub/stream_event_ids.h"
+
#include "rna_cpe_os.h"
#include "rna_event_handler.h"
#include "rna_fingerprint_smb.h"
THREAD_LOCAL RnaStats rna_stats;
THREAD_LOCAL ProfileStats rna_perf_stats;
+unsigned RnaConfig::pub_id = 0;
+
//-------------------------------------------------------------------------
// class stuff
//-------------------------------------------------------------------------
bool RnaInspector::configure(SnortConfig*)
{
- DataBus::subscribe_network( APPID_EVENT_ANY_CHANGE, new RnaAppidEventHandler(*pnd) );
- DataBus::subscribe_network( DHCP_INFO_EVENT, new RnaDHCPInfoEventHandler(*pnd) );
- DataBus::subscribe_network( DHCP_DATA_EVENT, new RnaDHCPDataEventHandler(*pnd) );
- DataBus::subscribe_network( FP_SMB_DATA_EVENT, new RnaFpSMBEventHandler(*pnd) );
+ RnaConfig::pub_id = DataBus::get_id(rna_pub_key);
+
+ DataBus::subscribe_network( appid_pub_key, AppIdEventIds::ANY_CHANGE, new RnaAppidEventHandler(*pnd) );
+ DataBus::subscribe_network( appid_pub_key, AppIdEventIds::DHCP_INFO, new RnaDHCPInfoEventHandler(*pnd) );
+ DataBus::subscribe_network( appid_pub_key, AppIdEventIds::DHCP_DATA, new RnaDHCPDataEventHandler(*pnd) );
+ DataBus::subscribe_network( appid_pub_key, AppIdEventIds::FP_SMB_DATA, new RnaFpSMBEventHandler(*pnd) );
- DataBus::subscribe_network( STREAM_ICMP_NEW_FLOW_EVENT, new RnaIcmpNewFlowEventHandler(*pnd) );
- DataBus::subscribe_network( STREAM_ICMP_BIDIRECTIONAL_EVENT, new RnaIcmpBidirectionalEventHandler(*pnd) );
+ DataBus::subscribe_network( stream_pub_key, StreamEventIds::ICMP_NEW_FLOW, new RnaIcmpNewFlowEventHandler(*pnd) );
+ DataBus::subscribe_network( stream_pub_key, StreamEventIds::ICMP_BIDIRECTIONAL, new RnaIcmpBidirectionalEventHandler(*pnd) );
- DataBus::subscribe_network( STREAM_IP_NEW_FLOW_EVENT, new RnaIpNewFlowEventHandler(*pnd) );
- DataBus::subscribe_network( STREAM_IP_BIDIRECTIONAL_EVENT, new RnaIpBidirectionalEventHandler(*pnd) );
+ DataBus::subscribe_network( stream_pub_key, StreamEventIds::IP_NEW_FLOW, new RnaIpNewFlowEventHandler(*pnd) );
+ DataBus::subscribe_network( stream_pub_key, StreamEventIds::IP_BIDIRECTIONAL, new RnaIpBidirectionalEventHandler(*pnd) );
- DataBus::subscribe_network( STREAM_UDP_NEW_FLOW_EVENT, new RnaUdpNewFlowEventHandler(*pnd) );
- DataBus::subscribe_network( STREAM_UDP_BIDIRECTIONAL_EVENT, new RnaUdpBidirectionalEventHandler(*pnd) );
+ DataBus::subscribe_network( stream_pub_key, StreamEventIds::UDP_NEW_FLOW, new RnaUdpNewFlowEventHandler(*pnd) );
+ DataBus::subscribe_network( stream_pub_key, StreamEventIds::UDP_BIDIRECTIONAL, new RnaUdpBidirectionalEventHandler(*pnd) );
- DataBus::subscribe_network( STREAM_TCP_SYN_EVENT, new RnaTcpSynEventHandler(*pnd) );
- DataBus::subscribe_network( STREAM_TCP_SYN_ACK_EVENT, new RnaTcpSynAckEventHandler(*pnd) );
- DataBus::subscribe_network( STREAM_TCP_MIDSTREAM_EVENT, new RnaTcpMidstreamEventHandler(*pnd) );
+ DataBus::subscribe_network( stream_pub_key, StreamEventIds::TCP_SYN, new RnaTcpSynEventHandler(*pnd) );
+ DataBus::subscribe_network( stream_pub_key, StreamEventIds::TCP_SYN_ACK, new RnaTcpSynAckEventHandler(*pnd) );
+ DataBus::subscribe_network( stream_pub_key, StreamEventIds::TCP_MIDSTREAM, new RnaTcpMidstreamEventHandler(*pnd) );
- DataBus::subscribe_network( CPE_OS_INFO_EVENT, new RnaCPEOSInfoEventHandler(*pnd) );
- DataBus::subscribe_network( NETFLOW_EVENT, new RnaNetFlowEventHandler(*pnd) );
+ DataBus::subscribe_network( external_pub_key, ExternalEventIds::CPE_OS_INFO, new RnaCPEOSInfoEventHandler(*pnd) );
+ DataBus::subscribe_network( netflow_pub_key, NetFlowEventIds::DATA, new RnaNetFlowEventHandler(*pnd) );
if (rna_conf && rna_conf->log_when_idle)
- DataBus::subscribe_network( THREAD_IDLE_EVENT, new RnaIdleEventHandler(*pnd) );
+ DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::THREAD_IDLE, new RnaIdleEventHandler(*pnd) );
if ( mod_conf->ua_processor )
mod_conf->ua_processor->make_mpse();
{
uint32_t service = nfe->get_service_id();
RNAEvent new_flow_event(p, nfe->get_record(), service);
- DataBus::publish(RNA_NEW_NETFLOW_CONN, new_flow_event);
+ DataBus::publish(RnaConfig::pub_id, NetFlowEventIds::DATA, new_flow_event);
return;
}
#include "main/snort_types.h"
#include "target_based/snort_protocols.h"
-// Event that is generated when a packet without a flow is processed
-#define PKT_WITHOUT_FLOW_EVENT "non_flow_pkt"
-
namespace snort
{
class Active;
set (PUB_SUB_INCLUDES
appid_debug_log_event.h
+ appid_event_ids.h
appid_events.h
assistant_gadget_event.h
cip_events.h
dhcp_events.h
eve_process_event.h
expect_events.h
+ external_event_ids.h
finalize_packet_event.h
+ http_event_ids.h
http_events.h
http_request_body_event.h
+ intrinsic_event_ids.h
netflow_event.h
opportunistic_tls_event.h
packet_events.h
reputation_events.h
rna_events.h
sip_events.h
+ stream_event_ids.h
smb_events.h
ssh_events.h
)
#include <string>
-#include "framework/data_bus.h"
#include "network_inspectors/appid/appid_debug.h"
-
-#define APPID_DEBUG_LOG_EVENT "appid_debug_log_event"
+#include "pub_sub/appid_event_ids.h"
class AppIdDebugLogEvent : public snort::DataEvent
{
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_event_ids.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef APPID_EVENT_IDS_H
+#define APPID_EVENT_IDS_H
+
+#include "framework/data_bus.h"
+
+namespace snort
+{
+
+struct AppIdEventIds
+{ enum : unsigned {
+
+ ANY_CHANGE,
+ DEBUG_LOG,
+ DHCP_DATA,
+ DHCP_INFO,
+ FP_SMB_DATA,
+
+ num_ids
+}; };
+
+const PubKey appid_pub_key { "appid", AppIdEventIds::num_ids };
+
+}
+#endif
+
#include <bitset>
-#include "framework/data_bus.h"
-
-#define APPID_EVENT_ANY_CHANGE "appid_event_any_change"
+#include "pub_sub/appid_event_ids.h"
namespace snort
{
#define ASSISTANT_GADGET_EVENTS_H
#include "framework/data_bus.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "target_based/snort_protocols.h"
#include "utils/util.h"
// A flow is setting up assistant inspector.
// For example used by HTTP2 to set NHI as assistant inspector.
-#define FLOW_ASSISTANT_GADGET_EVENT "flow.assistant_gadget"
-
namespace snort
{
struct Packet;
#ifndef AUXILIARY_IP_EVENT_H
#define AUXILIARY_IP_EVENT_H
-#include "framework/data_bus.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "sfip/sf_ip.h"
-#define AUXILIARY_IP_EVENT "auxiliary_ip_event"
-
class AuxiliaryIpEvent : public snort::DataEvent
{
public:
#include "framework/data_bus.h"
-#define CIP_EVENT_TYPE_CIP_DATA_KEY "cip_event_type_cip_data"
+struct CipEventIds { enum : unsigned { DATA, num_ids }; };
-enum CipEventType
-{
- CIP_EVENT_TYPE_CIP_DATA
-};
+const snort::PubKey cip_pub_key { "cip", CipEventIds::num_ids };
namespace snort
{
#include <daq.h>
-#include "framework/data_bus.h"
-
-#define DAQ_SOF_MSG_EVENT "daq.message.sof"
-#define DAQ_EOF_MSG_EVENT "daq.message.eof"
-#define DAQ_OTHER_MSG_EVENT "daq.message.other"
+#include "pub_sub/intrinsic_event_ids.h"
namespace snort
{
//--------------------------------------------------------------------------
// Copyright (C) 2020-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
+// data_decrypt_event.h author Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
#ifndef DATA_DECRYPT_EVENT_H
#define DATA_DECRYPT_EVENT_H
-#define DATA_DECRYPT_EVENT "Data Decrypt event"
+#include "pub_sub/external_event_ids.h"
class DataDecryptEvent : public snort::DataEvent
{
StateEventType m_type;
};
-
-#endif //DATA_DECRYPT_EVENT_H
+#endif
#include "framework/data_bus.h"
-#define DCERPC_EXP_SESSION_EVENT_KEY "dcerpc_expected_session_event"
+struct DceTcpEventIds { enum : unsigned { EXP_SESSION, num_ids }; };
+
+const snort::PubKey dce_tcp_pub_key { "dce_tcp", DceTcpEventIds::num_ids };
namespace snort
{
#define DHCP_EVENTS_H
#include <cstring>
-#include "framework/data_bus.h"
+#include "pub_sub/appid_event_ids.h"
-#define DHCP_DATA_EVENT "dhcp_data_event"
-#define DHCP_INFO_EVENT "dhcp_info_event"
#define DHCP_OP55_MAX_SIZE 64
#define DHCP_OP60_MAX_SIZE 64
#define EVE_PROCESS_EVENT_H
#include <string>
-#include "framework/data_bus.h"
-
-#define EVE_PROCESS_EVENT "eve_process_event"
+#include "pub_sub/external_event_ids.h"
class EveProcessEvent : public snort::DataEvent
{
#include <list>
#include <vector>
-#include "framework/data_bus.h"
+#include "pub_sub/intrinsic_event_ids.h"
#define EXPECT_EVENT_TYPE_EARLY_SESSION_CREATE_KEY "expect_event_type_early_session_create"
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// external_event_ids.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef EXTERNAL_EVENT_IDS_H
+#define EXTERNAL_EVENT_IDS_H
+
+#include "framework/data_bus.h"
+
+struct ExternalEventIds
+{ enum : unsigned {
+
+ CPE_OS_INFO,
+ DATA_DECRYPT,
+ EVE_PROCESS,
+
+ num_ids
+}; };
+
+const snort::PubKey external_pub_key { "external", ExternalEventIds::num_ids };
+
+#endif
+
#include <daq_common.h>
-#include "framework/data_bus.h"
-
-#define FINALIZE_PACKET_EVENT "analyzer.finalize.packet"
+#include "pub_sub/intrinsic_event_ids.h"
namespace snort
{
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// http_event_ids.h author Russ Combs <rucombs@cisco.com>
+
+// Inspection events published by the Http Inspector. Modules can subscribe
+// to receive the events.
+
+#ifndef HTTP_EVENT_IDS_H
+#define HTTP_EVENT_IDS_H
+
+#include "framework/data_bus.h"
+
+namespace snort
+{
+// These are common values between the HTTP inspector and the subscribers.
+struct HttpEventIds
+{ enum : unsigned {
+
+ REQUEST_HEADER,
+ RESPONSE_HEADER,
+ REQUEST_BODY,
+
+ num_ids
+}; };
+
+const PubKey http_pub_key { "http_inspect", HttpEventIds::num_ids };
+
+}
+#endif
+
#define HTTP_EVENTS_H
#include "framework/data_bus.h"
-
-// These are common values between the HTTP inspector and the subscribers.
-#define HTTP_REQUEST_HEADER_EVENT_KEY "http_request_header_event"
-#define HTTP_RESPONSE_HEADER_EVENT_KEY "http_response_header_event"
+#include "pub_sub/http_event_ids.h"
class HttpMsgHeader;
namespace snort
{
+
class SO_PUBLIC HttpEvent : public snort::DataEvent
{
public:
HttpEvent(HttpMsgHeader* http_msg_header_, bool httpx, int64_t stream_id) :
http_msg_header(http_msg_header_), is_httpx(httpx), httpx_stream_id(stream_id) { }
-
const uint8_t* get_content_type(int32_t &length);
const uint8_t* get_cookie(int32_t &length);
const uint8_t* get_authority(int32_t &length);
#include "service_inspectors/http_inspect/http_field.h"
#include "service_inspectors/http_inspect/http_msg_body.h"
-// These are common values between the HTTP inspector and the subscribers.
-#define HTTPX_REQUEST_BODY_EVENT_KEY "httpx_request_body_event"
+#include "http_event_ids.h"
class HttpFlowData;
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// intrinsic_event_ids.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef INTRINSIC_EVENT_IDS_H
+#define INTRINSIC_EVENT_IDS_H
+
+// Common core functionality data events
+
+#include "framework/data_bus.h"
+
+namespace snort
+{
+
+struct IntrinsicEventIds
+{ enum : unsigned {
+
+ DAQ_SOF_MSG,
+ DAQ_EOF_MSG,
+ DAQ_OTHER_MSG,
+
+ ALT_PACKET,
+ PKT_WITHOUT_FLOW,
+ DETAINED_PACKET,
+ FINALIZE_PACKET,
+ RETRY_PACKET,
+
+ THREAD_IDLE,
+ THREAD_ROTATE,
+
+ SSL_SEARCH_ABANDONED,
+ OPPORTUNISTIC_TLS,
+
+ FLOW_STATE_CHANGE,
+ FLOW_SERVICE_CHANGE,
+ SERVICE_INSPECTOR_CHANGE,
+
+ FLOW_NO_SERVICE,
+ FLOW_STATE_SETUP,
+ FLOW_STATE_RELOADED,
+ FLOW_ASSISTANT_GADGET,
+
+ EXPECT_HANDLE_FLOWS,
+ EXPECT_EARLY_SESSION,
+ AUXILIARY_IP,
+ FILE_VERDICT,
+
+ num_ids
+}; };
+
+const PubKey intrinsic_pub_key { "snort", IntrinsicEventIds::num_ids };
+
+const unsigned intrinsic_pub_id = 1;
+}
+#endif
+
#include "framework/data_bus.h"
#include "service_inspectors/netflow/netflow_record.h"
-#define NETFLOW_EVENT "service_inspector.netflow"
-
namespace snort
{
+struct NetFlowEventIds { enum : unsigned { DATA, num_ids }; };
+
+const PubKey netflow_pub_key { "netflow", NetFlowEventIds::num_ids };
+
class NetFlowEvent : public DataEvent
{
public:
#include <memory>
#include <string>
-#include "framework/data_bus.h"
+#include "pub_sub/intrinsic_event_ids.h"
// An opportunistic SSL/TLS session will start from next packet
-#define OPPORTUNISTIC_TLS_EVENT "service_inspector.opportunistic.tls"
namespace snort
{
#ifndef PACKET_EVENTS_H
#define PACKET_EVENTS_H
-#include "framework/data_bus.h"
+#include "pub_sub/intrinsic_event_ids.h"
// A retry packet is being processed
-#define PKT_RETRY_EVENT "retry_packet"
namespace snort
{
#include "framework/data_bus.h"
-#define REPUTATION_MATCHED_EVENT "rep.matched"
-
namespace snort
{
+struct ReputationEventIds { enum : unsigned { REP_MATCHED, num_ids }; };
+
+const PubKey reputation_pub_key { "reputation", ReputationEventIds::num_ids };
+
enum ReputationVerdict
{
REP_VERDICT_BLOCKED,
#include "framework/data_bus.h"
#include "service_inspectors/netflow/netflow_record.h"
-#define RNA_NEW_NETFLOW_CONN "network_inspector.rna.new_netflow_host"
-
namespace snort
{
+struct RnaEventIds { enum : unsigned { NEW_NETFLOW_CONN, num_ids }; };
+
+const PubKey rna_pub_key { "rna", RnaEventIds::num_ids };
+
class RNAEvent : public DataEvent
{
public:
#include "framework/data_bus.h"
-#define SIP_EVENT_TYPE_SIP_DIALOG_KEY "sip_event_type_sip_dialog"
+struct SipEventIds { enum : unsigned { DIALOG, num_ids }; };
-enum SipEventType
-{
- SIP_EVENT_TYPE_SIP_DIALOG
-};
+const snort::PubKey sip_pub_key { "sip", SipEventIds::num_ids };
namespace snort
{
#ifndef SMB_EVENTS_H
#define SMB_EVENTS_H
-#include "framework/data_bus.h"
-
-#define FP_SMB_DATA_EVENT "fp_smb_data_event"
+#include "pub_sub/appid_event_ids.h"
namespace snort
{
}
-#endif // SMB_EVENTS_H
+#endif
+
// This event allows the SSH service inspector to publish extracted metadata
// for use by data bus subscribers
+#include "framework/data_bus.h"
#include "service_inspectors/ssh/ssh.h"
-#define SSH_EVENT "ssh_event"
+struct SshEventIds { enum : unsigned { STATE_CHANGE, num_ids }; };
-enum SshEventType {
+const snort::PubKey ssh_pub_key { "ssh", SshEventIds::num_ids };
+
+enum SshEventType
+{
SSH_VERSION_STRING,
SSH_VALIDATION
};
-enum SshValidationResult {
+enum SshValidationResult
+{
SSH_NOT_FINISHED,
SSH_VALID_KEXINIT,
SSH_INVALID_VERSION,
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// stream_event_ids.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef STREAM_EVENT_IDS_H
+#define STREAM_EVENT_IDS_H
+
+#include "framework/data_bus.h"
+
+struct StreamEventIds
+{ enum : unsigned {
+
+ IP_NEW_FLOW,
+ IP_BIDIRECTIONAL,
+
+ ICMP_NEW_FLOW,
+ ICMP_BIDIRECTIONAL,
+
+ TCP_SYN,
+ TCP_SYN_ACK,
+ TCP_MIDSTREAM,
+ TCP_ESTABLISHED,
+
+ UDP_NEW_FLOW,
+ UDP_BIDIRECTIONAL,
+
+ HA_NEW_FLOW,
+
+ num_ids
+}; };
+
+const snort::PubKey stream_pub_key { "stream", StreamEventIds::num_ids };
+
+#endif
publish_length = buf_size;
}
void HttpMsgBody::analyze() {}
-void HttpMsgBody::publish() {}
+void HttpMsgBody::publish(unsigned) {}
void HttpMsgBody::do_file_processing(const Field&) {}
void HttpMsgBody::do_utf_decoding(const Field&, Field&) {}
void HttpMsgBody::do_file_decompression(const Field&, Field&) {}
THREAD_LOCAL ProfileStats cip_perf_stats;
unsigned CipFlowData::inspector_id = 0;
+unsigned CipEventData::pub_id = 0;
static void free_cip_data(void* data);
if (publish_appid)
{
- DataBus::publish(CIP_EVENT_TYPE_CIP_DATA_KEY, cip_event, packet->flow);
+ DataBus::publish(CipEventData::pub_id, CipEventIds::DATA, cip_event, packet->flow);
}
}
Cip(CipProtoConf*);
~Cip() override;
+ bool configure(SnortConfig*) override;
void show(const SnortConfig*) const override;
void eval(Packet*) override;
}
}
+bool Cip::configure(SnortConfig*)
+{
+ CipEventData::pub_id = DataBus::get_id(cip_pub_key);
+ return true;
+}
+
void Cip::show(const SnortConfig*) const
{
if (!config)
#include "flow/flow.h"
#include "framework/counts.h"
+#include "framework/data_bus.h"
#include "main/thread.h"
#include "protocols/packet.h"
// Pointer to snort::Packet
const snort::Packet* snort_packet;
+
+ static unsigned pub_id;
};
class CipFlowData : public snort::FlowData
pack_cip_request_event(&embedded_request, &cip_event_data);
- DataBus::publish(CIP_EVENT_TYPE_CIP_DATA_KEY, cip_event, global_data->snort_packet->flow);
+ DataBus::publish(CipEventData::pub_id, CipEventIds::DATA, cip_event, global_data->snort_packet->flow);
}
return valid;
DceExpectedSessionEvent map_resp_event(pkt, src_ip, 0,
ept_ip, ept_port, proto, protocol_id);
- DataBus::publish(DCERPC_EXP_SESSION_EVENT_KEY, map_resp_event, pkt->flow);
+ DataBus::publish(Dce2Tcp::pub_id, DceTcpEventIds::EXP_SESSION, map_resp_event, pkt->flow);
}
DceTcpExpSsnManager::DceTcpExpSsnManager(const dce2TcpProtoConf& config) :
#include "dce_tcp.h"
#include "detection/detection_engine.h"
+#include "pub_sub/dcerpc_events.h"
#include "utils/util.h"
#include "dce_context_data.h"
THREAD_LOCAL ProfileStats dce2_tcp_pstat_main;
unsigned Dce2TcpFlowData::inspector_id = 0;
+unsigned Dce2Tcp::pub_id = 0;
DCE2_TcpSsnData* get_dce2_tcp_session_data(Flow* flow)
{
bool Dce2Tcp::configure(snort::SnortConfig* sc)
{
esm.set_proto_id(sc->proto_ref->add(DCE_RPC_SERVICE_NAME));
+ pub_id = DataBus::get_id(dce_tcp_pub_key);
return true;
}
#ifndef DCE_TCP_H
#define DCE_TCP_H
+#include "framework/data_bus.h"
#include "framework/inspector.h"
#include "profiler/profiler_defs.h"
snort::StreamSplitter* get_splitter(bool c2s) override
{ return new Dce2TcpSplitter(c2s); }
+ static unsigned pub_id;
+
private:
dce2TcpProtoConf config;
DceTcpExpSsnManager esm;
#include "framework/data_bus.h"
#include "log/messages.h"
#include "managers/inspector_manager.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "utils/util.h"
#include "ftp_cmd_lookup.h"
void do_detection(Packet* p)
{
- DataBus::publish(PACKET_EVENT, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::ALT_PACKET, p);
DetectionEngine::disable_all(p);
}
if (fd and fd->in_tls)
{
OpportunisticTlsEvent evt(p, fd_svc_name);
- DataBus::publish(OPPORTUNISTIC_TLS_EVENT, evt, p->flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, evt, p->flow);
}
else
- DataBus::publish(SSL_SEARCH_ABANDONED, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p);
}
}
and rsp_code == 234)
{
OpportunisticTlsEvent event(p, p->flow->service);
- DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, event, p->flow);
++ftstats.starttls;
if (session->flags & FTP_FLG_SEARCH_ABANDONED)
++ftstats.ssl_search_abandoned_too_soon;
!(ftpssn->flags & FTP_FLG_SEARCH_ABANDONED))
{
ftpssn->flags |= FTP_FLG_SEARCH_ABANDONED;
- DataBus::publish(SSL_SEARCH_ABANDONED, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p);
++ftstats.ssl_search_abandoned;
}
#include "http2_flow_data.h"
+#include "main/snort_types.h"
#include "service_inspectors/http_inspect/http_inspect.h"
#include "service_inspectors/http_inspect/http_test_manager.h"
FlowData* Http2FlowStreamIntf::get_stream_flow_data(const Flow* flow)
{
- Http2FlowData* h2i_flow_data = nullptr;
-
- h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
assert(h2i_flow_data);
return h2i_flow_data->get_hi_flow_data();
void Http2FlowStreamIntf::set_stream_flow_data(Flow* flow, FlowData* flow_data)
{
- Http2FlowData* h2i_flow_data =
- (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
assert(h2i_flow_data);
+
h2i_flow_data->set_hi_flow_data((HttpFlowData*)flow_data);
}
void Http2FlowStreamIntf::get_stream_id(const Flow* flow, int64_t& stream_id)
{
- Http2FlowData* h2i_flow_data = nullptr;
-
- h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
assert(h2i_flow_data);
+
stream_id = h2i_flow_data->get_processing_stream_id();
}
AppId Http2FlowStreamIntf::get_appid_from_stream(const Flow* flow)
{
- Http2FlowData* h2i_flow_data = nullptr;
-
- h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+#ifdef NDEBUG
+ UNUSED(flow);
+#else
+ Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
assert(h2i_flow_data);
+#endif
return APP_ID_HTTP2;
}
if (session_data == nullptr)
{
AssistantGadgetEvent event(pkt, "http");
- DataBus::publish(FLOW_ASSISTANT_GADGET_EVENT, event, flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_ASSISTANT_GADGET, event, flow);
if (flow->assistant_gadget == nullptr)
{
// http_inspect is not configured
#include "service_inspectors/http2_inspect/http2_flow_data.h"
#include "log/unified2.h"
#include "protocols/packet.h"
+#include "pub_sub/http_event_ids.h"
#include "stream/stream.h"
#include "http_common.h"
delete script_finder;
}
-bool HttpInspect::configure(SnortConfig* )
+bool HttpInspect::configure(SnortConfig*)
{
params->js_norm_param.configure();
params->mime_decode_conf->sync_all_depths();
+ pub_id = DataBus::get_id(http_pub_key);
return true;
}
}
#endif
- current_section->publish();
+ current_section->publish(pub_id);
if (p != nullptr)
{
const PduSection pdu_section = current_section->get_inspection_section();
static int get_xtra_host(snort::Flow*, uint8_t** buf, uint32_t* len, uint32_t* type);
static int get_xtra_jsnorm(snort::Flow*, uint8_t**, uint32_t*, uint32_t*);
+ unsigned get_pub_id()
+ { return pub_id; }
+
private:
friend HttpApi;
friend HttpStreamSplitter;
const uint32_t xtra_uri_id;
const uint32_t xtra_host_id;
const uint32_t xtra_jsnorm_id;
+
+ unsigned pub_id; // for inspection events
};
#endif
get_related_sections();
}
-void HttpMsgBody::publish()
+void HttpMsgBody::publish(unsigned pub_id)
{
if (publish_length <= 0)
return;
HttpRequestBodyEvent http_request_body_event(this, publish_octets, last_piece, session_data);
- DataBus::publish(HTTPX_REQUEST_BODY_EVENT_KEY, http_request_body_event, flow);
+ DataBus::publish(pub_id, HttpEventIds::REQUEST_BODY, http_request_body_event, flow);
publish_octets += publish_length;
#ifdef REG_TEST
if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP))
const Field& get_msg_text_new() const { return msg_text_new; }
static void fd_event_callback(void* context, int event);
bool is_first() { return first_body; }
- void publish() override;
+ void publish(unsigned pub_id) override;
int32_t get_publish_length() const;
protected:
get_related_sections();
}
-void HttpMsgHeader::publish()
+void HttpMsgHeader::publish(unsigned pub_id)
{
const int64_t stream_id = session_data->get_hx_stream_id();
HttpEvent http_header_event(this, session_data->for_httpx, stream_id);
- const char* key = (source_id == SRC_CLIENT) ?
- HTTP_REQUEST_HEADER_EVENT_KEY : HTTP_RESPONSE_HEADER_EVENT_KEY;
+ unsigned evid = (source_id == SRC_CLIENT) ?
+ HttpEventIds::REQUEST_HEADER : HttpEventIds::RESPONSE_HEADER;
- DataBus::publish(key, http_header_event, flow);
+ DataBus::publish(pub_id, evid, http_header_event, flow);
}
const Field& HttpMsgHeader::get_true_ip()
bool detection_required() const override { return true; }
void update_flow() override;
void gen_events() override;
- void publish() override;
+ void publish(unsigned pub_id) override;
const Field& get_true_ip();
const Field& get_true_ip_addr();
int32_t get_num_cookies();
#include "http_msg_request.h"
+#include "pub_sub/intrinsic_event_ids.h"
+
#include "http_api.h"
#include "http_common.h"
#include "http_enum.h"
session_data->method_id = method_id;
}
-void HttpMsgRequest::publish()
+void HttpMsgRequest::publish(unsigned)
{
if (!session_data->ssl_search_abandoned && trans_num > 1 &&
!flow->flags.data_decrypted && get_method_id() != METH_CONNECT)
{
session_data->ssl_search_abandoned = true;
- DataBus::publish(SSL_SEARCH_ABANDONED, DetectionEngine::get_current_packet());
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, DetectionEngine::get_current_packet());
}
if (SnortConfig::get_conf()->aux_ip_is_enabled())
{ return snort::PS_HEADER; }
void gen_events() override;
void update_flow() override;
- void publish() override;
+ void publish(unsigned pub_id) override;
const Field& get_method() { return method; }
const Field& get_uri();
virtual void update_flow() = 0;
// Publish an inspection event for other modules to consume
- virtual void publish() {}
+ virtual void publish(unsigned /*pub_id*/) {}
// Call the detection engine to inspect the current packet
virtual bool run_detection(snort::Packet* p);
{
HttpRequestBodyEvent http_request_body_event(nullptr,
session_data->publish_octets[source_id], true, session_data);
- DataBus::publish(HTTPX_REQUEST_BODY_EVENT_KEY, http_request_body_event, flow);
+ DataBus::publish(my_inspector->get_pub_id(), HttpEventIds::REQUEST_BODY, http_request_body_event, flow);
#ifdef REG_TEST
if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP))
{
and !p->flow->flags.data_decrypted)
{
imap_ssn->session_flags |= IMAP_FLAG_ABANDON_EVT;
- DataBus::publish(SSL_SEARCH_ABANDONED, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p);
imapstats.ssl_search_abandoned++;
}
imap_ssn->state = STATE_DATA;
}
OpportunisticTlsEvent event(p, p->flow->service);
- DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, event, p->flow);
imapstats.start_tls++;
imap_ssn->state = STATE_DECRYPTION_REQ;
}
using namespace snort;
+static unsigned pub_id = 0;
+
// -----------------------------------------------------------------------------
// static functions
// -----------------------------------------------------------------------------
}
NetFlowEvent event(p, &record, match->create_host, match->create_service, swapped, serviceID);
- DataBus::publish(NETFLOW_EVENT, event);
+ DataBus::publish(pub_id, NetFlowEventIds::DATA, event);
}
static bool version_9_record_update(const unsigned char* data, uint32_t unix_secs,
void tterm() override;
void eval(snort::Packet*) override;
+ bool configure(SnortConfig*) override;
void show(const snort::SnortConfig*) const override;
void install_reload_handler(snort::SnortConfig*) override;
return zs;
}
+bool NetFlowInspector::configure(SnortConfig*)
+{
+ pub_id = DataBus::get_id(netflow_pub_key);
+ return true;
+}
+
static void show_device(const NetFlowRule& d, bool is_exclude)
{
ConfigLogger::log_flag("exclude", is_exclude, true);
and !p->flow->flags.data_decrypted)
{
pop_ssn->session_flags |= POP_FLAG_ABANDON_EVT;
- DataBus::publish(SSL_SEARCH_ABANDONED, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p);
popstats.ssl_search_abandoned++;
}
}
OpportunisticTlsEvent event(p, p->flow->service);
- DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, event, p->flow);
popstats.start_tls++;
pop_ssn->state = STATE_DECRYPTION_REQ;
}
#include "log/messages.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "stream/stream.h"
#include "stream/stream_splitter.h"
#include "utils/safec.h"
if (RpcPrepRaw(data, rsdata->frag_len, p) != RPC_STATUS__SUCCESS)
return RPC_STATUS__ERROR;
- DataBus::publish(PACKET_EVENT, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::ALT_PACKET, p);
}
if ( (dsize > 0) )
if ( (dsize > 0) )
RpcPreprocEvent(rsdata, RPC_MULTIPLE_RECORD);
- DataBus::publish(PACKET_EVENT, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::ALT_PACKET, p);
RpcBufClean(&rsdata->frag);
}
#include "memory/memory_cap.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
+#include "pub_sub/sip_events.h"
#include "stream/stream_splitter.h"
#include "sip_module.h"
static void FreeSipData(void*);
unsigned SipFlowData::inspector_id = 0;
+unsigned SIPData::pub_id = 0;
SipFlowData::SipFlowData() : FlowData(inspector_id)
{
Sip(SIP_PROTO_CONF*);
~Sip() override;
+ bool configure(SnortConfig*) override;
void show(const SnortConfig*) const override;
void eval(Packet*) override;
}
}
+bool Sip::configure(SnortConfig*)
+{
+ SIPData::pub_id = DataBus::get_id(sip_pub_key);
+ return true;
+}
+
void Sip::show(const SnortConfig*) const
{
if ( !config )
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-//
#ifndef SIP_H
#define SIP_H
+
// Implementation header with definitions, datatypes and flowdata class for SIP service inspector.
#include "flow/flow.h"
+#include "framework/data_bus.h"
+
#include "sip_dialog.h"
#include "sip_parser.h"
#include "sip_roptions.h"
SIP_DialogList dialogs;
SIP_Roptions ropts;
SIP_PROTO_CONF *sip_config;
+
+ static unsigned pub_id;
};
class SipFlowData : public snort::FlowData
const Packet* p, const SIPMsg* sip_msg, const SIP_DialogData* dialog)
{
SipEvent event(p, sip_msg, dialog);
- DataBus::publish(SIP_EVENT_TYPE_SIP_DIALOG_KEY, event, p->flow);
+ DataBus::publish(SIPData::pub_id, SipEventIds::DIALOG, event, p->flow);
}
/********************************************************************
and !(smtp_ssn->state_flags & SMTP_FLAG_ABANDON_EVT))
{
smtp_ssn->state_flags |= SMTP_FLAG_ABANDON_EVT;
- DataBus::publish(SSL_SEARCH_ABANDONED, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p);
++smtpstats.ssl_search_abandoned;
}
break;
smtp_ssn->server_accepted_starttls = true;
OpportunisticTlsEvent event(p, p->flow->service);
- DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, event, p->flow);
++smtpstats.starttls;
if (smtp_ssn->state_flags & SMTP_FLAG_ABANDON_EVT)
++smtpstats.ssl_search_abandoned_too_soon;
THREAD_LOCAL ProfileStats sshPerfStats;
THREAD_LOCAL SshStats sshstats;
+static unsigned pub_id = 0;
+
/*
* Function prototype(s)
*/
{
std::string proto_string((const char *)(p->data), p->dsize);
SshEvent event(SSH_VERSION_STRING, SSH_NOT_FINISHED, proto_string, pkt_direction, p);
- DataBus::publish(SSH_EVENT, event, p->flow);
+ DataBus::publish(pub_id, SshEventIds::STATE_CHANGE, event, p->flow);
}
else
{
SshEvent event(SSH_VALIDATION, SSH_INVALID_VERSION, "", pkt_direction, p);
- DataBus::publish(SSH_EVENT, event, p->flow);
+ DataBus::publish(pub_id, SshEventIds::STATE_CHANGE, event, p->flow);
}
}
else if (!(sessp->state_flags & search_dir_keyinit))
if (keyx_valid)
{
SshEvent event(SSH_VALIDATION, SSH_VALID_KEXINIT, "", pkt_direction, p);
- DataBus::publish(SSH_EVENT, event, p->flow);
+ DataBus::publish(pub_id, SshEventIds::STATE_CHANGE, event, p->flow);
}
else
{
SshEvent event(SSH_VALIDATION, SSH_INVALID_KEXINIT, "", pkt_direction, p);
- DataBus::publish(SSH_EVENT, event, p->flow);
+ DataBus::publish(pub_id, SshEventIds::STATE_CHANGE, event, p->flow);
sessp->state_flags |= SSH_FLG_SESS_ENCRYPTED;
}
}
Ssh(SSH_PROTO_CONF*);
~Ssh() override;
+ bool configure(SnortConfig*) override;
void show(const SnortConfig*) const override;
void eval(Packet*) override;
class StreamSplitter* get_splitter(bool to_server) override
delete config;
}
+bool Ssh::configure(SnortConfig*)
+{
+ pub_id = DataBus::get_id(ssh_pub_key);
+ return true;
+}
+
void Ssh::show(const SnortConfig*) const
{
if ( !config )
bool Ssl::configure(SnortConfig*)
{
- DataBus::subscribe(FINALIZE_PACKET_EVENT, new SslFinalizePacketHandler());
- DataBus::subscribe(OPPORTUNISTIC_TLS_EVENT, new SslStartTlsEventtHandler());
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FINALIZE_PACKET, new SslFinalizePacketHandler());
+ DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::OPPORTUNISTIC_TLS, new SslStartTlsEventtHandler());
return true;
}
#include "log/messages.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "stream/stream_splitter.h"
#include "trace/trace_api.h"
if ( !pkt->flow->flags.svc_event_generated )
{
- DataBus::publish(FLOW_NO_SERVICE_EVENT, pkt);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_NO_SERVICE, pkt);
pkt->flow->flags.svc_event_generated = true;
}
// enhanced to abort sooner if it can't detect service.
if ( !pkt->flow->service and !pkt->flow->flags.svc_event_generated )
{
- DataBus::publish(FLOW_NO_SERVICE_EVENT, pkt);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_NO_SERVICE, pkt);
pkt->flow->flags.svc_event_generated = true;
}
#include "profiler/profiler_defs.h"
#include "protocols/packet.h"
#include "protocols/tcp.h"
+#include "pub_sub/stream_event_ids.h"
#include "stream/flush_bucket.h"
+#include "stream/stream.h"
#include "stream/tcp/tcp_stream_tracker.h"
#include "stream_ha.h"
{
public:
StreamBase(const StreamModuleConfig*);
+ bool configure(SnortConfig*) override;
void show(const SnortConfig*) const override;
void tear_down(SnortConfig*) override;
StreamBase::StreamBase(const StreamModuleConfig* c)
{ config = *c; }
+bool StreamBase::configure(SnortConfig*)
+{
+ Stream::set_pub_id();
+ return true;
+}
+
void StreamBase::tear_down(SnortConfig* sc)
{ sc->register_reload_handler(new StreamUnloadReloadResourceManager); }
bool new_flow = false;
flow_con->process(PktType::IP, p, &new_flow);
if ( new_flow )
- DataBus::publish(STREAM_IP_NEW_FLOW_EVENT, p);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::IP_NEW_FLOW, p);
}
break;
bool new_flow = false;
flow_con->process(PktType::UDP, p, &new_flow);
if ( new_flow )
- DataBus::publish(STREAM_UDP_NEW_FLOW_EVENT, p);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::UDP_NEW_FLOW, p);
}
break;
if ( !flow_con->process(PktType::ICMP, p, &new_flow) )
flow_con->process(PktType::IP, p, &new_flow);
if ( new_flow )
- DataBus::publish(STREAM_ICMP_NEW_FLOW_EVENT, p);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::ICMP_NEW_FLOW, p);
}
break;
#include "flow/flow_key.h"
#include "managers/inspector_manager.h"
+#include "pub_sub/stream_event_ids.h"
#include "stream/stream.h"
using namespace snort;
return false;
BareDataEvent event;
- DataBus::publish(STREAM_HA_NEW_FLOW_EVENT, event, flow);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::HA_NEW_FLOW, event, flow);
flow->ha_state->clear(FlowHAState::NEW);
flow->ha_state->add(FlowHAState::STANDBY);
ha_client = nullptr;
}
}
+
#include "protocols/tcp.h"
#include "protocols/udp.h"
#include "protocols/vlan.h"
+#include "pub_sub/stream_event_ids.h"
+#include "stream/stream.h"
#include "utils/util.h"
#include "icmp_ha.h"
if (!(flow->ssn_state.session_flags & SSNFLAG_ESTABLISHED) and !(p->is_from_client()))
{
- DataBus::publish(STREAM_ICMP_BIDIRECTIONAL_EVENT, p);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::ICMP_BIDIRECTIONAL, p);
flow->ssn_state.session_flags |= SSNFLAG_ESTABLISHED;
}
#include "memory/memory_cap.h"
#include "profiler/profiler_defs.h"
#include "protocols/packet.h"
+#include "pub_sub/stream_event_ids.h"
+#include "stream/stream.h"
#include "ip_defrag.h"
#include "ip_ha.h"
if ( p->type() == PktType::ICMP and p->ptrs.icmph)
{
- DataBus::publish(STREAM_ICMP_BIDIRECTIONAL_EVENT, p);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::ICMP_BIDIRECTIONAL, p);
}
else
{
- DataBus::publish(STREAM_IP_BIDIRECTIONAL_EVENT, p);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::IP_BIDIRECTIONAL, p);
}
}
}
StreamIp(StreamIpConfig*);
~StreamIp() override;
- bool configure(SnortConfig*) override;
void show(const SnortConfig*) const override;
NORETURN_ASSERT void eval(Packet*) override;
StreamIpConfig* config;
#include "flow/flow_key.h"
#include "flow/ha.h"
#include "flow/prune_stats.h"
+#include "framework/data_bus.h"
#include "main/snort.h"
#include "main/snort_config.h"
#include "network_inspectors/packet_tracer/packet_tracer.h"
#include "packet_io/active.h"
#include "protocols/vlan.h"
+#include "pub_sub/stream_event_ids.h"
#include "stream/base/stream_module.h"
#include "target_based/host_attributes.h"
#include "target_based/snort_protocols.h"
return false;
}
+//-------------------------------------------------------------------------
+// pub sub foo
+//-------------------------------------------------------------------------
+
+static unsigned stream_pub_id = 0;
+
+void Stream::set_pub_id()
+{ stream_pub_id = DataBus::get_id(stream_pub_key); }
+
+unsigned Stream::get_pub_id()
+{ return stream_pub_id; }
+
+//-------------------------------------------------------------------------
#ifdef UNIT_TEST
+//-------------------------------------------------------------------------
#include "catch/snort_catch.h"
#include "tcp/test/stream_tcp_test_utils.h"
static bool get_held_pkt_seq(Flow*, uint32_t&);
+ static void set_pub_id();
+ static unsigned get_pub_id();
+
private:
static void set_ip_protocol(Flow*);
};
#include "memory/memory_cap.h"
#include "profiler/profiler.h"
#include "protocols/eth.h"
+#include "pub_sub/intrinsic_event_ids.h"
#include "stream_tcp.h"
#include "tcp_ha.h"
flow->update_session_flags(session_flags);
if ( fire_event )
- DataBus::publish(FLOW_STATE_EVENT, nullptr, flow);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_STATE_CHANGE, nullptr, flow);
}
bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
#include "tcp_state_listen.h"
+#include "pub_sub/stream_event_ids.h"
+#include "stream/stream.h"
+
#include "tcp_normalizers.h"
#include "tcp_session.h"
if ( !Stream::is_midstream(flow) )
{
flow->set_session_flags(SSNFLAG_MIDSTREAM);
- DataBus::publish(STREAM_TCP_MIDSTREAM_EVENT, tsd.get_pkt());
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
}
trk.init_on_data_seg_sent(tsd);
if ( !Stream::is_midstream(flow) )
{
flow->set_session_flags(SSNFLAG_MIDSTREAM);
- DataBus::publish(STREAM_TCP_MIDSTREAM_EVENT, tsd.get_pkt());
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
}
trk.init_on_data_seg_recv(tsd);
trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
#include "tcp_state_none.h"
+#include "pub_sub/stream_event_ids.h"
+#include "stream/stream.h"
+
#include "tcp_normalizers.h"
#include "tcp_session.h"
if ( !Stream::is_midstream(flow) )
{
flow->set_session_flags(SSNFLAG_MIDSTREAM);
- DataBus::publish(STREAM_TCP_MIDSTREAM_EVENT, tsd.get_pkt());
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
}
trk.init_on_data_seg_sent(tsd);
if ( !Stream::is_midstream(flow) )
{
flow->set_session_flags(SSNFLAG_MIDSTREAM);
- DataBus::publish(STREAM_TCP_MIDSTREAM_EVENT, tsd.get_pkt());
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
}
trk.init_on_data_seg_recv(tsd);
#include "framework/data_bus.h"
#include "log/messages.h"
+#include "pub_sub/stream_event_ids.h"
+#include "stream/stream.h"
#include "stream/tcp/tcp_ha.h"
using namespace snort;
if (SSNFLAG_ESTABLISHED != (SSNFLAG_ESTABLISHED & flow->get_session_flags()))
{
flow->set_session_flags(SSNFLAG_ESTABLISHED);
- DataBus::publish(STREAM_TCP_ESTABLISHED_EVENT, p);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_ESTABLISHED, p);
}
}
else if ( initiator_watermark != watermark )
{
flow.ssn_state.session_flags |= SSNFLAG_TCP_ONE_SIDED;
- DataBus::publish(STREAM_TCP_ESTABLISHED_EVENT, p);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_ESTABLISHED, p);
}
}
}
#include "packet_io/active.h"
#include "profiler/profiler_defs.h"
#include "protocols/eth.h"
+#include "pub_sub/stream_event_ids.h"
+#include "stream/stream.h"
#include "held_packet_queue.h"
#include "segment_overlap_editor.h"
tcp_event = TCP_SYN_RECV_EVENT;
tcpStats.syns++;
if ( tcp_state == TcpStreamTracker::TCP_LISTEN )
- DataBus::publish(STREAM_TCP_SYN_EVENT, tsd.get_pkt());
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_SYN, tsd.get_pkt());
}
else if ( tcph->is_syn_ack() )
{
(!Stream::is_midstream(tsd.get_flow()) and
(tcp_state == TcpStreamTracker::TCP_LISTEN or
tcp_state == TcpStreamTracker::TCP_STATE_NONE)) )
- DataBus::publish(STREAM_TCP_SYN_ACK_EVENT, tsd.get_pkt());
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_SYN_ACK, tsd.get_pkt());
}
else if ( tcph->is_rst() )
{
#include "memory/memory_cap.h"
#include "profiler/profiler_defs.h"
#include "protocols/packet.h"
+#include "pub_sub/intrinsic_event_ids.h"
+#include "pub_sub/stream_event_ids.h"
+#include "stream/stream.h"
#include "udp_ha.h"
#include "udp_module.h"
(lwssn->ssn_state.session_flags & SSNFLAG_SEEN_RESPONDER))
{
lwssn->ssn_state.session_flags |= SSNFLAG_ESTABLISHED;
- DataBus::publish(STREAM_UDP_BIDIRECTIONAL_EVENT, p);
+ DataBus::publish(Stream::get_pub_id(), StreamEventIds::UDP_BIDIRECTIONAL, p);
}
}
SESSION_STATS_ADD(udpStats)
- DataBus::publish(FLOW_STATE_EVENT, p);
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_STATE_CHANGE, p);
if ( flow->ssn_state.ignore_direction != SSN_DIR_NONE )
{
projects / thirdparty / snort3.git / commitdiff
