Merge pull request #2413 in SNORT/snort3 from ~MMATIRKO/snort3:update_proto to master
authorMasud Hasan (mashasan) <mashasan@cisco.com>
Mon, 24 Aug 2020 19:32:09 +0000 (19:32 +0000)
committerMasud Hasan (mashasan) <mashasan@cisco.com>
Mon, 24 Aug 2020 19:32:09 +0000 (19:32 +0000)
Squashed commit of the following:

commit 319ee476aba2c0a07accbea66c720d66230e7bef
Author: Michael Matirko <mmatirko@cisco.com>
Date:   Wed Aug 19 16:21:28 2020 -0400

    rna: add protocols on logging host trackers

src/host_tracker/host_tracker.h
src/network_inspectors/rna/rna_mac_cache.h
src/network_inspectors/rna/rna_pnd.cc

index 8947833cbe144da6ee5d94f11a5faddf17b3ba30..8ce467481146b1248c92e9403baa210a3d118b24 100644 (file)
@@ -107,11 +107,35 @@ public:
         return last_event;
     }
 
+    std::vector<uint16_t, HostCacheAllocIp<uint16_t>> get_network_protos()
+    {
+        std::lock_guard<std::mutex> lck(host_tracker_lock);
+        return network_protos;
+    }
+
+    std::vector<uint8_t, HostCacheAllocIp<uint8_t>> get_xport_protos()
+    {
+        std::lock_guard<std::mutex> lck(host_tracker_lock);
+        return xport_protos;
+    }
+
     void set_host_type(HostType rht)
-    { host_type = rht; }
+    {
+        std::lock_guard<std::mutex> lck(host_tracker_lock);
+        host_type = rht;
+    }
 
-    uint8_t get_hops() { return hops; }
-    void update_hops(uint8_t h) { hops = h; }
+    uint8_t get_hops()
+    {
+        std::lock_guard<std::mutex> lck(host_tracker_lock);
+        return hops;
+    }
+
+    void update_hops(uint8_t h)
+    {
+        std::lock_guard<std::mutex> lck(host_tracker_lock);
+        hops = h;
+    }
 
     // Returns true if a new mac entry is added, false otherwise
     bool add_mac(const uint8_t* mac, uint8_t ttl, uint8_t primary);
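Review bot: `get_network_protos()` and `get_xport_protos()` return a copy that keeps the `HostCacheAllocIp` allocator, so the temporary is presumably allocated through the host-cache allocator while `host_tracker_lock` is held. If that allocator does memory accounting for the cache (its definition is not visible here), every logging call charges and then releases a throw-away vector against it. Returning a plain vector avoids that: declare the return type as `std::vector<uint16_t>` and use `return std::vector<uint16_t>(network_protos.begin(), network_protos.end());`, likewise with `uint8_t` for the transport getter. The same applies to `get_network_protos()` in rna_mac_cache.h with `HostCacheAllocMac`. A one-line comment on each getter would also help, e.g. `// Returns a snapshot taken under the lock; later additions are not reflected`.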
index a9855ca29674b8552e3baf24261697a17b9d6af6..436d6c0a4961e7810b5f73b00d27b85ce2fc6748 100644 (file)
@@ -55,6 +55,12 @@ public:
     bool has_vlan();
     void get_vlan_details(uint8_t& cfi, uint8_t& priority, uint16_t& vid);
 
+    std::vector<uint16_t, HostCacheAllocMac<uint16_t>> get_network_protos()
+    {
+        std::lock_guard<std::mutex> lck(host_tracker_mac_lock);
+        return network_protos;
+    }
+
     uint16_t get_vlan();
 
     uint32_t get_last_seen()
index 6c06517619687a790fe2b577561260b98203ef3f..71bb68fd6fc475b2053397372130fe00b388903d 100644 (file)
@@ -171,18 +171,18 @@ void RnaPnd::discover_network(const Packet* p, uint8_t ttl)
 
     if ( new_mac and !new_host )
         logger.log(RNA_EVENT_CHANGE, CHANGE_MAC_ADD, p, &ht,
-            src_ip_ptr, src_mac, 0, nullptr, ht->get_hostmac(src_mac));
+            src_ip_ptr, src_mac, packet_time(), nullptr, ht->get_hostmac(src_mac));
 
     if ( ht->update_mac_ttl(src_mac, ttl) )
     {
         logger.log(RNA_EVENT_CHANGE, CHANGE_MAC_INFO, p, &ht,
-            src_ip_ptr, src_mac, 0, nullptr, ht->get_hostmac(src_mac));
+            src_ip_ptr, src_mac, packet_time(), nullptr, ht->get_hostmac(src_mac));
 
         HostMac* hm = ht->get_max_ttl_hostmac();
         if (hm and hm->primary and ht->get_hops())
         {
             ht->update_hops(0);
-            logger.log(RNA_EVENT_CHANGE, CHANGE_HOPS, p, &ht, src_ip_ptr, src_mac);
+            logger.log(RNA_EVENT_CHANGE, CHANGE_HOPS, p, &ht, src_ip_ptr, src_mac, packet_time());
         }
     }
 
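Review bot: The `ht->get_hops()` test and the `ht->update_hops(0)` call in the `hm->primary` branch now take the tracker lock separately, because both accessors lock internally, so the read-then-reset is not atomic. If two packet threads can reach this branch for the same tracker, both may see non-zero hops and both log `CHANGE_HOPS`. Consider a single HostTracker method that resets hops under one lock and reports whether the value changed. At minimum add a comment here, such as `// get_hops()/update_hops() lock separately; a duplicate CHANGE_HOPS is possible under contention`. The body of discover_network starts and ends outside this hunk.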
@@ -191,13 +191,13 @@ void RnaPnd::discover_network(const Packet* p, uint8_t ttl)
     {
         if ( ht->add_network_proto(ptype) )
             logger.log(RNA_EVENT_NEW, NEW_NET_PROTOCOL, p, &ht, src_ip_ptr, src_mac,
-                0, nullptr, nullptr, ptype);
+                packet_time(), nullptr, nullptr, ptype);
     }
 
     ptype = to_utype(p->get_ip_proto_next());
     if ( ht->add_xport_proto(ptype) )
         logger.log(RNA_EVENT_NEW, NEW_XPORT_PROTOCOL, p, &ht, src_ip_ptr, src_mac,
-            0, nullptr, nullptr, ptype);
+            packet_time(), nullptr, nullptr, ptype);
 
     if ( !new_host )
     {
@@ -282,8 +282,13 @@ void RnaPnd::generate_change_host_update_eth(HostTrackerMac* mt, const Packet* p
 
     // Create and populate a new HostTracker solely for event logging
     RnaTracker rt = shared_ptr<snort::HostTracker>(new HostTracker());
-    rt.get()->update_last_seen();
-    rt.get()->add_mac(src_mac, 0, 1);
+    rt->update_last_seen();
+    rt->add_mac(src_mac, 0, 1);
+
+    auto protos = mt->get_network_protos();
+    auto total = protos.size();
+    while( total-- )
+        rt->add_network_proto(protos[total]);
 
     uint32_t last_seen = mt->get_last_seen();
     uint32_t last_event = mt->get_last_event();
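Review bot: The `while( total-- )` loop copies the protocols into the event-only tracker in reverse order and relies on post-decrement of an unsigned counter, which is correct but easy to misread. A forward range-for is clearer and keeps the source order: `for ( const auto proto : protos ) rt->add_network_proto(proto);`. `mt` is dereferenced here without a check, as it already is for `get_last_seen()` just below, so the caller is assumed to pass a non-null tracker. The body of generate_change_host_update_eth continues outside the hunk.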
@@ -460,9 +465,6 @@ int RnaPnd::discover_network_arp(const Packet* p, RnaTracker* ht_ref)
     auto ht = host_cache.find_else_create(spa, &new_host);
     auto hm_ptr = host_cache_mac.find_else_create(mk, &new_host_mac);
 
-    if ( !new_host )
-        generate_change_host_update_eth(hm_ptr.get(), p, src_mac, packet_time());
-
     if (!new_host_mac)
         hm_ptr->update_last_seen(p->pkth->ts.tv_sec);
 
@@ -493,8 +495,8 @@ int RnaPnd::discover_network_arp(const Packet* p, RnaTracker* ht_ref)
     }
 
     generate_change_vlan_update(&ht, p, src_mac, &spa, true);
-
     auto ntype = to_utype(ProtocolId::ETHERTYPE_ARP);
+
     if ( hm_ptr->add_network_proto(ntype) )
     {
         logger.log(RNA_EVENT_NEW, NEW_NET_PROTOCOL, p, &ht, nullptr, src_mac,
@@ -511,6 +513,9 @@ int RnaPnd::discover_network_arp(const Packet* p, RnaTracker* ht_ref)
         hm_ptr->update_last_event(p->pkth->ts.tv_sec);
     }
 
+    if ( !new_host )
+        generate_change_host_update_eth(hm_ptr.get(), p, src_mac, packet_time());
+
     return 0;
 }
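Review bot: The relocated `generate_change_host_update_eth()` call now runs after `hm_ptr->update_last_event(p->pkth->ts.tv_sec)` in the block above, and that function reads `mt->get_last_event()` (visible in its own hunk). The move therefore changes the timestamps it sees as well as the protocols it copies. If the intent is only to log after `add_network_proto(ntype)`, record that with a comment such as `// Log last so the event tracker includes protocols added above`. Any `return` between the old and new call sites, outside the visible hunks, would now skip the update event, so it is worth confirming there is none.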