#include "protocols/packet.h"
#include "protocols/tcp.h"
#include "search_engines/search_tool.h"
-#include "stream/stream_api.h"
+#include "stream/stream.h"
#include "utils/util.h"
#include "utils/util_utf.h"
#include "utils/sfsnprintfappend.h"
void HttpInspectRegisterXtraDataFuncs()
{
- xtra_trueip_id = stream.reg_xtra_data_cb(GetHttpTrueIP);
- xtra_uri_id = stream.reg_xtra_data_cb(GetHttpUriData);
- xtra_hname_id = stream.reg_xtra_data_cb(GetHttpHostnameData);
- xtra_gzip_id = stream.reg_xtra_data_cb(GetHttpGzipData);
- xtra_jsnorm_id = stream.reg_xtra_data_cb(GetHttpJSNormData);
+ xtra_trueip_id = Stream::reg_xtra_data_cb(GetHttpTrueIP);
+ xtra_uri_id = Stream::reg_xtra_data_cb(GetHttpUriData);
+ xtra_hname_id = Stream::reg_xtra_data_cb(GetHttpHostnameData);
+ xtra_gzip_id = Stream::reg_xtra_data_cb(GetHttpGzipData);
+ xtra_jsnorm_id = Stream::reg_xtra_data_cb(GetHttpJSNormData);
}
static void PrintFileDecompOpt(HTTPINSPECT_CONF* ServerConf)
/*
** We now set the packet direction
*/
- if (p->flow && stream.is_midstream(p->flow))
+ if (p->flow && Stream::is_midstream(p->flow))
{
SiInput->pdir = HI_SI_NO_MODE;
}
/* for pipelined HTTP requests */
if ( !iCallDetect )
- stream.clear_extra_data(p->flow, p, 0);
+ Stream::clear_extra_data(p->flow, p, 0);
if (hsd->true_ip)
{
if (!(p->packet_flags & PKT_STREAM_INSERT) && !(p->packet_flags & PKT_REBUILT_STREAM))
SetExtraData(p, xtra_trueip_id);
else
- stream.set_extra_data(p->flow, p, xtra_trueip_id);
+ Stream::set_extra_data(p->flow, p, xtra_trueip_id);
}
if (hsd->log_flags & HTTP_LOG_URI)
{
- stream.set_extra_data(p->flow, p, xtra_uri_id);
+ Stream::set_extra_data(p->flow, p, xtra_uri_id);
}
if (hsd->log_flags & HTTP_LOG_HOSTNAME)
{
- stream.set_extra_data(p->flow, p, xtra_hname_id);
+ Stream::set_extra_data(p->flow, p, xtra_hname_id);
}
if (hsd->log_flags & HTTP_LOG_JSNORM_DATA)
#include "detection/detection_util.h"
#include "protocols/packet.h"
-#include "stream/stream_api.h"
#include "utils/util_jsnorm.h"
#include "utils/util_utf.h"
#include "hi_ui_config.h"
#include "hi_ui_config.h"
#include "hi_ad.h"
#include "hi_main.h"
-#include "stream/stream_api.h"
/*
** NAME
#include "main/snort_debug.h"
#include "events/event_queue.h"
#include "protocols/packet.h"
-#include "stream/stream_api.h"
+#include "stream/stream.h"
#include "utils/util.h"
#ifdef DEBUG_MSGS
if ( !flow )
return nullptr;
- HttpSplitter* s = (HttpSplitter*)stream.get_splitter(flow, c2s);
+ HttpSplitter* s = (HttpSplitter*)Stream::get_splitter(flow, c2s);
return s ? &s->state : nullptr;
}
if ( nreq == MAX_PIPELINE )
{
- if ( stream.is_paf_active(ssn, 0) )
+ if ( Stream::is_paf_active(ssn, 0) )
hi_paf_event_pipe();
}
else if ( nreq < MAX_PIPELINE )
#define HI_STREAM_SPLITTER_H
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
bool hi_paf_init(uint32_t cap);
#ifndef HI_UTIL_H
#define HI_UTIL_H
+#include <strings.h>
#include "hi_include.h"
/*
#include "main/snort_debug.h"
#include "decompress/file_decomp.h"
#include "profiler/profiler.h"
-#include "stream/stream_api.h"
#include "file_api/file_api.h"
#include "file_api/file_service.h"
#include "mime/decode_base.h"
#include "packet_io/active.h"
#include "codecs/ip/checksum.h"
#include "main/thread.h"
-#include "stream/stream_api.h"
#include "codecs/codec_module.h"
#include "protocols/ip.h"
#include "protocols/ipv4_options.h"
#include "protocols/ipv6.h"
#include "codecs/codec_module.h"
#include "framework/codec.h"
-#include "stream/stream_api.h"
#include "main/snort_config.h"
#include "packet_io/active.h"
#include "protocols/protocol_ids.h"
#include "ports/port_object.h"
#include "profiler/profiler_defs.h"
#include "sfip/sf_ipvar.h"
+#include "stream/stream.h"
#include "utils/stats.h"
#define CHECK_SRC_IP 0x01
// FIXIT-H but this result in double clearing? should normal
// clear_session() calls be deleted from stream? this is a
// performance hit on short-lived flows
- stream.check_session_closed(p);
+ Stream::check_flow_closed(p);
/*
** By checking tagging here, we make sure that we log the
#include "events/event_wrapper.h"
#include "packet_io/active.h"
#include "parser/parser.h"
-#include "stream/stream_api.h"
#include "utils/sflsq.h"
#include "utils/util.h"
#include "profiler/profiler.h"
#include "protocols/udp.h"
#include "protocols/icmp4.h"
#include "search_engines/pat_stats.h"
+#include "stream/stream.h"
#include "utils/stats.h"
THREAD_LOCAL ProfileStats rulePerfStats;
if ( !otn )
return 0;
- return !stream.add_session_alert(
+ return !Stream::add_flow_alert(
p->flow, p, otn->sigInfo.generator, otn->sigInfo.id);
}
{
const SigInfo* si = &otn->sigInfo;
- if (!stream.check_session_alerted(p->flow, p, si->generator, si->id))
+ if (!Stream::check_flow_alerted(p->flow, p, si->generator, si->id))
return 0;
else
return 1;
// and configurations.
#include <sys/types.h>
+#include <string>
-#include "stream/stream_api.h"
#include "main/snort_types.h"
#define ENABLE_FILE_TYPE_IDENTIFICATION 0x1
return ((position == SNORT_FILE_END) || (position == SNORT_FILE_FULL));
}
-SO_PUBLIC uint64_t get_file_processed_size(Flow* flow);
-FilePosition get_file_position(Packet* pkt);
+SO_PUBLIC uint64_t get_file_processed_size(class Flow* flow);
+FilePosition get_file_position(struct Packet* pkt);
#endif
#include "file_config.h"
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "packet_io/active.h"
int64_t FileConfig::show_data_depth = DEFAULT_FILE_SHOW_DATA_DEPTH;
#ifndef FILE_POLICY_H
#define FILE_POLICY_H
-#include "file_api.h"
#include <map>
+#include <vector>
+
+#include "file_api.h"
struct FileVerdictWhen
{
#include "mime/file_mime_process.h"
#include "main/snort_types.h"
#include "managers/action_manager.h"
-#include "stream/stream_api.h"
#include "detection/detect.h"
#include "detection/detection_util.h"
#include "packet_io/active.h"
#include <assert.h>
#include "time/packet_time.h"
-#include "stream/stream_api.h" // FIXIT-M bad dependency
#include "hash/zhash.h"
+#include "protocols/packet.h"
+#include "stream/stream.h"
#include "sfip/sf_ip.h"
/* Reasonably small, and prime */
#include "protocols/udp.h"
#include "protocols/vlan.h"
#include "sfip/sf_ip.h"
+#include "stream/stream.h"
#include "expect_cache.h"
#include "flow_cache.h"
case Flow::FlowState::ALLOW:
if ( news )
- stream.stop_inspection(flow, p, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(flow, p, SSN_DIR_BOTH, -1, 0);
else
DisableInspection();
case Flow::FlowState::BLOCK:
if ( news )
- stream.drop_traffic(flow, SSN_DIR_BOTH);
+ Stream::drop_traffic(flow, SSN_DIR_BOTH);
else
Active::block_again();
case Flow::FlowState::RESET:
if ( news )
- stream.drop_traffic(flow, SSN_DIR_BOTH);
+ Stream::drop_traffic(flow, SSN_DIR_BOTH);
else
Active::reset_again();
- stream.blocked_session(flow, p);
+ Stream::blocked_flow(flow, p);
DisableInspection();
break;
}
#include "packet_io/sfdaq.h"
#include "profiler/profiler.h"
#include "side_channel/side_channel.h"
-#include "stream/stream_api.h"
+#include "stream/stream.h"
#include "time/packet_time.h"
static const uint8_t HA_MESSAGE_VERSION = 3;
{
FlowKey key;
(void)read_flow_key(&key, msg);
- stream.delete_session(&key);
+ Stream::delete_flow(&key);
}
static void consume_receive_update_message(HAMessage* msg)
FlowKey key;
(void)read_flow_key(&key, msg);
// flow will be nullptr if/when the session does not exist in the caches
- Flow* flow = stream.get_session(&key);
+ Flow* flow = Stream::get_flow(&key);
assert(s_client_map);
// the subclasses do the actual work of tracking, reassembly, etc.
#include "sfip/sfip_t.h"
-#include "stream/stream_api.h"
+#include "stream/stream.h"
struct Packet;
class Flow;
#include "flow/flow.h"
#include "main/snort_debug.h"
-#include "stream/stream_api.h"
+#include "stream/stream.h"
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
private:
};
-Flow* Stream::get_session(const FlowKey* flowkey)
+Flow* Stream::get_flow(const FlowKey* flowkey)
{
s_flowkey = *flowkey;
s_get_session_called = true;
return &s_flow;
}
-void Stream::delete_session(const FlowKey* flowkey)
+void Stream::delete_flow(const FlowKey* flowkey)
{
s_flowkey = *flowkey;
s_delete_session_called = true;
// host_tracker_module.cc author Steve Chew <stechew@cisco.com>
-#include "host_tracker/host_tracker_module.h"
+#include "host_tracker_module.h"
-#include "host_tracker/host_cache.h"
-#include "stream/stream_api.h"
+#include "stream/stream.h"
#include "target_based/snort_protocols.h"
+#include "host_cache.h"
const PegInfo host_tracker_pegs[] =
{
#include <bitset>
-#include "profiler/profiler.h"
#include "detection/detection_defines.h"
#include "framework/ips_option.h"
#include "framework/module.h"
#include "file_api/file_identifier.h"
#include "file_api/file_flows.h"
+#include "profiler/profiler.h"
+#include "protocols/packet.h"
typedef std::bitset<FILE_ID_MAX> TypeBitSet;
#include "parser/parser.h"
#include "utils/util.h"
#include "hash/sfhashfcn.h"
-#include "stream/stream_api.h"
#include "profiler/profiler.h"
#include "detection/detection_defines.h"
#include "framework/ips_option.h"
#include "utils/bitop.h"
#include "hash/sfghash.h"
#include "parser/mstring.h"
-#include "stream/stream_api.h"
#include "profiler/profiler.h"
#include "hash/sfhashfcn.h"
#include "detection/detection_defines.h"
#include "events/event.h"
#include "parser/parser.h"
#include "packet_io/sfdaq.h"
-#include "stream/stream_api.h"
#include "utils/util.h"
#include "utils/stats.h"
#include "detection/detect.h"
#include "parser/parser.h"
#include "events/event.h"
-#include "utils/util.h"
+#include "log/obfuscator.h"
#include "packet_io/active.h"
#include "packet_io/sfdaq.h"
-#include "stream/stream_api.h"
#include "protocols/layer.h"
#include "protocols/vlan.h"
#include "protocols/icmp4.h"
-#include "log/obfuscator.h"
+#include "stream/stream.h"
#include "utils/safec.h"
+#include "utils/util.h"
using namespace std;
Unified2InitFile(&config);
- stream.reg_xtra_data_log(AlertExtraData, &config);
+ Stream::reg_xtra_data_log(AlertExtraData, &config);
}
void U2Logger::close()
}
if ( p->flow )
- stream.update_session_alert(
+ Stream::update_flow_alert(
p->flow, p, event->sig_info->generator, event->sig_info->id,
event->event_id, event->ref_time.tv_sec);
if ( p->xtradata_mask )
{
LogFunction* log_funcs;
- uint32_t max_count = stream.get_xtra_data_map(&log_funcs);
+ uint32_t max_count = Stream::get_xtra_data_map(&log_funcs);
if ( max_count > 0 )
AlertExtraData(
#include "side_channel/side_channel_module.h"
#include "sfip/sf_ip.h"
#include "sfip/sf_ipvar.h"
+#include "stream/stream.h"
#include "target_based/sftarget_data.h"
#include "target_based/snort_protocols.h"
#include "filters/detection_filter.h"
#include "filters/rate_filter.h"
#include "filters/sfthreshold.h"
-#include "flow/flow_control.h"
#include "flow/ha.h"
#include "framework/mpse.h"
#include "helpers/process.h"
void Snort::thread_idle()
{
- if ( flow_con )
- // FIXIT-M batch here or loop vs looping over idle?
- flow_con->timeout_flows(time(NULL));
-
+ Stream::timeout_flows(time(nullptr));
perf_monitor_idle_process();
aux_counts.idle++;
HighAvailabilityManager::process_receive();
void Snort::thread_term()
{
HighAvailabilityManager::thread_term_beginning();
+
if ( !snort_conf->dirty_pig )
- InspectorManager::thread_stop(snort_conf);
+ Stream::purge_flows();
+ InspectorManager::thread_stop(snort_conf);
ModuleManager::accumulate(snort_conf);
InspectorManager::thread_term(snort_conf);
ActionManager::thread_term(snort_conf);
Active::reset();
PacketManager::encode_reset();
-
- if ( flow_con ) // FIXIT-M always instantiate
- flow_con->timeout_flows(pkthdr->ts.tv_sec);
-
+ Stream::timeout_flows(pkthdr->ts.tv_sec);
HighAvailabilityManager::process_receive();
s_packet->pkth = nullptr; // no longer avail upon sig segv
// prune_handler.cc author Joel Cornett <jocornet@cisco.com>
#include "prune_handler.h"
-
-#include "flow/flow_cache.h"
-#include "flow/flow_control.h"
#include "stream/stream.h"
namespace memory
void prune_handler()
{
- // assert(flow_con);
- if ( flow_con )
- flow_con->prune_one(PruneReason::MEMCAP, false);
+ Stream::prune_flows();
}
} // namespace memory
// appid_flow_data.cc author Sourcefire Inc.
+#include "log/messages.h"
#include "protocols/tcp.h"
#include "profiler/profiler.h"
#include "target_based/snort_protocols.h"
+#include "sfip/sf_ip.h"
+#include "stream/stream.h"
+#include "time/packet_time.h"
+#include "utils/util.h"
-#include "appid_session.h"
-#include "appid_module.h"
-#include "fw_appid.h"
-#include "appid_stats.h"
-#include "app_forecast.h"
-#include "host_port_app_cache.h"
-#include "lua_detector_module.h"
+#include "appid_utils/ip_funcs.h"
#include "client_plugins/client_app_base.h"
#include "detector_plugins/detector_http.h"
#include "detector_plugins/detector_dns.h"
#include "service_plugins/service_ssl.h"
#include "service_plugins/service_util.h"
-#include "log/messages.h"
-#include "stream/stream_api.h"
-#include "sfip/sf_ip.h"
-#include "utils/util.h"
-#include "appid_utils/ip_funcs.h"
-#include "time/packet_time.h"
+#include "appid_session.h"
+#include "appid_module.h"
+#include "fw_appid.h"
+#include "appid_stats.h"
+#include "app_forecast.h"
+#include "host_port_app_cache.h"
+#include "lua_detector_module.h"
ProfileStats tpPerfStats;
ProfileStats tpLibPerfStats;
// FIXIT - 2.9.x set_application_protocol_id_expected has several new parameters, need to look
// into what is required to support those here.
- if (stream.set_application_protocol_id_expected(/*crtlPkt,*/ cliIp, cliPort, srvIp, srvPort,
- protocol, app_id, session) )
+ if ( Stream::set_application_protocol_id_expected(
+ /*crtlPkt,*/ cliIp, cliPort, srvIp, srvPort, protocol, app_id, session) )
{
if (app_id_debug_session_flag)
LogMessage("AppIdDbg %s failed to create a related flow for %s-%u -> %s-%u %u\n",
thirdparty_appid_module->disable_flags(tpsession,
TP_SESSION_FLAG_ATTRIBUTE | TP_SESSION_FLAG_TUNNELING | TP_SESSION_FLAG_FUTUREFLOW);
}
- if (tp_app_id == APP_ID_SSL && (stream.get_application_protocol_id(p->flow) == snortId_for_ftp_data))
+ if (tp_app_id == APP_ID_SSL &&
+ (Stream::get_application_protocol_id(p->flow) == snortId_for_ftp_data))
{
// If we see SSL on an FTP data channel set tpAppId back
// to APP_ID_NONE so the FTP preprocessor picks up the flow.
(SearchTool*)( ( AppIdConfig*)pConfig)->find_generic_config_element(client_app_mod.name);
#ifdef APP_ID_USES_REASSEMBLED
- stream.flush_response_flush(pkt);
+ Stream::flush_response_flush(pkt);
#endif
if (!size)
goto inprocess;
#ifdef APP_ID_USES_REASSEMBLED
- stream.flush_response_flush(pkt);
+ Stream::flush_response_flush(pkt);
#endif
if (!size)
#endif
#ifdef APP_ID_USES_REASSEMBLED
- stream.flush_response_flush(pkt);
+ Stream::flush_response_flush(pkt);
#endif
if (!size)
goto inprocess;
#ifdef APP_ID_USES_REASSEMBLED
- stream.flush_response_flush(pkt);
+ Stream::flush_response_flush(pkt);
#endif
if (!size)
return CLIENT_APP_INPROCESS;
#ifdef APP_ID_USES_REASSEMBLED
- stream.flush_response_flush(pkt);
+ Stream::flush_response_flush(pkt);
#endif
dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(flowp,
goto inprocess;
#ifdef APP_ID_USES_REASSEMBLED
- stream.flush_response_flush(pkt);
+ Stream::flush_response_flush(pkt);
#endif
if (dir != APP_ID_FROM_RESPONDER)
#include "appid_utils/network_set.h"
#include "time/packet_time.h"
#include "sfip/sf_ip.h"
-#include "stream/stream_api.h"
#define HTTP_PATTERN_MAX_LEN 1024
#define PORT_MAX 65535
#include "hash/sfhashfcn.h"
#include "log/messages.h"
#include "profiler/profiler.h"
+#include "stream/stream.h"
#include "utils/util.h"
-#include "stream/stream_api.h"
//-------------------------------------------------------------------------
// appid option
#include "protocols/packet.h"
#include "protocols/vlan.h"
#include "protocols/layer.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
#include "profiler/profiler.h"
#include "utils/stats.h"
static void set_service(Flow* flow, const HostAttributeEntry* host)
{
- stream.set_application_protocol_id(flow, host, FROM_SERVER);
+ Stream::set_application_protocol_id(flow, host, FROM_SERVER);
}
static Inspector* get_gadget(Flow* flow)
if ( ins )
{
- stream.set_splitter(flow, true, ins->get_splitter(true));
- stream.set_splitter(flow, false, ins->get_splitter(false));
+ Stream::set_splitter(flow, true, ins->get_splitter(true));
+ Stream::set_splitter(flow, false, ins->get_splitter(false));
}
else
{
- stream.set_splitter(flow, true, new AtomSplitter(true));
- stream.set_splitter(flow, false, new AtomSplitter(false));
+ Stream::set_splitter(flow, true, new AtomSplitter(true));
+ Stream::set_splitter(flow, false, new AtomSplitter(false));
}
return 0;
#include "managers/inspector_manager.h"
#include "main/policy.h"
#include "profiler/profiler.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
#include "utils/stats.h"
#include "protocols/tcp_options.h"
#include "protocols/icmp4.h"
#include "protocols/icmp6.h"
-#include "stream/stream.h"
#include "stream/tcp/tcp_normalizer.h"
#include "utils/stats.h"
#include <sstream>
#include <vector>
-#include "stream/stream.h"
#include "stream/tcp/tcp_normalizer.h"
using namespace std;
#include "protocols/packet.h"
#include "time/packet_time.h"
#include "hash/sfxhash.h"
-#include "stream/stream_api.h"
-#include "sfip/sf_ip.h"
#include "protocols/tcp.h"
#include "protocols/udp.h"
#include "protocols/icmp4.h"
#include "protocols/icmp6.h"
#include "protocols/eth.h"
+#include "sfip/sf_ip.h"
+#include "stream/stream.h"
typedef struct s_PS_HASH_KEY
{
}
else if (p->ptrs.udph && p->flow)
{
- if (stream.get_packet_direction(p) & PKT_FROM_SERVER)
+ if (Stream::get_packet_direction(p) & PKT_FROM_SERVER)
reverse_pkt = 1;
}
{
if ( p->flow )
{
- uint32_t direction = stream.get_packet_direction(p);
+ uint32_t direction = Stream::get_packet_direction(p);
if (direction == PKT_FROM_CLIENT)
{
#include "main/snort_types.h"
#include "main/snort_debug.h"
#include "profiler/profiler.h"
-#include "stream/stream_api.h"
#include "file_api/file_api.h"
#include "parser/parser.h"
#include "framework/inspector.h"
#define REPUTATION_INSPECT_H
#include "protocols/packet.h"
-#include "stream/stream_api.h"
// Per-session data block containing current state
// of the Reputation preprocessor for the session.
#include "managers/action_manager.h"
#include "packet_io/sfdaq.h"
#include "protocols/tcp.h"
+#include "stream/stream.h"
#include "utils/dnet_header.h"
#define MAX_ATTEMPTS 20
active_action = ACT_BLOCK;
if ( force or SnortConfig::inline_mode() or SnortConfig::treat_drop_as_ignore() )
- stream.drop_session(p);
+ Stream::drop_flow(p);
}
void Active::reset_session(const Packet* p, bool force)
active_action = ACT_RESET;
if ( force or SnortConfig::inline_mode() or SnortConfig::treat_drop_as_ignore() )
- stream.drop_session(p);
+ Stream::drop_flow(p);
if ( s_enabled and snort_conf->max_responses )
{
if ( p->flow )
{
- stream.init_active_response(p, p->flow);
+ Stream::init_active_response(p, p->flow);
p->flow->set_state(Flow::FlowState::RESET);
}
}
#include "utils/stats.h"
#include "log/text_log.h"
#include "main/snort_debug.h"
-#include "stream/stream_api.h"
#include "packet_io/sfdaq.h"
#include "packet_io/active.h"
+#include "stream/stream.h"
THREAD_LOCAL ProfileStats decodePerfStats;
// outermost ip is considered to be outer here,
// even if it is the only ip layer ...
- ttl = stream.get_session_ttl(p->flow, dir, outer);
+ ttl = Stream::get_flow_ttl(p->flow, dir, outer);
// if we don't get outer, we use inner
if ( 0 == ttl && outer )
- ttl = stream.get_session_ttl(p->flow, dir, false);
+ ttl = Stream::get_flow_ttl(p->flow, dir, false);
return ttl;
}
#define DCE_SMB_PAF_H
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
#define DCE2_SMB_PAF_SHIFT(x64, x8) { x64 <<= 8; x64 |= (uint64_t)x8; }
#include "dce_common.h"
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
#define DCE2_DEBUG__PAF_START_MSG_TCP "DCE/RPC over TCP PAF ====================================="
// Protocol aware flushing for DNP3.
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
enum dnp3_paf_state
#include "main/snort_types.h"
#include "main/snort_debug.h"
#include "profiler/profiler.h"
-#include "stream/stream_api.h"
#include "parser/parser.h"
#include "framework/inspector.h"
+#include "stream/stream.h"
#include "utils/sfsnprintfappend.h"
#include "dns_module.h"
return;
}
- if ( !stream.is_stream_sequenced(p->flow, SSN_DIR_FROM_CLIENT) )
+ if ( !Stream::is_stream_sequenced(p->flow, SSN_DIR_FROM_CLIENT) )
{
return;
}
#define DNS_H
#include "protocols/packet.h"
-#include "stream/stream_api.h"
// Implementation header with definitions, datatypes and flowdata class for
// DNS service inspector.
// FIXIT-L breaks target-based non-standard ports
//if ( !ScPafEnabled() )
/* Force flush of client side of stream */
- stream.flush_response(p);
+ Stream::flush_response(p);
}
else
{
/* FTP-Data session is in limbo, we need to lookup the control session
* to figure out what to do. */
- FtpFlowData* fd = (FtpFlowData*)stream.get_flow_data(
+ FtpFlowData* fd = (FtpFlowData*)Stream::get_flow_data(
&data_ssn->ftp_key, FtpFlowData::flow_id);
FTP_SESSION* ftp_ssn = fd ? &fd->session : NULL;
memset(&session, 0, sizeof(session));
session.ft_ssn.proto = FTPP_SI_PROTO_FTP_DATA;
- stream.populate_session_key(p, &session.ftp_key);
+ Stream::populate_flow_key(p, &session.ftp_key);
}
FtpDataFlowData::~FtpDataFlowData()
initFilePosition(&data_ssn->position, get_file_processed_size(p->flow));
finalFilePosition(&data_ssn->position);
- stream.flush_request(p);
+ Stream::flush_request(p);
if (!(data_ssn->packet_flags & FTPDATA_FLG_STOP))
{
#include "ftpp_return_codes.h"
#include "sfip/sf_ip.h"
+#include "stream/stream.h"
#include "utils/util.h"
unsigned FtpFlowData::flow_id = 0;
bool FTPDataDirection(Packet* p, FTP_DATA_SESSION* ftpdata)
{
uint32_t direction;
- uint32_t pktdir = stream.get_packet_direction(p);
+ uint32_t pktdir = Stream::get_packet_direction(p);
if (ftpdata->mode == FTPP_XFER_ACTIVE)
direction = ftpdata->direction ? PKT_FROM_SERVER : PKT_FROM_CLIENT;
/*
* We now set the packet direction
*/
- if (p->flow && stream.is_midstream(p->flow))
+ if (p->flow && Stream::is_midstream(p->flow))
{
SiInput->pdir = FTPP_SI_NO_MODE;
}
#include "ftp_server.h"
#include "protocols/packet.h"
#include "file_api/file_api.h"
-#include "stream/stream_api.h"
#include "flow/flow.h"
+#include "stream/stream.h"
/*
* These are the defines for the different types of
ftpdata->data_chan = session->server_conf->data_chan;
/* Call into Streams to mark data channel as ftp-data */
- result = stream.set_application_protocol_id_expected(
+ result = Stream::set_application_protocol_id_expected(
&session->clientIP, session->clientPort,
&session->serverIP, session->serverPort,
p->type(), ftp_data_app_id, fd);
{
/* Call into Streams to mark data channel as something
* to ignore. */
- stream.ignore_session(
+ Stream::ignore_flow(
&session->clientIP, session->clientPort,
&session->serverIP, session->serverPort,
p->type(), SSN_DIR_BOTH,
ftpdata->data_chan = session->server_conf->data_chan;
/* Call into Streams to mark data channel as ftp-data */
- result = stream.set_application_protocol_id_expected(
+ result = Stream::set_application_protocol_id_expected(
&session->clientIP, session->clientPort,
&session->serverIP, session->serverPort,
p->type(), ftp_data_app_id, fd);
{
/* Call into Streams to mark data channel as something
* to ignore. */
- stream.ignore_session(
+ Stream::ignore_flow(
&session->clientIP, session->clientPort,
&session->serverIP, session->serverPort,
p->type(), SSN_DIR_BOTH,
if (!ftpssn->server_conf->check_encrypted_data)
{
/* Mark this session & packet as one to ignore */
- stream.stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
}
DebugMessage(DEBUG_FTPTELNET,
"FTP client stream is now encrypted\n");
if (!ftpssn->server_conf->check_encrypted_data)
{
/* Mark this session & packet as one to ignore */
- stream.stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
}
DebugMessage(DEBUG_FTPTELNET,
"FTP server stream is now encrypted\n");
else
{
/* Okay, it wasn't an IAC also its a midstream pickup */
- if (*read_ptr > 0x7F && stream.is_midstream(p->flow))
+ if (*read_ptr > 0x7F && Stream::is_midstream(p->flow))
{
consec_8bit_chars++;
if (consec_8bit_chars > CONSECUTIVE_8BIT_THRESHOLD)
if (!tnssn->telnet_conf->check_encrypted_data)
{
/* Mark this session & packet as one to ignore */
- stream.stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
/* No point to do further normalization */
return FTPP_ALERT;
}
if (!tnssn->telnet_conf->check_encrypted_data)
{
/* Mark this session & packet as one to ignore */
- stream.stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
/* No point to do further normalization */
return FTPP_ALERT;
}
#include <stdio.h>
#include <zlib.h>
-#include "stream/stream_api.h"
+#include "flow/flow.h"
#include "mime/file_mime_process.h"
#include "utils/util_utf.h"
#include <stdio.h>
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "http_enum.h"
#include "http_msg_request.h"
#ifndef HTTP_MSG_SECTION_H
#define HTTP_MSG_SECTION_H
-#include "stream/stream_api.h"
#include "detection/detection_util.h"
#include "http_field.h"
#include "main/snort_types.h"
#include "main/snort_debug.h"
#include "profiler/profiler.h"
-#include "stream/stream_api.h"
#include "file_api/file_api.h"
#include "parser/parser.h"
#include "framework/inspector.h"
#include "utils/util.h"
#include "protocols/ssl.h"
#include "mime/file_mime_process.h"
+#include "stream/stream.h"
#include "imap_paf.h"
#include "imap_module.h"
(p->packet_flags & PKT_REBUILT_STREAM))
{
int missing_in_rebuilt =
- stream.missing_in_reassembled(p->flow, SSN_DIR_FROM_CLIENT);
+ Stream::missing_in_reassembled(p->flow, SSN_DIR_FROM_CLIENT);
if (ssn->session_flags & IMAP_FLAG_NEXT_STATE_UNKNOWN)
{
imap_ssn->state = STATE_TLS_DATA;
}
else if (!(p->flow->get_session_flags() & SSNFLAG_MIDSTREAM)
- && !stream.missed_packets(p->flow, SSN_DIR_BOTH))
+ && !Stream::missed_packets(p->flow, SSN_DIR_BOTH))
{
/* revert back to command state - assume server didn't accept STARTTLS */
imap_ssn->state = STATE_UNKNOWN;
// IMAP service inspector.
#include "protocols/packet.h"
-#include "stream/stream_api.h"
+#include "stream/stream.h"
#include "imap_config.h"
// Direction packet is coming from, if we can figure it out
if ( !flow )
return nullptr;
- ImapSplitter* s = (ImapSplitter*)stream.get_splitter(flow, c2s);
+ ImapSplitter* s = (ImapSplitter*)Stream::get_splitter(flow, c2s);
return s ? &s->state : nullptr;
}
// Protocol aware flushing for IMAP
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
#include "mime/file_mime_paf.h"
#include "modbus.h"
#include "modbus_module.h"
#include "protocols/packet.h"
-#include "stream/stream_api.h"
#include "events/event_queue.h"
// FIXIT-L convert this stuff to a table and make configurable
#include "main/snort_types.h"
#include "main/snort_debug.h"
#include "profiler/profiler.h"
-#include "stream/stream_api.h"
#include "parser/parser.h"
#include "framework/inspector.h"
#include "target_based/snort_protocols.h"
(p->packet_flags & PKT_REBUILT_STREAM))
{
int missing_in_rebuilt =
- stream.missing_in_reassembled(p->flow, SSN_DIR_FROM_CLIENT);
+ Stream::missing_in_reassembled(p->flow, SSN_DIR_FROM_CLIENT);
if (ssn->session_flags & POP_FLAG_NEXT_STATE_UNKNOWN)
{
pop_ssn->state = STATE_TLS_DATA;
}
else if (!(p->flow->get_session_flags() & SSNFLAG_MIDSTREAM)
- && !stream.missed_packets(p->flow, SSN_DIR_BOTH))
+ && !Stream::missed_packets(p->flow, SSN_DIR_BOTH))
{
/* revert back to command state - assume server didn't accept STARTTLS */
pop_ssn->state = STATE_UNKNOWN;
// POP service inspector.
#include "protocols/packet.h"
-#include "stream/stream_api.h"
+#include "stream/stream.h"
#include "pop_config.h"
// Direction packet is coming from, if we can figure it out
if ( !flow )
return nullptr;
- PopSplitter* s = (PopSplitter*)stream.get_splitter(flow, c2s);
+ PopSplitter* s = (PopSplitter*)Stream::get_splitter(flow, c2s);
return s ? &s->state : nullptr;
}
// Protocol aware flushing for POP.
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
#include "mime/file_mime_paf.h"
#include "profiler/profiler.h"
#include "utils/util.h"
#include "detection/detection_util.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
#include "target_based/snort_protocols.h"
#include "protocols/tcp.h"
#include "protocols/packet.h"
#include "framework/data_bus.h"
#include "framework/inspector.h"
+#include "stream/stream.h"
#include "utils/safec.h"
#include "rpc_module.h"
++rdstats.total_packets;
- if ( !rsdata && p->flow && !stream.is_midstream(p->flow) )
+ if ( !rsdata && p->flow && !Stream::is_midstream(p->flow) )
rsdata = RpcSsnDataNew(p);
if ( RpcSsnIsActive(rsdata) and (p->packet_flags & PKT_REBUILT_STREAM) )
#include "main/snort_debug.h"
#include "main/snort_config.h"
#include "profiler/profiler.h"
-#include "stream/stream_api.h"
#include "file_api/file_api.h"
#include "parser/parser.h"
#include "framework/inspector.h"
// Implementation header with definitions, datatypes and flowdata class for SIP service inspector.
#include "protocols/packet.h"
-#include "stream/stream_api.h"
#include "sip_config.h"
#include "sip_dialog.h"
#include "sip_parser.h"
#include <assert.h>
+#include "framework/data_bus.h"
#include "main/snort_types.h"
#include "main/snort_debug.h"
#include "main/snort_config.h"
+#include "stream/stream.h"
#include "sfip/sf_ip.h"
-#include "stream/stream_api.h"
-#include "framework/data_bus.h"
#include "sip_module.h"
#include "sip.h"
sfip_to_str(&mdataB->maddress), mdataB->mport);
/* Call into Streams to mark data channel as something to ignore. */
- FlowData* fd = stream.get_flow_data(
+ FlowData* fd = Stream::get_flow_data(
PktType::UDP, IpProtocol::UDP, &mdataA->maddress,mdataA->mport,
&mdataB->maddress, mdataB->mport, 0, 0, p->pkth->address_space_id,
SipFlowData::flow_id);
}
else
{
- stream.ignore_session(&mdataA->maddress, mdataA->mport, &mdataB->maddress,
+ Stream::ignore_flow(&mdataA->maddress, mdataA->mport, &mdataB->maddress,
mdataB->mport, p->type(), SSN_DIR_BOTH, SipFlowData::flow_id);
}
sip_stats.ignoreChannels++;
sipEventData.packet = p;
- if (stream.service_event_publish(PP_SIP, p->flow, SIP_EVENT_TYPE_SIP_DIALOG, &sipEventData)
+ if (Stream::service_event_publish(PP_SIP, p->flow, SIP_EVENT_TYPE_SIP_DIALOG, &sipEventData)
== false)
ErrorMessage("failed to publish to SIP_DIALOG\n");
}
#include "main/snort_types.h"
#include "main/snort_debug.h"
#include "profiler/profiler.h"
-#include "stream/stream_api.h"
#include "file_api/file_api.h"
#include "mime/file_mime_process.h"
#include "parser/parser.h"
smtp_ssn->mime_ssn->config = config;
smtp_ssn->mime_ssn->set_mime_stats(&(smtpstats.mime_stats));
- if(stream.is_midstream(p->flow))
+ if(Stream::is_midstream(p->flow))
{
DebugMessage(DEBUG_SMTP, "Got midstream packet - "
"setting state to unknown\n");
(p->packet_flags & PKT_REBUILT_STREAM))
{
int missing_in_rebuilt =
- stream.missing_in_reassembled(p->flow, SSN_DIR_FROM_CLIENT);
+ Stream::missing_in_reassembled(p->flow, SSN_DIR_FROM_CLIENT);
if (ssn->session_flags & SMTP_FLAG_NEXT_STATE_UNKNOWN)
{
smtp_ssn->state = STATE_TLS_DATA;
}
else if (!(p->flow->get_session_flags() & SSNFLAG_MIDSTREAM)
- && !stream.missed_packets(p->flow, SSN_DIR_BOTH))
+ && !Stream::missed_packets(p->flow, SSN_DIR_BOTH))
{
/* Check to see if the raw packet is in order */
if (p->packet_flags & PKT_STREAM_ORDER_OK)
/* if we're ignoring tls data, set a zero length alt buffer */
if (config->ignore_tls_data)
{
- stream.stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
return;
}
}
static void SMTP_RegXtraDataFuncs(SMTP_PROTO_CONF* config)
{
- config->xtra_filename_id = stream.reg_xtra_data_cb(SMTP_GetFilename);
- config->xtra_mfrom_id = stream.reg_xtra_data_cb(SMTP_GetMailFrom);
- config->xtra_rcptto_id = stream.reg_xtra_data_cb(SMTP_GetRcptTo);
- config->xtra_ehdrs_id = stream.reg_xtra_data_cb(SMTP_GetEmailHdrs);
+ config->xtra_filename_id = Stream::reg_xtra_data_cb(SMTP_GetFilename);
+ config->xtra_mfrom_id = Stream::reg_xtra_data_cb(SMTP_GetMailFrom);
+ config->xtra_rcptto_id = Stream::reg_xtra_data_cb(SMTP_GetRcptTo);
+ config->xtra_ehdrs_id = Stream::reg_xtra_data_cb(SMTP_GetEmailHdrs);
}
int SmtpMime::handle_header_line(const uint8_t* ptr, const uint8_t* eol,
// Implementation header with definitions, datatypes and flowdata class for
// SMTP service inspector.
-#include "protocols/packet.h"
-#include "stream/stream_api.h"
#include "main/thread.h"
+#include "protocols/packet.h"
+#include "stream/stream.h"
#include "smtp_config.h"
// Direction packet is coming from, if we can figure it out
if ( !flow )
return nullptr;
- SmtpSplitter* s = (SmtpSplitter*)stream.get_splitter(flow, c2s);
+ SmtpSplitter* s = (SmtpSplitter*)Stream::get_splitter(flow, c2s);
return s ? &s->state : nullptr;
}
// Protocol aware flushing for SMTP
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
#include "mime/file_mime_paf.h"
#include "smtp.h"
#include "smtp_config.h"
-#include "stream/stream_api.h"
#include "detection/detection_util.h"
#include "utils/safec.h"
if (log->is_file_name_present())
{
- stream.set_extra_data(p->flow, p, config->xtra_filename_id);
+ Stream::set_extra_data(p->flow, p, config->xtra_filename_id);
}
if (log->is_email_from_present())
{
- stream.set_extra_data(p->flow, p, config->xtra_mfrom_id);
+ Stream::set_extra_data(p->flow, p, config->xtra_mfrom_id);
}
if (log->is_email_to_present())
{
- stream.set_extra_data(p->flow, p, config->xtra_rcptto_id);
+ Stream::set_extra_data(p->flow, p, config->xtra_rcptto_id);
}
if (log->is_email_hdrs_present())
{
- stream.set_extra_data(p->flow, p, config->xtra_ehdrs_id);
+ Stream::set_extra_data(p->flow, p, config->xtra_ehdrs_id);
}
}
#include <sys/types.h>
#include "events/event_queue.h"
+#include "file_api/file_api.h"
+#include "framework/inspector.h"
#include "log/messages.h"
#include "main/snort_types.h"
#include "main/snort_debug.h"
-#include "profiler/profiler.h"
-#include "stream/stream_api.h"
-#include "file_api/file_api.h"
#include "parser/parser.h"
-#include "framework/inspector.h"
+#include "profiler/profiler.h"
#include "utils/sfsnprintfappend.h"
#include "target_based/snort_protocols.h"
// means we've already missed packets) set missed packets flag and make
// sure we don't do any more reassembly on this session
if ((p->flow->get_session_flags() & SSNFLAG_MIDSTREAM)
- || stream.missed_packets(p->flow, SSN_DIR_BOTH))
+ || Stream::missed_packets(p->flow, SSN_DIR_BOTH))
{
// Order only matters if the packets are not encrypted
if ( !(sessp->state_flags & SSH_FLG_SESS_ENCRYPTED ))
else
SnortEventqAdd(GID_SSH, SSH_EVENT_RESPOVERFLOW);
- stream.stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
}
}
// and therefore cannot be used late in an
// encrypted session. For performance purposes,
// stop examining this session.
- stream.stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
}
}
}
// packets appear malformed/spoofed.
#include "protocols/packet.h"
-#include "stream/stream_api.h"
+#include "stream/stream.h"
#include "ssh_config.h"
// Per-session data block containing current state
#include "main/snort_types.h"
#include "main/snort_debug.h"
#include "profiler/profiler.h"
-#include "stream/stream_api.h"
#include "parser/parser.h"
#include "framework/inspector.h"
#include "utils/sfsnprintfappend.h"
#include "target_based/snort_protocols.h"
#include "detection/detect.h"
#include "protocols/ssl.h"
+#include "stream/stream.h"
#include "ssl_module.h"
/* Check if we're either midstream or if packets were missed after the
* * connection was established */
else if ((packet->flow->get_session_flags() & SSNFLAG_MIDSTREAM) ||
- (stream.missed_packets(packet->flow, SSN_DIR_BOTH)))
+ (Stream::missed_packets(packet->flow, SSN_DIR_BOTH)))
{
if ((ssl_flags & (SSL_CAPP_FLAG | SSL_SAPP_FLAG)) == (SSL_CAPP_FLAG | SSL_SAPP_FLAG))
{
if (!config->max_heartbeat_len)
{
DebugMessage(DEBUG_SSL, "STOPPING INSPECTION (process_app)\n");
- stream.stop_inspection(packet->flow, packet, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(packet->flow, packet, SSN_DIR_BOTH, -1, 0);
sslstats.stopped++;
}
else if (!(new_flags & SSL_HEARTBEAT_SEEN))
if (!config->max_heartbeat_len)
{
DebugMessage(DEBUG_SSL, "STOPPING INSPECTION (process_other)\n");
- stream.stop_inspection(packet->flow, packet, SSN_DIR_BOTH, -1, 0);
+ Stream::stop_inspection(packet->flow, packet, SSN_DIR_BOTH, -1, 0);
}
else if (!(new_flags & SSL_HEARTBEAT_SEEN))
{
{
if ( (SSL_IS_SHELLO(new_flags) && !SSL_IS_CHELLO(sd->ssn_flags) ))
{
- if (!(stream.missed_packets(p->flow, SSN_DIR_FROM_CLIENT)))
+ if (!(Stream::missed_packets(p->flow, SSN_DIR_FROM_CLIENT)))
SnortEventqAdd(GID_SSL, SSL_INVALID_SERVER_HELLO);
}
}
// Implementation header with definitions, datatypes and flowdata class for SSL service inspector.
#include "protocols/packet.h"
-#include "stream/stream_api.h"
#include "ssl_config.h"
#define SSLPP_ENCRYPTED_FLAGS \
set (STREAM_INCLUDES
paf.h
- stream_api.h
+ stream.h
stream_splitter.h
)
add_library( stream STATIC
- stream.h
- stream_api.cc
+ stream.cc
stream_inspectors.cc
stream_inspectors.h
stream_splitter.cc
x_include_HEADERS = \
paf.h \
-stream_api.h \
+stream.h \
stream_splitter.h
libstream_a_SOURCES = \
-stream.h \
-stream_api.cc \
+stream.cc \
stream_inspectors.cc \
stream_inspectors.h \
stream_splitter.cc
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-#include "stream/stream.h"
-
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <assert.h>
-#include "stream_module.h"
-#include "stream_ha.h"
-#include "main/snort_debug.h"
-#include "managers/inspector_manager.h"
#include "flow/flow_control.h"
#include "flow/prune_stats.h"
-#include "stream/stream_api.h"
+#include "main/snort_debug.h"
+#include "managers/inspector_manager.h"
#include "profiler/profiler.h"
+
#include "stream/tcp/tcp_session.h"
+#include "stream_module.h"
+#include "stream_ha.h"
//-------------------------------------------------------------------------
// stats
void StreamBase::tterm()
{
- flow_con->purge_flows(PktType::IP);
- flow_con->purge_flows(PktType::ICMP);
- flow_con->purge_flows(PktType::TCP);
- flow_con->purge_flows(PktType::UDP);
- flow_con->purge_flows(PktType::PDU);
- flow_con->purge_flows(PktType::FILE);
-
StreamHAManager::tterm();
}
#include "binder/binder.h"
#include "main/snort_debug.h"
#include "managers/inspector_manager.h"
+#include "stream/stream.h"
#include "sfip/sf_ip.h"
-#include "stream/stream_api.h"
// HA Session flags helper macros
#define HA_IGNORED_SESSION_FLAGS \
#include "stream_module.h"
-#include "stream/stream.h"
-
#include <string>
using namespace std;
PROTO_FIELDS(file);
};
+extern const PegInfo base_pegs[];
+
extern THREAD_LOCAL BaseStats stream_base_stats;
struct StreamModuleConfig
#include "stream_file.h"
#include "main/snort_config.h"
-#include "stream/stream.h"
//-------------------------------------------------------------------------
// stream_file module
#include "main/snort_types.h"
#include "main/thread.h"
#include "framework/module.h"
-#include "stream/stream.h"
struct SnortConfig;
Flow* IcmpHA::create_session(FlowKey* key)
{
- DebugMessage(DEBUG_HA,"IcmpHA::create_session\n");
-
- assert ( key );
-
- Flow* flow = flow_con->new_flow(key);
+ assert(key);
+ Flow* flow = Stream::new_flow(key);
if ( (flow != nullptr ) && (flow->session == nullptr) )
{
#include "main/snort_types.h"
#include "main/thread.h"
+#include "flow/session.h"
#include "framework/module.h"
-#include "stream/stream.h"
extern const PegInfo icmp_pegs[];
extern THREAD_LOCAL struct IcmpStats icmpStats;
{
case PktType::TCP:
/* Lookup a TCP session */
- ssn = Stream::get_session(&skey);
+ ssn = Stream::get_flow(&skey);
break;
case PktType::UDP:
/* Lookup a UDP session */
- ssn = Stream::get_session(&skey);
+ ssn = Stream::get_flow(&skey);
break;
case PktType::ICMP:
/* Lookup a ICMP session */
- ssn = Stream::get_session(&skey);
+ ssn = Stream::get_flow(&skey);
break;
default:
break;
#include "ip_ha.h"
-#include "flow/flow_control.h"
#include "main/snort_debug.h"
-#include "stream/ip/ip_session.h"
+#include "stream/stream.h"
+#include "ip_session.h"
Flow* IpHA::create_session(FlowKey* key)
{
- DebugMessage(DEBUG_HA,"IpHA::create_session\n");
+ assert(key);
- assert ( key );
-
- Flow* flow = flow_con->new_flow(key);
+ Flow* flow = Stream::new_flow(key);
if ( (flow != nullptr ) && (flow->session == nullptr) )
{
#include "main/snort_types.h"
#include "main/thread.h"
+#include "flow/session.h"
#include "framework/module.h"
-#include "stream/stream.h"
struct SnortConfig;
#include "ip_defrag.h"
#include "ip_ha.h"
#include "stream/stream.h"
-#include "flow/flow_control.h"
#include "sfip/sf_ip.h"
#include "profiler/profiler.h"
ip_stats.current++;
#ifdef ENABLE_EXPECTED_IP
- if ( flow_con->expected_session(flow, p))
+ if ( Stream::expected_flow(flow, p) )
{
ip_stats.sessions--; // Incremented in SESSION_STATS_ADD
MODULE_PROFILE_END(ip_perf_stats);
{
Profile profile(ip_perf_stats);
- if ( stream.expired_session(flow, p) )
+ if ( Stream::expired_flow(flow, p) )
{
IpSessionCleanup(flow, &tracker);
#ifdef ENABLE_EXPECTED_IP
- if ( flow_con->expected_session(flow, p))
+ if ( Stream::expected_flow(flow, p) )
return 0;
#endif
IpHAManager::process_deletion(flow);
}
- if ( stream.blocked_session(flow, p) || stream.ignored_session(flow, p) )
+ if ( Stream::blocked_flow(flow, p) || Stream::ignored_flow(flow, p) )
return 0;
if ( p->ptrs.decode_flags & DECODE_FRAG )
#include "flow/flow.h"
/* engine-based defragmentation policy enums */
-// must update stream_api.h::IP_POLICIES if this changes
+// must update stream.h::IP_POLICIES if this changes
enum
{
FRAG_POLICY_FIRST = 1,
// tcp_stream_tracker.cpp author davis mcpherson <davmcphe@@cisco.com>
// Created on: Jun 24, 2015
-#include "protocols/tcp_options.h"
-#include "protocols/tcp.h"
-#include "protocols/eth.h"
-#include "profiler/profiler.h"
+#include "tcp_stream_tracker.h"
+#include "profiler/profiler.h"
+#include "protocols/eth.h"
+#include "protocols/tcp.h"
+#include "protocols/tcp_options.h"
#include "stream/stream.h"
-#include "tcp_stream_tracker.h"
const char* tcp_state_names[] =
-{ "TCP_LISTEN", "TCP_SYN_SENT", "TCP_SYN_RECV", "TCP_ESTABLISHED","TCP_FIN_WAIT1",
- "TCP_FIN_WAIT2", "TCP_CLOSE_WAIT", "TCP_CLOSING", "TCP_LAST_ACK",
- "TCP_TIME_WAIT", "TCP_CLOSED", "TCP_STATE_NONE",};
-
-const char* tcp_event_names[] = { "TCP_SYN_SENT_EVENT", "TCP_SYN_RECV_EVENT",
- "TCP_SYN_ACK_SENT_EVENT", "TCP_SYN_ACK_RECV_EVENT",
- "TCP_ACK_SENT_EVENT",
- "TCP_ACK_RECV_EVENT", "TCP_DATA_SEG_SENT_EVENT",
- "TCP_DATA_SEG_RECV_EVENT",
- "TCP_FIN_SENT_EVENT", "TCP_FIN_RECV_EVENT", "TCP_RST_SENT_EVENT",
- "TCP_RST_RECV_EVENT" };
+{
+ "TCP_LISTEN", "TCP_SYN_SENT", "TCP_SYN_RECV",
+ "TCP_ESTABLISHED",
+ "TCP_FIN_WAIT1", "TCP_FIN_WAIT2", "TCP_CLOSE_WAIT", "TCP_CLOSING",
+ "TCP_LAST_ACK", "TCP_TIME_WAIT", "TCP_CLOSED",
+ "TCP_STATE_NONE"
+};
+
+const char* tcp_event_names[] = {
+ "TCP_SYN_SENT_EVENT", "TCP_SYN_RECV_EVENT",
+ "TCP_SYN_ACK_SENT_EVENT", "TCP_SYN_ACK_RECV_EVENT",
+ "TCP_ACK_SENT_EVENT", "TCP_ACK_RECV_EVENT",
+ "TCP_DATA_SEG_SENT_EVENT", "TCP_DATA_SEG_RECV_EVENT",
+ "TCP_FIN_SENT_EVENT", "TCP_FIN_RECV_EVENT",
+ "TCP_RST_SENT_EVENT", "TCP_RST_RECV_EVENT"
+};
TcpStreamTracker::TcpStreamTracker(bool client) :
client_tracker(client), tcp_state(client ? TCP_STATE_NONE : TCP_LISTEN)
#include "main/snort_types.h"
#include "main/snort_debug.h"
-#include "stream/stream.h"
-#include "stream/stream_api.h"
+#include "protocols/packet.h"
//--------------------------------------------------------------------
// private state
#include <stdint.h>
#include "main/snort_types.h"
-#include "stream/stream_api.h"
#include "stream/stream_splitter.h"
struct SnortConfig;
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-#include "stream_api.h"
+#include "stream.h"
#ifdef HAVE_CONFIG_H
#include "config.h"
#include "flow/flow_control.h"
#include "flow/flow_cache.h"
#include "flow/ha.h"
+#include "flow/prune_stats.h"
#include "flow/session.h"
#include "stream/stream.h"
#include "stream/paf.h"
#include "stream/libtcp/stream_tcp_unit_test.h"
#endif
-Stream stream; // FIXIT-L global for SnortContext
+// this should not be publicly accessible
+extern THREAD_LOCAL class FlowControl* flow_con;
-Stream::Stream()
+struct StreamImpl
{
- xtradata_func_count = 0;
- extra_data_log = NULL;
- extra_data_config = NULL;
-}
+public:
+ uint32_t xtradata_func_count = 0;
+ LogFunction xtradata_map[MAX_LOG_FN];
+ LogExtraData extra_data_log = nullptr;
+ void* extra_data_config = nullptr;
+};
-Stream::~Stream() { }
+static StreamImpl stream;
//-------------------------------------------------------------------------
// session foo
//-------------------------------------------------------------------------
-Flow* Stream::get_session(const FlowKey* key)
+Flow* Stream::get_flow(const FlowKey* key)
{ return flow_con->find_flow(key); }
-Flow* Stream::new_session(const FlowKey* key)
+Flow* Stream::new_flow(const FlowKey* key)
{ return flow_con->new_flow(key); }
-void Stream::delete_session(const FlowKey* key)
+Flow* Stream::new_flow(FlowKey* key)
+{
+ return flow_con ? flow_con->new_flow(key) : nullptr;
+}
+
+void Stream::delete_flow(const FlowKey* key)
{ flow_con->delete_flow(key); }
//-------------------------------------------------------------------------
// key foo
//-------------------------------------------------------------------------
-Flow* Stream::get_session_ptr(
+Flow* Stream::get_flow(
PktType type, IpProtocol proto,
const sfip_t* srcIP, uint16_t srcPort,
const sfip_t* dstIP, uint16_t dstPort,
uint16_t vlan, uint32_t mplsId, uint16_t addressSpaceId)
{
FlowKey key;
-
key.init(type, proto, srcIP, srcPort, dstIP, dstPort, vlan, mplsId, addressSpaceId);
-
- return get_session(&key);
+ return get_flow(&key);
}
-void Stream::populate_session_key(Packet* p, FlowKey* key)
+void Stream::populate_flow_key(Packet* p, FlowKey* key)
{
if (!key || !p)
return;
p->pkth->address_space_id);
}
-FlowKey* Stream::get_session_key(Packet* p)
+FlowKey* Stream::get_flow_key(Packet* p)
{
FlowKey* key = (FlowKey*)snort_calloc(sizeof(*key));
- populate_session_key(p, key);
+ populate_flow_key(p, key);
return key;
}
FlowData* Stream::get_flow_data(
const FlowKey* key, unsigned flow_id)
{
- Flow* flow = get_session(key);
+ Flow* flow = get_flow(key);
return flow->get_flow_data(flow_id);
}
uint16_t vlan, uint32_t mplsId,
uint16_t addressSpaceID, unsigned flow_id)
{
- Flow* flow;
-
- flow = get_session_ptr(
+ Flow* flow = get_flow(
type, proto,
srcIP, srcPort, dstIP, dstPort,
vlan, mplsId, addressSpaceID);
// session status
//-------------------------------------------------------------------------
-void Stream::check_session_closed(Packet* p)
+void Stream::check_flow_closed(Packet* p)
{
Flow* flow = p->flow;
}
}
-int Stream::ignore_session(
+int Stream::ignore_flow(
const sfip_t* srcIP, uint16_t srcPort,
const sfip_t* dstIP, uint16_t dstPort,
PktType protocol, char direction,
uint32_t flow_id)
{
assert(flow_con);
-
FlowData* fd = new FlowData(flow_id);
-
- return flow_con->add_expected(
- srcIP, srcPort, dstIP, dstPort, protocol, direction, fd);
+ return flow_con->add_expected(srcIP, srcPort, dstIP, dstPort, protocol, direction, fd);
}
void Stream::proxy_started(Flow* flow, unsigned dir)
tcpssn->flush();
if ( dir & SSN_DIR_FROM_SERVER )
- stream.set_splitter(flow, true, new LogSplitter(true));
+ set_splitter(flow, true, new LogSplitter(true));
if ( dir & SSN_DIR_FROM_CLIENT )
- stream.set_splitter(flow, false, new LogSplitter(false));
+ set_splitter(flow, false, new LogSplitter(false));
tcpssn->start_proxy();
flow->set_proxied();
}
}
-void Stream::drop_session(const Packet* p)
+void Stream::drop_flow(const Packet* p)
{
Flow* flow = p->flow;
flow->session->clear();
flow->set_state(Flow::FlowState::BLOCK);
- if (!(p->packet_flags & PKT_STATELESS))
+ if ( !(p->packet_flags & PKT_STATELESS) )
drop_traffic(flow, SSN_DIR_BOTH);
}
flow->set_expire(p, snort_conf->min_interval);
}
+void Stream::purge_flows()
+{
+ if ( !flow_con )
+ return;
+
+ flow_con->purge_flows(PktType::IP);
+ flow_con->purge_flows(PktType::ICMP);
+ flow_con->purge_flows(PktType::TCP);
+ flow_con->purge_flows(PktType::UDP);
+ flow_con->purge_flows(PktType::PDU);
+ flow_con->purge_flows(PktType::FILE);
+}
+
+void Stream::timeout_flows(time_t cur_time)
+{
+ if ( flow_con )
+ // FIXIT-M batch here or loop vs looping over idle?
+ flow_con->timeout_flows(cur_time);
+}
+
+void Stream::prune_flows()
+{
+ if ( flow_con )
+ flow_con->prune_one(PruneReason::MEMCAP, false);
+}
+
+bool Stream::expected_flow(Flow* f, Packet* p)
+{
+ return flow_con->expected_flow(f, p) != SSN_DIR_NONE;
+}
+
//-------------------------------------------------------------------------
// app proto id foo
//-------------------------------------------------------------------------
/* Not caching the source and dest host_entry in the session so we can
* swap the table out after processing this packet if we need
* to. */
- HostAttributeEntry* host_entry = NULL;
int16_t protocol = 0;
if (!flow)
set_ip_protocol(flow);
}
- host_entry = SFAT_LookupHostEntryByIP(&flow->server_ip);
- if (host_entry)
+ if ( HostAttributeEntry* host_entry = SFAT_LookupHostEntryByIP(&flow->server_ip) )
{
set_application_protocol_id(flow, host_entry, FROM_SERVER);
if (flow->ssn_state.application_protocol != 0)
- {
return flow->ssn_state.application_protocol;
- }
}
- host_entry = SFAT_LookupHostEntryByIP(&flow->client_ip);
- if (host_entry)
+ if ( HostAttributeEntry* host_entry = SFAT_LookupHostEntryByIP(&flow->client_ip) )
{
set_application_protocol_id(flow, host_entry, FROM_CLIENT);
if (flow->ssn_state.application_protocol != 0)
- {
return flow->ssn_state.application_protocol;
- }
}
flow->ssn_state.application_protocol = -1;
-
return 0;
}
void Stream::log_extra_data(
Flow* flow, uint32_t mask, uint32_t id, uint32_t sec)
{
- if ( mask && extra_data_log )
+ if ( mask && stream.extra_data_log )
{
- extra_data_log(
- flow, extra_data_config, xtradata_map,
- xtradata_func_count, mask, id, sec);
+ stream.extra_data_log(
+ flow, stream.extra_data_config, stream.xtradata_map,
+ stream.xtradata_func_count, mask, id, sec);
}
}
uint32_t Stream::reg_xtra_data_cb(LogFunction f)
{
uint32_t i = 0;
- while (i < xtradata_func_count)
+ while (i < stream.xtradata_func_count)
{
- if (xtradata_map[i++] == f)
- {
+ if (stream.xtradata_map[i++] == f)
return i;
- }
}
- if ( xtradata_func_count == MAX_LOG_FN)
+ if ( stream.xtradata_func_count == MAX_LOG_FN)
return 0;
- xtradata_map[xtradata_func_count++] = f;
- return xtradata_func_count;
+
+ stream.xtradata_map[stream.xtradata_func_count++] = f;
+ return stream.xtradata_func_count;
}
uint32_t Stream::get_xtra_data_map(LogFunction** f)
{
if (f)
{
- *f = xtradata_map;
- return xtradata_func_count;
+ *f = stream.xtradata_map;
+ return stream.xtradata_func_count;
}
- else
- return 0;
+ return 0;
}
void Stream::reg_xtra_data_log(LogExtraData f, void* config)
{
- extra_data_log = f;
- extra_data_config = config;
+ stream.extra_data_log = f;
+ stream.extra_data_config = config;
}
//-------------------------------------------------------------------------
// other foo
//-------------------------------------------------------------------------
-uint8_t Stream::get_session_ttl(Flow* flow, char dir, bool outer)
+uint8_t Stream::get_flow_ttl(Flow* flow, char dir, bool outer)
{
if ( !flow )
return 0;
}
}
-bool Stream::blocked_session(Flow* flow, Packet* p)
+bool Stream::blocked_flow(Flow* flow, Packet* p)
{
if ( !(flow->ssn_state.session_flags & (SSNFLAG_DROP_CLIENT|SSNFLAG_DROP_SERVER)) )
return false;
return false;
}
-bool Stream::ignored_session(Flow* flow, Packet* p)
+bool Stream::ignored_flow(Flow* flow, Packet* p)
{
if (((p->is_from_server()) &&
(flow->ssn_state.ignore_direction & SSN_DIR_FROM_CLIENT)) ||
return 1;
}
-bool Stream::expired_session(Flow* flow, Packet* p)
+bool Stream::expired_flow(Flow* flow, Packet* p)
{
if ( (flow->session_state & STREAM_STATE_TIMEDOUT)
|| StreamExpire(p, flow) )
}
// return true if added
-bool Stream::add_session_alert(
+bool Stream::add_flow_alert(
Flow* flow, Packet* p, uint32_t gid, uint32_t sid)
{
if ( !flow )
}
// return true if gid/sid have already been seen
-bool Stream::check_session_alerted(
+bool Stream::check_flow_alerted(
Flow* flow, Packet* p, uint32_t gid, uint32_t sid)
{
if ( !flow )
return flow->session->check_alerted(p, gid, sid);
}
-int Stream::update_session_alert(
+int Stream::update_flow_alert(
Flow* flow, Packet* p,
uint32_t gid, uint32_t sid,
uint32_t event_id, uint32_t event_second)
#ifdef UNIT_TEST
-#include "framework/cursor.h"
-
TEST_CASE("Stream API", "[stream_api][stream]")
{
// initialization code here
pkt->flow->session = new TcpSession(flow);
Stream::stop_inspection(flow, pkt, SSN_DIR_FROM_SERVER, 0, 0);
- bool ignored = Stream::ignored_session(flow, pkt);
+ bool ignored = Stream::ignored_flow(flow, pkt);
CHECK(ignored);
delete pkt->flow->session;
pkt->flow->session = new TcpSession(flow);
Stream::stop_inspection(flow, pkt, SSN_DIR_FROM_SERVER, 0, 0);
- bool ignored = Stream::ignored_session(flow, pkt);
+ bool ignored = Stream::ignored_flow(flow, pkt);
CHECK(!ignored);
delete pkt->flow->session;
delete pkt;
pkt->flow->session = new TcpSession(flow);
Stream::stop_inspection(flow, pkt, SSN_DIR_FROM_CLIENT, 0, 0);
- bool ignored = Stream::ignored_session(flow, pkt);
+ bool ignored = Stream::ignored_flow(flow, pkt);
CHECK(!ignored);
delete pkt->flow->session;
pkt->flow->session = new TcpSession(flow);
Stream::stop_inspection(flow, pkt, SSN_DIR_FROM_CLIENT, 0, 0);
- bool ignored = Stream::ignored_session(flow, pkt);
+ bool ignored = Stream::ignored_flow(flow, pkt);
CHECK(ignored);
delete pkt->flow->session;
delete pkt;
pkt->flow->session = new TcpSession(flow);
Stream::stop_inspection(flow, pkt, SSN_DIR_BOTH, 0, 0);
- bool ignored = Stream::ignored_session(flow, pkt);
+ bool ignored = Stream::ignored_flow(flow, pkt);
CHECK(ignored);
delete pkt->flow->session;
pkt->flow->session = new TcpSession(flow);
Stream::stop_inspection(flow, pkt, SSN_DIR_BOTH, 0, 0);
- bool ignored = Stream::ignored_session(flow, pkt);
+ bool ignored = Stream::ignored_flow(flow, pkt);
CHECK(ignored);
delete pkt->flow->session;
delete pkt;
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
+// stream.h author Steven Sturges
+
#ifndef STREAM_H
#define STREAM_H
+// provides a common flow management interface
+
#include <sys/types.h>
-#include <netinet/in.h>
+#include "sfip/sfip_t.h"
+#include "protocols/packet.h"
+#include "flow/flow.h"
#include "main/snort_types.h"
-#include "stream/stream_api.h"
-#include "network_inspectors/normalize/norm.h"
-#include "flow/session.h"
-
-#define STREAM_DEFAULT_SSN_TIMEOUT 30 /* seconds to timeout a session */
-#define STREAM_MAX_SSN_TIMEOUT 3600*24 /* max timeout (approx 1 day) */
-#define STREAM_MIN_SSN_TIMEOUT 1 /* min timeout (1 second) */
-
-#define STREAM_TRACK_YES 1
-#define STREAM_TRACK_NO 0
-
-// FIXIT-L move to proto specific where possible
-#define STREAM_CONFIG_STATEFUL_INSPECTION 0x00000001
-#define STREAM_CONFIG_LOG_STREAMS 0x00000004
-#define STREAM_CONFIG_REASS_CLIENT 0x00000008
-#define STREAM_CONFIG_REASS_SERVER 0x00000010
-#define STREAM_CONFIG_ASYNC 0x00000020
-#define STREAM_CONFIG_SHOW_PACKETS 0x00000040
-#define STREAM_CONFIG_MIDSTREAM_DROP_NOALERT 0x00000080
-#define STREAM_CONFIG_IGNORE_ANY 0x00000100
-#define STREAM_CONFIG_STATIC_FLUSHPOINTS 0x00000200
-#define STREAM_CONFIG_IPS 0x00000400
-#define STREAM_CONFIG_NO_ASYNC_REASSEMBLY 0x00000800
-
-// shared stream state
-extern THREAD_LOCAL class FlowControl* flow_con;
-extern const PegInfo base_pegs[];
-
-const PegInfo* Stream_GetNormPegs();
-NormPegs Stream_GetNormCounts(unsigned&);
+
+/* traffic direction identification */
+#define FROM_SERVER 0
+#define FROM_CLIENT 1
+
+#define SSN_MISSING_NONE 0x00
+#define SSN_MISSING_BEFORE 0x01
+#define SSN_MISSING_AFTER 0x02
+#define SSN_MISSING_BOTH (SSN_MISSING_BEFORE | SSN_MISSING_AFTER)
+
+#define SSN_DIR_NONE 0x00
+#define SSN_DIR_FROM_CLIENT 0x01
+#define SSN_DIR_FROM_SERVER 0x02
+#define SSN_DIR_BOTH 0x03
+
+// sequence must match FRAG_POLICY_* enum in stream_ip.h (1-based)
+#define IP_POLICIES \
+ "first | linux | bsd | bsd_right | last | windows | solaris"
+
+// sequence must match STREAM_POLICY_* defines in tcp_session.cc (1-based)
+#define TCP_POLICIES \
+ "first | last | linux | old_linux | bsd | macos | solaris | irix | " \
+ "hpux11 | hpux10 | windows | win_2003 | vista | proxy"
+
+class Flow;
+
+typedef int (* LogFunction)(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type);
+typedef void (* LogExtraData)(Flow*, void* config, LogFunction* funcs,
+ uint32_t max_count, uint32_t xtradata_mask, uint32_t id, uint32_t sec);
+
+#define MAX_LOG_FN 32
+
+//-------------------------------------------------------------------------
+
+class SO_PUBLIC Stream
+{
+public:
+ // for shutdown only
+ static void purge_flows();
+
+ static void timeout_flows(time_t cur_time);
+ static void prune_flows();
+ static bool expected_flow(Flow*, Packet*);
+ static Flow* new_flow(FlowKey*);
+
+ // Looks in the flow cache for flow session with specified key and returns
+ // pointer to flow session oject if found, otherwise null.
+ static Flow* get_flow(const FlowKey*);
+
+ // Allocates a flow session object from the flow cache table for the protocol
+ // type of the specified key. If no cache exists for that protocol type null is
+ // returned. If a flow already exists for the key a pointer to that session
+ // object is returned.
+ // If a new session object can not be allocated the program is terminated.
+ static Flow* new_flow(const FlowKey*);
+
+ // Removes the flow session object from the flow cache table and returns
+ // the resources allocated to that flow to the free list.
+ static void delete_flow(const FlowKey*);
+
+ // Examines the source and destination ip addresses and ports to determine if the
+ // packet is from the client or server side of the flow and sets bits in the
+ // packet_flags field of the Packet struct to indicate the direction determined.
+ static uint32_t get_packet_direction(Packet*);
+
+ // Sets the stream session into proxy mode.
+ static void proxy_started(Flow*, unsigned dir); // FIXIT-L method name is misleading
+
+ // Stop inspection on a flow for up to count bytes (-1 to ignore for life or until resume).
+ // If response flag is set, automatically resume inspection up to count bytes when a data
+ // packet in the other direction is seen. Also marks the packet to be ignored
+ // FIXIT-L stop_inspection() does not currently support the bytes/response parameters
+ static void stop_inspection(Flow*, Packet*, char dir, int32_t bytes, int rspFlag);
+
+ // Adds entry to the expected session cache with a flow key generated from the network
+ // n-tuple parameters specified. Inspection will be turned off for this expected session
+ // when it arrives.
+ static int ignore_flow(
+ const sfip_t *addr1, uint16_t p1, const sfip_t *addr2, uint16_t p2,
+ PktType, char dir, uint32_t ppId);
+
+ // Resume inspection for flow.
+ // FIXIT-L does resume work only for a flow that has been stopped by call to stop_inspection?
+ static void resume_inspection(Flow*, char dir);
+
+ // Set Active status to force drop the current packet and set flow state to drop
+ // subsequent packets arriving from the direction specified.
+ static void drop_traffic(Flow*, char dir);
+
+ // Mark a flow as dropped, release allocated resources, and set flow state such that any
+ // subsequent packets received on this flow are dropped.
+ static void drop_flow(const Packet*);
+
+ // FIXIT-L flush_request() / flush_response() are misnomers in ips mode and may cause errors
+
+ // Flush queued data on the listener side of a stream flow. The listener is the side of the
+ // connection the packet is destined, so if the Packet is from the client, then the
+ // server side tracker is flushed.
+ static void flush_request(Packet*); // flush listener
+
+ // Flush queued data on the talker side of a stream flow. The talker is the side of the
+ // connection the packet originated from, so if the Packet is from the client, then the
+ // client side tracker is flushed.
+ static void flush_response(Packet*); // flush talker
+
+ // Add session alert - true if added
+ static bool add_flow_alert(Flow*, Packet*, uint32_t gid, uint32_t sid);
+
+ // Check session alert - true if previously alerted
+ static bool check_flow_alerted(Flow*, Packet* p, uint32_t gid, uint32_t sid);
+
+ // Set Extra Data Logging
+ static int update_flow_alert(
+ Flow*, Packet* p, uint32_t gid, uint32_t sid,
+ uint32_t eventId, uint32_t eventSecond);
+
+ // Get reassembly direction for given session
+ static char get_reassembly_direction(Flow*);
+
+ // Returns true if stream data for the flow is in sequence, otherwise return false.
+ static bool is_stream_sequenced(Flow*, uint8_t dir);
+
+ // Get state of missing packets for the flow.
+ // SSN_MISSING_BOTH if missing before and after
+ // SSN_MISSING_BEFORE if missing before
+ // SSN_MISSING_AFTER if missing after
+ // SSN_MISSING_NONE if none missing
+ static int missing_in_reassembled(Flow*, uint8_t dir);
+
+ // Returns true if packets were missed on the stream, otherwise returns false.
+ static bool missed_packets(Flow*, uint8_t dir);
+
+ // Get the protocol identifier from a stream
+ static int16_t get_application_protocol_id(Flow*);
+
+ // Set the protocol identifier for a stream
+ static int16_t set_application_protocol_id(Flow*, int16_t appId);
+
+ // initialize response count and expiration time
+ static void init_active_response(const Packet*, Flow*);
+
+ static void set_splitter(Flow*, bool toServer, class StreamSplitter* = nullptr);
+ static StreamSplitter* get_splitter(Flow*, bool toServer);
+ static bool is_paf_active(Flow*, bool toServer);
+
+ // Turn off inspection for potential session. Adds session identifiers to a hash table.
+ // TCP only.
+ static int set_application_protocol_id_expected(
+ const sfip_t *a1, uint16_t p1, const sfip_t *a2, uint16_t p2, PktType,
+ int16_t appId, FlowData*);
+
+ // Get pointer to application data for a flow based on the lookup tuples for cases where
+ // Snort does not have an active packet that is relevant.
+ static FlowData* get_flow_data(
+ PktType type, IpProtocol proto,
+ const sfip_t *a1, uint16_t p1, const sfip_t *a2, uint16_t p2,
+ uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, unsigned flow_id);
+
+ // Get pointer to application data for a flow using the FlowKey as the lookup criteria
+ static FlowData* get_flow_data(const FlowKey*, unsigned flow_id);
+
+ // Get pointer to a session flow instance for a flow based on the lookup tuples for
+ // cases where Snort does not have an active packet that is relevant.
+ static Flow* get_flow(
+ PktType type, IpProtocol proto,
+ const sfip_t *a1, uint16_t p1, const sfip_t *a2, uint16_t p2,
+ uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId);
+
+ // Delete the session if it is in the closed session state.
+ static void check_flow_closed(Packet*);
+
+ // Create a session key from the Packet
+ static FlowKey* get_flow_key(Packet*);
+
+ // Populate a session key from the Packet
+ static void populate_flow_key(Packet*, FlowKey*);
+
+ static void update_direction(Flow*, char dir, const sfip_t* ip, uint16_t port);
+
+ static void set_application_protocol_id(
+ Flow*, const struct HostAttributeEntry*, int direction);
+
+ static bool is_midstream(Flow* flow)
+ { return flow->ssn_state.session_flags & SSNFLAG_MIDSTREAM; }
+
+ // Get the TTL value used at session setup
+ // Set outer=false to get inner ip ttl for ip in ip; else outer=true
+ static uint8_t get_flow_ttl(Flow*, char dir, bool outer);
+
+ static bool expired_flow(Flow*, Packet*);
+ static bool ignored_flow(Flow*, Packet*);
+ static bool blocked_flow(Flow*, Packet*);
+
+ // extra data methods
+ static void set_extra_data(Flow*, Packet*, uint32_t);
+ static void clear_extra_data(Flow*, Packet*, uint32_t);
+ static void log_extra_data(Flow*, uint32_t mask, uint32_t id, uint32_t sec);
+
+ static uint32_t reg_xtra_data_cb(LogFunction);
+ static void reg_xtra_data_log(LogExtraData, void*);
+ static uint32_t get_xtra_data_map(LogFunction**);
+
+private:
+ static void set_ip_protocol(Flow*);
+};
#endif
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// stream_api.h author Steven Sturges
-
-#ifndef STREAM_API_H
-#define STREAM_API_H
-
-/*
- * Purpose: Definition of the StreamAPI. To be used as a common interface
- * for TCP (and later UDP & ICMP) Stream access for other
- * preprocessors and detection plugins.
- */
-
-#include <sys/types.h>
-
-#include "sfip/sfip_t.h"
-#include "protocols/packet.h"
-#include "flow/flow.h"
-#include "main/snort_types.h"
-
-/* traffic direction identification */
-#define FROM_SERVER 0
-#define FROM_CLIENT 1
-
-#define SSN_MISSING_NONE 0x00
-#define SSN_MISSING_BEFORE 0x01
-#define SSN_MISSING_AFTER 0x02
-#define SSN_MISSING_BOTH (SSN_MISSING_BEFORE | SSN_MISSING_AFTER)
-
-#define SSN_DIR_NONE 0x00
-#define SSN_DIR_FROM_CLIENT 0x01
-#define SSN_DIR_FROM_SERVER 0x02
-#define SSN_DIR_BOTH 0x03
-
-// sequence must match FRAG_POLICY_* enum in stream_ip.h (1-based)
-#define IP_POLICIES \
- "first | linux | bsd | bsd_right | last | windows | solaris"
-
-// sequence must match STREAM_POLICY_* defines in tcp_session.cc (1-based)
-#define TCP_POLICIES \
- "first | last | linux | old_linux | bsd | macos | solaris | irix | " \
- "hpux11 | hpux10 | windows | win_2003 | vista | proxy"
-
-class Flow;
-
-typedef int (* LogFunction)(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type);
-typedef void (* LogExtraData)(Flow*, void* config, LogFunction* funcs,
- uint32_t max_count, uint32_t xtradata_mask, uint32_t id, uint32_t sec);
-
-typedef int (* PacketIterator)
-(
- DAQ_PktHdr_t*,
- uint8_t*, /* pkt pointer */
- void* /* user-defined data pointer */
-);
-
-typedef int (* StreamSegmentIterator)
-(
- DAQ_PktHdr_t*,
- uint8_t*, /* pkt pointer */
- uint8_t*, /* payload pointer */
- uint32_t, /* sequence number */
- void* /* user-defined data pointer */
-);
-
-#define MAX_LOG_FN 32
-
-//-------------------------------------------------------------------------
-// public methods other than ctor / dtor must all be declared SO_PUBLIC
-//-------------------------------------------------------------------------
-
-class SO_PUBLIC Stream
-{
-public:
- SO_PRIVATE Stream();
- SO_PRIVATE ~Stream();
-
- // Looks in the flow cache for flow session with specified key and returns
- // pointer to flow session oject if found, otherwise null.
- static Flow* get_session(const FlowKey*);
-
- // Allocates a flow session object from the flow cache table for the protocol
- // type of the specified key. If no cache exists for that protocol type null is
- // returned. If a flow already exists for the key a pointer to that session
- // object is returned.
- // If a new session object can not be allocated the program is terminated.
- static Flow* new_session(const FlowKey*);
-
- // Removes the flow session object from the flow cache table and returns
- // the resources allocated to that flow to the free list.
- static void delete_session(const FlowKey*);
-
- // Examines the source and destination ip addresses and ports to determine if the
- // packet is from the client or server side of the flow and sets bits in the
- // packet_flags field of the Packet struct to indicate the direction determined.
- static uint32_t get_packet_direction(Packet*);
-
- // Sets the stream session into proxy mode.
- static void proxy_started(Flow*, unsigned dir); // FIXIT-L method name is misleading
-
- // Stop inspection on a flow for up to count bytes (-1 to ignore for life or until resume).
- // If response flag is set, automatically resume inspection up to count bytes when a data
- // packet in the other direction is seen. Also marks the packet to be ignored
- // FIXIT-L stop_inspection() does not currently support the bytes/response parameters
- static void stop_inspection(Flow*, Packet*, char dir, int32_t bytes, int rspFlag);
-
- // Adds entry to the expected session cache with a flow key generated from the network
- // n-tuple parameters specified. Inspection will be turned off for this expected session
- // when it arrives.
- int ignore_session( const sfip_t *addr1, uint16_t p1, const sfip_t *addr2, uint16_t p2,
- PktType, char dir, uint32_t ppId);
-
- // Resume inspection for flow.
- // FIXIT-L does resume work only for a flow that has been stopped by call to stop_inspection?
- static void resume_inspection(Flow*, char dir);
-
- // Set Active status to force drop the current packet and set flow state to drop
- // subsequent packets arriving from the direction specified.
- static void drop_traffic(Flow*, char dir);
-
- // Mark a flow as dropped, release allocated resources, and set flow state such that any
- // subsequent packets received on this flow are dropped.
- static void drop_session(const Packet*);
-
- // FIXIT-L flush_request() / flush_response() are misnomers in ips mode and may cause errors
-
- // Flush queued data on the listener side of a stream flow. The listener is the side of the
- // connection the packet is destined, so if the Packet is from the client, then the
- // server side tracker is flushed.
- static void flush_request(Packet*); // flush listener
-
- // Flush queued data on the talker side of a stream flow. The talker is the side of the
- // connection the packet originated from, so if the Packet is from the client, then the
- // client side tracker is flushed.
- static void flush_response(Packet*); // flush talker
-
- // Add session alert - true if added
- static bool add_session_alert(Flow*, Packet*, uint32_t gid, uint32_t sid);
-
- // Check session alert - true if previously alerted
- static bool check_session_alerted(Flow*, Packet* p, uint32_t gid, uint32_t sid);
-
- // Set Extra Data Logging
- static int update_session_alert(
- Flow*, Packet* p, uint32_t gid, uint32_t sid,
- uint32_t eventId, uint32_t eventSecond);
-
- // Get reassembly direction for given session
- static char get_reassembly_direction(Flow*);
-
- // Returns true if stream data for the flow is in sequence, otherwise return false.
- static bool is_stream_sequenced(Flow*, uint8_t dir);
-
- // Get state of missing packets for the flow.
- // SSN_MISSING_BOTH if missing before and after
- // SSN_MISSING_BEFORE if missing before
- // SSN_MISSING_AFTER if missing after
- // SSN_MISSING_NONE if none missing
- static int missing_in_reassembled(Flow*, uint8_t dir);
-
- // Returns true if packets were missed on the stream, otherwise returns false.
- static bool missed_packets(Flow*, uint8_t dir);
-
- // Get the protocol identifier from a stream
- static int16_t get_application_protocol_id(Flow*);
-
- // Set the protocol identifier for a stream
- static int16_t set_application_protocol_id(Flow*, int16_t appId);
-
- // initialize response count and expiration time
- static void init_active_response(const Packet*, Flow*);
-
- static void set_splitter(Flow*, bool toServer, class StreamSplitter* = nullptr);
- static StreamSplitter* get_splitter(Flow*, bool toServer);
- static bool is_paf_active(Flow*, bool toServer);
-
- // Turn off inspection for potential session. Adds session identifiers to a hash table.
- // TCP only.
- int set_application_protocol_id_expected(
- const sfip_t *a1, uint16_t p1, const sfip_t *a2, uint16_t p2, PktType,
- int16_t appId, FlowData*);
-
- // Get pointer to application data for a flow based on the lookup tuples for cases where
- // Snort does not have an active packet that is relevant.
- static FlowData* get_flow_data(
- PktType type, IpProtocol proto,
- const sfip_t *a1, uint16_t p1, const sfip_t *a2, uint16_t p2,
- uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, unsigned flow_id);
-
- // Get pointer to application data for a flow using the FlowKey as the lookup criteria
- static FlowData* get_flow_data(const FlowKey*, unsigned flow_id);
-
- // -- extra data methods
- uint32_t reg_xtra_data_cb(LogFunction);
- void reg_xtra_data_log(LogExtraData, void*);
- uint32_t get_xtra_data_map(LogFunction**);
-
- static void set_extra_data(Flow*, Packet*, uint32_t);
- static void clear_extra_data(Flow*, Packet*, uint32_t);
- void log_extra_data(Flow*, uint32_t mask, uint32_t id, uint32_t sec);
-
- // Get pointer to a session flow instance for a flow based on the lookup tuples for
- // cases where Snort does not have an active packet that is relevant.
- static Flow* get_session_ptr(
- PktType type, IpProtocol proto,
- const sfip_t *a1, uint16_t p1, const sfip_t *a2, uint16_t p2,
- uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId);
-
- // Delete the session if it is in the closed session state.
- void check_session_closed(Packet*);
-
- // Create a session key from the Packet
- static FlowKey* get_session_key(Packet*);
-
- // Populate a session key from the Packet
- static void populate_session_key(Packet*, FlowKey*);
-
- void update_direction(Flow*, char dir, const sfip_t* ip, uint16_t port);
-
- static void set_application_protocol_id(
- Flow*, const struct HostAttributeEntry*, int direction);
-
- static bool is_midstream(Flow* flow)
- { return flow->ssn_state.session_flags & SSNFLAG_MIDSTREAM; }
-
- // Get the TTL value used at session setup
- // Set outer=false to get inner ip ttl for ip in ip; else outer=true
- static uint8_t get_session_ttl(Flow*, char dir, bool outer);
-
- static bool expired_session(Flow*, Packet*);
- static bool ignored_session(Flow*, Packet*);
- static bool blocked_session(Flow*, Packet*);
-
-private:
- static void set_ip_protocol(Flow*);
-
-private:
- uint32_t xtradata_func_count = 0;
- LogFunction xtradata_map[MAX_LOG_FN];
- LogExtraData extra_data_log = NULL;
- void* extra_data_config = NULL;
-};
-
-SO_PUBLIC extern Stream stream;
-
-#endif
-
if ( srod.direction & SSN_DIR_FROM_SERVER )
{
tcpssn->server->flush_policy = STREAM_FLPOLICY_IGNORE;
- stream.set_splitter(lwssn, true);
+ Stream::set_splitter(lwssn, true);
}
if ( srod.direction & SSN_DIR_FROM_CLIENT )
{
tcpssn->client->flush_policy = STREAM_FLPOLICY_IGNORE;
- stream.set_splitter(lwssn, false);
+ Stream::set_splitter(lwssn, false);
}
}
else
if ( srod.direction & SSN_DIR_FROM_SERVER )
{
tcpssn->server->flush_policy = STREAM_FLPOLICY_ON_ACK;
- stream.set_splitter(lwssn, true, new AtomSplitter(true));
+ Stream::set_splitter(lwssn, true, new AtomSplitter(true));
}
if ( srod.direction & SSN_DIR_FROM_CLIENT )
{
tcpssn->client->flush_policy = STREAM_FLPOLICY_ON_ACK;
- stream.set_splitter(lwssn, false, new AtomSplitter(false));
+ Stream::set_splitter(lwssn, false, new AtomSplitter(false));
}
}
IpsOption* ropt = reassemble_api.ctor(reassembler, nullptr);
int rc = ropt->eval(cursor, pkt);
CHECK( ( rc == DETECTION_OPTION_MATCH ) );
- StreamSplitter* ss = stream.get_splitter(flow, true);
+ StreamSplitter* ss = Stream::get_splitter(flow, true);
CHECK( ( ss != nullptr ) );
CHECK( ( !ss->is_paf() ) );
CHECK( ( ( ( TcpSession* )pkt->flow->session)->server.flush_policy
#ifndef SEGMENT_OVERLAP_EDITOR_H
#define SEGMENT_OVERLAP_EDITOR_H
+#include "normalize/normalize.h"
#include "tcp_defs.h"
#include "tcp_segment_node.h"
#include "tcp_session.h"
#define STREAM_TCP_H
#include "flow/flow.h"
-#include "stream/stream_api.h"
#include "protocols/packet.h"
#include "tcp_defs.h"
#define SLAM_MAX 4
-// target-based policy types - changes to this enum require changes to stream_api.h::TCP_POLICIES
+// target-based policy types - changes to this enum require changes to stream.h::TCP_POLICIES
enum class StreamPolicy
{
OS_INVALID = 0,
#include "tcp_ha.h"
-#include "flow/flow_control.h"
#include "main/snort_debug.h"
-#include "stream/tcp/tcp_session.h"
+#include "stream/stream.h"
+#include "tcp_session.h"
Flow* TcpHA::create_session(FlowKey* key)
{
- DebugMessage(DEBUG_HA,"TcpHA::create_session)\n");
+ assert(key);
- assert ( key );
-
- Flow* flow = flow_con->new_flow(key);
+ Flow* flow = Stream::new_flow(key);
if ( (flow != nullptr ) && (flow->session == nullptr) )
{
#include <string>
#include "profiler/profiler.h"
-#include "stream_tcp.h"
#include "stream/stream.h"
+#include "stream_tcp.h"
using namespace std;
#include "main/snort_types.h"
#include "main/thread.h"
+#include "flow/session.h"
#include "framework/module.h"
-#include "stream/stream.h"
#include "tcp_stream_config.h"
#define GID_STREAM_TCP 129
#include "main/snort.h"
#include "protocols/packet.h"
-#include "stream/stream.h"
+#include "protocols/packet_manager.h"
#include "profiler/profiler.h"
#include "flow/flow_control.h"
//if (SEQ_LT(ai->seq, flush_seq) )
{
- stream.log_extra_data(flow, xtradata_mask, ai->event_id, ai->event_second);
+ Stream::log_extra_data(flow, xtradata_mask, ai->event_id, ai->event_second);
memset(ai, 0, sizeof(*ai));
}
#if 0
#include "framework/counts.h"
#include "detection/detect.h"
#include "normalize/normalize.h"
-#include "stream/stream_api.h"
#include "segment_overlap_editor.h"
#include "tcp_defs.h"
#include "log/log_text.h"
#include "stream/stream.h"
#include "stream/stream_splitter.h"
-#include "flow/flow_control.h"
#include "flow/session.h"
#include "profiler/profiler.h"
#include "file_api/file_api.h"
-#include "normalize/normalize.h"
#include "perf_monitor/flow_tracker.h"
#include "filters/sfrf.h"
{
// FIXIT-L why flush here instead of just purge?
// s5_ignored_session() may be disabling detection too soon if we really want to flush
- if (stream.ignored_session(flow, tsd.get_pkt()))
+ if (Stream::ignored_flow(flow, tsd.get_pkt()))
{
if ( talker && ( talker->get_tf_flags() & TF_FORCE_FLUSH ) )
{
flow_ready = false;
}
- if (stream.blocked_session(flow, p) || (flow->session_state & STREAM_STATE_IGNORE))
+ if (Stream::blocked_flow(flow, p) || (flow->session_state & STREAM_STATE_IGNORE))
flow_ready = false;
- // FIXIT-L expected flow should be checked by flow_con before we get here
+ // FIXIT-L expected flow should be checked by Stream before we get here
// harmonize this with that and the checks above
- char ignore = flow_con->expected_flow(flow, p);
- if (ignore)
+
+ if ( Stream::expected_flow(flow, p) )
{
server->flush_policy = STREAM_FLPOLICY_IGNORE;
client->flush_policy = STREAM_FLPOLICY_IGNORE;
{
// Check if the session is expired. Should be done before we do something with
// the packet...Insert a packet, or handle state change SYN, FIN, RST, etc.
- if (stream.expired_session(flow, p))
+ if (Stream::expired_flow(flow, p))
{
/* Session is timed out, if also reset then restart, otherwise clear */
if (flow->get_session_flags() & SSNFLAG_RESET)
// tcp_state_closed.cc author davis mcpherson <davmcphe@@cisco.com>
// Created on: Jul 30, 2015
-#include "stream/stream.h"
+#include "tcp_state_closed.h"
#include "tcp_module.h"
#include "tcp_tracker.h"
#include "tcp_session.h"
#include "tcp_normalizer.h"
-#include "tcp_state_closed.h"
#ifdef UNIT_TEST
#include "catch/catch.hpp"
// tcp_state_none.cc author davis mcpherson <davmcphe@@cisco.com>
// Created on: Jul 30, 2015
-#include "stream/stream.h"
+#include "tcp_state_none.h"
#include "tcp_module.h"
#include "tcp_tracker.h"
#include "tcp_session.h"
#include "tcp_normalizer.h"
-#include "tcp_state_none.h"
#ifdef UNIT_TEST
#include "catch/catch.hpp"
#define TCP_STREAM_CONFIG_H
#include "time/packet_time.h"
-#include "stream/stream.h"
-
#include "tcp_defs.h"
+#define STREAM_CONFIG_STATEFUL_INSPECTION 0x00000001
+#define STREAM_CONFIG_LOG_STREAMS 0x00000004
+#define STREAM_CONFIG_REASS_CLIENT 0x00000008
+#define STREAM_CONFIG_REASS_SERVER 0x00000010
+#define STREAM_CONFIG_ASYNC 0x00000020
+#define STREAM_CONFIG_SHOW_PACKETS 0x00000040
+#define STREAM_CONFIG_MIDSTREAM_DROP_NOALERT 0x00000080
+#define STREAM_CONFIG_IGNORE_ANY 0x00000100
+#define STREAM_CONFIG_STATIC_FLUSHPOINTS 0x00000200
+#define STREAM_CONFIG_IPS 0x00000400
+#define STREAM_CONFIG_NO_ASYNC_REASSEMBLY 0x00000800
+
+#define STREAM_DEFAULT_SSN_TIMEOUT 30
+
class TcpStreamConfig
{
public:
#include "udp_ha.h"
-#include "flow/flow_control.h"
#include "main/snort_debug.h"
-#include "stream/udp/udp_session.h"
-
-extern THREAD_LOCAL class FlowControl* flow_con;
+#include "stream/stream.h"
+#include "udp_session.h"
Flow* UdpHA::create_session(FlowKey* key)
{
- DebugMessage(DEBUG_HA,"UdpHA::create_session\n");
-
- assert ( key );
+ assert(key);
- Flow* flow = flow_con->new_flow(key);
+ Flow* flow = Stream::new_flow(key);
if ( (flow != nullptr ) && (flow->session == nullptr) )
{
#include "main/snort_types.h"
#include "main/thread.h"
+#include "flow/session.h"
#include "framework/module.h"
-#include "stream/stream.h"
struct SnortConfig;
#include "config.h"
#endif
-#include "stream_udp.h"
-#include "udp_module.h"
-#include "udp_ha.h"
-
#include "stream/stream.h"
#include "main/snort_types.h"
#include "main/snort_debug.h"
#include "hash/sfxhash.h"
#include "utils/util.h"
#include "protocols/packet.h"
-#include "flow/flow_control.h"
#include "flow/session.h"
#include "packet_io/active.h"
+#include "perf_monitor/flow_ip_tracker.h"
#include "profiler/profiler.h"
#include "sfip/sf_ip.h"
-#include "perf_monitor/flow_ip_tracker.h"
+#include "stream/stream.h"
+
+#include "stream_udp.h"
+#include "udp_module.h"
+#include "udp_ha.h"
// NOTE: sender is assumed to be client
// responder is assumed to be server
{
assert(lwssn->pkt_type == PktType::UDP);
- if ( stream.blocked_session(lwssn, p) )
+ if ( Stream::blocked_flow(lwssn, p) )
return 0;
- if ( stream.ignored_session(lwssn, p) )
+ if ( Stream::ignored_flow(lwssn, p) )
return 0;
/* if both seen, mark established */
&flow->server_ip, SFS_STATE_UDP_CREATED);
}
- if ( flow_con->expected_flow(flow, p) )
+ if ( Stream::expected_flow(flow, p) )
{
udpStats.sessions--; // incremented in SESSIONS_STATS_ADD
return false;
StreamUdpConfig* pc = get_udp_cfg(flow->ssn_server);
// Check if the session is expired.
// Should be done before we do something with the packet...
- if ( stream.expired_session(flow, p) )
+ if ( Stream::expired_flow(flow, p) )
{
UdpSessionCleanup(flow);
flow->restart();
#include "stream_user.h"
#include "main/snort_config.h"
-#include "stream/stream.h"
//-------------------------------------------------------------------------
// stream_user module
#include "config.h"
#endif
-#include "stream_user.h"
-#include "user_module.h"
-
-#include "stream/stream.h"
-#include "stream/stream_splitter.h"
-#include "stream/paf.h"
-
-#include "flow/flow_control.h"
#include "main/snort.h"
#include "perf_monitor/perf_monitor.h"
#include "profiler/profiler.h"
#include "sfip/sf_ip.h"
#include "utils/util.h"
+#include "stream/stream.h"
+#include "stream/stream_splitter.h"
+#include "stream/paf.h"
+
+#include "stream_user.h"
+#include "user_module.h"
+
THREAD_LOCAL ProfileStats user_perf_stats;
// we always get exactly one copy of user data in order
server.init();
#ifdef ENABLE_EXPECTED_USER
- if ( flow_con->expected_session(flow, p))
+ if ( Stream::expected_flow(flow, p) )
return false;
#endif
return true;
{
Profile profile(user_perf_stats);
- if ( stream.expired_session(flow, p) )
+ if ( Stream::expired_flow(flow, p) )
{
flow->restart();
// FIXIT-M count user session timeouts here
#ifdef ENABLE_EXPECTED_USER
- if ( flow_con->expected_session(flow, p))
+ if ( Stream::expected_flow(flow, p))
return 0;
#endif
}
flow->set_direction(p);
- if ( stream.blocked_session(flow, p) || stream.ignored_session(flow, p) )
+ if ( Stream::blocked_flow(flow, p) || Stream::ignored_flow(flow, p) )
return 0;
update(p, flow);
#include <vector>
using namespace std;
+#include "hash/sfghash.h"
+#include "main/snort_debug.h"
+#include "utils/util.h"
+#include "stream/stream.h"
+
#include "sftarget_reader.h"
#include "sftarget_hostentry.h"
#include "sftarget_data.h"
-#include "hash/sfghash.h"
-#include "utils/util.h"
-#include "main/snort_debug.h"
-#include "stream/stream_api.h"
-
struct SFTargetProtocolReference
{
char name[SFAT_BUFSZ];
if ( p->flow )
{
/* Use session information via Stream API */
- protocol = stream.get_application_protocol_id(p->flow);
+ protocol = Stream::get_application_protocol_id(p->flow);
if ( protocol )
break;
#include "ips_options/ips_pcre.h"
#include "time/packet_time.h"
#include "time/timersub.h"
-#include "stream/stream.h"
#ifdef PATH_MAX
#define PATH_MAX_UTIL PATH_MAX
if ((lua_option != nullptr) && snort_option->compare(*lua_option))
{
retval = parse_int_option(*lua_option, stream, false);
- table_api.add_diff_option_comment("config " + *snort_option +
- ":", *lua_option);
+ table_api.add_diff_option_comment("config " + *snort_option + ":", *lua_option);
}
else
{
const std::string* lua_option = nullptr>
static ConversionState* config_int_ctor(Converter& c)
{
- return new ConfigIntOption(c,
- snort_option,
- lua_table,
- lua_option);
+ return new ConfigIntOption(c, snort_option, lua_table, lua_option);
}
} // namespace
bool use_string_array = false>
static ConversionState* config_string_ctor(Converter& c)
{
- return new ConfigStringOption(c,
- snort_option,
- lua_table,
- lua_option,
- use_string_array);
+ return new ConfigStringOption(c, snort_option, lua_table, lua_option, use_string_array);
}
} // namespace
projects / thirdparty / snort3.git / commitdiff
