Pull request #3691: Fc36
authorRuss Combs (rucombs) <rucombs@cisco.com>
Sat, 17 Dec 2022 22:35:02 +0000 (22:35 +0000)
committerRuss Combs (rucombs) <rucombs@cisco.com>
Sat, 17 Dec 2022 22:35:02 +0000 (22:35 +0000)
Merge in SNORT/snort3 from ~RUCOMBS/snort3:fc36 to master

Squashed commit of the following:

commit 4f9390f1b2414fb2592055501e47707d7b0bdbf3
Author: Russ Combs <rucombs@cisco.com>
Date:   Thu Dec 15 13:53:50 2022 -0500

    pop, imap: gracefully decline buffer requests when flow data is not present

commit 65518cead263c7b8990417fd2acb4ea50577c8a3
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Nov 29 23:22:44 2022 -0500

    alert_fast: fix initialization of http_inspect cheat codes

commit 11496a4b6bb98ee69db9fd6cd5f2c084748242f4
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Nov 29 09:01:20 2022 -0500

    host_cache: simplify dump_file with std::string

commit 6a8994a35402695fe73c7c4a948903d3a94c5d06
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Nov 29 08:58:18 2022 -0500

    host_cache: fix initialization from Lua

commit c009d930c5ddb5d00928dd11fa4cdd33d1aeea04
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Nov 28 16:09:54 2022 -0500

    config: ensure table state is reset when starting a new shell

commit c3ec2dcb0c3ea36ec22ef9ea6e6159a9cc19d45c
Author: Russ Combs <rucombs@cisco.com>
Date:   Sat Nov 26 14:57:19 2022 -0500

    talos: fix tweaks for the daq module

lua/talos.lua
src/host_tracker/host_cache_module.cc
src/host_tracker/host_cache_module.h
src/host_tracker/host_tracker_module.cc
src/host_tracker/host_tracker_module.h
src/loggers/alert_fast.cc
src/managers/module_manager.cc
src/service_inspectors/imap/imap.cc
src/service_inspectors/pop/pop.cc

index afa0a8f86d6b106d0a2491636d500b51ea8c059d..c420a7f72e7baa78327a6e150b67b51f2a8a83c7 100644 (file)
@@ -13,16 +13,20 @@ function file_exists(name)
     end
 end
 
-snort =
+daq =
 {
-    ['-Q'] = true,
-    ['-s'] = 65535,
-    ['--daq'] = 'dump',
-    ['--daq-var'] = 'output=none'
+    modules =
+    {
+        {
+            name = 'dump',
+            variables = { 'output = none' }
+        }
+    },
+    snaplen = 65535
 }
 
 if file_exists('local.rules') then
-    snort['-R'] = 'local.rules'
+    ips.include = 'local.rules'
 end
 
 alert_talos = { }
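Review bot: `ips.include = 'local.rules'` assumes an `ips` table already exists when this tweak runs; the old `snort['-R']` form only needed the table built just above it, whereas indexing a nil `ips` is a Lua error. A guard before the `if`, `ips = ips or { }`, keeps the tweak self-contained regardless of what the base config defined. Note also that `daq` is assigned as a whole table here, so any `daq` settings from the base config are replaced rather than merged; that may well be intended for a talos run, but it differs from the additive `ips.include` style used two lines below.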
@@ -35,3 +39,5 @@ profiler =
     rules = { show = true }
 }
 
+snort = { ['-Q'] = true }
+
index a81341fe3f291d1687b17ce44c93012174b12197..3561b39c3b884a683cea1c19fe79ec8dc5a4f17e 100644 (file)
@@ -356,9 +356,7 @@ bool HostCacheModule::set(const char*, Value& v, SnortConfig*)
 {
     if ( v.is("dump_file") )
     {
-        if ( dump_file )
-            snort_free((void*)dump_file);
-        dump_file = snort_strdup(v.get_string());
+        dump_file = v.get_string();
     }
     else if ( v.is("memcap") )
         memcap = v.get_size();
@@ -388,11 +386,8 @@ HostCacheModule::HostCacheModule() :
 
 HostCacheModule::~HostCacheModule()
 {
-    if ( dump_file )
-    {
-        log_host_cache(dump_file);
-        snort_free((void*)dump_file);
-    }
+    if ( !dump_file.empty() )
+        log_host_cache(dump_file.c_str());
 }
 
 void HostCacheModule::log_host_cache(const char* file_name, bool verbose)
index 30e01ca551bf5c68857a71b7346b4cbfcf75e946..a469a6142389b7d6880f6a995c5739a7a00b9974 100644 (file)
@@ -23,6 +23,8 @@
 
 //  Loads host cache configuration data.
 
+#include <string>
+
 #include "framework/module.h"
 #include "main/snort.h"
 #include "main/reload_tuner.h"
@@ -74,7 +76,7 @@ public:
     std::string get_host_cache_stats();
 
 private:
-    const char* dump_file = nullptr;
+    std::string dump_file;
     size_t memcap = 0;
 };
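Review bot: The new `std::string dump_file;` member carries no comment, and its lifecycle is only visible in the .cc hunks: it is assigned from the `dump_file` parameter in `set()` and, when non-empty, passed to `log_host_cache()` from the destructor. A one-line comment on the member, `// host cache dump path written by ~HostCacheModule(); empty means no dump`, would spare a reader the trip to the .cc and records that the empty string is the "unset" value that replaced the old `nullptr`.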
 
index 1de162e3cc5330157a80eec20dd0f5a0381402e0..c84e71753a29574651594970f2eba97a89cb0a0c 100644 (file)
@@ -63,13 +63,13 @@ bool HostTrackerModule::set(const char*, Value& v, SnortConfig*)
         v.get_addr(addr);
 
     else if ( v.is("port") )
-        host_cache[addr]->update_service_port(app, v.get_uint16());
+        app.port = v.get_uint16();
 
     else if ( v.is("proto") )
     {
         const IpProtocol mask[] =
         { IpProtocol::IP, IpProtocol::TCP, IpProtocol::UDP };
-        host_cache[addr]->update_service_proto(app, mask[v.get_uint8()]);
+        app.proto = mask[v.get_uint8()];
     }
 
     return true;
@@ -80,6 +80,7 @@ bool HostTrackerModule::begin(const char* fqn, int idx, SnortConfig*)
     if ( idx && !strcmp(fqn, "host_tracker") )
     {
         addr.clear();
+        apps.clear();
     }
     return true;
 }
@@ -87,17 +88,17 @@ bool HostTrackerModule::begin(const char* fqn, int idx, SnortConfig*)
 bool HostTrackerModule::end(const char* fqn, int idx, SnortConfig*)
 {
     if ( idx && !strcmp(fqn, "host_tracker.services") )
-    {
-        if ( addr.is_set() )
-            host_cache[addr]->add_service(app);
+        apps.emplace_back(app);
 
-        host_cache[addr]->clear_service(app);
-    }
     else if ( idx && !strcmp(fqn, "host_tracker") && addr.is_set() )
     {
         host_cache[addr];
-        host_cache[addr]->clear_service(app);
+
+        for ( auto& a : apps )
+            host_cache[addr]->add_service(a);
+
         addr.clear();
+        apps.clear();
     }
 
     return true;
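Review bot: After `apps.emplace_back(app);` at the `host_tracker.services` end, `app` is never reset, whereas the removed `clear_service(app)` used to do that after every entry. Unless `begin()` resets `app` for each `host_tracker.services` entry (the only branch of `begin()` visible in the hunk above is the `host_tracker` one), a later services entry that omits `port` or `proto` keeps the previous entry's values, since the `set()` hunk now writes straight into `app.port` and `app.proto`. Resetting right after the push, `app = snort::HostApplication();`, restores the old per-entry clearing, assuming `HostApplication` is default-constructible and assignable (its definition is outside this diff). Minor: the `for` loop looks up `host_cache[addr]` once per service; binding the result once before the loop avoids the repeated lookup.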
index 9e338d6a45d017b9e28a150aa1c40738bbd8f63f..8b2d87c15a87391870d3ed17a601b66a492fccff 100644 (file)
@@ -28,6 +28,7 @@
 // one.
 
 #include <cassert>
+#include <vector>
 
 #include "framework/module.h"
 #include "host_tracker/cache_allocator.cc"
@@ -56,6 +57,7 @@ private:
     static const snort::Parameter host_tracker_params[];
     static const snort::Parameter service_params[];
 
+    std::vector<snort::HostApplication> apps;
     snort::HostApplication app;
     snort::SfIp addr;
 };
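Review bot: `apps` is added next to `app` without a comment saying how the two relate, and the relation is only visible in the .cc: `app` is the service entry being filled by `set()`, while `apps` collects finished entries until the enclosing `host_tracker` table ends, when `end()` hands them to `host_cache[addr]` and clears the vector. A comment pair such as `// service entries of the host_tracker table being parsed; flushed to the host cache in end()` on `apps` and `// service entry currently being parsed` on `app` would make the header self-explanatory.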
index 150144a897ef7493277cd28ec8bf301d912480c0..26464da63caafa11594366ad8e773d952a662365 100644 (file)
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
 
-/* alert_fast
- *
- * Purpose:  output plugin for fast alerting
- *
- * Arguments:  alert file
- *
- * Effect:
- *
- * Alerts are written to a file in the snort fast alert format
- *
- * Comments:   Allows use of fast alerts with other output plugin types
- *
- */
-
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
 
+#include <mutex>
 #include <vector>
 
 #include "detection/detection_engine.h"
@@ -67,6 +54,7 @@ using namespace std;
 #define FAST_BUF (4*K_BYTES)
 
 static THREAD_LOCAL TextLog* fast_log = nullptr;
+static once_flag init_flag;
 
 #define S_NAME "alert_fast"
 #define F_NAME S_NAME ".txt"
@@ -133,6 +121,7 @@ bool FastModule::begin(const char*, int, SnortConfig*)
 
 //-------------------------------------------------------------------------
 // helper
+//-------------------------------------------------------------------------
 
 static void load_buf_ids(
     Inspector* ins, const std::vector<const char*>& keys, std::vector<unsigned>& ids)
@@ -145,6 +134,8 @@ static void load_buf_ids(
     }
 }
 
+using BufferIds = std::vector<unsigned>;
+
 //-------------------------------------------------------------------------
 // logger stuff
 //-------------------------------------------------------------------------
@@ -162,42 +153,55 @@ public:
 private:
     void log_data(Packet*, const Event&);
 
+    static void set_buffer_ids(Inspector*);
+    const BufferIds& get_buffer_ids(Inspector*, Packet*);
+
 private:
     string file;
     unsigned long limit;
     bool packet;
 
-    std::vector<unsigned> req_ids;
-    std::vector<unsigned> rsp_ids;
+    static std::vector<unsigned> req_ids;
+    static std::vector<unsigned> rsp_ids;
 };
 
+std::vector<unsigned> FastLogger::req_ids;
+std::vector<unsigned> FastLogger::rsp_ids;
+
 FastLogger::FastLogger(FastModule* m)
 {
     file = m->file ? F_NAME : "stdout";
     limit = m->limit;
     packet = m->packet;
+}
 
-    //-----------------------------------------------------------------
-    // FIXIT-L generalize buffer sets when other inspectors get smarter
-    // this is only applicable to http_inspect
-    // could be configurable; and should be should be shared with u2
+//-----------------------------------------------------------------
+// FIXIT-L generalize buffer sets when other inspectors get smarter
+// this is only applicable to http_inspect
+// could be configurable; and should be should be shared with u2
+//-----------------------------------------------------------------
+void FastLogger::set_buffer_ids(Inspector* gadget)
+{
+    std::vector<const char*> req
+    { "http_method", "http_version", "http_uri", "http_header", "http_cookie", "http_client_body" };
 
-    Inspector* ins = InspectorManager::get_inspector("http_inspect");
+    std::vector<const char*> rsp
+    { "http_version", "http_stat_code", "http_stat_msg", "http_uri", "http_header", "http_cookie" };
 
-    if ( !ins )
-        return;
+    load_buf_ids(gadget, req, req_ids);
+    load_buf_ids(gadget, rsp, rsp_ids);
+}
 
-    std::vector<const char*> req
-    { "http_method", "http_version", "http_uri", "http_header", "http_cookie",
-      "http_client_body" };
+const BufferIds& FastLogger::get_buffer_ids(Inspector* gadget, Packet* p)
+{
+    // lazy init required because loggers don't have a configure (yet)
+    call_once(init_flag, set_buffer_ids, gadget);
 
-    std::vector<const char*> rsp
-    { "http_version", "http_stat_code", "http_stat_msg", "http_uri", "http_header",
-      "http_cookie" };
-    //-----------------------------------------------------------------
+    InspectionBuffer buf;
+    const std::vector<unsigned>& idv =
+            gadget->get_buf(HttpEnums::HTTP_BUFFER_RAW_STATUS, p, buf) ? rsp_ids : req_ids;
 
-    load_buf_ids(ins, req, req_ids);
-    load_buf_ids(ins, rsp, rsp_ids);
+    return idv;
 }
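Review bot: `get_buffer_ids()` binds a named `idv` reference only to return it on the next line; `return gadget->get_buf(HttpEnums::HTTP_BUFFER_RAW_STATUS, p, buf) ? rsp_ids : req_ids;` says the same thing directly. The `BufferIds` alias introduced a few lines earlier is used for the new method signatures but not for `req_ids`/`rsp_ids` themselves, which are still declared and defined as `std::vector<unsigned>`, so the alias and the members disagree. `init_flag` is a file-scope `once_flag` while the data it guards are class statics; a `static std::once_flag` member next to `req_ids` would document what the flag protects. The statics also deserve a comment on why sharing them is safe, since `fast_log` on the same file is `THREAD_LOCAL` and these are not: `// filled once by set_buffer_ids() under init_flag; read-only afterwards`.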
 
 void FastLogger::open()
@@ -252,11 +256,12 @@ void FastLogger::alert(Packet* p, const char* msg, const Event& event)
 // available if a response was processed by http_inspect
 void FastLogger::log_data(Packet* p, const Event& event)
 {
-    bool log_pkt = true;
-
     TextLog_NewLine(fast_log);
+
+    bool log_pkt = true;
     const char* ins_name = "snort";
     Inspector* gadget = nullptr;
+
     if ( p->flow and p->flow->session )
     {
         snort::StreamSplitter* ss = p->flow->session->get_splitter(p->is_from_client());
@@ -267,22 +272,20 @@ void FastLogger::log_data(Packet* p, const Event& event)
                 ins_name = gadget->get_name();
         }
     }
-    const char** buffers = gadget ? gadget->get_api()->buffers : nullptr;
+    const char** buffers = (gadget and !strcmp(ins_name, "http_inspect")) ? gadget->get_api()->buffers : nullptr;
 
     if ( buffers )
     {
-        InspectionBuffer buf;
-        const std::vector<unsigned>& idv = gadget->get_buf(HttpEnums::HTTP_BUFFER_RAW_STATUS,
-            p, buf) ? rsp_ids : req_ids;
-        bool rsp = (idv == rsp_ids);
+        const BufferIds& idv = get_buffer_ids(gadget, p);
 
         for ( auto id : idv )
         {
+            InspectionBuffer buf;
 
             if ( gadget->get_buf(id, p, buf) )
                 LogNetData(fast_log, buf.data, buf.len, p, buffers[id-1], ins_name);
 
-            log_pkt = rsp;
+            log_pkt = (idv == rsp_ids);
         }
     }
     else if ( gadget )
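Review bot: `log_pkt = (idv == rsp_ids);` compares the two vectors element by element on every loop iteration, yet `idv` is a reference that `get_buffer_ids()` binds to either `rsp_ids` or `req_ids`, so the identity test `log_pkt = (&idv == &rsp_ids);` asks the precise question in O(1); the element-wise form would also report a request as a response if the two id lists ever came out with equal contents. The assignment is loop-invariant, but hoisting it would change the empty-list case (where `log_pkt` currently stays `true`), so leaving it inside the loop is the conservative choice. The `strcmp` on the new `buffers` line needs `<cstring>`; the top-of-file include block is not in this diff, so I cannot tell whether it is already present.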
index 0c9ffbae89343ae0fc89f71f7d19da729f289ba9..bb1bad6715dbf4730b83ff78761fe135fa26e2e6 100644 (file)
@@ -995,7 +995,14 @@ static list<ModHook*> get_all_modhooks()
 }
 
 void ModuleManager::set_config(SnortConfig* sc)
-{ s_config = sc; }
+{
+    s_config = sc;
+    s_current.clear();
+    s_aliased_name.clear();
+    s_aliased_type.clear();
+    s_ips_includer.clear();
+    s_file_id_includer.clear();
+}
 
 void ModuleManager::reset_errors()
 { s_errors = 0; }
index 6ad8c13f775ad844db7ccbb12a767067c4754809..b1160ca7f253d7d1221faded3ec1214ad73336c9 100644 (file)
@@ -807,7 +807,9 @@ void Imap::eval(Packet* p)
 bool Imap::get_buf(InspectionBuffer::Type ibt, Packet* p, InspectionBuffer& b)
 {
     IMAPData* imap_ssn = get_session_data(p->flow);
-    assert(imap_ssn);
+
+    if (!imap_ssn)
+        return false;
 
     const void* dst = nullptr;
     size_t dst_len = 0;
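Review bot: The `if (!imap_ssn) return false;` guard replaces an `assert` that compiled away in release builds, so this is a genuine null-dereference fix, but nothing in the code records when session data can legitimately be absent, and the next reader may be tempted to restore the assert. A comment on the guard, `// flow data may be absent when the buffer is requested outside the inspector's own eval; decline rather than dereference`, keeps the intent with the code (the commit message states the condition; the specific callers are not visible here). The identical guard in `Pop::get_buf` in the last hunk would take the same comment. Both functions continue past their hunks.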
index 657501a23649b0f5f7d2869d61c64d7c5be5541f..26863f6b4bb14bc92c42834dde93240037c238bc 100644 (file)
@@ -745,7 +745,9 @@ void Pop::eval(Packet* p)
 bool Pop::get_buf(InspectionBuffer::Type ibt, Packet* p, InspectionBuffer& b)
 {
     POPData* pop_ssn = get_session_data(p->flow);
-    assert(pop_ssn);
+
+    if (!pop_ssn)
+        return false;
 
     const void* dst = nullptr;
     size_t dst_len = 0;