case Actions::DROP:
p->active->drop_packet(p);
- p->active->set_drop_reason("ips");
alert(p, otn);
SetTags(p, otn, event_id);
break;
case Actions::BLOCK:
p->active->block_session(p);
- p->active->set_drop_reason("ips");
alert(p, otn);
SetTags(p, otn, event_id);
break;
case FILE_VERDICT_BLOCK:
// can't block session inside a session
act->set_delayed_action(Active::ACT_BLOCK, true);
- act->set_drop_reason("file");
break;
case FILE_VERDICT_REJECT:
// can't reset session inside a session
act->set_delayed_action(Active::ACT_RESET, true);
- act->set_drop_reason("file");
break;
case FILE_VERDICT_STOP_CAPTURE:
file_ctx->stop_file_capture();
FileCache* file_cache = FileService::get_file_cache();
if (file_cache)
file_cache->apply_verdict(p, this, verdict, false, policy);
-
- if ( PacketTracer::is_active() and ( verdict == FILE_VERDICT_BLOCK
- or verdict == FILE_VERDICT_REJECT ))
- {
- PacketTracer::log("File: signature lookup verdict %s\n",
- verdict == FILE_VERDICT_BLOCK ? "block" : "reject");
- }
log_file_event(flow, policy);
config_file_signature(false);
file_stats->signatures_processed[get_file_type()][get_file_direction()]++;
FileCache* file_cache = FileService::get_file_cache();
if (file_cache)
file_cache->apply_verdict(p, this, v, false, policy);
-
- if ( PacketTracer::is_active() and ( v == FILE_VERDICT_BLOCK
- or v == FILE_VERDICT_REJECT ))
- {
- PacketTracer::log("File: file type verdict %s\n",
- v == FILE_VERDICT_BLOCK ? "block" : "reject");
- }
}
log_file_event(flow, policy);
else
p->active->block_again();
- p->active->set_drop_reason("session");
DetectionEngine::disable_all(p);
- if ( PacketTracer::is_active() )
- PacketTracer::log("Session: session has been blocked, drop\n");
break;
case Flow::FlowState::RESET:
p->active->reset_again();
Stream::blocked_flow(p);
- p->active->set_drop_reason("session");
DetectionEngine::disable_all(p);
- if ( PacketTracer::is_active() )
- PacketTracer::log("Session: session has been reset\n");
break;
}
THREAD_LOCAL PacketTracer* snort::s_pkt_trace = nullptr;
void Active::drop_packet(snort::Packet const*, bool) { }
+PacketTracer::PacketTracer() { }
PacketTracer::~PacketTracer() { }
void PacketTracer::log(const char*, ...) { }
void PacketTracer::open_file() { }
void PacketTracer::dump_to_daq(Packet*) { }
void PacketTracer::reset() { }
-void Active::set_drop_reason(char const*) { }
Packet::Packet(bool) { }
Packet::~Packet() { }
Flow::Flow() { memset(this, 0, sizeof(*this)); }
THREAD_LOCAL PacketTracer* snort::s_pkt_trace = nullptr;
void Active::drop_packet(snort::Packet const*, bool) { }
+PacketTracer::PacketTracer() = default;
PacketTracer::~PacketTracer() = default;
void PacketTracer::log(const char*, ...) { }
void PacketTracer::open_file() { }
void PacketTracer::dump_to_daq(Packet*) { }
void PacketTracer::reset() { }
-void Active::set_drop_reason(char const*) { }
Packet::Packet(bool) { }
Packet::~Packet() = default;
FlowCache::FlowCache(const FlowCacheConfig& cfg) : config(cfg) { }
set (INCLUDES
analyzer_command.h
policy.h
- snort.h
snort_config.h
snort_debug.h
snort_types.h
DataBus::publish(FINALIZE_PACKET_EVENT, event);
}
- if (verdict == DAQ_VERDICT_BLOCK or verdict == DAQ_VERDICT_BLACKLIST)
- p->active->send_reason_to_daq(*p);
-
p->pkth = nullptr; // No longer avail after finalize_message.
{
#include "stubs.h"
#include "main/analyzer.h"
-#include "packet_io/sfdaq_instance.h"
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
int SFDAQ::inject(DAQ_Msg_h, int, const uint8_t*, uint32_t) { return -1; }
bool SFDAQ::can_inject() { return false; }
bool SFDAQ::can_inject_raw() { return false; }
-int SFDAQInstance::set_packet_verdict_reason(DAQ_Msg_h, uint8_t) { return 0; }
DetectionEngine::DetectionEngine() { }
DetectionEngine::~DetectionEngine() { }
void DetectionEngine::onload() { }
#include "detection/ips_context.h"
#include "log/log.h"
#include "log/messages.h"
-#include "packet_io/active.h"
#include "packet_io/sfdaq_instance.h"
#include "protocols/eth.h"
#include "protocols/icmp4.h"
// static variables
// -----------------------------------------------------------------------------
+static const uint8_t VERDICT_REASON_NO_BLOCK = 2; /* Not blocking packet; all enum defined after this indicates blocking */
+
+// FIXIT-M currently non-thread-safe accesses being done in packet threads against this
+static std::unordered_map<uint8_t, uint8_t> reasons = { {VERDICT_REASON_NO_BLOCK, PacketTracer::PRIORITY_UNSET} };
+
// FIXIT-M refactor the way this is used so all methods are members called against this pointer
THREAD_LOCAL PacketTracer* snort::s_pkt_trace = nullptr;
// static functions
// -----------------------------------------------------------------------------
+void PacketTracer::register_verdict_reason(uint8_t reason_code, uint8_t priority)
+{
+ assert(reasons.find(reason_code) == reasons.end());
+ reasons[reason_code] = priority;
+}
+
void PacketTracer::set_log_file(const std::string& file)
{ log_file = file; }
if (s_pkt_trace->daq_activated)
s_pkt_trace->dump_to_daq(p);
- if ((s_pkt_trace->buff_len > 0)
- and (s_pkt_trace->user_enabled or s_pkt_trace->shell_enabled))
- {
- const char* drop_reason = p->active->get_drop_reason();
- if (drop_reason)
- PacketTracer::log("Verdict Reason: %s\n", drop_reason);
+ if (s_pkt_trace->user_enabled or s_pkt_trace->shell_enabled)
LogMessage(s_pkt_trace->log_fh, "%s\n", s_pkt_trace->buffer);
- }
s_pkt_trace->reset();
}
+void PacketTracer::set_reason(uint8_t reason)
+{
+ if ( reasons[reason] > reasons[s_pkt_trace->reason] )
+ s_pkt_trace->reason = reason;
+}
+
void PacketTracer::log(const char* format, ...)
{
if (is_paused())
// non-static functions
// -----------------------------------------------------------------------------
+// constructor
+PacketTracer::PacketTracer()
+{ reason = VERDICT_REASON_NO_BLOCK; }
+
// destructor
PacketTracer::~PacketTracer()
{
void PacketTracer::dump_to_daq(Packet* p)
{
assert(p);
- p->daq_instance->set_packet_trace_data(p->daq_msg,
+ p->daq_instance->modify_flow_pkt_trace(p->daq_msg, reason,
(uint8_t *)buffer, buff_len + 1);
}
{
buff_len = 0;
buffer[0] = '\0';
+ reason = VERDICT_REASON_NO_BLOCK;
for ( unsigned i = 0; i < mutes.size(); i++ )
mutes[i] = false;
}
+
// --------------------------------------------------------------------------
// unit tests
// --------------------------------------------------------------------------
class TestPacketTracer : public PacketTracer
{
public:
+ uint8_t dump_reason = VERDICT_REASON_NO_BLOCK;
+
static void thread_init()
{ PacketTracer::_thread_init<TestPacketTracer>(); }
static bool is_paused()
{ return ((TestPacketTracer*)s_pkt_trace)->pause_count; }
+ static uint8_t get_reason()
+ { return ((TestPacketTracer*)s_pkt_trace)->reason; }
+
+ static uint8_t get_dump_reason()
+ { return ((TestPacketTracer*)s_pkt_trace)->dump_reason; }
+
void dump_to_daq(Packet*) override
- { }
+ { dump_reason = reason; }
static std::vector<bool> get_mutes()
{ return ((TestPacketTracer*)s_pkt_trace)->mutes; }
TestPacketTracer::thread_term();
}
+TEST_CASE("reasons", "[PacketTracer]")
+{
+ TestPacketTracer::thread_init();
+ TestPacketTracer::set_daq_enable(true);
+ uint8_t low1 = 100, low2 = 101, high = 102;
+ TestPacketTracer::register_verdict_reason(low1, PacketTracer::PRIORITY_LOW);
+ TestPacketTracer::register_verdict_reason(low2, PacketTracer::PRIORITY_LOW);
+ TestPacketTracer::register_verdict_reason(high, PacketTracer::PRIORITY_HIGH);
+
+ // Init
+ CHECK((TestPacketTracer::get_reason() == VERDICT_REASON_NO_BLOCK));
+
+ // Update
+ TestPacketTracer::set_reason(low1);
+ CHECK((TestPacketTracer::get_reason() == low1));
+
+ // Don't update if already set
+ TestPacketTracer::set_reason(VERDICT_REASON_NO_BLOCK);
+ CHECK((TestPacketTracer::get_reason() == low1));
+ TestPacketTracer::set_reason(low2);
+ CHECK((TestPacketTracer::get_reason() == low1));
+
+ // Always update for high priority
+ TestPacketTracer::set_reason(high);
+ CHECK((TestPacketTracer::get_reason() == high));
+
+ // Dump resets reason
+ TestPacketTracer::dump(nullptr);
+ CHECK((TestPacketTracer::get_reason() == VERDICT_REASON_NO_BLOCK));
+
+ // Dump delivers reason to daq
+ CHECK((TestPacketTracer::get_dump_reason() == high));
+
+ TestPacketTracer::thread_term();
+}
+
TEST_CASE("verbosity", "[PacketTracer]")
{
TestPacketTracer::thread_init();
class PacketTracer
{
public:
- PacketTracer() = default;
+ enum VerdictPriority : uint8_t
+ {
+ PRIORITY_UNSET = 0,
+ PRIORITY_LOW = 1,
+ PRIORITY_HIGH = 2
+ };
+
+ PacketTracer();
virtual ~PacketTracer();
typedef uint8_t TracerMute;
static SO_PUBLIC TracerMute get_mute();
+ static SO_PUBLIC void register_verdict_reason(uint8_t reason_code, uint8_t priority);
+ static SO_PUBLIC void set_reason(uint8_t);
static SO_PUBLIC void log(const char* format, ...) __attribute__((format (printf, 1, 2)));
static SO_PUBLIC void log(TracerMute, const char* format, ...) __attribute__((format (printf, 2, 3)));
std::vector<bool> mutes;
char buffer[max_buff_size];
unsigned buff_len = 0;
+ uint8_t reason;
unsigned pause_count = 0;
bool user_enabled = false;
#include "reputation_parse.h"
+#define VERDICT_REASON_REPUTATION 19
+
using namespace snort;
THREAD_LOCAL ProfileStats reputation_perf_stats;
// disable all preproc analysis and detection for this packet
DetectionEngine::disable_all(p);
act->block_session(p, true);
- act->set_drop_reason("reputation");
reputationstats.blacklisted++;
if (PacketTracer::is_active())
+ {
+ PacketTracer::set_reason(VERDICT_REASON_REPUTATION);
PacketTracer::log("Reputation: packet blacklisted, drop\n");
+ }
}
else if (MONITORED_SRC == decision or MONITORED_DST == decision)
static void mod_dtor(Module* m)
{ delete m; }
+static void reputation_init()
+{
+ PacketTracer::register_verdict_reason(VERDICT_REASON_REPUTATION, PacketTracer::PRIORITY_LOW);
+}
static Inspector* reputation_ctor(Module* m)
{
PROTO_BIT__ANY_IP,
nullptr, // buffers
nullptr, // service
- nullptr, // pinit
+ reputation_init, // pinit
nullptr, // pterm
nullptr, // tinit
nullptr, // tterm
static THREAD_LOCAL send_t s_send = SFDAQ::inject;
static ResetAction default_reset;
-static int default_drop_reason_id = -1;
-
-static std::unordered_map<std::string, uint8_t> drop_reason_id_map;
//--------------------------------------------------------------------
// helpers
active_action = ACT_ALLOW;
delayed_active_action = ACT_ALLOW;
delayed_reject = nullptr;
- drop_reason = nullptr;
}
void Active::clear_queue(Packet* p)
}
}
-void Active::set_default_drop_reason(uint8_t reason_id)
-{
- default_drop_reason_id = reason_id;
-}
-
-void Active::map_drop_reason_id(const char* verdict_reason, uint8_t id)
-{
- drop_reason_id_map[verdict_reason] = id;
-}
-
-void Active::set_drop_reason(const char* reason)
-{
- if ( drop_reason == nullptr )
- drop_reason = reason;
-}
-
-int Active::get_drop_reason_id()
-{
- const auto iter = drop_reason_id_map.find(drop_reason);
- if ( iter != drop_reason_id_map.end() )
- return iter->second;
-
- return default_drop_reason_id;
-}
-
-void Active::send_reason_to_daq(Packet& p)
-{
- if ( drop_reason == nullptr )
- return;
-
- int reason = get_drop_reason_id();
- if ( reason != -1 )
- p.daq_instance->set_packet_verdict_reason(p.daq_msg, reason);
-}
void reset();
- static void set_default_drop_reason(uint8_t reason_id);
- static void map_drop_reason_id(const char* verdict_reason, uint8_t id);
- void set_drop_reason(const char*);
- void send_reason_to_daq(Packet&);
-
- const char* get_drop_reason()
- { return drop_reason; }
-
private:
static bool open(const char*);
static void close();
void cant_drop();
- int get_drop_reason_id();
-
private:
static const char* act_str[ACT_MAX][AST_MAX];
static bool enabled;
static THREAD_LOCAL bool s_suspend;
int active_tunnel_bypass;
- const char* drop_reason;
bool prevent_trust_action;
return daq_instance_ioctl(instance, DIOCTL_SET_FLOW_OPAQUE, &d_sfo, sizeof(d_sfo));
}
-int SFDAQInstance::set_packet_verdict_reason(DAQ_Msg_h msg, uint8_t verdict_reason)
-{
- DIOCTL_SetPacketVerdictReason d_spvr;
-
- d_spvr.msg = msg;
- d_spvr.verdict_reason = verdict_reason;
-
- return daq_instance_ioctl(instance, DIOCTL_SET_PACKET_VERDICT_REASON, &d_spvr, sizeof(d_spvr));
-}
-
-int SFDAQInstance::set_packet_trace_data(DAQ_Msg_h msg, uint8_t* buff, uint32_t buff_len)
+int SFDAQInstance::modify_flow_pkt_trace(DAQ_Msg_h msg, uint8_t verdict_reason, uint8_t* buff, uint32_t buff_len)
{
DIOCTL_SetPacketTraceData d_sptd;
d_sptd.msg = msg;
+ d_sptd.verdict_reason = verdict_reason;
d_sptd.trace_data_len = buff_len;
d_sptd.trace_data = buff;
SO_PUBLIC int ioctl(DAQ_IoctlCmd cmd, void *arg, size_t arglen);
SO_PUBLIC int modify_flow_opaque(DAQ_Msg_h, uint32_t opaque);
- int set_packet_verdict_reason(DAQ_Msg_h msg, uint8_t verdict_reason);
- int set_packet_trace_data(DAQ_Msg_h, uint8_t* buff, uint32_t buff_len);
+ int modify_flow_pkt_trace(DAQ_Msg_h, uint8_t verdict_reason,
+ uint8_t* buff, uint32_t buff_len);
int add_expected(const Packet* ctrlPkt, const SfIp* cliIP, uint16_t cliPort,
const SfIp* srvIP, uint16_t srvPort, IpProtocol, unsigned timeout_ms,
unsigned /* flags */);
#include "file_api/file_api.h"
#include "main/snort.h"
#include "main/snort_debug.h"
-#include "network_inspectors/packet_tracer/packet_tracer.h"
#include "packet_io/active.h"
#include "utils/util.h"
if ((verdict == FILE_VERDICT_BLOCK) || (verdict == FILE_VERDICT_REJECT))
{
DCE2_SmbInjectDeletePdu(ssd->fb_ftracker);
- DetectionEngine::get_current_packet()->active->set_drop_reason("smb");
}
ssd->fb_ftracker = nullptr;
FileVerdict verdict = DCE2_get_file_verdict();
if ((verdict == FILE_VERDICT_BLOCK) || (verdict == FILE_VERDICT_REJECT))
- {
ssd->fb_ftracker = ftracker;
- if (PacketTracer::is_active())
- PacketTracer::log("Dce2_smb: smb file verdict %s\n",
- verdict == FILE_VERDICT_BLOCK ? "block" : "reject");
- }
}
}
dce2_smb_stats.smb_files_processed++;
|| (verdict == FILE_VERDICT_PENDING))
{
ssd->fb_ftracker = ftracker;
- if (verdict != FILE_VERDICT_PENDING and PacketTracer::is_active())
- {
- PacketTracer::log("Dce2_smb: smb file verdict %s\n",
- verdict == FILE_VERDICT_BLOCK ? "block" : "reject");
- }
}
}
ftracker->ff_sequential_only = false;
if (data_ssn->packet_flags & FTPDATA_FLG_REST)
{
p->active->block_again();
- p->active->set_drop_reason("ftp");
- if (PacketTracer::is_active())
- PacketTracer::log("FTP: session reset, drop\n");
return;
}
#include "main/snort.h"
#include "main/snort_config.h"
#include "main/snort_debug.h"
-#include "network_inspectors/packet_tracer/packet_tracer.h"
#include "packet_io/active.h"
#include "protocols/vlan.h"
#include "stream/base/stream_module.h"
flow->set_state(Flow::FlowState::BLOCK);
if ( !(p->packet_flags & PKT_STATELESS) )
- {
drop_traffic(p, SSN_DIR_BOTH);
- p->active->set_drop_reason("stream");
- if (PacketTracer::is_active())
- PacketTracer::log("Stream: pending block, drop\n");
- }
flow->session_state &= ~STREAM_STATE_BLOCK_PENDING;
}
}
if ( !(p->packet_flags & PKT_STATELESS) )
drop_traffic(p, SSN_DIR_BOTH);
-
- p->active->set_drop_reason("stream");
- if (PacketTracer::is_active())
- PacketTracer::log("Stream: session has been dropped\n");
}
//-------------------------------------------------------------------------
DetectionEngine::disable_content(p);
p->active->drop_packet(p);
active_response(p, flow);
- p->active->set_drop_reason("stream");
- if (PacketTracer::is_active())
- PacketTracer::log("Stream: session was already blocked\n");
return true;
}
return false;
#include "detection/rules.h"
#include "filters/sfrf.h"
#include "main/snort_config.h"
-#include "packet_tracer/packet_tracer.h"
#include "tcp_module.h"
{
uint32_t event_id;
uint32_t sid;
- const char* event_description;
};
// ffs returns 1 as bit position of lsb so event id array
// has dummy entry for index 0
struct tcp_event_sid tcp_event_sids[] =
{
- { 0, 0, nullptr },
- { EVENT_SYN_ON_EST, STREAM_TCP_SYN_ON_EST, "SYN_ON_EST" },
- { EVENT_DATA_ON_SYN, STREAM_TCP_DATA_ON_SYN, "DATA_ON_SYN" },
- { EVENT_DATA_ON_CLOSED, STREAM_TCP_DATA_ON_CLOSED, "DATA_ON_CLOSED" },
- { EVENT_BAD_TIMESTAMP, STREAM_TCP_BAD_TIMESTAMP, "BAD_TIMESTAMP" },
- { EVENT_WINDOW_TOO_LARGE, STREAM_TCP_WINDOW_TOO_LARGE, "WINDOW_TOO_LARGE" },
- { EVENT_DATA_AFTER_RESET, STREAM_TCP_DATA_AFTER_RESET, "DATA_AFTER_RESET" },
- { EVENT_SESSION_HIJACK_CLIENT, STREAM_TCP_SESSION_HIJACKED_CLIENT, "SESSION_HIJACK_CLIENT" },
- { EVENT_SESSION_HIJACK_SERVER, STREAM_TCP_SESSION_HIJACKED_SERVER, "SESSION_HIJACK_SERVER" },
- { EVENT_DATA_WITHOUT_FLAGS, STREAM_TCP_DATA_WITHOUT_FLAGS, "DATA_WITHOUT_FLAGS" },
- { EVENT_4WHS, STREAM_TCP_4WAY_HANDSHAKE, "4WHS" },
- { EVENT_NO_TIMESTAMP, STREAM_TCP_NO_TIMESTAMP, "NO_TIMESTAMP" },
- { EVENT_BAD_RST, STREAM_TCP_BAD_RST, "BAD_RST" },
- { EVENT_BAD_FIN, STREAM_TCP_BAD_FIN, "BAD_FIN" },
- { EVENT_BAD_ACK, STREAM_TCP_BAD_ACK, "BAD_ACK" },
- { EVENT_DATA_AFTER_RST_RCVD, STREAM_TCP_DATA_AFTER_RST_RCVD, "DATA_AFTER_RST_RCVD" },
- { EVENT_WINDOW_SLAM, STREAM_TCP_WINDOW_SLAM, "WINDOW_SLAM" },
- { EVENT_NO_3WHS, STREAM_TCP_NO_3WHS, "NO_3WHS" },
- { EVENT_BAD_SEGMENT, STREAM_TCP_BAD_SEGMENT, "BAD_SEGMENT" },
- { EVENT_EXCESSIVE_OVERLAP, STREAM_TCP_EXCESSIVE_TCP_OVERLAPS, "EXCESSIVE_OVERLAP" },
- { EVENT_MAX_SMALL_SEGS_EXCEEDED, STREAM_TCP_SMALL_SEGMENT, "MAX_SMALL_SEGS_EXCEEDED" },
- { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr },
- { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr },
- { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }, { 0, 0, nullptr }
+ { 0, 0 },
+ { EVENT_SYN_ON_EST, STREAM_TCP_SYN_ON_EST },
+ { EVENT_DATA_ON_SYN, STREAM_TCP_DATA_ON_SYN },
+ { EVENT_DATA_ON_CLOSED, STREAM_TCP_DATA_ON_CLOSED },
+ { EVENT_BAD_TIMESTAMP, STREAM_TCP_BAD_TIMESTAMP },
+ { EVENT_WINDOW_TOO_LARGE, STREAM_TCP_WINDOW_TOO_LARGE },
+ { EVENT_DATA_AFTER_RESET, STREAM_TCP_DATA_AFTER_RESET },
+ { EVENT_SESSION_HIJACK_CLIENT, STREAM_TCP_SESSION_HIJACKED_CLIENT },
+ { EVENT_SESSION_HIJACK_SERVER, STREAM_TCP_SESSION_HIJACKED_SERVER },
+ { EVENT_DATA_WITHOUT_FLAGS, STREAM_TCP_DATA_WITHOUT_FLAGS },
+ { EVENT_4WHS, STREAM_TCP_4WAY_HANDSHAKE },
+ { EVENT_NO_TIMESTAMP, STREAM_TCP_NO_TIMESTAMP },
+ { EVENT_BAD_RST, STREAM_TCP_BAD_RST },
+ { EVENT_BAD_FIN, STREAM_TCP_BAD_FIN },
+ { EVENT_BAD_ACK, STREAM_TCP_BAD_ACK },
+ { EVENT_DATA_AFTER_RST_RCVD, STREAM_TCP_DATA_AFTER_RST_RCVD },
+ { EVENT_WINDOW_SLAM, STREAM_TCP_WINDOW_SLAM },
+ { EVENT_NO_3WHS, STREAM_TCP_NO_3WHS },
+ { EVENT_BAD_SEGMENT, STREAM_TCP_BAD_SEGMENT },
+ { EVENT_EXCESSIVE_OVERLAP, STREAM_TCP_EXCESSIVE_TCP_OVERLAPS },
+ { EVENT_MAX_SMALL_SEGS_EXCEEDED, STREAM_TCP_SMALL_SEGMENT },
+ { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0, 0 },
+ { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0, 0 }, { 0, 0 }
};
void TcpEventLogger::log_internal_event(uint32_t eventSid)
uint32_t idx = ffs(tcp_events);
if ( idx )
{
- DetectionEngine::queue_event(GID_STREAM_TCP, tcp_event_sids[idx].sid);
- if ( PacketTracer::is_active() )
- PacketTracer::log("Stream: TCP normalization error in %s\n",
- tcp_event_sids[idx].event_description);
- tcp_events ^= tcp_event_sids[idx].event_id;
+ DetectionEngine::queue_event(GID_STREAM_TCP, tcp_event_sids[ idx ].sid);
+ tcp_events ^= tcp_event_sids[ idx ].event_id;
tcpStats.events++;
}
}
#include "tcp_stream_session.h"
#include "tcp_stream_tracker.h"
+
using namespace snort;
THREAD_LOCAL PegCount tcp_norm_stats[PC_TCP_MAX][NORM_MODE_MAX];
{
Packet* p = tsd.get_pkt();
p->active->drop_packet(p);
- p->active->set_drop_reason("stream");
return true;
}
{
if ( SEQ_GT(tsd.get_seg_ack(), trk.get_snd_nxt() ) )
{
- trk.session->tel.set_tcp_event(EVENT_BAD_ACK);
trk.normalizer.packet_dropper(tsd, NORM_TCP_BLOCK);
+ trk.session->tel.set_tcp_event(EVENT_BAD_ACK);
trk.session->set_pkt_action_flag(ACTION_BAD_PKT);
}
else
{
if ( SEQ_GT(tsd.get_seg_ack(), trk.get_snd_nxt() ) )
{
- trk.session->tel.set_tcp_event(EVENT_BAD_ACK);
trk.normalizer.packet_dropper(tsd, NORM_TCP_BLOCK);
+ trk.session->tel.set_tcp_event(EVENT_BAD_ACK);
trk.session->set_pkt_action_flag(ACTION_BAD_PKT);
}
else
else
{
inc_tcp_discards();
- trk.session->tel.set_tcp_event(EVENT_BAD_RST);
trk.normalizer.packet_dropper(tsd, NORM_TCP_BLOCK);
+ trk.session->tel.set_tcp_event(EVENT_BAD_RST);
}
// FIXIT-L might be good to create alert specific to RST with data
projects / thirdparty / snort3.git / commitdiff
