Merge pull request #2102 in SNORT/snort3 from ~STECHEW/snort3:detained_packet_with_ss...
authorSteve Chew (stechew) <stechew@cisco.com>
Tue, 31 Mar 2020 14:41:57 +0000 (14:41 +0000)
committerSteve Chew (stechew) <stechew@cisco.com>
Tue, 31 Mar 2020 14:41:57 +0000 (14:41 +0000)
Squashed commit of the following:

commit 403c0de29a90c3a101730357a9bd5ba9caabf243
Author: Steve Chew <stechew@cisco.com>
Date:   Mon Mar 23 20:48:52 2020 -0400

    analyzer: Send detained packet event when a packet is held.

commit 43ecbb9b1cdb32a532342e29be6162ada75e2ecf
Author: Steve Chew <stechew@cisco.com>
Date:   Thu Mar 26 12:01:35 2020 -0400

    dce_rpc: Fixed missing space in string.

src/flow/flow.h
src/framework/data_bus.h
src/main/analyzer.cc
src/service_inspectors/dce_rpc/dce_smb2.cc
src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
src/service_inspectors/http_inspect/http_tables.cc

index 8e2bd8b0f8a8c1bbdf01ed0be1829b4331d268af..feafe12617e24e75f95c31fb6e21aa9c00d32772 100644 (file)
@@ -420,13 +420,13 @@ public:  // FIXIT-M privatize if possible
     {
         bool client_initiated : 1;
         bool disable_inspect : 1;
-        bool trigger_finalize_event : 1;
-        bool use_direct_inject : 1;
-
         bool reputation_src_dest : 1;
         bool reputation_blacklist : 1;
         bool reputation_monitor : 1;
         bool reputation_whitelist : 1;
+        bool trigger_detained_packet_event : 1;
+        bool trigger_finalize_event : 1;
+        bool use_direct_inject : 1;
     } flags;
 
     FlowState flow_state;
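Review bot: The new `trigger_detained_packet_event` bit is added without a comment saying who sets it or when it is read, unlike the surrounding bits which at least read as self-describing; within this commit it is only consumed in Analyzer::post_process_daq_pkt_msg and nothing visible sets it, so a reader of flow.h cannot tell its contract. Suggested comment above the new line: `// Set by an inspector that wants DETAINED_PACKET_EVENT published when its hold on a packet of this flow succeeds; only read by the analyzer.` The hunk also moves `trigger_finalize_event` and `use_direct_inject` to the end of the bitfield, which is harmless for code using the named members but is presumably worth confirming against anything that copies or compares the `flags` struct as a raw value. The enclosing class starts and ends outside the hunk.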
index 477d09ecac28990626ad65f014ee924034e4ab34..0209c27d82682c41e66923a4d405e0d64cbc3684 100644 (file)
@@ -126,6 +126,9 @@ private:
 #define THREAD_IDLE_EVENT "thread.idle"
 #define THREAD_ROTATE_EVENT "thread.rotate"
 
+// A packet is being detained.
+#define DETAINED_PACKET_EVENT "analyzer.detained.packet"
+
 // A flow changed its service
 #define FLOW_SERVICE_CHANGE_EVENT "flow.service_change_event"
 
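Review bot: The comment on the new event, `// A packet is being detained.`, does not tell a subscriber when the event fires or what the payload is, which is the information a DataBus consumer needs. Going by the analyzer.cc hunk in this same commit, it is published after a packet hold succeeds and only when the owning flow has `flags.trigger_detained_packet_event` set, with the held Packet as the argument; a comment such as `// Published by the analyzer after a packet hold succeeds, when the flow has flags.trigger_detained_packet_event set; payload is the held Packet.` would capture that. This is the only place the event's contract is documented, so it is worth being precise here.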
index 9197b51ac04ec845ed92004e9fc14d97348e0c3e..1e2020b6046c39cd0bb35508908ebad1ee072be9 100644 (file)
@@ -339,7 +339,12 @@ void Analyzer::post_process_daq_pkt_msg(Packet* p)
         retry_queue->put(p->daq_msg);
         daq_stats.retries_queued++;
     }
-    else if (!p->active->is_packet_held() || !Stream::set_packet_action_to_hold(p))
+    else if (p->active->is_packet_held() and Stream::set_packet_action_to_hold(p))
+    {
+        if (p->flow and p->flow->flags.trigger_detained_packet_event)
+            DataBus::publish(DETAINED_PACKET_EVENT, p);
+    }
+    else
         verdict = distill_verdict(p);
 
     if (PacketTracer::is_active())
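Review bot: In the restructured chain only the final `else` assigns `verdict`, so on a successful hold `verdict` keeps whatever value it held before the if-chain; that matches the previous behaviour for held packets, but the new three-way shape makes it easy to misread as a missing assignment, and a comment on the new branch would prevent that: `// Hold succeeded: no verdict is produced here; notify subscribers that opted in via the flow flag.` Subscribers of `DataBus::publish(DETAINED_PACKET_EVENT, p)` receive `p` while it is in the held state; whether the DataBus contract lets a subscriber change the packet's action at that point is not visible here and is presumably worth stating next to the publish call. The `p->flow` null check before dereferencing `flags` is correct. The enclosing function begins and continues outside the hunk.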
index 724a452a7b0c3f4173fed92370a2515f15863f10..cbf463e8c1a10e735084c9ad7940d473911f1745 100644 (file)
@@ -70,7 +70,7 @@ static inline DCE2_Ret DCE2_Smb2InsertTid(DCE2_SmbSsnData* ssd, const uint32_t t
             (ssd->max_file_depth ==
             -1 and DCE2_ScSmbFileDepth((dce2SmbProtoConf*)ssd->sd.config) == -1) )
     {
-        debug_logf(dce_smb_trace, "Not inserting TID (%u) for DISK share type"
+        debug_logf(dce_smb_trace, "Not inserting TID (%u) for DISK share type "
             "as mandatory configuration max_file_depth is not present."
             "This will result in non-inspection of file data.\n", tid);
         return ret;
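Review bot: The same missing-space defect the commit fixes on the first fragment is still present at the join between the next two fragments: `"...max_file_depth is not present."` is followed directly by `"This will result..."`, so the emitted log text still reads `not present.This will result`. The second fragment should end with a space as well: `"as mandatory configuration max_file_depth is not present. "`. The enclosing function DCE2_Smb2InsertTid starts and ends outside the hunk.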
index 85c600bafb65465da1873229936432c5ac3700ca..6b1f65ed620197dd1a1e1fe4812919c1700fae33 100644 (file)
@@ -125,9 +125,16 @@ void HttpStreamSplitter::detain_packet(Packet* pkt)
         fprintf(HttpTestManager::get_output_file(), "Packet detain request\n");
         fflush(HttpTestManager::get_output_file());
     }
+
     if (!HttpTestManager::use_test_input(HttpTestManager::IN_HTTP))
+    {
 #endif
     pkt->active->hold_packet(pkt);
+#ifdef REG_TEST
+    }
+#endif
+
+    // Count attempted detains.
     HttpModule::increment_peg_counts(PEG_DETAINED);
 }
 
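Review bot: The braces added around `hold_packet` now open inside the `#ifdef REG_TEST` region and close inside a second `#ifdef REG_TEST` block, so the block structure of detain_packet is only balanced after preprocessing and a reader has to mentally run both configurations to see that the non-test build is simply `pkt->active->hold_packet(pkt);`. Hoisting the condition into a local that is defined under both configurations keeps the `if` and its braces in plain code and confines the preprocessor to the one expression that differs; the `#ifdef REG_TEST` that this rewrite closes is opened before the hunk, above the trace output. The peg count stays unconditional as in the hunk.

```cpp
    // … unchanged: "Packet detain request" trace output (inside the #ifdef REG_TEST opened above the hunk) …
    const bool simulate_hold = HttpTestManager::use_test_input(HttpTestManager::IN_HTTP);
#else
    const bool simulate_hold = false;
#endif
    if (!simulate_hold)
        pkt->active->hold_packet(pkt);

    // Count attempted detains.
    HttpModule::increment_peg_counts(PEG_DETAINED);
```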
index 145579d332d34d802cddff829cb920f7ae022cf2..62ebd4f4df91317bdbb7f01127d92c1f4ef83d80 100644 (file)
@@ -412,7 +412,7 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
     { CountType::SUM, "uri_coding", "URIs with character coding problems" },
     { CountType::NOW, "concurrent_sessions", "total concurrent http sessions" },
     { CountType::MAX, "max_concurrent_sessions", "maximum concurrent http sessions" },
-    { CountType::SUM, "detained_packets", "TCP packets delayed by detained inspection" },
+    { CountType::SUM, "detained_packets", "packet hold requests for detained inspection" },
     { CountType::SUM, "partial_inspections", "pre-inspections for detained inspection" },
     { CountType::SUM, "excess_parameters", "repeat parameters exceeding max" },
     { CountType::SUM, "parameters", "HTTP parameters inspected" },