Merge pull request #2204 in SNORT/snort3 from ~SMINUT/snort3:hpq_daq_verdict to master

Squashed commit of the following:

commit 006990ce86bed6fd6710ee2f868d4672887fa1eb
Author: Silviu Minut <sminut@cisco.com>
Date:   Thu May 7 16:31:26 2020 -0400

    stream_tcp: change the DAQ verdict from drop to blacklist for held packets that timed out

diff --git a/src/stream/tcp/held_packet_queue.cc b/src/stream/tcp/held_packet_queue.cc
index cb1a9092b85f664fda55c79f466dfad08e837b37..2c5656509e844a87fbfb158a36f2c7c8423a39fe 100644 (file)
--- a/src/stream/tcp/held_packet_queue.cc
+++ b/src/stream/tcp/held_packet_queue.cc
@@ -32,7 +32,7 @@
 using namespace snort;
 
 HeldPacket::HeldPacket(DAQ_Msg_h msg, uint32_t seq, const timeval& exp, TcpStreamTracker& trk)
-    : daq_msg(msg), seq_num(seq), expiration(exp), tracker(trk)
+    : daq_msg(msg), seq_num(seq), expiration(exp), tracker(trk), expired(false)
 {
 }
 

diff --git a/src/stream/tcp/held_packet_queue.h b/src/stream/tcp/held_packet_queue.h
index b78e027ea4b18b2383ce0f56d02ca085c86d8c25..ded1c8e700d632a1161f036e231d23bb89834bda 100644 (file)
--- a/src/stream/tcp/held_packet_queue.h
+++ b/src/stream/tcp/held_packet_queue.h
@@ -36,7 +36,13 @@ public:
 
     bool has_expired(const timeval& cur_time)
     {
-        return !timercmp(&cur_time, &expiration, <);
+        expired = (timercmp(&cur_time, &expiration, <) == 0);
+        return expired;
+    }
+
+    bool has_expired()
+    {
+        return expired;
     }
 
     TcpStreamTracker& get_tracker() const { return tracker; }
@@ -48,6 +54,7 @@ private:
     uint32_t seq_num;
     timeval expiration;
     TcpStreamTracker& tracker;
+    bool expired;
 };
 
 class HeldPacketQueue

diff --git a/src/stream/tcp/tcp_stream_tracker.cc b/src/stream/tcp/tcp_stream_tracker.cc
index b75ef7d90a0086346308883070f1d225c9932208..120ef09cce9c181fad4b56073f17881fecdcf378 100644 (file)
--- a/src/stream/tcp/tcp_stream_tracker.cc
+++ b/src/stream/tcp/tcp_stream_tracker.cc
@@ -704,7 +704,8 @@ void TcpStreamTracker::finalize_held_packet(Packet* cp)
     {
         if ( cp->active->packet_was_dropped() )
         {
-            Analyzer::get_local_analyzer()->finalize_daq_message(held_packet->get_daq_msg(), DAQ_VERDICT_BLOCK);
+            DAQ_Verdict verdict = held_packet->has_expired() ? DAQ_VERDICT_BLACKLIST : DAQ_VERDICT_BLOCK;
+            Analyzer::get_local_analyzer()->finalize_daq_message(held_packet->get_daq_msg(), verdict);
             tcpStats.held_packets_dropped++;
         }
         else
@@ -729,7 +730,8 @@ void TcpStreamTracker::finalize_held_packet(Flow* flow)
         if ( (flow->session_state & STREAM_STATE_BLOCK_PENDING) ||
              (flow->ssn_state.session_flags & SSNFLAG_BLOCK) )
         {
-            Analyzer::get_local_analyzer()->finalize_daq_message(held_packet->get_daq_msg(), DAQ_VERDICT_BLOCK);
+            DAQ_Verdict verdict = held_packet->has_expired() ? DAQ_VERDICT_BLACKLIST : DAQ_VERDICT_BLOCK;
+            Analyzer::get_local_analyzer()->finalize_daq_message(held_packet->get_daq_msg(), verdict);
             tcpStats.held_packets_dropped++;
         }
         else