Merge pull request #1726 in SNORT/snort3 from ~MMATIRKO/snort3:bidirectional_icmp_ip_...

author Mike Stepanek (mstepane) <mstepane@cisco.com>

Wed, 4 Sep 2019 12:58:58 +0000 (08:58 -0400)

committer Mike Stepanek (mstepane) <mstepane@cisco.com>

Wed, 4 Sep 2019 12:58:58 +0000 (08:58 -0400)
author Mike Stepanek (mstepane) <mstepane@cisco.com>
Wed, 4 Sep 2019 12:58:58 +0000 (08:58 -0400)
committer Mike Stepanek (mstepane) <mstepane@cisco.com>
Wed, 4 Sep 2019 12:58:58 +0000 (08:58 -0400)
diff --git a/src/framework/data_bus.h b/src/framework/data_bus.h

index fbd2e768c2e4cc61ddba3d6bc979f6f165253e81..47f66b67a59beb406f4a1daa2fdb8ec9164cea78 100644 (file)
--- a/src/framework/data_bus.h
+++ b/src/framework/data_bus.h
@@ -161,6 +161,11 @@ private:
  #define STREAM_IP_NEW_FLOW_EVENT "stream.ip_new_flow"
  #define STREAM_UDP_NEW_FLOW_EVENT "stream.udp_new_flow"
  
+// A flow has been determined to be bidirectional
+#define STREAM_ICMP_BIDIRECTIONAL_EVENT "stream.icmp_bidirectional"
+#define STREAM_IP_BIDIRECTIONAL_EVENT "stream.ip.bidirectional" 
+#define STREAM_UDP_BIDIRECTIONAL_EVENT "stream.udp.bidirectional" 
+
  // A TCP flow has the flag; a midstream flow may not publish other events
  #define STREAM_TCP_SYN_EVENT "stream.tcp_syn"
  #define STREAM_TCP_SYN_ACK_EVENT "stream.tcp_syn_ack"
diff --git a/src/network_inspectors/rna/rna_event_handler.cc b/src/network_inspectors/rna/rna_event_handler.cc

index 4e021abcd2346d169b35614783116c94dc782cf2..012a37947bf2125c08d009d4826dfadb8830b511 100644 (file)
--- a/src/network_inspectors/rna/rna_event_handler.cc
+++ b/src/network_inspectors/rna/rna_event_handler.cc
@@ -26,17 +26,31 @@
  
  using namespace snort;
  
-void RnaIcmpEventHandler::handle(DataEvent& event, Flow*)
+void RnaIcmpBidirectionalEventHandler::handle(DataEvent& event, Flow*)
  {
      Profile profile(rna_perf_stats);
-    ++rna_stats.icmp;
+    ++rna_stats.icmp_bidirectional;
      pnd.analyze_flow_icmp(event.get_packet());
  }
  
-void RnaIpEventHandler::handle(DataEvent& event, Flow*)
+void RnaIcmpNewFlowEventHandler::handle(DataEvent& event, Flow*)
  {
      Profile profile(rna_perf_stats);
-    ++rna_stats.ip;
+    ++rna_stats.icmp_new;
+    pnd.analyze_flow_icmp(event.get_packet());
+}
+
+void RnaIpBidirectionalEventHandler::handle(DataEvent& event, Flow*)
+{
+    Profile profile(rna_perf_stats);
+    ++rna_stats.ip_bidirectional;
+    pnd.analyze_flow_ip(event.get_packet());
+}
+
+void RnaIpNewFlowEventHandler::handle(DataEvent& event, Flow*)
+{
+    Profile profile(rna_perf_stats);
+    ++rna_stats.ip_new;
      pnd.analyze_flow_ip(event.get_packet());
  }
  
@@ -61,9 +75,16 @@ void RnaTcpMidstreamEventHandler::handle(DataEvent& event, Flow*)
      pnd.analyze_flow_tcp(event.get_packet(), TcpPacketType::MIDSTREAM);
  }
  
-void RnaUdpEventHandler::handle(DataEvent& event, Flow*)
+void RnaUdpBidirectionalEventHandler::handle(DataEvent& event, Flow*)
+{
+    Profile profile(rna_perf_stats);
+    ++rna_stats.udp_bidirectional;
+    pnd.analyze_flow_udp(event.get_packet());
+}
+
+void RnaUdpNewFlowEventHandler::handle(DataEvent& event, Flow*)
  {
      Profile profile(rna_perf_stats);
-    ++rna_stats.udp;
+    ++rna_stats.udp_new;
      pnd.analyze_flow_udp(event.get_packet());
  }
diff --git a/src/network_inspectors/rna/rna_event_handler.h b/src/network_inspectors/rna/rna_event_handler.h

index 2b4752a5a151449841217283ff3fa338bfbc69f9..cc6adbb29f8afa20e236d21577ca93047e1705db 100644 (file)
--- a/src/network_inspectors/rna/rna_event_handler.h
+++ b/src/network_inspectors/rna/rna_event_handler.h
@@ -26,19 +26,38 @@
  #include "rna_module.h"
  #include "rna_pnd.h"
  
-class RnaIcmpEventHandler : public snort::DataHandler
+class RnaIcmpNewFlowEventHandler : public snort::DataHandler
  {
  public:
-    RnaIcmpEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { }
+    RnaIcmpNewFlowEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { }
      void handle(snort::DataEvent&, snort::Flow*) override;
  private:
      RnaPnd& pnd;
  };
  
-class RnaIpEventHandler : public snort::DataHandler
+class RnaIcmpBidirectionalEventHandler : public snort::DataHandler
  {
  public:
-    RnaIpEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { }
+    RnaIcmpBidirectionalEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { }
+    void handle(snort::DataEvent&, snort::Flow*) override;
+private:
+    RnaPnd& pnd;
+};
+
+class RnaIpNewFlowEventHandler : public snort::DataHandler
+{
+public:
+    RnaIpNewFlowEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { }
+    void handle(snort::DataEvent&, snort::Flow*) override;
+private:
+    RnaPnd& pnd;
+};
+
+
+class RnaIpBidirectionalEventHandler : public snort::DataHandler
+{
+public:
+    RnaIpBidirectionalEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { }
      void handle(snort::DataEvent&, snort::Flow*) override;
  private:
      RnaPnd& pnd;
@@ -71,10 +90,19 @@ private:
      RnaPnd& pnd;
  };
  
-class RnaUdpEventHandler : public snort::DataHandler
+class RnaUdpNewFlowEventHandler : public snort::DataHandler
+{
+public:
+    RnaUdpNewFlowEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { }
+    void handle(snort::DataEvent&, snort::Flow*) override;
+private:
+    RnaPnd& pnd;
+};
+
+class RnaUdpBidirectionalEventHandler : public snort::DataHandler
  {
  public:
-    RnaUdpEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { }
+    RnaUdpBidirectionalEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { }
      void handle(snort::DataEvent&, snort::Flow*) override;
  private:
      RnaPnd& pnd;
diff --git a/src/network_inspectors/rna/rna_inspector.cc b/src/network_inspectors/rna/rna_inspector.cc

index 31f06c5e9c912a19750583ba56d929ed9c2da883..3dcdd84af6235b9dd6bf2b8fceb4399866b5b1bb 100644 (file)
--- a/src/network_inspectors/rna/rna_inspector.cc
+++ b/src/network_inspectors/rna/rna_inspector.cc
@@ -65,9 +65,15 @@ RnaInspector::~RnaInspector()
  
  bool RnaInspector::configure(SnortConfig*)
  {
-    DataBus::subscribe( STREAM_ICMP_NEW_FLOW_EVENT, new RnaIcmpEventHandler(*pnd) );
-    DataBus::subscribe( STREAM_IP_NEW_FLOW_EVENT, new RnaIpEventHandler(*pnd) );
-    DataBus::subscribe( STREAM_UDP_NEW_FLOW_EVENT, new RnaUdpEventHandler(*pnd) );
+    DataBus::subscribe( STREAM_ICMP_NEW_FLOW_EVENT, new RnaIcmpNewFlowEventHandler(*pnd) );
+    DataBus::subscribe( STREAM_ICMP_BIDIRECTIONAL_EVENT, new RnaIcmpBidirectionalEventHandler(*pnd) );
+
+    DataBus::subscribe( STREAM_IP_NEW_FLOW_EVENT, new RnaIpNewFlowEventHandler(*pnd) );
+    DataBus::subscribe( STREAM_IP_BIDIRECTIONAL_EVENT, new RnaIpBidirectionalEventHandler(*pnd) );
+
+    DataBus::subscribe( STREAM_UDP_NEW_FLOW_EVENT, new RnaUdpNewFlowEventHandler(*pnd) );
+    DataBus::subscribe( STREAM_UDP_BIDIRECTIONAL_EVENT, new RnaUdpBidirectionalEventHandler(*pnd) );
+
      DataBus::subscribe( STREAM_TCP_SYN_EVENT, new RnaTcpSynEventHandler(*pnd) );
      DataBus::subscribe( STREAM_TCP_SYN_ACK_EVENT, new RnaTcpSynAckEventHandler(*pnd) );
      DataBus::subscribe( STREAM_TCP_MIDSTREAM_EVENT, new RnaTcpMidstreamEventHandler(*pnd) );
diff --git a/src/network_inspectors/rna/rna_module.cc b/src/network_inspectors/rna/rna_module.cc

index 98cebdbff290a8eca43f3d94d31e23ddd15bca41..708dd6de41cac2aaa17d560df7e11eb567fd8d74 100644 (file)
--- a/src/network_inspectors/rna/rna_module.cc
+++ b/src/network_inspectors/rna/rna_module.cc
@@ -61,9 +61,12 @@ static const Parameter rna_params[] =
  
  static const PegInfo rna_pegs[] =
  {
-    { CountType::SUM, "icmp", "count of ICMP packets received" },
-    { CountType::SUM, "ip", "count of IP packets received" },
-    { CountType::SUM, "udp", "count of UDP packets received" },
+    { CountType::SUM, "icmp_bidirectional", "count of bidirectional ICMP flows received" },
+    { CountType::SUM, "icmp_new", "count of new ICMP flows received" },
+    { CountType::SUM, "ip_bidirectional", "count of bidirectional IP received" },
+    { CountType::SUM, "ip_new", "count of new IP flows received" },
+    { CountType::SUM, "udp_bidirectional", "count of bidirectional UDP flows received" },
+    { CountType::SUM, "udp_new", "count of new UDP flows received" },
      { CountType::SUM, "tcp_syn", "count of TCP SYN packets received" },
      { CountType::SUM, "tcp_syn_ack", "count of TCP SYN-ACK packets received" },
      { CountType::SUM, "tcp_midstream", "count of TCP midstream packets received" },
diff --git a/src/network_inspectors/rna/rna_module.h b/src/network_inspectors/rna/rna_module.h

index f5656380e81ac77dcc1356e44cf60baa9a156280..15f4157ef927ed84db31aab430cd21647122a599 100644 (file)
--- a/src/network_inspectors/rna/rna_module.h
+++ b/src/network_inspectors/rna/rna_module.h
@@ -31,9 +31,12 @@
  
  struct RnaStats
  {
-    PegCount icmp;
-    PegCount ip;
-    PegCount udp;
+    PegCount icmp_bidirectional;
+    PegCount icmp_new;
+    PegCount ip_bidirectional;
+    PegCount ip_new;
+    PegCount udp_bidirectional;
+    PegCount udp_new;
      PegCount tcp_syn;
      PegCount tcp_syn_ack;
      PegCount tcp_midstream;
diff --git a/src/stream/icmp/icmp_session.cc b/src/stream/icmp/icmp_session.cc

index a1f2bc3b4b00f9c9b84fc659457862203c32db7c..3c4d6b642eeaab2503c85b5fe0554beb705cc390 100644 (file)
--- a/src/stream/icmp/icmp_session.cc
+++ b/src/stream/icmp/icmp_session.cc
@@ -209,6 +209,12 @@ int IcmpSession::process(Packet* p)
      
      flow->set_expire(p, flow->default_session_timeout);
  
+    if (!(flow->ssn_state.session_flags & SSNFLAG_ESTABLISHED) and !(p->is_from_client()))
+    {
+        DataBus::publish(STREAM_ICMP_BIDIRECTIONAL_EVENT, p);
+        flow->ssn_state.session_flags |= SSNFLAG_ESTABLISHED;
+    }
+
      switch (p->ptrs.icmph->type)
      {
      case ICMP_DEST_UNREACH:
diff --git a/src/stream/ip/ip_session.cc b/src/stream/ip/ip_session.cc

index 06b50f25e3958bb759f78cc2c01cda0ffabd0b86..588afdd11b7aba95f0df4a910a229d6beda19d86 100644 (file)
--- a/src/stream/ip/ip_session.cc
+++ b/src/stream/ip/ip_session.cc
@@ -23,6 +23,7 @@
  
  #include "ip_session.h"
  
+#include "framework/data_bus.h"
  #include "memory/memory_cap.h"
  #include "profiler/profiler_defs.h"
  #include "protocols/packet.h"
@@ -103,8 +104,16 @@ static inline void update_session(Packet* p, Flow* lws)
              (lws->ssn_state.session_flags & SSNFLAG_SEEN_SERVER) )
          {
              lws->ssn_state.session_flags |= SSNFLAG_ESTABLISHED;
-
              lws->set_ttl(p, false);
+
+            if ( p->type() == PktType::ICMP and p->ptrs.icmph) 
+            {
+                DataBus::publish(STREAM_ICMP_BIDIRECTIONAL_EVENT, p);
+            } 
+            else 
+            {
+                DataBus::publish(STREAM_IP_BIDIRECTIONAL_EVENT, p);
+            }
          }
      }
  
diff --git a/src/stream/udp/udp_session.cc b/src/stream/udp/udp_session.cc

index 463f539a6fb1837b5ee83abacecd8112ffe3c705..df1fe1ca4b7ca07ba213d975f25c2477e0647013 100644 (file)
--- a/src/stream/udp/udp_session.cc
+++ b/src/stream/udp/udp_session.cc
@@ -89,6 +89,7 @@ static int ProcessUdp(
              (lwssn->ssn_state.session_flags & SSNFLAG_SEEN_RESPONDER))
          {
              lwssn->ssn_state.session_flags |= SSNFLAG_ESTABLISHED;
+            DataBus::publish(STREAM_UDP_BIDIRECTIONAL_EVENT, p);
          }
      }
author	Mike Stepanek (mstepane) <mstepane@cisco.com>
	Wed, 4 Sep 2019 12:58:58 +0000 (08:58 -0400)
committer	Mike Stepanek (mstepane) <mstepane@cisco.com>
	Wed, 4 Sep 2019 12:58:58 +0000 (08:58 -0400)
src/framework/data_bus.h		patch \| blob \| blame \| history
src/network_inspectors/rna/rna_event_handler.cc		patch \| blob \| blame \| history
src/network_inspectors/rna/rna_event_handler.h		patch \| blob \| blame \| history
src/network_inspectors/rna/rna_inspector.cc		patch \| blob \| blame \| history
src/network_inspectors/rna/rna_module.cc		patch \| blob \| blame \| history
src/network_inspectors/rna/rna_module.h		patch \| blob \| blame \| history
src/stream/icmp/icmp_session.cc		patch \| blob \| blame \| history
src/stream/ip/ip_session.cc		patch \| blob \| blame \| history
src/stream/udp/udp_session.cc		patch \| blob \| blame \| history