#include "appid_http_session.h"
#include "appid_inspector.h"
#include "appid_session.h"
-#include "utils/util.h"
using namespace snort;
void HttpEventHandler::handle(DataEvent& event, Flow* flow)
{
+ if ( !pkt_thread_odp_ctxt )
+ return;
+
assert(flow);
AppIdSession* asd = appid_api.get_appid_session(*flow);
- if (!asd)
- return;
- else
+ Packet* p = DetectionEngine::get_current_packet();
+ assert(p);
+ auto direction = event_type == REQUEST_EVENT ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
+
+ if ( !asd )
{
- // Skip detection for sessions using old odp context after odp reload
- if (!pkt_thread_odp_ctxt or
- (asd->get_odp_ctxt_version() != pkt_thread_odp_ctxt->get_version()))
- return;
+ // The event is received before appid has seen any packet, e.g., data on SYN
+ auto inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME);
+ asd = AppIdSession::allocate_session( p, p->get_ip_proto_next(), direction,
+ inspector, *pkt_thread_odp_ctxt );
+ if ( appidDebug->is_enabled() )
+ {
+ appidDebug->activate(flow, asd, inspector->get_ctxt().config.log_all_sessions);
+ if ( appidDebug->is_active() )
+ LogMessage("AppIdDbg %s New AppId session at HTTP event\n",
+ appidDebug->get_debug_session());
+ }
}
+ else if ( asd->get_odp_ctxt_version() != pkt_thread_odp_ctxt->get_version() )
+ return; // Skip detection for sessions using old odp context after odp reload
- AppidSessionDirection direction;
const uint8_t* header_start;
int32_t header_length;
HttpEvent* http_event = (HttpEvent*)&event;
appidDebug->get_debug_session(), http_event->get_http2_stream_id());
asd->set_session_flags(APPID_SESSION_HTTP_SESSION);
- direction = event_type == REQUEST_EVENT ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
AppIdHttpSession* hsession;
if (http_event->get_is_http2())
else
asd->set_application_ids_service(APP_ID_HTTP2, change_bits);
- Packet* p = DetectionEngine::get_current_packet();
- assert(p);
asd->publish_appid_event(change_bits, *p, http_event->get_is_http2(),
asd->get_api().get_hsessions_size() - 1);
}
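Review bot: In the new allocation branch, `inspector` from `InspectorManager::get_inspector(MOD_NAME)` is dereferenced at `inspector->get_ctxt()` and passed to `allocate_session` with no null check, and the `asd` that `allocate_session` returns is used unconditionally from `asd->set_session_flags` onward. If either lookup can fail (the test stub added in this same commit does return nullptr from `allocate_session`), the handler dereferences null on the very path this commit adds for data arriving on the SYN, i.e. on peer-supplied input. Suggest `if ( !inspector ) return;` before the allocation and `if ( !asd ) return;` after it. While there, `static_cast<AppIdInspector*>(...)` would replace the C-style cast, matching the project's other casts.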
};
FakeHttpMsgHeader* fake_msg_header = nullptr;
+AppIdSession* AppIdSession::allocate_session(const Packet*, IpProtocol, AppidSessionDirection,
+ AppIdInspector*, OdpContext&)
+{
+ return nullptr;
+}
void AppIdSession::set_application_ids_service(AppId, AppidChangeBits&) {}
void AppIdSession::set_ss_application_ids(AppId, AppId, AppId, AppId, AppId, AppidChangeBits&) {}
AppIdHttpSession* AppIdSession::get_http_session(uint32_t stream_index) const
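Review bot: The `allocate_session` stub returns nullptr, but the handler under test dereferences the returned session without checking it, so any test that reaches the new allocation path will crash instead of failing an assertion. If that path is meant to be exercised, return a fixture-owned mock `AppIdSession` here; if it is intentionally not covered, a comment such as `// data-on-SYN allocation path is not exercised by these tests` would make the gap explicit rather than latent.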
return tcp_norm_stats;
}
-void TcpNormalizer::trim_payload(
+bool TcpNormalizer::trim_payload(
TcpNormalizerState&, TcpSegmentDescriptor& tsd, uint32_t max, NormMode mode, TcpPegCounts peg)
{
+ tcp_norm_stats[peg][mode]++;
if (mode == NORM_MODE_ON)
{
uint16_t fat = tsd.get_len() - max;
tsd.set_len(max);
tsd.set_packet_flags(PKT_RESIZED);
tsd.set_end_seq(tsd.get_end_seq() - fat);
+ return true;
}
-
- tcp_norm_stats[peg][mode]++;
+ return false;
}
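Review bot: The new bool return is true only on the `NORM_MODE_ON` path, so in `NORM_MODE_TEST` (and OFF) a caller gets false even though the segment exceeds `max` and the peg was counted; a caller such as `handle_data_on_syn` then takes its "not trimmed, process the data" branch, which is presumably the intended test-mode semantics but is stated nowhere. Add above the definition: `// Returns true only if the payload was actually shortened (NORM_MODE_ON); in TEST/OFF modes the peg is counted, the segment is left untouched and false is returned.` Moving the peg increment ahead of the `if` keeps the count identical in every mode, so that part needs no further change.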
bool TcpNormalizer::strip_tcp_timestamp(
return false;
}
-void TcpNormalizer::trim_syn_payload(
+bool TcpNormalizer::trim_syn_payload(
TcpNormalizerState& tns, TcpSegmentDescriptor& tsd, uint32_t max)
{
if (tsd.get_len() > max)
- trim_payload(tns, tsd, max, (NormMode)tns.trim_syn, PC_TCP_TRIM_SYN);
+ return trim_payload(tns, tsd, max, (NormMode)tns.trim_syn, PC_TCP_TRIM_SYN);
+ return false;
}
void TcpNormalizer::trim_rst_payload(
virtual void init(State&) { }
virtual bool packet_dropper(State&, TcpSegmentDescriptor&, NormFlags);
- virtual void trim_syn_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0);
+ virtual bool trim_syn_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0);
virtual void trim_rst_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0);
virtual void trim_win_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0);
virtual void trim_mss_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0);
protected:
TcpNormalizer() = default;
- virtual void trim_payload(State&, TcpSegmentDescriptor&, uint32_t, NormMode, TcpPegCounts);
+ virtual bool trim_payload(State&, TcpSegmentDescriptor&, uint32_t, NormMode, TcpPegCounts);
virtual bool strip_tcp_timestamp(
State&, TcpSegmentDescriptor&, const snort::tcp::TcpOption*, NormMode);
virtual bool validate_rst_seq_geq(State&, TcpSegmentDescriptor&);
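Review bot: The header now declares `trim_syn_payload` and `trim_payload` as returning bool while `trim_rst_payload`, `trim_win_payload` and `trim_mss_payload` keep void, and nothing at the declaration tells the author of an override what the bool must mean. Since these are virtuals that subclasses override, the contract belongs here: `// true iff the segment payload was trimmed; false when nothing exceeded max or the mode is not NORM_MODE_ON`. Either give the other three trim_* the same return for consistency, or add a one-line comment saying why only the SYN variant reports back to its caller.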
bool packet_dropper(TcpSegmentDescriptor& tsd, NormFlags nflags)
{ return norm->packet_dropper(tns, tsd, nflags); }
- void trim_syn_payload(TcpSegmentDescriptor& tsd, uint32_t max = 0)
- { norm->trim_syn_payload(tns, tsd, max); }
+ bool trim_syn_payload(TcpSegmentDescriptor& tsd, uint32_t max = 0)
+ { return norm->trim_syn_payload(tns, tsd, max); }
void trim_rst_payload(TcpSegmentDescriptor& tsd, uint32_t max = 0)
{ norm->trim_rst_payload(tns, tsd, max); }
uint32_t seq = tsd.get_seq();
if ( tcph->is_syn() )
- {
- if (listener->normalizer.get_os_policy() == StreamPolicy::OS_MACOS)
- seq++;
- else
- {
- listener->normalizer.trim_syn_payload(tsd);
- return STREAM_UNALIGNED;
- }
- }
+ seq++;
/* we're aligned, so that's nice anyway */
if (seq == listener->rcv_nxt)
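Review bot: The SYN branch now unconditionally does `seq++` and no longer trims or rejects the payload for non-MACOS policies, so this handler relies on the SYN payload having already been trimmed or accepted in `handle_data_on_syn` before this point; that ordering assumption is invisible here. A comment at the new line, `// SYN consumes one sequence number; any payload on it was already trimmed or accepted by handle_data_on_syn`, would record it, and it is worth confirming that no caller reaches this handler with an untrimmed SYN payload while normalization is on, since such data would now be aligned and queued instead of discarded. The enclosing function starts before and continues after this hunk.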
void TcpSession::handle_data_on_syn(TcpSegmentDescriptor& tsd)
{
TcpStreamTracker* listener = tsd.get_listener();
- TcpStreamTracker* talker = tsd.get_talker();
- /* MacOS accepts data on SYN, so don't alert if policy is MACOS */
- if ( talker->normalizer.get_os_policy() == StreamPolicy::OS_MACOS )
- handle_data_segment(tsd);
- else
+ if ( !listener->normalizer.trim_syn_payload(tsd) )
{
- listener->normalizer.trim_syn_payload(tsd);
+ handle_data_segment(tsd);
tel.set_tcp_event(EVENT_DATA_ON_SYN);
- set_pkt_action_flag(ACTION_BAD_PKT);
}
}
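Review bot: After this change a SYN whose payload is trimmed (`trim_syn_payload` returns true) raises no `EVENT_DATA_ON_SYN` and no longer sets `ACTION_BAD_PKT`, whereas before the alert fired exactly in that case; the alert now fires only when the data is let through (normalizer OFF or TEST). If the intent is "normalization counts it, the alert reports what got through", a comment on the `if` should say so; if the alert is still wanted whenever data rides the SYN, hoist `tel.set_tcp_event(EVENT_DATA_ON_SYN);` out of the `if` so it runs in both outcomes. Dropping the MACOS exception is clearly deliberate here, but note that MACOS-policy sessions that previously accepted SYN data silently will now alert as well.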