Merge in SNORT/snort3 from ~RDEMPSTE/snort3:expected_flows to master
Squashed commit of the following:
commit
0e0addce6885fcd71a01c1a81e632542ac4ac128
Author: Ron Dempster (rdempste) <rdempste@cisco.com>
Date: Thu Oct 13 10:50:22 2022 -0400
flow: added an event to allow post processing of new expected flows
packet_expect_flows->clear();
}
+void ExpectFlow::handle_expected_flows(const Packet* p)
+{
+ if (p->flow && packet_expect_flows && !packet_expect_flows->empty())
+ {
+ ExpectedFlowsEvent event(*packet_expect_flows, *p);
+ DataBus::publish(EXPECT_EVENT_TYPE_HANDLE_FLOWS, event);
+ }
+}
+
FlowData* ExpectFlow::get_flow_data(unsigned id)
{
for (FlowData* p = data; p; p = p->next)
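Review bot: handle_expected_flows publishes an event that holds `*packet_expect_flows` and `*p` by reference, and that vector is the one reset_expect_flows clears (`packet_expect_flows->clear();` at the top of the hunk), so any pointer or reference a subscriber keeps from the event past the callback is at risk of dangling; nothing in the new code states that contract. I would add a comment on the definition, e.g. `// Publishes the packet's newly created expected flows to subscribers. The list and the packet are owned by the caller; subscribers must use them only inside the callback.` The ExpectedFlowsEvent class added in the header hunk ending with `#endif` stores both as reference members and needs the same statement. `p` is also dereferenced before any null check; the only caller visible here already tests `p->flow`, so a non-null precondition is the thing to document rather than add a guard. reset_expect_flows and get_flow_data start and end outside the hunk.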
snort::FlowData* get_flow_data(unsigned);
static std::vector<ExpectFlow*>* get_expect_flows();
static void reset_expect_flows();
+ static void handle_expected_flows(const snort::Packet*);
};
}
unsigned long get_realized() { return realized; }
unsigned long get_prunes() { return prunes; }
unsigned long get_overflows() { return overflows; }
- void reset_stats()
+ void reset_stats()
{
expects = 0;
realized = 0;
#include "detection/detect.h"
#include "detection/detection_engine.h"
#include "detection/fp_utils.h"
+#include "flow/expect_cache.h"
#include "flow/flow.h"
#include "flow/session.h"
#include "log/messages.h"
internal_execute<true>(p);
else
internal_execute<false>(p);
+
+ if ( p->flow && ( !p->is_cooked() or p->is_defrag() ) )
+ ExpectFlow::handle_expected_flows(p);
}
template<bool T>
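Review bot: The condition `!p->is_cooked() or p->is_defrag()` encodes a packet-type policy with no explanation of why cooked packets other than defragmented ones are skipped, and a reader cannot recover that from the call itself. A one-line comment above the `if` stating the reason (which packet kinds can carry newly created expected flows) would make the intent checkable the next time the cooked/defrag predicates change. The enclosing function starts outside the hunk.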
// stubs.h author Ron Dempster <rdempste@cisco.com>
#include "detection/detection_engine.h"
+#include "flow/expect_cache.h"
#include "main/policy.h"
#include "main/snort.h"
#include "main/snort_config.h"
DataBus::DataBus() { }
DataBus::~DataBus() { }
Module* ModuleManager::get_module(const char*) { return nullptr; }
+void ExpectFlow::handle_expected_flows(const Packet*) { }
NetworkPolicy* get_default_network_policy(const SnortConfig*) { return nullptr; }
void set_network_policy(NetworkPolicy*) { }
// by data bus subscribers
#include <list>
+#include <vector>
#include "framework/data_bus.h"
const snort::FlowData* flow_data;
};
+#define EXPECT_EVENT_TYPE_HANDLE_FLOWS "expect.handle_flows"
+
+class ExpectedFlowsEvent : public snort::DataEvent
+{
+public:
+ ExpectedFlowsEvent(std::vector<snort::ExpectFlow*>& expected_flows, const snort::Packet& p)
+ : expected_flows(expected_flows), pkt(p)
+ { }
+
+ std::vector<snort::ExpectFlow*>& get_expected_flows()
+ { return expected_flows; }
+
+ const snort::Packet* get_packet() const override
+ { return &pkt; }
+
+private:
+ std::vector<snort::ExpectFlow*>& expected_flows;
+ const snort::Packet& pkt;
+};
+
#endif
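Review bot: `get_expected_flows()` hands every subscriber a mutable reference to the same vector, so any subscriber can add, remove or reorder entries seen by all later subscribers and by whatever the publisher does with the list afterwards; the class gives no indication whether that is intended. If subscribers are only meant to inspect the flows, change it to `const std::vector<snort::ExpectFlow*>& get_expected_flows() const { return expected_flows; }`; if mutation is the point, say so in a class comment. Either way the class deserves a short header comment naming when it is published (from the detection engine after a packet's processing, per the detection_engine.cc hunk) and that both members are references valid only for the duration of the callback.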