Merge pull request #2419 in SNORT/snort3 from ~EBURMAI/snort3:sip_future_session...
authorShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Tue, 25 Aug 2020 19:58:49 +0000 (19:58 +0000)
committerShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Tue, 25 Aug 2020 19:58:49 +0000 (19:58 +0000)
Squashed commit of the following:

commit a8138a99828ef883106248ea028750845c71e888
Author: Eduard Burmai <eburmai@cisco.com>
Date:   Tue Aug 25 08:14:58 2020 -0400

    appid: Pass snort protocol id instead of appid while creating future flow

14 files changed:
src/network_inspectors/appid/appid_api.cc
src/network_inspectors/appid/appid_config.cc
src/network_inspectors/appid/appid_config.h
src/network_inspectors/appid/appid_session.cc
src/network_inspectors/appid/detector_plugins/detector_sip.cc
src/network_inspectors/appid/detector_plugins/detector_sip.h
src/network_inspectors/appid/service_plugins/service_ftp.cc
src/network_inspectors/appid/service_plugins/service_rexec.cc
src/network_inspectors/appid/service_plugins/service_rpc.cc
src/network_inspectors/appid/service_plugins/service_rshell.cc
src/network_inspectors/appid/service_plugins/service_snmp.cc
src/network_inspectors/appid/service_plugins/service_tftp.cc
src/network_inspectors/appid/test/appid_api_test.cc
src/network_inspectors/appid/tp_appid_utils.cc

index 3ede28b9b11ca3b930166066d07fefee6eeb971f..c37ccb1200f262cf3c0aea8203107da9dcd99baf 100644 (file)
@@ -348,7 +348,8 @@ bool AppIdApi::is_inspection_needed(const Inspector& inspector) const
         true);
 
     if (appid_inspector and
-        (inspector.get_service() == appid_inspector->get_ctxt().config.snortId_for_http2))
+        (inspector.get_service() ==
+            appid_inspector->get_ctxt().config.snort_proto_ids[PROTO_INDEX_HTTP2]))
         return true;
 
     return false;
index 844d27d799e8cda7745e99938ff4469dd72c13a6..6167801ca6fcecc25018c65697e660e454a40b61 100644 (file)
@@ -52,16 +52,16 @@ OdpContext* AppIdContext::odp_ctxt = nullptr;
 
 static void map_app_names_to_snort_ids(SnortConfig* sc, AppIdConfig& config)
 {
-    config.snortId_for_unsynchronized = sc->proto_ref->add("unsynchronized");
-    config.snortId_for_ftp_data = sc->proto_ref->add("ftp-data");
-    config.snortId_for_http2    = sc->proto_ref->add("http2");
-
     // Have to create SnortProtocolIds during configuration initialization.
-    sc->proto_ref->add("rexec");
-    sc->proto_ref->add("rsh-error");
-    sc->proto_ref->add("snmp");
-    sc->proto_ref->add("sunrpc");
-    sc->proto_ref->add("tftp");
+    config.snort_proto_ids[PROTO_INDEX_UNSYNCHRONIZED] = sc->proto_ref->add("unsynchronized");
+    config.snort_proto_ids[PROTO_INDEX_FTP_DATA] = sc->proto_ref->add("ftp-data");
+    config.snort_proto_ids[PROTO_INDEX_HTTP2] = sc->proto_ref->add("http2");
+    config.snort_proto_ids[PROTO_INDEX_REXEC] = sc->proto_ref->add("rexec");
+    config.snort_proto_ids[PROTO_INDEX_RSH_ERROR] = sc->proto_ref->add("rsh-error");
+    config.snort_proto_ids[PROTO_INDEX_SNMP] = sc->proto_ref->add("snmp");
+    config.snort_proto_ids[PROTO_INDEX_SUNRPC] = sc->proto_ref->add("sunrpc");
+    config.snort_proto_ids[PROTO_INDEX_TFTP] = sc->proto_ref->add("tftp");
+    config.snort_proto_ids[PROTO_INDEX_SIP] = sc->proto_ref->add("sip");
 }
 
 AppIdConfig::~AppIdConfig()
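Review bot: Nothing in map_app_names_to_snort_ids ties the nine hand-written assignments to PROTO_INDEX_MAX, and the `snort_proto_ids` array declared in appid_config.h has no initializer. An enum entry added later without a matching line here would leave a slot with an indeterminate value, which the detectors would then pass to create_future_session. Value-initialising the member, for example `SnortProtocolId snort_proto_ids[PROTO_INDEX_MAX] = {};`, or filling it with UNKNOWN_PROTOCOL_ID before these assignments, makes a missed entry fail in a predictable way. Iterating a small table of index/name pairs would also keep the enum and the registered names side by side.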
index 08edfe6abbd3f4fd820d014732b4f2d8988659f3..dadeb0437dbe36f3e6859b85d2119a6f653d8a5d 100644 (file)
 #define MIN_MAX_PKTS_BEFORE_SERVICE_FAIL 5
 #define MIN_MAX_PKT_BEFORE_SERVICE_FAIL_IGNORE_BYTES 15
 
+enum SnortProtoIdIndex
+{
+    PROTO_INDEX_UNSYNCHRONIZED = 0,
+    PROTO_INDEX_FTP_DATA,
+    PROTO_INDEX_HTTP2,
+    PROTO_INDEX_REXEC,
+    PROTO_INDEX_RSH_ERROR,
+    PROTO_INDEX_SNMP,
+    PROTO_INDEX_SUNRPC,
+    PROTO_INDEX_TFTP,
+    PROTO_INDEX_SIP,
+
+    PROTO_INDEX_MAX
+};
+
 class PatternClientDetector;
 class PatternServiceDetector;
 
@@ -75,9 +90,7 @@ public:
     size_t memcap = 0;
     bool list_odp_detectors = false;
     bool log_all_sessions = false;
-    SnortProtocolId snortId_for_unsynchronized;
-    SnortProtocolId snortId_for_ftp_data;
-    SnortProtocolId snortId_for_http2;
+    SnortProtocolId snort_proto_ids[PROTO_INDEX_MAX];
     void show() const;
 };
 
index 82fb40d9a89d93931d856862f41f3bb7a6f78480..582169af7627ed6f97846ae259228b7a262a923c 100644 (file)
@@ -88,7 +88,7 @@ AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto,
     AppIdSession* asd = new AppIdSession(proto, ip, port, *inspector, odp_context);
     asd->flow = p->flow;
     asd->stats.first_packet_second = p->pkth->ts.tv_sec;
-    asd->snort_protocol_id = asd->config.snortId_for_unsynchronized;
+    asd->snort_protocol_id = asd->config.snort_proto_ids[PROTO_INDEX_UNSYNCHRONIZED];
     p->flow->set_flow_data(asd);
     return asd;
 }
index 24f7b2f035746bbfec098dec5f17d8ad67f45cc0..3b8daad8b7b97b7256470c7565678fcb9c1f13a7 100644 (file)
@@ -177,14 +177,11 @@ struct ServiceSIPData
 };
 
 void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, const SfIp* cliIp,
-    uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol, int16_t app_id)
+    uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol)
 {
-    // FIXIT-E: Passing app_id instead of SnortProtocolId to
-    // create_future_session is incorrect. We need to look up
-    // snort_protocol_id.
-
     AppIdSession* fp = AppIdSession::create_future_session(
-        pkt, cliIp, cliPort, srvIp, srvPort, protocol, app_id);
+        pkt, cliIp, cliPort, srvIp, srvPort, protocol,
+        asd.config.snort_proto_ids[PROTO_INDEX_SIP]);
 
     if ( fp )
     {
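Review bot: The future RTP flow is now registered under `PROTO_INDEX_SIP`, and with the FIXIT removed no comment says why a media flow carries the SIP protocol id rather than one of its own. A short comment above the create_future_session call stating that reason would keep the next reader from treating it as a mistake. The same applies to the RTCP call in the next hunk. createRtpFlow's body continues outside this hunk.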
@@ -203,7 +200,8 @@ void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, con
     // create an RTCP flow as well
 
     AppIdSession* fp2 = AppIdSession::create_future_session(
-        pkt, cliIp, cliPort + 1, srvIp, srvPort + 1, protocol, app_id);
+        pkt, cliIp, cliPort + 1, srvIp, srvPort + 1, protocol,
+        asd.config.snort_proto_ids[PROTO_INDEX_SIP]);
 
     if ( fp2 )
     {
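Review bot: `cliPort + 1` and `srvPort + 1` in the RTCP call come from ports in the SIP media description, and 65535 would wrap to 0 if create_future_session takes 16-bit ports, as the uint16_t parameters here suggest. Other detectors in this commit pass a literal 0 as the client port of a future session, so a wrapped 0 may be read as "any port" and widen what the expected flow matches; that behaviour is not visible here and should be confirmed. A guard before the call, `if (cliPort == UINT16_MAX || srvPort == UINT16_MAX) return;`, skips the RTCP registration in that case. The function body continues outside the hunk.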
@@ -238,9 +236,9 @@ void SipServiceDetector::addFutureRtpFlows(SipEvent& event, AppIdSession& asd)
     while ( media_a && media_b )
     {
         createRtpFlow(asd, event.get_packet(), media_a->get_address(), media_a->get_port(),
-            media_b->get_address(), media_b->get_port(), IpProtocol::UDP, APP_ID_RTP);
+            media_b->get_address(), media_b->get_port(), IpProtocol::UDP);
         createRtpFlow(asd, event.get_packet(), media_b->get_address(), media_b->get_port(),
-            media_a->get_address(), media_b->get_port(), IpProtocol::UDP, APP_ID_RTP);
+            media_a->get_address(), media_b->get_port(), IpProtocol::UDP);
 
         media_a = session_a->next_media_data();
         media_b = session_b->next_media_data();
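Review bot: The second createRtpFlow call passes `media_b->get_port()` for both the client and the server port, while the first call pairs each address with its own port. The server port on that line looks like it should be `media_a->get_port()`. If this is a copy-paste slip, the reverse-direction future flow is registered with the wrong port and media arriving at media_a's port would not match it. The proposed line is `media_a->get_address(), media_a->get_port(), IpProtocol::UDP);`. The loop continues outside the hunk.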
index d4c081f67d34e52cdd1db804c5c704b138f8026c..9dddfef6b9d638d9563cc522a1e905c1f5990892 100644 (file)
@@ -63,7 +63,7 @@ public:
 
 private:
     void createRtpFlow(AppIdSession&, const snort::Packet*, const snort::SfIp* cliIp,
-        uint16_t cliPort, const snort::SfIp* srvIp, uint16_t srvPort, IpProtocol, int16_t app_id);
+        uint16_t cliPort, const snort::SfIp* srvIp, uint16_t srvPort, IpProtocol);
 };
 
 class SipEventHandler : public snort::DataHandler
index a8a497345814e619a6449ee1af8ad9b7a5da1d7d..f5da9064ba539b86ad65ce14a7260d0f1ae2acd3 100644 (file)
@@ -884,15 +884,10 @@ static inline void WatchForCommandResult(ServiceFTPData* fd, AppIdSession& asd,
 void FtpServiceDetector::create_expected_session(AppIdSession& asd, const Packet* pkt, const SfIp* cliIp,
     uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol, AppidSessionDirection dir)
 {
-    // FIXIT-M - Avoid thread locals
-    static THREAD_LOCAL SnortProtocolId ftp_data_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
-    if(ftp_data_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
-        ftp_data_snort_protocol_id = pkt->context->conf->proto_ref->find("ftp-data");
-
     bool swap_flow_app_direction = (dir == APP_ID_FROM_RESPONDER) ? true : false;
 
     AppIdSession* fp = AppIdSession::create_future_session(pkt, cliIp, cliPort, srvIp, srvPort,
-        protocol, ftp_data_snort_protocol_id, swap_flow_app_direction);
+        protocol, asd.config.snort_proto_ids[PROTO_INDEX_FTP_DATA], swap_flow_app_direction);
 
     if (fp) // initialize data session
     {
index c3ed30e015e3baeb749095af3be18d1d999ac620..20a2bbdaa270ae8578c2d1bdedb4513160f02d18 100644 (file)
@@ -123,8 +123,6 @@ int RexecServiceDetector::validate(AppIdDiscoveryArgs& args)
     uint32_t port = 0;
     const uint8_t* data = args.data;
     uint16_t size = args.size;
-    // FIXIT-M - Avoid thread locals
-    static THREAD_LOCAL SnortProtocolId rexec_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
 
     ServiceREXECData* rd = (ServiceREXECData*)data_get(args.asd);
     if (!rd)
@@ -141,9 +139,6 @@ int RexecServiceDetector::validate(AppIdDiscoveryArgs& args)
     switch (rd->state)
     {
     case REXEC_STATE_PORT:
-        if(rexec_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
-            rexec_snort_protocol_id = args.pkt->context->conf->proto_ref->find("rexec");
-
         if (args.dir != APP_ID_FROM_INITIATOR)
             goto bail;
         if (size > REXEC_MAX_PORT_PACKET)
@@ -167,8 +162,10 @@ int RexecServiceDetector::validate(AppIdDiscoveryArgs& args)
 
             dip = args.pkt->ptrs.ip_api.get_dst();
             sip = args.pkt->ptrs.ip_api.get_src();
-            AppIdSession* pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip, (uint16_t)port,
-                IpProtocol::TCP, rexec_snort_protocol_id);
+            AppIdSession* pf = AppIdSession::create_future_session(args.pkt,
+                dip, 0, sip,(uint16_t)port, IpProtocol::TCP,
+                args.asd.config.snort_proto_ids[PROTO_INDEX_REXEC]);
+
             if (pf)
             {
                 ServiceREXECData* tmp_rd = (ServiceREXECData*)snort_calloc(
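Review bot: `(uint16_t)port` narrows a `uint32_t` parsed from packet data, and no range check is visible in this hunk, so a value above 65535 would be silently truncated into a different port for the future session. If the code above the hunk does not already reject it, add `if (port > UINT16_MAX) goto bail;` before the call. The rshell call and the `(uint16_t)tmp` taken from the portmap reply in service_rpc.cc use the same cast. The reformatted argument list also lost a space in `sip,(uint16_t)port`. validate() starts and ends outside the hunk.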
index 2107c3144bca4ec9abbb7097947f9c4b7e15b150..31cd6bc07eece861e8e297b509bf4d6fb001eb10 100644 (file)
@@ -402,19 +402,15 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi
                     pmr = (const ServiceRPCPortmapReply*)data;
                     if (pmr->port)
                     {
-                        // FIXIT-M - Avoid thread locals
-                        static THREAD_LOCAL SnortProtocolId sunrpc_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
-
-                        if(sunrpc_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
-                            sunrpc_snort_protocol_id = pkt->context->conf->proto_ref->find("sunrpc");
-
                         const SfIp* dip = pkt->ptrs.ip_api.get_dst();
                         const SfIp* sip = pkt->ptrs.ip_api.get_src();
                         tmp = ntohl(pmr->port);
 
                         AppIdSession* pf = AppIdSession::create_future_session(
                             pkt, dip, 0, sip, (uint16_t)tmp,
-                            (IpProtocol)ntohl((uint32_t)rd->proto), sunrpc_snort_protocol_id);
+                            (IpProtocol)ntohl((uint32_t)rd->proto),
+                            asd.config.snort_proto_ids[PROTO_INDEX_SUNRPC]);
+
                         if (pf)
                         {
                             pf->add_flow_data_id((uint16_t)tmp, this);
index 0f14d8798b7a81439f6528e6fd721ca0f81063a5..6d375cdbaf7c90d1235258116204ced45ac4d0df 100644 (file)
@@ -118,8 +118,6 @@ int RshellServiceDetector::validate(AppIdDiscoveryArgs& args)
     uint32_t port = 0;
     const uint8_t* data = args.data;
     uint16_t size = args.size;
-    //FIXIT-M - Avoid thread locals
-    static THREAD_LOCAL SnortProtocolId rsh_error_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
 
     ServiceRSHELLData* rd = (ServiceRSHELLData*)data_get(args.asd);
     if (!rd)
@@ -155,13 +153,12 @@ int RshellServiceDetector::validate(AppIdDiscoveryArgs& args)
             goto bail;
         if (port)
         {
-            if(rsh_error_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
-                rsh_error_snort_protocol_id = args.pkt->context->conf->proto_ref->find("rsh-error");
-
             const SfIp* dip = args.pkt->ptrs.ip_api.get_dst();
             const SfIp* sip = args.pkt->ptrs.ip_api.get_src();
-            AppIdSession* pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip,
-                (uint16_t)port, IpProtocol::TCP, rsh_error_snort_protocol_id);
+            AppIdSession* pf = AppIdSession::create_future_session(args.pkt,
+                dip, 0, sip, (uint16_t)port, IpProtocol::TCP,
+                args.asd.config.snort_proto_ids[PROTO_INDEX_RSH_ERROR]);
+
             if (pf)
             {
                 ServiceRSHELLData* tmp_rd = (ServiceRSHELLData*)snort_calloc(
index c4778bbfac3da9f9ea189e8c6d8bff361ffef69e..8cfd50937b319b2a72aadd68138f80db8e5433d5 100644 (file)
@@ -395,8 +395,6 @@ int SnmpServiceDetector::validate(AppIdDiscoveryArgs& args)
     const char* version_str = nullptr;
     const uint8_t* data = args.data;
     uint16_t size = args.size;
-    //FIXIT-M - Avoid thread locals
-    static THREAD_LOCAL SnortProtocolId snmp_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
 
     if (!size)
         goto inprocess;
@@ -465,13 +463,12 @@ int SnmpServiceDetector::validate(AppIdDiscoveryArgs& args)
         sd->state = SNMP_STATE_RESPONSE;
 
         /*adding expected connection in case the server doesn't send from 161*/
-        if(snmp_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
-            snmp_snort_protocol_id = args.pkt->context->conf->proto_ref->find("snmp");
-
         const SfIp* dip = args.pkt->ptrs.ip_api.get_dst();
         const SfIp* sip = args.pkt->ptrs.ip_api.get_src();
-        AppIdSession* pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip,
-            args.pkt->ptrs.sp, args.asd.protocol, snmp_snort_protocol_id);
+        AppIdSession* pf = AppIdSession::create_future_session(args.pkt,
+            dip, 0, sip, args.pkt->ptrs.sp, args.asd.protocol,
+            args.asd.config.snort_proto_ids[PROTO_INDEX_SNMP]);
+
         if (pf)
         {
             tmp_sd = (ServiceSNMPData*)snort_calloc(sizeof(ServiceSNMPData));
index a886999129e2713fd91c35ee260b402b90055686..d6193014a2332fc0a6181fadd6b62b327d01a53f 100644 (file)
@@ -133,8 +133,6 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args)
     AppIdSession* pf = nullptr;
     const uint8_t* data = args.data;
     uint16_t size = args.size;
-    //FIXIT-M - Avoid thread locals
-    static THREAD_LOCAL SnortProtocolId tftp_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
 
     if (!size)
         goto inprocess;
@@ -184,15 +182,15 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args)
         if (strcasecmp((const char*)data, "netascii") && strcasecmp((const char*)data, "octet"))
             goto bail;
 
-        if(tftp_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
-            tftp_snort_protocol_id = args.pkt->context->conf->proto_ref->find("tftp");
 
         tmp_td = (ServiceTFTPData*)snort_calloc(sizeof(ServiceTFTPData));
         tmp_td->state = TFTP_STATE_TRANSFER;
         dip = args.pkt->ptrs.ip_api.get_dst();
         sip = args.pkt->ptrs.ip_api.get_src();
-        pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip,
-            args.pkt->ptrs.sp, args.asd.protocol, tftp_snort_protocol_id);
+        pf = AppIdSession::create_future_session(args.pkt,
+            dip, 0, sip, args.pkt->ptrs.sp, args.asd.protocol,
+            args.asd.config.snort_proto_ids[PROTO_INDEX_TFTP]);
+
         if (pf)
         {
             data_add(*pf, tmp_td, &snort_free);
index 780eafc19d00437aff8748175055b79fa7d32230..d10053ed3c41f5b83f3a4766290d2dc6c1bb12a5 100644 (file)
@@ -352,7 +352,9 @@ TEST(appid_api, is_inspection_needed)
 {
     DummyInspector inspector;
     inspector.set_service(dummy_http2_protocol_id);
-    dummy_appid_inspector.get_ctxt().config.snortId_for_http2 = dummy_http2_protocol_id;
+    dummy_appid_inspector.get_ctxt().config.snort_proto_ids[PROTO_INDEX_HTTP2] =
+        dummy_http2_protocol_id;
+
     CHECK_TRUE(appid_api.is_inspection_needed(inspector));
 
     inspector.set_service(dummy_http2_protocol_id + 1);
index 0056cd2d05303d036014705003740aa3d97506c0..e803b8208787a241570f716ceab239cd230c1c6a 100644 (file)
@@ -716,7 +716,8 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
     }
 
     if (tp_app_id == APP_ID_SSL &&
-        (Stream::get_snort_protocol_id(p->flow) == asd.config.snortId_for_ftp_data))
+        (Stream::get_snort_protocol_id(p->flow) ==
+            asd.config.snort_proto_ids[PROTO_INDEX_FTP_DATA]))
     {
         //  If we see SSL on an FTP data channel set tpAppId back
         //  to APP_ID_NONE so the FTP preprocessor picks up the flow.