Pull request #3307: analyzer: avoid distilling sticky verdicts

Merge in SNORT/snort3 from ~MASHASAN/snort3:sticky_verdict to master

Squashed commit of the following:

commit 3bac1487b51334c6ed6caf9549d3efb991f03f68
Author: Masud Hasan <mashasan@cisco.com>
Date:   Fri Mar 11 12:53:49 2022 -0500

    analyzer: avoid distilling sticky verdicts

diff --git a/src/flow/flow.h b/src/flow/flow.h
index 356d188bb6f5d5dae3ebf4c46332dad25ee3dc40..bce283bb34ebe8f7834af4b9ebe984920d28cc7c 100644 (file)
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -27,6 +27,7 @@
 // state.  Inspector state is stored in FlowData, and Flow manages a list
 // of FlowData items.
 
+#include <daq_common.h>
 #include <sys/time.h>
 
 #include "detection/ips_context_chain.h"
@@ -496,6 +497,8 @@ public:  // FIXIT-M privatize if possible
 
     FilteringState filtering_state;
 
+    DAQ_Verdict last_verdict = MAX_DAQ_VERDICT;
+
 private:
     void clean();
 };

diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc
index 05d3902863087d272579ea177b6f5a9e264441a0..3feca6d4a6998db18bf2091cb60588c9690b803a 100644 (file)
--- a/src/main/analyzer.cc
+++ b/src/main/analyzer.cc
@@ -209,9 +209,18 @@ static bool process_packet(Packet* p)
     return true;
 }
 
+static inline bool is_sticky_verdict(const DAQ_Verdict verdict)
+{
+    return verdict == DAQ_VERDICT_WHITELIST or verdict == DAQ_VERDICT_BLACKLIST
+        or verdict == DAQ_VERDICT_IGNORE;
+}
+
 // Finalize DAQ message verdict
 static DAQ_Verdict distill_verdict(Packet* p)
 {
+    if ( p->flow and is_sticky_verdict(p->flow->last_verdict) )
+        return p->flow->last_verdict;
+
     DAQ_Verdict verdict = DAQ_VERDICT_PASS;
     Active* act = p->active;
 
@@ -281,6 +290,10 @@ static DAQ_Verdict distill_verdict(Packet* p)
             daq_stats.internal_whitelist++;
         }
     }
+
+    if ( p->flow )
+        p->flow->last_verdict = verdict;
+
     return verdict;
 }