Pull request #4439: Require 3whs

Merge in SNORT/snort3 from ~RUCOMBS/snort3:require_3whs to master

Squashed commit of the following:

commit 1fe3d9094bceea1d0f512c5b71c4da92b662407a
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Sep 4 11:56:27 2024 -0400

    stream: recheck flow eligibility if session times out

commit c2456283071ce2a9df50eff31bb7207f85eb0830
Author: Russ Combs <rucombs@cisco.com>
Date:   Thu Aug 22 15:44:01 2024 -0400

    stream_tcp: move require_3whs to stream to avoid undesired flow creation

diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc
index b12106b05b47d7d21174f70f22ea923010d871b1..16373c7749a046850584f7793f0d0e0e7ccd87b2 100644 (file)
--- a/src/flow/flow_control.cc
+++ b/src/flow/flow_control.cc
@@ -350,9 +350,6 @@ void FlowControl::init_proto(PktType type, InspectSsnFunc get_ssn)
     get_proto_session[to_utype(type)] = get_ssn;
 }
 
-// FIXIT-P apply more filtering logic here, eg require_3whs
-// delegate to stream inspectors but that requires binding
-// can't use session because goal is to avoid instantiation
 static bool want_flow(PktType type, Packet* p)
 {
     if ( type != PktType::TCP )
@@ -370,18 +367,21 @@ static bool want_flow(PktType type, Packet* p)
         // guessing direction based on ports is misleading
         return false;
 
-    if ( p->ptrs.tcph->is_syn_ack() or p->dsize )
-        return true;
-
     if ( p->ptrs.tcph->is_syn_only() )
     {
+        if ( Stream::require_3whs() )
+            return true;
+
         if ( p->context->conf->track_on_syn() )
             return true;
-        const unsigned DECODE_TCP_HS = DECODE_TCP_MSS | DECODE_TCP_TS | DECODE_TCP_WS;
-        if ( p->ptrs.decode_flags & DECODE_TCP_HS )
+
+        if ( p->ptrs.decode_flags & (DECODE_TCP_MSS | DECODE_TCP_TS | DECODE_TCP_WS) )
             return true;
     }
 
+    if ( p->ptrs.tcph->is_syn_ack() or p->dsize )
+        return Stream::midstream_allowed(p, true);
+
     p->packet_flags |= PKT_FROM_CLIENT;
     return false;
 }
@@ -471,8 +471,17 @@ unsigned FlowControl::process(Flow* flow, Packet* p, bool new_ha_flow)
         flow->set_direction(p);
 
         // This call can reset the flow state to SETUP in lazy flow timeout cases
-        if ( flow->flow_state != Flow::FlowState::ALLOW )
-            flow->session->precheck(p);
+        if ( flow->flow_state == Flow::FlowState::INSPECT and !flow->session->precheck(p) )
+        {
+            // flow expired, must recheck eligibility
+            if ( !want_flow(flow->pkt_type, p) )
+            {
+                flow->session_state |= STREAM_STATE_CLOSED;
+                return 0;  // flow will be deleted
+            }
+            // flow will restart using existing service
+            // FIXIT-M reuse direction or clear service and use wizard
+        }
     }
 
     if ( flow->flow_state != Flow::FlowState::SETUP )

diff --git a/src/flow/session.h b/src/flow/session.h
index fbd1e7a413c84939f5dcc068e0a60235dbb54032..4204af1472daaf891b75657a65f01cfdc17556b9 100644 (file)
--- a/src/flow/session.h
+++ b/src/flow/session.h
@@ -48,7 +48,7 @@ public:
     virtual int process(snort::Packet*) { return 0; }
 
     virtual void restart(snort::Packet*) { }
-    virtual void precheck(snort::Packet*) { }
+    virtual bool precheck(snort::Packet*) { return false; }
     virtual void clear() = 0;
     virtual void cleanup(snort::Packet* = nullptr) { clear(); }
 

diff --git a/src/flow/test/flow_cache_test.cc b/src/flow/test/flow_cache_test.cc
index 2341b5d3216083fe24633310bf43fbfa95a664f6..f96c3d0a2223e67537bd1c1dc475694e25e45f10 100644 (file)
--- a/src/flow/test/flow_cache_test.cc
+++ b/src/flow/test/flow_cache_test.cc
@@ -116,6 +116,8 @@ namespace ip
 {
 uint32_t IpApi::id() const { return 0; }
 }
+bool Stream::midstream_allowed(Packet const*, bool)
+{ return false; }
 }
 
 ExpectCache::ExpectCache(uint32_t) { }

diff --git a/src/flow/test/flow_control_test.cc b/src/flow/test/flow_control_test.cc
index 234001d244d1e1b83c6ce35abfad5ba29d83588b..c238da128b695ab20c3f8f8f6d0875005517e66b 100644 (file)
--- a/src/flow/test/flow_control_test.cc
+++ b/src/flow/test/flow_control_test.cc
@@ -92,6 +92,8 @@ namespace ip
 {
 uint32_t IpApi::id() const { return 0; }
 }
+bool Stream::midstream_allowed(Packet const*, bool)
+{ return false; }
 }
 
 bool FlowKey::init(

diff --git a/src/main/policy.h b/src/main/policy.h
index 542f50eab56cf4a759fbec8f40b879d1b89a0afb..7dd0527a0ba2dcd51fcad5b213cbf44f45969aad 100644 (file)
--- a/src/main/policy.h
+++ b/src/main/policy.h
@@ -231,6 +231,8 @@ public:
     uint32_t checksum_eval = CHECKSUM_FLAG__ALL | CHECKSUM_FLAG__DEF;
     uint32_t checksum_drop = CHECKSUM_FLAG__DEF;
     uint32_t normal_mask = 0;
+
+    int hs_timeout = -1;
     bool cloned = false;
 
 private:

diff --git a/src/stream/base/stream_module.cc b/src/stream/base/stream_module.cc
index 1f52643a97c96c4e134b83797a819ba358debd9d..895510569bec2c1620a088949385527d97a14766 100644 (file)
--- a/src/stream/base/stream_module.cc
+++ b/src/stream/base/stream_module.cc
@@ -85,6 +85,9 @@ static const Parameter s_params[] =
       "use zero for production, non-zero for testing at given size (for TCP and user)" },
 #endif
 
+    { "held_packet_timeout", Parameter::PT_INT, "1:max32", "1000",
+      "timeout in milliseconds for held packets" },
+
     { "ip_frags_only", Parameter::PT_BOOL, nullptr, "false",
       "don't process non-frag flows" },
 
@@ -97,8 +100,8 @@ static const Parameter s_params[] =
     { "pruning_timeout", Parameter::PT_INT, "1:max32", "30",
       "minimum inactive time before being eligible for pruning" },
 
-    { "held_packet_timeout", Parameter::PT_INT, "1:max32", "1000",
-      "timeout in milliseconds for held packets" },
+    { "require_3whs", Parameter::PT_INT, "-1:max31", "-1",
+      "don't track midstream TCP sessions after given seconds from start up; -1 tracks all" },
 
     FLOW_TYPE_TABLE("ip_cache",   "ip",   ip_params),
     FLOW_TYPE_TABLE("icmp_cache", "icmp", icmp_params),
@@ -288,65 +291,61 @@ bool StreamModule::begin(const char* fqn, int, SnortConfig*)
 
 bool StreamModule::set(const char* fqn, Value& v, SnortConfig* c)
 {
-    PktType type = PktType::NONE;
-
 #ifdef REG_TEST
     if ( v.is("footprint") )
-    {
         config.footprint = v.get_uint32();
-        return true;
-    }
+    else
 #endif
 
-    if ( v.is("ip_frags_only") )
+    if ( v.is("held_packet_timeout") )
+        config.held_packet_timeout = v.get_uint32();
+
+    else if ( v.is("ip_frags_only") )
     {
         if ( v.get_bool() )
             c->set_run_flags(RUN_FLAG__IP_FRAGS_ONLY);
-        return true;
     }
     else if ( v.is("max_flows") )
-    {
         config.flow_cache_cfg.max_flows = v.get_uint32();
-        return true;
-    }
+
     else if ( v.is("prune_flows") )
-    {
         config.flow_cache_cfg.prune_flows = v.get_uint32();
-        return true;
-    }
+
     else if ( v.is("pruning_timeout") )
-    {
         config.flow_cache_cfg.pruning_timeout = v.get_uint32();
-        return true;
-    }
-    else if ( v.is("held_packet_timeout") )
+
+    else if ( v.is("require_3whs") )
+        config.hs_timeout = v.get_int32();
+
+    else if ( !strcmp(fqn, "stream.file_cache.idle_timeout") )
+        config.flow_cache_cfg.proto[to_utype(PktType::FILE)].nominal_timeout = v.get_uint32();
+
+    else if ( !strcmp(fqn, "stream.ip_cache.idle_timeout") )
+        config.flow_cache_cfg.proto[to_utype(PktType::IP)].nominal_timeout = v.get_uint32();
+
+    else if ( !strcmp(fqn, "stream.icmp_cache.idle_timeout") )
+        config.flow_cache_cfg.proto[to_utype(PktType::ICMP)].nominal_timeout = v.get_uint32();
+
+    else if ( !strcmp(fqn, "stream.tcp_cache.idle_timeout") )
+        config.flow_cache_cfg.proto[to_utype(PktType::TCP)].nominal_timeout = v.get_uint32();
+
+    else if ( !strcmp(fqn, "stream.udp_cache.idle_timeout") )
+        config.flow_cache_cfg.proto[to_utype(PktType::UDP)].nominal_timeout = v.get_uint32();
+
+    else
     {
-        config.held_packet_timeout = v.get_uint32();
-        return true;
+        assert(!strcmp(fqn, "stream.user_cache.idle_timeout"));
+        config.flow_cache_cfg.proto[to_utype(PktType::USER)].nominal_timeout = v.get_uint32();
     }
-    else if ( strstr(fqn, "ip_cache") )
-        type = PktType::IP;
-    else if ( strstr(fqn, "icmp_cache") )
-        type = PktType::ICMP;
-    else if ( strstr(fqn, "tcp_cache") )
-        type = PktType::TCP;
-    else if ( strstr(fqn, "udp_cache") )
-        type = PktType::UDP;
-    else if ( strstr(fqn, "user_cache") )
-        type = PktType::USER;
-    else if ( strstr(fqn, "file_cache") )
-        type = PktType::FILE;
-    else
-        return false;
-
-    if ( v.is("idle_timeout") )
-        config.flow_cache_cfg.proto[to_utype(type)].nominal_timeout = v.get_uint32();
 
     return true;
 }
 
 bool StreamModule::end(const char* fqn, int, SnortConfig* sc)
 {
+    if ( config.hs_timeout != -1 ) // condition required until stream_tcp.require_3whs is removed
+        get_network_parse_policy()->hs_timeout = config.hs_timeout;
+
     if ( Snort::is_reloading() && strcmp(fqn, MOD_NAME) == 0 )
     {
         StreamReloadResourceManager* reload_resource_manager = new StreamReloadResourceManager;
@@ -484,6 +483,7 @@ void StreamModuleConfig::show() const
     ConfigLogger::log_value("max_aux_ip", SnortConfig::get_conf()->max_aux_ip);
     ConfigLogger::log_value("pruning_timeout", flow_cache_cfg.pruning_timeout);
     ConfigLogger::log_value("prune_flows", flow_cache_cfg.prune_flows);
+    ConfigLogger::log_limit("require_3whs", hs_timeout, -1, hs_timeout < 0 ? hs_timeout : -1);
 
     for (int i = to_utype(PktType::IP); i < to_utype(PktType::PDU); ++i)
     {

diff --git a/src/stream/base/stream_module.h b/src/stream/base/stream_module.h
index 1af46bc33f9f88a502f295a99f5c778bcaf2dd02..d4ccdb619b458a460c9714bd189a0c5059007233 100644 (file)
--- a/src/stream/base/stream_module.h
+++ b/src/stream/base/stream_module.h
@@ -29,6 +29,8 @@
 #include "framework/module.h"
 #include "main/analyzer.h"
 #include "main/reload_tuner.h"
+#include "protocols/packet.h"
+#include "time/packet_time.h"
 
 namespace snort
 {
@@ -120,6 +122,7 @@ struct StreamModuleConfig
     unsigned footprint = 0;
 #endif
     uint32_t held_packet_timeout = 1000;  // in milliseconds
+    int hs_timeout = -1;
 
     void show() const;
 };

diff --git a/src/stream/stream.cc b/src/stream/stream.cc
index 7ac15a1d2ccacd421d4233cc78d577847cd71789..7ab70490496b67707414c31466910ccc3e118a9a 100644 (file)
--- a/src/stream/stream.cc
+++ b/src/stream/stream.cc
@@ -45,6 +45,7 @@
 #include "trace/trace_api.h"
 #include "utils/util.h"
 
+#include "tcp/tcp_module.h"
 #include "tcp/tcp_session.h"
 #include "tcp/tcp_stream_tracker.h"
 
@@ -157,6 +158,19 @@ FlowData* Stream::get_flow_data(
 // session status
 //-------------------------------------------------------------------------
 
+bool Stream::midstream_allowed(const Packet* p, bool alert)
+{
+    int t = get_network_policy()->hs_timeout;
+
+    if ( (t < 0) or (p->pkth->ts.tv_sec - packet_first_time() < t) )
+        return true;
+
+    if ( alert )
+        DetectionEngine::queue_event(GID_STREAM_TCP, STREAM_TCP_NO_3WHS);
+
+    return false;
+}
+
 void Stream::check_flow_closed(Packet* p)
 {
     Flow* flow = p->flow;

diff --git a/src/stream/stream.h b/src/stream/stream.h
index f355e42eed66da8ca5a1f7a778c3789b87b577df..89e5a4f1979b855dcfd163e69f85b973eff39c83 100644 (file)
--- a/src/stream/stream.h
+++ b/src/stream/stream.h
@@ -29,6 +29,9 @@
 #include <daq_common.h>
 
 #include "flow/flow.h"
+#include "main/policy.h"
+#include "protocols/packet.h"
+#include "time/packet_time.h"
 
 class HostAttributesDescriptor;
 typedef std::shared_ptr<HostAttributesDescriptor> HostAttributesEntry;
@@ -157,7 +160,6 @@ public:
         Flow*, Packet* p, uint32_t gid, uint32_t sid,
         uint32_t eventId, uint32_t eventSecond);
 
-
     static void disable_reassembly(Flow*);
 
     // Returns true if stream data for the flow is in sequence, otherwise return false.
@@ -217,13 +219,18 @@ public:
     // Handle session block pending state
     static void check_flow_closed(Packet*);
 
-    static void populate_flow_key(const Packet*, FlowKey*);
+    static bool require_3whs()
+    { return get_network_policy()->hs_timeout >= 0; }
 
-    static void set_snort_protocol_id_from_ha(Flow*, const SnortProtocolId);
+    static bool midstream_allowed(const Packet* p, bool alert = false);
 
     static bool is_midstream(Flow* flow)
     { return ((flow->ssn_state.session_flags & SSNFLAG_MIDSTREAM) != 0); }
 
+    static void populate_flow_key(const Packet*, FlowKey*);
+
+    static void set_snort_protocol_id_from_ha(Flow*, const SnortProtocolId);
+
     // Get the TTL value used at session setup
     // Set outer=false to get inner ip ttl for ip in ip; else outer=true
     static uint8_t get_flow_ttl(Flow*, char dir, bool outer);

diff --git a/src/stream/tcp/tcp_module.cc b/src/stream/tcp/tcp_module.cc
index 894ffe5537e243ca0423016e9fc024b020a11f50..dbef615d80b15390e117bbca0dece87957b611e2 100644 (file)
--- a/src/stream/tcp/tcp_module.cc
+++ b/src/stream/tcp/tcp_module.cc
@@ -215,7 +215,7 @@ static const Parameter s_params[] =
       "queue data for reassembly before traffic is seen in both directions" },
 
     { "require_3whs", Parameter::PT_INT, "-1:max31", "-1",
-      "don't track midstream sessions after given seconds from start up; -1 tracks all" },
+      "deprecated: use stream.require_3whs instead" },
 
     { "show_rebuilt_packets", Parameter::PT_BOOL, nullptr, "false",
       "enable cmg like output of reassembled packets" },
@@ -372,9 +372,10 @@ bool StreamTcpModule::set(const char*, Value& v, SnortConfig*)
 
     else if ( v.is("require_3whs") )
     {
-        config->hs_timeout = v.get_int32();
+        int t = v.get_int32();
+        if ( t != -1 )
+            get_network_parse_policy()->hs_timeout = v.get_int32();
     }
-
     else if ( v.is("show_rebuilt_packets") )
     {
         if ( v.get_bool() )
@@ -409,13 +410,6 @@ bool StreamTcpModule::begin(const char* fqn, int, SnortConfig*)
     return true;
 }
 
-bool StreamTcpModule::end(const char*, int, SnortConfig* sc)
-{
-    if ( config->hs_timeout >= 0 )
-        sc->set_run_flags(RUN_FLAG__TRACK_ON_SYN);
-    return true;
-}
-
 const PegInfo* StreamTcpModule::get_pegs() const
 { return tcp_pegs; }
 

diff --git a/src/stream/tcp/tcp_module.h b/src/stream/tcp/tcp_module.h
index 6ed90c3c142eae1f81f6f176a748b945f0e91f28..01d27c030fe8017170ee2487f60a85da861e91e3 100644 (file)
--- a/src/stream/tcp/tcp_module.h
+++ b/src/stream/tcp/tcp_module.h
@@ -140,7 +140,6 @@ public:
 
     bool set(const char*, snort::Value&, snort::SnortConfig*) override;
     bool begin(const char*, int, snort::SnortConfig*) override;
-    bool end(const char*, int, snort::SnortConfig*) override;
 
     const snort::RuleMap* get_rules() const override;
 

diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc
index fde1c11c1ed74fbbb56fc2493e32b0d842834169..62904fc9daf29c5f412e238e94594ec8635741dd 100644 (file)
--- a/src/stream/tcp/tcp_normalizer.cc
+++ b/src/stream/tcp/tcp_normalizer.cc
@@ -232,15 +232,13 @@ void TcpNormalizer::trim_mss_payload(
 }
 
 void TcpNormalizer::ecn_tracker(
-    TcpNormalizerState& tns, const tcp::TCPHdr* tcph, bool req3way)
+    TcpNormalizerState& tns, const tcp::TCPHdr* tcph)
 {
-    if ( tcph->is_syn_ack() )
-    {
-        if ( !req3way || tns.session->ecn )
-            tns.session->ecn = ((tcph->th_flags & (TH_ECE | TH_CWR)) == TH_ECE);
-    }
-    else if ( tcph->is_syn() )
+    if ( tcph->is_syn_only() )
         tns.session->ecn = tcph->are_flags_set(TH_ECE | TH_CWR);
+
+    else if ( tcph->is_syn_ack() )
+        tns.session->ecn = tns.session->ecn and ((tcph->th_flags & (TH_ECE | TH_CWR)) == TH_ECE);
 }
 
 void TcpNormalizer::ecn_stripper(

diff --git a/src/stream/tcp/tcp_normalizer.h b/src/stream/tcp/tcp_normalizer.h
index 1d00559438486058e1733c941d96d90c57270a1d..1df0c9d3fd03ffc6cc946a44b42733298c690928 100644 (file)
--- a/src/stream/tcp/tcp_normalizer.h
+++ b/src/stream/tcp/tcp_normalizer.h
@@ -79,7 +79,7 @@ public:
     virtual void trim_win_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0,
         bool force = false);
     virtual void trim_mss_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0);
-    virtual void ecn_tracker(State&, const snort::tcp::TCPHdr*, bool req3way);
+    virtual void ecn_tracker(State&, const snort::tcp::TCPHdr*);
     virtual void ecn_stripper(State&, TcpSegmentDescriptor&);
     virtual uint32_t get_zwp_seq(State&);
     virtual uint32_t get_stream_window(State&, TcpSegmentDescriptor&);

diff --git a/src/stream/tcp/tcp_normalizers.h b/src/stream/tcp/tcp_normalizers.h
index a52315da7ca48212e938c2bea4bc6f08b8533446..1c985e66e32531ecf6f75f38b13ec7959e8293f7 100644 (file)
--- a/src/stream/tcp/tcp_normalizers.h
+++ b/src/stream/tcp/tcp_normalizers.h
@@ -71,8 +71,8 @@ public:
     void trim_mss_payload(TcpSegmentDescriptor& tsd, uint32_t max = 0)
     { norm->trim_mss_payload(tns, tsd, max); }
 
-    void ecn_tracker(const snort::tcp::TCPHdr* tcph, bool req3way)
-    { norm->ecn_tracker(tns, tcph, req3way); }
+    void ecn_tracker(const snort::tcp::TCPHdr* tcph)
+    { norm->ecn_tracker(tns, tcph); }
 
     void ecn_stripper(TcpSegmentDescriptor& tsd)
     { norm->ecn_stripper(tns, tsd); }

diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc
index 9ed5f7276cb575b41a763e7e66bee95ad75b8da8..11bc88670bf40f36f78839cc1964472c984dd3cc 100644 (file)
--- a/src/stream/tcp/tcp_session.cc
+++ b/src/stream/tcp/tcp_session.cc
@@ -102,7 +102,6 @@ bool TcpSession::setup(Packet*)
     client.init_tcp_state(this);
     server.init_tcp_state(this);
     tcp_init = false;
-    generate_3whs_alert = true;
     cleaning = false;
     splitter_init = false;
 
@@ -415,20 +414,17 @@ bool TcpSession::handle_syn_on_reset_session(TcpSegmentDescriptor& tsd)
             flow->set_ttl(tsd.get_pkt(), true);
             init_session_on_syn(tsd);
             tcpStats.resyns++;
-            listener->normalizer.ecn_tracker(tcph, tcp_config->require_3whs());
+            listener->normalizer.ecn_tracker(tcph);
             flow->update_session_flags(SSNFLAG_SEEN_CLIENT);
         }
         else if ( tcph->is_syn_ack() )
         {
-            if ( tcp_config->midstream_allowed(tsd.get_pkt()) )
-            {
-                flow->ssn_state.direction = FROM_SERVER;
-                flow->set_ttl(tsd.get_pkt(), false);
-                init_session_on_synack(tsd);
-                tcpStats.resyns++;
-            }
+            flow->ssn_state.direction = FROM_SERVER;
+            flow->set_ttl(tsd.get_pkt(), false);
+            init_session_on_synack(tsd);
+            tcpStats.resyns++;
 
-            listener->normalizer.ecn_tracker(tcph, tcp_config->require_3whs());
+            listener->normalizer.ecn_tracker(tcph);
             flow->update_session_flags(SSNFLAG_SEEN_SERVER);
         }
     }
@@ -933,7 +929,7 @@ bool TcpSession::ignore_this_packet(Packet* p)
     return false;
 }
 
-void TcpSession::cleanup_session_if_expired(Packet* p)
+bool TcpSession::cleanup_session_if_expired(Packet* p)
 {
     // Check if the session is expired. Should be done before we do something with
     // the packet...Insert a packet, or handle state change SYN, FIN, RST, etc.
@@ -947,20 +943,22 @@ void TcpSession::cleanup_session_if_expired(Packet* p)
 
         tcpStats.timeouts++;
         TcpHAManager::process_deletion(*flow);
+
+        return true;
     }
+    return false;
 }
 
-void TcpSession::precheck(Packet* p)
+bool TcpSession::precheck(Packet* p)
 {
     // Check if the session is expired. Should be done before we do something with
     // the packet...Insert a packet, or handle state change SYN, FIN, RST, etc.
-    cleanup_session_if_expired(p);
+    return !cleanup_session_if_expired(p);
 }
 
 void TcpSession::init_tcp_packet_analysis(TcpSegmentDescriptor& tsd)
 {
-    if ( !splitter_init and tsd.is_data_segment() and
-        (tcp_init or is_midstream_allowed(tsd)) )
+    if ( !splitter_init and tsd.is_data_segment() )
     {
         if ( !(tcp_config->flags & STREAM_CONFIG_NO_REASSEMBLY) and
                 !(tsd.get_flow()->flags.disable_reassembly_by_ips) )

diff --git a/src/stream/tcp/tcp_session.h b/src/stream/tcp/tcp_session.h
index 42a6989842b0296722ab20c00eba4e98d06eb3b7..f71da8f3972c5dcc4bf89f53e50e1616d1daf881 100644 (file)
--- a/src/stream/tcp/tcp_session.h
+++ b/src/stream/tcp/tcp_session.h
@@ -23,6 +23,7 @@
 #include "flow/flow.h"
 #include "flow/session.h"
 #include "protocols/packet.h"
+#include "stream/stream.h"
 
 #include "tcp_event_logger.h"
 #include "tcp_state_machine.h"
@@ -48,7 +49,7 @@ public:
 
     bool setup(snort::Packet*) override;
     void restart(snort::Packet* p) override;
-    void precheck(snort::Packet* p) override;
+    bool precheck(snort::Packet* p) override;
     int process(snort::Packet*) override;
 
     void clear() override;
@@ -94,9 +95,6 @@ public:
     void handle_data_on_syn(TcpSegmentDescriptor&);
     void update_ignored_session(TcpSegmentDescriptor&);
 
-    bool is_midstream_allowed(const TcpSegmentDescriptor& tsd)
-    { return tcp_config->midstream_allowed(tsd.get_pkt()); }
-
     uint16_t get_mss(bool to_server) const;
     uint8_t get_tcp_options_len(bool to_server) const;
 
@@ -105,15 +103,6 @@ public:
     bool set_no_ack(bool);
     bool no_ack_mode_enabled() { return no_ack; }
 
-    void generate_no_3whs_event()
-    {
-        if ( generate_3whs_alert && flow->two_way_traffic())
-        {
-            tel.set_tcp_event(EVENT_NO_3WHS);
-            generate_3whs_alert = false;
-        }
-    }
-
     void set_pkt_action_flag(uint32_t flag)
     { pkt_action_mask |= flag; }
 
@@ -142,7 +131,6 @@ public:
     int16_t egress_group = DAQ_PKTHDR_UNKNOWN;
     uint32_t daq_flags = 0;
     uint32_t address_space_id = 0;
-    bool generate_3whs_alert = true;
     bool cleaning = false;
     uint8_t held_packet_dir = SSN_DIR_NONE;
     uint8_t ecn = 0;
@@ -155,7 +143,7 @@ private:
     void init_session_on_synack(TcpSegmentDescriptor&);
     void update_on_3whs_complete(TcpSegmentDescriptor&);
     bool ignore_this_packet(snort::Packet*);
-    void cleanup_session_if_expired(snort::Packet*);
+    bool cleanup_session_if_expired(snort::Packet*);
     void init_tcp_packet_analysis(TcpSegmentDescriptor&);
     void check_events_and_actions(const TcpSegmentDescriptor& tsd);
     void flush_tracker(TcpStreamTracker&, snort::Packet*, uint32_t dir, bool final_flush);

diff --git a/src/stream/tcp/tcp_state_close_wait.cc b/src/stream/tcp/tcp_state_close_wait.cc
index 70b3b23d8d75d84e0e6bd847c2901767bbfc497e..90b78ec6ad7b6c5ffeb82785bad25b65bc73e3c3 100644 (file)
--- a/src/stream/tcp/tcp_state_close_wait.cc
+++ b/src/stream/tcp/tcp_state_close_wait.cc
@@ -36,7 +36,7 @@ TcpStateCloseWait::TcpStateCloseWait(TcpStateMachine& tsm) :
 
 bool TcpStateCloseWait::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs() );
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
 
     if ( tsd.is_data_segment() )
         trk.session->handle_data_on_syn(tsd);

diff --git a/src/stream/tcp/tcp_state_closing.cc b/src/stream/tcp/tcp_state_closing.cc
index e78e1711dda02b166c8db70331238e9d907f804d..c9a5c82462bea15ea4e6e06992b57b00a81694d1 100644 (file)
--- a/src/stream/tcp/tcp_state_closing.cc
+++ b/src/stream/tcp/tcp_state_closing.cc
@@ -42,7 +42,7 @@ bool TcpStateClosing::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 
 bool TcpStateClosing::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     if ( tsd.is_data_segment() )
         trk.session->handle_data_on_syn(tsd);
     return true;

diff --git a/src/stream/tcp/tcp_state_established.cc b/src/stream/tcp/tcp_state_established.cc
index 26a25efdbd094c1c0527865db2987cd63f11cce6..8d0ae10a2d47bac6572866c29069a5006bad0c88 100644 (file)
--- a/src/stream/tcp/tcp_state_established.cc
+++ b/src/stream/tcp/tcp_state_established.cc
@@ -43,30 +43,27 @@ bool TcpStateEstablished::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker&
 bool TcpStateEstablished::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
     trk.session->check_for_repeated_syn(tsd);
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     return true;
 }
 
 bool TcpStateEstablished::syn_ack_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    if ( trk.session->tcp_config->midstream_allowed(tsd.get_pkt()) )
+    // FIXIT-M there may be an issue when syn/ack from server is seen
+    // after ack from client which causes some tracker state variables to
+    // not be initialized... update_tracker_ack_sent may fix that but needs
+    // more testing
+    //trk.update_tracker_ack_sent( tsd );
+    Flow* flow = tsd.get_flow();
+    if ( !(flow->session_state & STREAM_STATE_ESTABLISHED) )
     {
-        // FIXIT-M there may be an issue when syn/ack from server is seen
-        // after ack from client which causes some tracker state variables to
-        // not be initialized... update_tracker_ack_sent may fix that but needs
-        // more testing
-        //trk.update_tracker_ack_sent( tsd );
-        Flow* flow = tsd.get_flow();
-        if ( !(flow->session_state & STREAM_STATE_ESTABLISHED) )
-        {
-            /* SYN-ACK from server */
-            if (flow->session_state != STREAM_STATE_NONE)
-                trk.session->update_perf_base_state(TcpStreamTracker::TCP_ESTABLISHED);
-        }
+        /* SYN-ACK from server */
+        if (flow->session_state != STREAM_STATE_NONE)
+            trk.session->update_perf_base_state(TcpStreamTracker::TCP_ESTABLISHED);
     }
 
     if ( trk.is_server_tracker() )
-        trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs() );
+        trk.normalizer.ecn_tracker(tsd.get_tcph());
 
     return true;
 }

diff --git a/src/stream/tcp/tcp_state_fin_wait1.cc b/src/stream/tcp/tcp_state_fin_wait1.cc
index b7a9320c171cad1324e7401bba43a20470857d33..9ba2fd3c8677bfc70501164ce8bc4dfa241f7a5c 100644 (file)
--- a/src/stream/tcp/tcp_state_fin_wait1.cc
+++ b/src/stream/tcp/tcp_state_fin_wait1.cc
@@ -43,7 +43,7 @@ bool TcpStateFinWait1::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk
 
 bool TcpStateFinWait1::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     if ( tsd.is_data_segment() )
         trk.session->handle_data_on_syn(tsd);
     return true;

diff --git a/src/stream/tcp/tcp_state_fin_wait2.cc b/src/stream/tcp/tcp_state_fin_wait2.cc
index 36ab6d1e95c200a1085c939310cf48ad31e9237e..faead05ff63b71ca65821386f2f120c3df468f47 100644 (file)
--- a/src/stream/tcp/tcp_state_fin_wait2.cc
+++ b/src/stream/tcp/tcp_state_fin_wait2.cc
@@ -42,7 +42,7 @@ bool TcpStateFinWait2::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk
 
 bool TcpStateFinWait2::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     if ( tsd.is_data_segment() )
         trk.session->handle_data_on_syn(tsd);
     return true;

diff --git a/src/stream/tcp/tcp_state_last_ack.cc b/src/stream/tcp/tcp_state_last_ack.cc
index e4b985a5b2a5dd9bba0c88922f6aadb6a24391eb..bf9044d4372779f03571ea83c491d1982abb35dd 100644 (file)
--- a/src/stream/tcp/tcp_state_last_ack.cc
+++ b/src/stream/tcp/tcp_state_last_ack.cc
@@ -42,7 +42,7 @@ bool TcpStateLastAck::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 
 bool TcpStateLastAck::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     if ( tsd.is_data_segment() )
         trk.session->handle_data_on_syn(tsd);
     return true;

diff --git a/src/stream/tcp/tcp_state_listen.cc b/src/stream/tcp/tcp_state_listen.cc
index 49ef29170a9c00ca67283ab2d287354ab8a62a9f..ba341bcc4736ad4e5c49f14747eebcfb99f590ab 100644 (file)
--- a/src/stream/tcp/tcp_state_listen.cc
+++ b/src/stream/tcp/tcp_state_listen.cc
@@ -42,7 +42,7 @@ TcpStateListen::TcpStateListen(TcpStateMachine& tsm) :
 bool TcpStateListen::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
     trk.init_on_syn_recv(tsd);
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     trk.session->set_pkt_action_flag(trk.normalizer.handle_paws(tsd) );
     if ( tsd.is_data_segment() )
         trk.session->handle_data_on_syn(tsd);
@@ -51,104 +51,45 @@ bool TcpStateListen::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 
 bool TcpStateListen::syn_ack_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        trk.init_on_synack_sent(tsd);
-        trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
-        trk.session->init_new_tcp_session(tsd);
-    }
-    else if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
-    return true;
-}
-
-bool TcpStateListen::ack_sent(TcpSegmentDescriptor&, TcpStreamTracker& trk)
-{
-    if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
+    trk.init_on_synack_sent(tsd);
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
+    trk.session->init_new_tcp_session(tsd);
     return true;
 }
 
 bool TcpStateListen::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        Flow* flow = tsd.get_flow();
-        flow->session_state |= STREAM_STATE_MIDSTREAM;
-
-        if ( !Stream::is_midstream(flow) )
-        {
-            TcpStreamTracker* listener = tsd.get_listener();
-            TcpStreamTracker* talker = tsd.get_talker();
-
-            trk.normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, listener, talker);
-            trk.normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, talker, listener);
-            flow->set_session_flags(SSNFLAG_MIDSTREAM);
+    Flow* flow = tsd.get_flow();
+    flow->session_state |= STREAM_STATE_MIDSTREAM;
 
-            if ( PacketTracer::is_active() )
-                PacketTracer::log("Stream TCP did not see the complete 3-Way Handshake. "
-                "Not all normalizations will be in effect\n");
+    if ( !Stream::is_midstream(flow) )
+    {
+        TcpStreamTracker* listener = tsd.get_listener();
+        TcpStreamTracker* talker = tsd.get_talker();
 
-            DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
-        }
+        trk.normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, listener, talker);
+        trk.normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, talker, listener);
+        flow->set_session_flags(SSNFLAG_MIDSTREAM);
 
-        trk.init_on_data_seg_sent(tsd);
-        trk.session->init_new_tcp_session(tsd);
-    }
-    else if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
-    return true;
-}
+        if ( PacketTracer::is_active() )
+            PacketTracer::log("Stream TCP did not see the complete 3-Way Handshake. "
+            "Not all normalizations will be in effect\n");
 
-bool TcpStateListen::data_seg_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
-{
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        Flow* flow = tsd.get_flow();
-        flow->session_state |= STREAM_STATE_MIDSTREAM;
-        trk.init_on_data_seg_recv(tsd);
-        trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
-        trk.session->handle_data_segment(tsd, !trk.normalizer.is_tcp_ips_enabled());
+        DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
     }
-    else if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
-    return true;
-}
 
-bool TcpStateListen::fin_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
-{
-    if ( !trk.session->is_midstream_allowed(tsd) && trk.session->tcp_config->require_3whs() )
-    {
-        // FIXIT-L listen gets fin triggers 129:20 ??
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
+    trk.init_on_data_seg_sent(tsd);
+    trk.session->init_new_tcp_session(tsd);
     return true;
 }
 
-bool TcpStateListen::fin_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
+bool TcpStateListen::data_seg_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        // FIXIT-L handle FIN on midstream
-    }
-    else if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
+    Flow* flow = tsd.get_flow();
+    flow->session_state |= STREAM_STATE_MIDSTREAM;
+    trk.init_on_data_seg_recv(tsd);
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
+    trk.session->handle_data_segment(tsd, !trk.normalizer.is_tcp_ips_enabled());
     return true;
 }
 

diff --git a/src/stream/tcp/tcp_state_listen.h b/src/stream/tcp/tcp_state_listen.h
index 3686e2bc854124f3a10b425d4e4f1c68b40af289..81ec2f0f14c1f2abe7a391ef6fa6558612072d27 100644 (file)
--- a/src/stream/tcp/tcp_state_listen.h
+++ b/src/stream/tcp/tcp_state_listen.h
@@ -31,11 +31,8 @@ public:
 
     bool syn_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
     bool syn_ack_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
-    bool ack_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
     bool data_seg_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
     bool data_seg_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
-    bool fin_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
-    bool fin_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
     bool rst_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
 
     bool do_post_sm_packet_actions(TcpSegmentDescriptor&, TcpStreamTracker&) override;

diff --git a/src/stream/tcp/tcp_state_mid_stream_recv.cc b/src/stream/tcp/tcp_state_mid_stream_recv.cc
index b510c862025b0422895f1149728123fdd2dd3cc8..476fcaffffb17ff3b55ce1f6e31e8ea2b3719079 100644 (file)
--- a/src/stream/tcp/tcp_state_mid_stream_recv.cc
+++ b/src/stream/tcp/tcp_state_mid_stream_recv.cc
@@ -45,7 +45,7 @@ bool TcpStateMidStreamRecv::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker
 bool TcpStateMidStreamRecv::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
     trk.session->check_for_repeated_syn(tsd);
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     return true;
 }
 

diff --git a/src/stream/tcp/tcp_state_mid_stream_sent.cc b/src/stream/tcp/tcp_state_mid_stream_sent.cc
index 4df685f2015a269ae446ebaf18c52f9e26bf993c..9ba371ec22a39ee0faecdd317c49c1851acce531 100644 (file)
--- a/src/stream/tcp/tcp_state_mid_stream_sent.cc
+++ b/src/stream/tcp/tcp_state_mid_stream_sent.cc
@@ -43,7 +43,7 @@ bool TcpStateMidStreamSent::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker
 bool TcpStateMidStreamSent::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
     trk.session->check_for_repeated_syn(tsd);
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     trk.set_tcp_state(TcpStreamTracker::TCP_ESTABLISHED);
     return true;
 }

diff --git a/src/stream/tcp/tcp_state_none.cc b/src/stream/tcp/tcp_state_none.cc
index de26c2a6f7a0e1cffd33540769f2e4d9bd20cb27..d106d74fdbddd5f96c477b00b85b788ece1c49c9 100644 (file)
--- a/src/stream/tcp/tcp_state_none.cc
+++ b/src/stream/tcp/tcp_state_none.cc
@@ -48,125 +48,48 @@ bool TcpStateNone::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
     return true;
 }
 
-bool TcpStateNone::syn_ack_sent(TcpSegmentDescriptor&, TcpStreamTracker& trk)
-{
-    trk.session->generate_no_3whs_event();
-    return false;
-}
-
 bool TcpStateNone::syn_ack_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        trk.init_on_synack_recv(tsd);
-        trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
-        if ( tsd.is_data_segment() )
-            trk.session->handle_data_segment(tsd, !trk.normalizer.is_tcp_ips_enabled());
-    }
-    else if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
-    return true;
-}
-
-bool TcpStateNone::ack_sent(TcpSegmentDescriptor&, TcpStreamTracker& trk)
-{
-    if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
+    trk.init_on_synack_recv(tsd);
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
+    if ( tsd.is_data_segment() )
+        trk.session->handle_data_segment(tsd, !trk.normalizer.is_tcp_ips_enabled());
     return true;
 }
 
 bool TcpStateNone::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        Flow* flow = tsd.get_flow();
-        flow->session_state |= STREAM_STATE_MIDSTREAM;
-
-        if ( !Stream::is_midstream(flow) )
-        {
-            TcpStreamTracker* listener = tsd.get_listener();
-            TcpStreamTracker* talker = tsd.get_talker();
-
-            trk.normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, listener, talker);
-            trk.normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, talker, listener);
-            flow->set_session_flags(SSNFLAG_MIDSTREAM);
-
-            if ( PacketTracer::is_active() )
-                PacketTracer::log("Stream TCP did not see the complete 3-Way Handshake. "
-                "Not all normalizations will be in effect\n");
-
-            DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
-        }
+    Flow* flow = tsd.get_flow();
+    flow->session_state |= STREAM_STATE_MIDSTREAM;
 
-        trk.init_on_data_seg_sent(tsd);
-        trk.session->init_new_tcp_session(tsd);
-    }
-    else if ( trk.session->tcp_config->require_3whs() )
+    if ( !Stream::is_midstream(flow) )
     {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
-    return true;
-}
+        TcpStreamTracker* listener = tsd.get_listener();
+        TcpStreamTracker* talker = tsd.get_talker();
 
-bool TcpStateNone::data_seg_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
-{
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        Flow* flow = tsd.get_flow();
-        flow->session_state |= STREAM_STATE_MIDSTREAM;
-        trk.init_on_data_seg_recv(tsd);
-        trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
-        trk.session->handle_data_segment(tsd, !trk.normalizer.is_tcp_ips_enabled());
-    }
-    else if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
-    return true;
-}
+        trk.normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, listener, talker);
+        trk.normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, talker, listener);
+        flow->set_session_flags(SSNFLAG_MIDSTREAM);
 
-bool TcpStateNone::fin_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
-{
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        // FIXIT-M handle FIN on midstream
-    }
-    else if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
-    }
-    return true;
-}
+        if ( PacketTracer::is_active() )
+            PacketTracer::log("Stream TCP did not see the complete 3-Way Handshake. "
+            "Not all normalizations will be in effect\n");
 
-bool TcpStateNone::fin_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
-{
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        // FIXIT-M handle FIN on midstream
-    }
-    else if ( trk.session->tcp_config->require_3whs() )
-    {
-        trk.session->generate_no_3whs_event();
-        return false;
+        DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
     }
+
+    trk.init_on_data_seg_sent(tsd);
+    trk.session->init_new_tcp_session(tsd);
     return true;
 }
 
-bool TcpStateNone::rst_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
+bool TcpStateNone::data_seg_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    if ( trk.session->is_midstream_allowed(tsd) )
-    {
-        // FIXIT-M handle RST on midstream
-    }
+    Flow* flow = tsd.get_flow();
+    flow->session_state |= STREAM_STATE_MIDSTREAM;
+    trk.init_on_data_seg_recv(tsd);
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
+    trk.session->handle_data_segment(tsd, !trk.normalizer.is_tcp_ips_enabled());
     return true;
 }
 

diff --git a/src/stream/tcp/tcp_state_none.h b/src/stream/tcp/tcp_state_none.h
index a4db260f749e9b4cb04ac0a286d3590f967a9454..692c1aa325855179b536e658fa807890e73f0855 100644 (file)
--- a/src/stream/tcp/tcp_state_none.h
+++ b/src/stream/tcp/tcp_state_none.h
@@ -30,14 +30,9 @@ public:
     TcpStateNone(TcpStateMachine&);
 
     bool syn_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
-    bool syn_ack_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
     bool syn_ack_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
-    bool ack_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
     bool data_seg_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
     bool data_seg_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
-    bool fin_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
-    bool fin_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
-    bool rst_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
     bool rst_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
 
     bool do_post_sm_packet_actions(TcpSegmentDescriptor&, TcpStreamTracker&) override;

diff --git a/src/stream/tcp/tcp_state_syn_recv.cc b/src/stream/tcp/tcp_state_syn_recv.cc
index a9823fc9a21263f5eddbc5f456d705122d1b3508..bc50aed7ff0b111529ac73a052be152dc51e0ed4 100644 (file)
--- a/src/stream/tcp/tcp_state_syn_recv.cc
+++ b/src/stream/tcp/tcp_state_syn_recv.cc
@@ -38,7 +38,7 @@ TcpStateSynRecv::TcpStateSynRecv(TcpStateMachine& tsm) :
 bool TcpStateSynRecv::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
     trk.finish_server_init(tsd);
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     trk.session->update_timestamp_tracking(tsd);
     Flow* flow = tsd.get_flow();
     if ( tsd.get_tcph()->are_flags_set(TH_ECE) &&
@@ -65,7 +65,7 @@ bool TcpStateSynRecv::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 bool TcpStateSynRecv::syn_ack_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
     trk.finish_server_init(tsd);
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
 
     return true;
 }
@@ -76,7 +76,7 @@ bool TcpStateSynRecv::syn_ack_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker&
     {
         trk.irs = tsd.get_seq();
         trk.update_tracker_ack_recv(tsd);
-        trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+        trk.normalizer.ecn_tracker(tsd.get_tcph());
         trk.set_tcp_state(TcpStreamTracker::TCP_ESTABLISHED);
         if ( tsd.is_data_segment() )
             trk.session->handle_data_on_syn(tsd);
@@ -87,7 +87,7 @@ bool TcpStateSynRecv::syn_ack_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker&
 
 bool TcpStateSynRecv::ack_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    if ( trk.session->tcp_config->midstream_allowed(tsd.get_pkt()) && trk.session->flow->two_way_traffic() )
+    if ( trk.session->flow->two_way_traffic() )
     {
         TcpStreamTracker::TcpState listener_state = tsd.get_listener()->get_tcp_state();
         // Does this ACK finish 4-way handshake
@@ -119,20 +119,19 @@ bool TcpStateSynRecv::ack_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 
 bool TcpStateSynRecv::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    if ( trk.session->tcp_config->midstream_allowed(tsd.get_pkt()) )
+    trk.update_tracker_ack_sent(tsd);
+
+    if ( trk.session->no_ack_mode_enabled() )
+        trk.update_tracker_no_ack_recv(tsd);
+
+    if ( trk.session->flow->two_way_traffic() )
     {
-        trk.update_tracker_ack_sent(tsd);
-        if ( trk.session->no_ack_mode_enabled() )
-            trk.update_tracker_no_ack_recv(tsd);
-        if ( trk.session->flow->two_way_traffic() )
+        TcpStreamTracker::TcpState listener_state = tsd.get_listener()->get_tcp_state();
+        // Does this ACK finish 4-way handshake
+        if ( TcpStreamTracker::TCP_ESTABLISHED == listener_state )
         {
-            TcpStreamTracker::TcpState listener_state = tsd.get_listener()->get_tcp_state();
-            // Does this ACK finish 4-way handshake
-            if ( TcpStreamTracker::TCP_ESTABLISHED == listener_state )
-            {
-                trk.session->set_established(tsd);
-                trk.set_tcp_state(TcpStreamTracker::TCP_ESTABLISHED);
-            }
+            trk.session->set_established(tsd);
+            trk.set_tcp_state(TcpStreamTracker::TCP_ESTABLISHED);
         }
     }
     return true;

diff --git a/src/stream/tcp/tcp_state_time_wait.cc b/src/stream/tcp/tcp_state_time_wait.cc
index e2b8556745ca887213d9ebd1e3c99e27a61c8d64..691ceb747c0ba6bbcdae6ebadae1c0431bad1af0 100644 (file)
--- a/src/stream/tcp/tcp_state_time_wait.cc
+++ b/src/stream/tcp/tcp_state_time_wait.cc
@@ -43,7 +43,7 @@ bool TcpStateTimeWait::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk
 
 bool TcpStateTimeWait::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
+    trk.normalizer.ecn_tracker(tsd.get_tcph());
     if ( tsd.is_data_segment() )
         trk.session->handle_data_on_syn(tsd);
 

diff --git a/src/stream/tcp/tcp_stream_config.cc b/src/stream/tcp/tcp_stream_config.cc
index 4bf07654722d18fce0b40721c629cbf5a4ef7d43..29059ebd9f5b18ee70ddc07f68045b75597885e0 100644 (file)
--- a/src/stream/tcp/tcp_stream_config.cc
+++ b/src/stream/tcp/tcp_stream_config.cc
@@ -56,7 +56,6 @@ void TcpStreamConfig::show() const
     str += " }";
     ConfigLogger::log_value("asymmetric_ids", str.c_str());
     ConfigLogger::log_flag("reassemble_async", !(flags & STREAM_CONFIG_NO_ASYNC_REASSEMBLY));
-    ConfigLogger::log_limit("require_3whs", hs_timeout, -1, hs_timeout < 0 ? hs_timeout : -1);
     ConfigLogger::log_value("session_timeout", session_timeout);
 
     str = "{ count = ";

diff --git a/src/stream/tcp/tcp_stream_config.h b/src/stream/tcp/tcp_stream_config.h
index 5aa25605c59b4bd220f5e1a06a964d255fc459fb..ea94e9a13db828ea33fd8c19dfc55507a800d93e 100644 (file)
--- a/src/stream/tcp/tcp_stream_config.h
+++ b/src/stream/tcp/tcp_stream_config.h
@@ -37,19 +37,6 @@ class TcpStreamConfig
 public:
     TcpStreamConfig();
 
-    bool require_3whs()
-    {
-        return hs_timeout >= 0;
-    }
-
-    bool midstream_allowed(snort::Packet* p)
-    {
-        if ( ( hs_timeout < 0 ) || ( p->pkth->ts.tv_sec - packet_first_time() < hs_timeout ) )
-            return true;
-
-        return false;
-    }
-
     void show() const;
 
     StreamPolicy policy = StreamPolicy::OS_DEFAULT;
@@ -69,7 +56,6 @@ public:
     uint32_t max_consec_small_seg_size = STREAM_DEFAULT_MAX_SMALL_SEG_SIZE;
 
     uint32_t paf_max = 16384;
-    int hs_timeout = -1;
 
     bool no_ack = false;
     uint32_t embryonic_timeout = STREAM_DEFAULT_SSN_TIMEOUT;

diff --git a/src/stream/tcp/tcp_stream_tracker.h b/src/stream/tcp/tcp_stream_tracker.h
index a2096bb6f1590b67300dfe38107aa54c47305998..8ecaba36bfbfaa08aa9ef85fbb91706941ea24a0 100644 (file)
--- a/src/stream/tcp/tcp_stream_tracker.h
+++ b/src/stream/tcp/tcp_stream_tracker.h
@@ -338,7 +338,6 @@ public:
     TcpEvent tcp_event = TCP_MAX_EVENTS;
 
     bool client_tracker;
-    bool require_3whs = false;
     bool rst_pkt_sent = false;
     bool midstream_initial_ack_flush = false;
 

diff --git a/src/stream/tcp/test/tcp_normalizer_test.cc b/src/stream/tcp/test/tcp_normalizer_test.cc
index bb8364597106eaba305e1771e68ade83ae146f50..87f6810d0d5d2d768c6832bf348df03d690ccd2a 100644 (file)
--- a/src/stream/tcp/test/tcp_normalizer_test.cc
+++ b/src/stream/tcp/test/tcp_normalizer_test.cc
@@ -48,10 +48,10 @@ public:
 TcpSession::TcpSession( Flow* ) : Session( flow ) { }
 TcpSession::~TcpSession() = default;
 bool TcpSession::setup(Packet*){ return true; }
-void TcpSession::update_direction(char, SfIp const*, unsigned short){ }
-int TcpSession::process(Packet*){ return 0; }
-void TcpSession::restart(Packet*){ }
-void TcpSession::precheck(Packet*){ }
+void TcpSession::update_direction(char, SfIp const*, unsigned short) { }
+int TcpSession::process(Packet*) { return 0; }
+void TcpSession::restart(Packet*) { }
+bool TcpSession::precheck(Packet*) { return false; }
 void TcpSession::clear(){ }
 void TcpSession::cleanup(Packet* = nullptr){ }
 bool TcpSession::add_alert(Packet*, unsigned int, unsigned int){ return true; }