check_tags_flag = 1;
- // clear closed sessions here after inspection since non-stream
- // inspectors may depend on flow information
- // FIXIT-H but this result in double clearing? should normal
- // clear_session() calls be deleted from stream? this is a
- // performance hit on short-lived flows
- Stream::check_flow_closed(p);
-
/*
** By checking tagging here, we make sure that we log the
** tagged packet whether it generates an alert or not.
if ( inspected )
InspectorManager::clear(p);
+
+ // clear closed sessions here after inspection since non-stream
+ // inspectors may depend on flow information
+ // FIXIT-H but this result in double clearing? should normal
+ // clear_session() calls be deleted from stream? this is a
+ // performance hit on short-lived flows
+ Stream::check_flow_closed(p);
}
Profile profile(eventqPerfStats);
SnortEventqLog(p);
SnortEventqReset();
+
+ // Handle block pending state
+ Stream::check_flow_block_pending(p);
}
void snort_log(Packet* p)
#define STREAM_STATE_CLOSED 0x0800
#define STREAM_STATE_IGNORE 0x1000
#define STREAM_STATE_NO_PICKUP 0x2000
+#define STREAM_STATE_BLOCK_PENDING 0x4000
// FIXIT-L move to appid class if/when the application ids array
// is moved
void set_mpls_layer_per_dir(Packet*);
Layer get_mpls_layer_per_dir(bool);
- uint32_t update_session_flags( uint32_t flags )
+ uint32_t update_session_flags(uint32_t flags)
{
return ssn_state.session_flags = flags;
}
uint16_t ssn_policy;
uint16_t session_state;
- uint8_t inner_client_ttl, inner_server_ttl;
- uint8_t outer_client_ttl, outer_server_ttl;
+ uint8_t inner_client_ttl, inner_server_ttl;
+ uint8_t outer_client_ttl, outer_server_ttl;
- uint8_t response_count;
+ uint8_t response_count;
bool disable_inspect;
private:
uint32_t sent = 0;
const uint16_t maxPayload = PacketManager::encode_get_max_payload(p);
- if(maxPayload)
+ if (maxPayload)
{
do
{
buf += toSend;
sent += toSend;
- } while(blen -= toSend);
+ }
+ while (blen -= toSend);
}
plen = 0;
s_send(p->pkth, !(flags & ENC_FLAG_FWD), seg, plen);
-
if (flags & ENC_FLAG_RST_CLNT)
{
sent++;
active_action = ACT_BLOCK;
if ( force or SnortConfig::inline_mode() or SnortConfig::treat_drop_as_ignore() )
- Stream::drop_flow(p);
+ Stream::block_flow(p);
}
void Active::reset_session(const Packet* p, bool force)
{
bool force = (active_status == AST_FORCE);
- switch(delayed_active_action)
+ switch (delayed_active_action)
{
case ACT_PASS:
break;
delayed_active_action = ACT_PASS;
}
+
//--------------------------------------------------------------------
bool Active::open(const char* dev)
// session status
//-------------------------------------------------------------------------
+void Stream::check_flow_block_pending(Packet* p)
+{
+ Flow* flow = p->flow;
+
+ if ( !flow )
+ return;
+
+ if (flow->session_state & STREAM_STATE_BLOCK_PENDING)
+ {
+ flow->session->clear();
+ flow->set_state(Flow::FlowState::BLOCK);
+
+ if ( !(p->packet_flags & PKT_STATELESS) )
+ drop_traffic(flow, SSN_DIR_BOTH);
+ flow->session_state &= ~STREAM_STATE_BLOCK_PENDING;
+ }
+}
+
void Stream::check_flow_closed(Packet* p)
{
Flow* flow = p->flow;
}
}
+void Stream::block_flow(const Packet* p)
+{
+ Flow* flow = p->flow;
+
+ if (!flow)
+ return;
+
+ // Postpone clear till inspection is completed
+ flow->session_state |= STREAM_STATE_BLOCK_PENDING;
+}
+
void Stream::drop_flow(const Packet* p)
{
Flow* flow = p->flow;
int Stream::set_application_protocol_id_expected(
const Packet* ctrlPkt, PktType type, IpProtocol ip_proto,
const sfip_t* srcIP, uint16_t srcPort,
- const sfip_t* dstIP, uint16_t dstPort,
+ const sfip_t* dstIP, uint16_t dstPort,
int16_t appId, FlowData* fd)
{
assert(flow_con);
// sequence must match FRAG_POLICY_* enum in stream_ip.h (1-based)
#define IP_POLICIES \
- "first | linux | bsd | bsd_right | last | windows | solaris"
+ "first | linux | bsd | bsd_right | last | windows | solaris"
// sequence must match STREAM_POLICY_* defines in tcp_session.cc (1-based)
#define TCP_POLICIES \
// subsequent packets received on this flow are dropped.
static void drop_flow(const Packet*);
+ // Mark flow session as block pending. Resources will be released
+ // at the end of inspection
+ static void block_flow(const Packet*);
+
// FIXIT-L flush_request() / flush_response() are misnomers in ips mode and may cause errors
// Flush queued data on the listener side of a stream flow. The listener is the side of the
// Flush queued data on the talker side of a stream flow. The talker is the side of the
// connection the packet originated from, so if the Packet is from the client, then the
// client side tracker is flushed.
- static void flush_response(Packet*); // flush talker
+ static void flush_response(Packet*); // flush talker
// Add session alert - true if added
static bool add_flow_alert(Flow*, Packet*, uint32_t gid, uint32_t sid);
// Snort does not have an active packet that is relevant.
static FlowData* get_flow_data(
PktType type, IpProtocol proto,
- const sfip_t *a1, uint16_t p1, const sfip_t *a2, uint16_t p2,
+ const sfip_t* a1, uint16_t p1, const sfip_t* a2, uint16_t p2,
uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, unsigned flow_id);
// Get pointer to application data for a flow using the FlowKey as the lookup criteria
// cases where Snort does not have an active packet that is relevant.
static Flow* get_flow(
PktType type, IpProtocol proto,
- const sfip_t *a1, uint16_t p1, const sfip_t *a2, uint16_t p2,
+ const sfip_t* a1, uint16_t p1, const sfip_t* a2, uint16_t p2,
uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId);
// Delete the session if it is in the closed session state.
static void check_flow_closed(Packet*);
+ // Handle session block pending state
+ static void check_flow_block_pending(Packet*);
+
// Create a session key from the Packet
static FlowKey* get_flow_key(Packet*);
projects / thirdparty / snort3.git / commitdiff
