Pull request #4749: main: DAQ verdict changes
authorNirmala Venkata Subbaiah -X (nirmvenk - XORIANT CORPORATION at Cisco) <nirmvenk@cisco.com>
Tue, 3 Jun 2025 15:28:10 +0000 (15:28 +0000)
committerSteven Baigal (sbaigal) <sbaigal@cisco.com>
Tue, 3 Jun 2025 15:28:10 +0000 (15:28 +0000)
Merge in SNORT/snort3 from ~NIRMVENK/snort3:daq_verdict to master

Squashed commit of the following:

commit a711df5547eb10f15e8ba654504824b962a1d7ec
Author: Nirmala Subbaiah <nirmvenk@cisco.com>
Date:   Wed May 14 11:53:50 2025 -0400

    main: clarify the DAQ verdict for inject

src/main/analyzer.cc
src/main/test/distill_verdict_stubs.h
src/protocols/packet.cc
src/protocols/packet.h
src/protocols/test/decode_err_len_test.cc
src/protocols/test/get_geneve_opt_test.cc
src/service_inspectors/http2_inspect/test/http2_hpack_int_decode_test.cc
src/service_inspectors/http2_inspect/test/http2_hpack_string_decode_test.cc
src/service_inspectors/http_inspect/test/http_uri_norm_test.cc
src/stream/tcp/tcp_normalizer.cc

index fb2bc13a69ef5534cafd2e3cb9796806919e7c17..123e9fb539cdffef1dc4405231d4603b91ce95f6 100644 (file)
@@ -260,7 +260,7 @@ static DAQ_Verdict distill_verdict(Packet* p)
         // we never increase, only trim, but daq doesn't support resizing wire packet
         PacketManager::encode_update(p);
 
-        if ( p->daq_instance->inject(p->daq_msg, 0, p->pkt, p->pktlen) == DAQ_SUCCESS )
+        if ( p->inject() == DAQ_SUCCESS )
             verdict = DAQ_VERDICT_BLOCK;
         // FIXIT-M X Should we be blocking the wire packet even if the injection fails?
     }
@@ -317,6 +317,8 @@ static void packet_trace_dump(Packet* p, DAQ_Verdict verdict, bool msg_was_held)
         PacketTracer::log("Verdict: Queuing for Retry\n");
     else if (msg_was_held)
         PacketTracer::log("Verdict: Holding for Detection\n");
+    else if (verdict == DAQ_VERDICT_BLOCK and p->is_pkt_injected())
+        PacketTracer::log("Verdict: Inject, original packet dropped\n");
     else
         PacketTracer::log("Verdict: %s\n", SFDAQ::verdict_to_string(verdict));
     PacketTracer::dump(p);
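Review bot: The new `Verdict: Inject, original packet dropped` branch trusts `p->is_pkt_injected()`, but `Packet::inject()` (the src/protocols/packet.cc hunk) calls `set_pkt_injected()` before the DAQ call, so the flag records an attempt, not a successful injection. The `verdict == DAQ_VERDICT_BLOCK` test masks this only if a block verdict can never be reached by another path after a failed inject, which these hunks do not show; otherwise the trace would state that a replacement packet was sent when none was. Setting the flag only on success keeps the trace accurate for anyone reading it during an investigation: `const int rc = daq_instance->inject(daq_msg, 0, pkt, pktlen);`, `if (rc == DAQ_SUCCESS) set_pkt_injected();`, `return rc;`. `packet_trace_dump` begins above this hunk.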
index a29a9f534a9bf240e00808a47b3ceb8448650a0a..79d35c32736a7ebb530dc2f8b61d8f271968c644 100644 (file)
@@ -148,6 +148,7 @@ Packet::Packet(bool)
     packet_flags = PKT_FROM_CLIENT;
 }
 Packet::~Packet()  = default;
+int Packet::inject() { return 0; }
 IpsPolicy* get_ips_policy() { return nullptr; }
 void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { }
 void DataBus::publish(unsigned, unsigned, DataEvent&, Flow*) { }
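Review bot: The `Packet::inject()` stub returns 0 without calling `set_pkt_injected()`, so it diverges from the real implementation, which sets `TS_PKT_INJECT` on every call. A test that reaches the inject call in `distill_verdict` would always see what is presumably the success value with the flag still clear, and the failure path is never exercised. Something like `int Packet::inject() { set_pkt_injected(); return stub_inject_result; }`, with a test-controlled `stub_inject_result` (a name made up here), would let both outcomes be covered.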
index 3e1140a9a068b8b0d5133fe86ac0ce5255928e9f..4d1d736212c537f4ce53407a20dd78bf13b877c3 100644 (file)
@@ -30,6 +30,7 @@
 #include "log/obfuscator.h"
 #include "main/snort_config.h"
 #include "packet_io/active.h"
+#include "packet_io/sfdaq_instance.h"
 
 #include "packet_manager.h"
 #include "vlan.h"
@@ -322,5 +323,11 @@ bool Packet::is_from_application_server() const
         return is_from_server();
 }
 
+int Packet::inject()
+{
+    set_pkt_injected();
+    return daq_instance->inject(daq_msg, 0, pkt, pktlen);
+}
+
 } // namespace snort
 
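Review bot: `Packet::inject()` dereferences `daq_instance` and forwards `daq_msg` with no null check, and it is now a public member of the `SO_PUBLIC` `Packet` struct rather than a single call site inside `distill_verdict`. If it is ever called on a packet with no DAQ message behind it (pseudo or rebuilt packets, presumably; not visible here), that is a null dereference in the packet thread. A guard at the top such as `if (!daq_instance or !daq_msg) return DAQ_ERROR;`, or an assert plus a comment stating the precondition, would make the contract explicit.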
index 3376362d25797e35a4219253ae12c2ca6e1edb12..0fa595000cfffdd86297910c2f25085ac1193bdc 100644 (file)
@@ -91,6 +91,7 @@ class SFDAQInstance;
 #define PKT_TCP_PSEUDO_EST        0x80000000 // A one-sided or bidirectional without LWS TCP session was detected
 
 #define TS_PKT_OFFLOADED          0x01
+#define TS_PKT_INJECT             0x02
 
 #define PKT_PDU_FULL (PKT_PDU_HEAD | PKT_PDU_TAIL)
 
@@ -327,6 +328,12 @@ struct SO_PUBLIC Packet
     void clear_offloaded()
     { ts_packet_flags &= (~TS_PKT_OFFLOADED); }
 
+    bool is_pkt_injected() const
+    { return (ts_packet_flags & TS_PKT_INJECT) != 0; }
+
+    void set_pkt_injected()
+    { ts_packet_flags |= TS_PKT_INJECT; }
+
     bool has_parent() const
     { return (packet_flags & PKT_HAS_PARENT) != 0; }
 
@@ -383,6 +390,8 @@ struct SO_PUBLIC Packet
     void set_pdu_section(PduSection pdu_sect)
     { sect = pdu_sect; }
 
+    int inject();
+
 private:
     bool allocated;
 };
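Review bot: `int inject();` is added to a public, exported struct with no comment on its contract. I would put a short comment above it, for example `// re-sends pkt/pktlen through daq_instance; returns DAQ_SUCCESS or a DAQ error code; sets TS_PKT_INJECT`, and say whether callers are expected to set a block verdict for the original packet themselves. The struct body starts well above this hunk.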
index 53a97b7479805b92360f77def5b39d7e267a7876..8d7548b6fc738b22151a5f0998f1d22e954cd0c0 100644 (file)
@@ -30,6 +30,7 @@
 #include "managers/codec_manager.h"
 #include "packet_io/packet_tracer.h"
 #include "packet_io/sfdaq.h"
+#include "packet_io/sfdaq_instance.h"
 #include "profiler/profiler_defs.h"
 #include "stream/stream.h"
 #include "trace/trace_api.h"
@@ -70,6 +71,7 @@ int layer::get_inner_ip_lyr_index(const Packet* const) { return 0; }
 int layer::get_inner_ip6_frag_index(const Packet* const) { return 0; }
 uint8_t Stream::get_flow_ttl(Flow*, char, bool) { return 0; }
 bool SFDAQ::forwarding_packet(const DAQ_PktHdr_t*) { return false; }
+int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; }
 void sum_stats(PegCount*, PegCount*, unsigned, bool) {}
 IpsContext::IpsContext(unsigned):
     packet(nullptr), encode_packet(nullptr), pkth (nullptr), buf(nullptr),
index 05093bd62d4a08e195535e4a7b132faccb6d9bca..bc44c30695cf73f4ea12c7f321d4a9ea34010695 100644 (file)
@@ -23,6 +23,7 @@
 
 #include "flow/expect_flow.h"
 #include "framework/api_options.h"
+#include "packet_io/sfdaq_instance.h"
 #include "protocols/packet.h"
 #include "protocols/packet_manager.h"
 
@@ -37,6 +38,7 @@ const char* PacketManager::get_proto_name(ProtocolId) { return nullptr; }
 const vlan::VlanTagHdr* layer::get_vlan_layer(const Packet*) { return nullptr; }
 const geneve::GeneveLyr* layer::get_geneve_layer(const Packet*, bool) { return nullptr; }
 void ip::IpApi::reset() {}
+int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; }
 
 uint8_t PacketManager::max_layers = DEFAULT_LAYERMAX;
 
index ef471ef7e90a90e6a751c5bd7d3ee1ba00b8b4d7..f57869ce510eab8ffa46d5195e17c6570460443b 100644 (file)
@@ -27,6 +27,7 @@
 using namespace Http2Enums;
 #include "../http2_hpack_int_decode.h"
 #include "../http2_varlen_int_decode_impl.h"
+#include "packet_io/sfdaq_instance.h"
 
 #include <CppUTest/CommandLineTestRunner.h>
 #include <CppUTest/TestHarness.h>
@@ -36,6 +37,7 @@ namespace snort
 {
 // Stubs whose sole purpose is to make the test code link
 int DetectionEngine::queue_event(unsigned int, unsigned int) { return 0; }
+int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; }
 }
 
 
index e2c390fb78d7c1b57174bf933474dd60fe0e1529..608b153ff8d0ef114a4cec82fe168e5db8544d3f 100644 (file)
@@ -32,6 +32,7 @@ using namespace Http2Enums;
 #include "../http2_varlen_string_decode_impl.h"
 #include "../../http_inspect/http_common.h"
 #include "../../http_inspect/http_enum.h"
+#include "packet_io/sfdaq_instance.h"
 
 #include <CppUTest/CommandLineTestRunner.h>
 #include <CppUTest/TestHarness.h>
@@ -41,6 +42,7 @@ namespace snort
 {
 // Stubs whose sole purpose is to make the test code link
 int DetectionEngine::queue_event(unsigned int, unsigned int) { return 0; }
+int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; }
 }
 
 using namespace HttpCommon;
index 642dbb6ecd5b5d6cd537162178b82f6c14bfa2e9..061597782a4aa80b2eeb5b51f2bf5b2727f3d5f9 100755 (executable)
@@ -27,6 +27,7 @@
 #include "log/messages.h"
 
 #include "main/thread_config.h"
+#include "packet_io/sfdaq_instance.h"
 #include "service_inspectors/http_inspect/http_js_norm.h"
 #include "service_inspectors/http_inspect/http_uri_norm.h"
 
@@ -54,6 +55,7 @@ void DecodeConfig::set_decompress_pdf(bool) {}
 void DecodeConfig::set_decompress_swf(bool) {}
 void DecodeConfig::set_decompress_zip(bool) {}
 void DecodeConfig::set_decompress_vba(bool) {}
+int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; }
 SearchTool::~SearchTool() {}
 unsigned get_instance_id()
 { return 0; }
index 853e27512d2171c4a374237fe2f3ec2fc1181497..70deb56a3ad685dc0873508f5393fc83ab6a969e 100644 (file)
@@ -121,6 +121,9 @@ bool TcpNormalizer::trim_payload(TcpNormalizerState&, TcpSegmentDescriptor& tsd,
         tsd.set_len(max);
         tsd.set_packet_flags(PKT_RESIZED);
         tsd.set_end_seq(tsd.get_end_seq() - fat);
+        if (stream_tcp_trace_enabled)
+            trace_logf(TRACE_WARNING_LEVEL, stream_tcp_trace, DEFAULT_TRACE_OPTION_ID, \
+                       tsd.get_pkt(), "stream_tcp: Packet resized, length set to %u bytes", max);
         return true;
     }
     return false;
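Review bot: The trailing `\` after `DEFAULT_TRACE_OPTION_ID,` is a macro-style line continuation in ordinary code and should be dropped; the call wraps fine without it. `%u` assumes `max` is an `unsigned int`-sized type, but its declaration is outside the hunk (the signature in the hunk header is cut at `tsd,`), so confirm this or cast. The message is emitted once per trimmed segment, and the segment sizes are controlled by the peer, so even though it is gated by `stream_tcp_trace_enabled` it may be worth checking that warning level is the intended verbosity.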