Merge pull request #1848 in SNORT/snort3 from ~BBANTWAL/snort3:fix_offload_sclear...

Squashed commit of the following:

commit 2a913fe450cc4d25ed02fed62827c97c98b83791
Author: Bhagya Tholpady <bbantwal@cisco.com>
Date:   Tue Nov 19 14:35:19 2019 -0500

    detection: disable rule evaluation when detection is disabled for offload packets

commit 520f55a8bfea4f6b43b5a452e9beaad6dfa837c0
Author: Bhagya Tholpady <bbantwal@cisco.com>
Date:   Tue Nov 19 12:53:21 2019 -0500

    flow: check if there are offloaded packets in the flow before clearing out the alert count

commit 12163b08cc3718f82b1df982dee826aff31ec7b8
Author: Bhagya Tholpady <bbantwal@cisco.com>
Date:   Mon Nov 18 14:26:24 2019 -0500

    detection: move the inspector manager thread local flag used to determine whether or not to call inspector clear to context

diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index 2b6ccfb14a0dc9d7afc0d6258046ecc0cf47429e..040c09c1b49b38ffc728b4d8880f4c037d58feba 100644 (file)
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -488,8 +488,9 @@ void DetectionEngine::complete(Packet* p)
 
     ContextSwitcher* sw = Analyzer::get_switcher();
     sw->resume(p->context);
-    
-    fp_complete(p);
+   
+    if ( p->is_detection_enabled(p->packet_flags & PKT_FROM_CLIENT) ) 
+        fp_complete(p);
 }
 
 void DetectionEngine::resume(Packet* p)

diff --git a/src/detection/ips_context.cc b/src/detection/ips_context.cc
index 29f97bad85ba6e4d8930975c7c636c9e44817dfc..1d6e0b29da85ac2949d7ff2b03e92fa9b2fafd96 100644 (file)
--- a/src/detection/ips_context.cc
+++ b/src/detection/ips_context.cc
@@ -65,6 +65,7 @@ IpsContext::IpsContext(unsigned size) :
 
     active_rules = CONTENT;
     check_tags = false;
+    clear_inspectors = false;
 }
 
 IpsContext::~IpsContext()

diff --git a/src/detection/ips_context.h b/src/detection/ips_context.h
index 5793699e48d794b04a22c85012e224fdf5dde7b4..17ec32ab37f11ddb4167cad179ce0837d135b93e 100644 (file)
--- a/src/detection/ips_context.h
+++ b/src/detection/ips_context.h
@@ -155,6 +155,7 @@ public:
     ActiveRules active_rules;
     State state; 
     bool check_tags;
+    bool clear_inspectors;
 
     static const unsigned buf_size = Codec::PKT_MAX;
 

diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc
index 35e6a4d348f3c9c7896230cf51de251b5663ea44..25aac0e861e4bf67802472f48bcf6a16484433f9 100644 (file)
--- a/src/managers/inspector_manager.cc
+++ b/src/managers/inspector_manager.cc
@@ -161,7 +161,6 @@ static PHList s_trash2;
 static bool s_sorted = false;
 
 static THREAD_LOCAL vector<PHGlobal>* s_tl_handlers = nullptr;
-static THREAD_LOCAL bool s_clear = false;
 
 struct FrameworkConfig
 {
@@ -1021,7 +1020,7 @@ void InspectorManager::full_inspection(Packet* p)
     else if ( flow->gadget && flow->gadget->likes(p) )
     {
         flow->gadget->eval(p);
-        s_clear = true;
+        p->context->clear_inspectors = true;
     }
 }
 
@@ -1098,12 +1097,12 @@ void InspectorManager::probe(Packet* p)
 
 void InspectorManager::clear(Packet* p)
 {
-    if ( !s_clear )
+    if ( !p->context->clear_inspectors )
         return;
 
     if ( p->flow and p->flow->gadget )
         p->flow->gadget->clear(p);
 
-    s_clear = false;
+    p->context->clear_inspectors = false;
 }
 

diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index fcc79aa86e4995ae4e1257c1b763c598524f0be6..54fc67c033d3389d6777b6a25359eff65de0493a 100644 (file)
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
@@ -261,7 +261,8 @@ void TcpReassembler::purge_alerts(TcpReassemblerState& trs)
         StreamAlertInfo* ai = trs.tracker->alerts + i;
         Stream::log_extra_data(flow, trs.xtradata_mask, ai->event_id, ai->event_second);
     }
-    trs.tracker->alert_count = 0;
+    if ( !flow->is_suspended() )
+        trs.tracker->alert_count = 0;
 }
 
 void TcpReassembler::purge_to_seq(TcpReassemblerState& trs, uint32_t flush_seq)