Merge pull request #1344 in SNORT/snort3 from offload_active to master
authorMichael Altizer (mialtize) <mialtize@cisco.com>
Fri, 14 Sep 2018 17:38:09 +0000 (13:38 -0400)
committerMichael Altizer (mialtize) <mialtize@cisco.com>
Fri, 14 Sep 2018 17:38:09 +0000 (13:38 -0400)
Squashed commit of the following:

commit 9f8c35fd54dcd56b3212f025b6b8bf31b5359654
Author: Carter Waxman <cwaxman@cisco.com>
Date:   Mon Aug 27 13:37:58 2018 -0400

    DetectionEngine: run active actions at onload

src/detection/detection_engine.cc
src/detection/detection_engine.h

index 10606d65d6f209baafb9ed6e41c5590b9e6c3f0f..53fae34df2ef8752c11e0322a4d4285becac6901 100644 (file)
@@ -76,13 +76,10 @@ DetectionEngine::DetectionEngine()
 
 DetectionEngine::~DetectionEngine()
 {
-    ContextSwitcher* sw = Snort::get_switcher();
-
-    if ( context == sw->get_context() )
+    if ( context == Snort::get_switcher()->get_context() )
     {
+        // finish_packet is called here so that we clear wire packets at the right time
         finish_packet(context->packet);
-        sw->complete();
-        context->post_detection();
     }
 }
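Review bot: The comment added in the destructor explains only the wire-packet clearing, but finish_packet now also performs the two calls this hunk removes (post_detection and the switcher's complete()), so a reader of the destructor alone no longer sees that the context is released here. I would widen it to `// finish_packet clears wire packets at the right time and also runs post_detection and completes the switcher`. Note also that this path calls finish_packet without finish_inspect, so delayed active actions are not applied from the destructor; if that is intended (as it was before this change) a sentence saying so would save the next reader from asking.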
 
@@ -132,6 +129,36 @@ Packet* DetectionEngine::set_next_packet(Packet* parent)
     return p;
 }
 
+void DetectionEngine::finish_inspect_with_latency(Packet* p)
+{
+    DetectionEngine::set_check_tags();
+
+    // By checking tagging here, we make sure that we log the
+    // tagged packet whether it generates an alert or not.
+
+    if ( p->has_ip() )
+        check_tags(p);
+
+    InspectorManager::probe(p);
+}
+
+void DetectionEngine::finish_inspect(Packet* p, bool inspected)
+{
+    log_events(p);
+
+    Active::apply_delayed_action(p);
+
+    // clear closed sessions here after inspection since non-stream
+    // inspectors may depend on flow information
+    // this also handles block pending state
+    Stream::check_flow_closed(p);
+
+    if ( inspected )
+        InspectorManager::clear(p);
+
+    clear_events(p);
+}
+
 void DetectionEngine::finish_packet(Packet* p)
 {
     log_events(p);
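Review bot: `finish_inspect_with_latency` has no comment and its body performs no latency measurement (it sets the tag check, runs check_tags for IP packets and calls InspectorManager::probe), so on its own the name is misleading; the only hint is the FIXIT-L in the onload hunk. A header comment such as `// post-inspection work that is (intended to be) covered by latency accounting: tag check and probe inspectors` would make the split understandable, hedged because I infer the latency relationship from the name and that FIXIT. Separately, `finish_inspect` ends with `clear_events(p)` while `finish_packet`, whose body starts just below and is called right after it on the onload path, opens with another `log_events(p)`; that second call appears to run on an already-cleared event queue, so either say what it is expected to log or consider whether it is still needed.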
@@ -141,6 +168,9 @@ void DetectionEngine::finish_packet(Packet* p)
     // clean up any failed rebuilds
     const IpsContext* c = Snort::get_switcher()->get_next();
     c->packet->release_helpers();
+
+    p->context->post_detection();
+    Snort::get_switcher()->complete();
 }
 
 uint8_t* DetectionEngine::get_buffer(unsigned& max)
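Review bot: The added lines reverse the order the removed code used: the destructor and onload hunks dropped `complete()` followed by `post_detection()`, whereas finish_packet now runs `p->context->post_detection()` before `Snort::get_switcher()->complete()`. If post_detection must now observe the context while it is still the switcher's current one, that is a behavioural change the commit message does not mention and deserves a comment such as `// post_detection runs before complete() so the context is still current`; if not, the original order should be restored. `Snort::get_switcher()` is also fetched twice in this function (for get_next and for complete); caching it once, `ContextSwitcher* sw = Snort::get_switcher();`, reads better and matches the style the destructor hunk removed. Finally, this function now dereferences `p->context` rather than the engine's own `context` member the destructor used; the two coincide for the destructor, which passes `context->packet`, but the onload caller (declared outside this hunk) should be checked for the same invariant.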
@@ -304,11 +334,9 @@ void DetectionEngine::onload()
     sw->resume(id);
 
     fp_onload(p);
+    finish_inspect_with_latency(p); // FIXIT-L should latency be evaluated here?
+    finish_inspect(p, true);
     finish_packet(p);
-
-    InspectorManager::clear(p);
-    sw->complete();
-    c->post_detection();
 }
 
 bool DetectionEngine::offload(Packet* p)
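Review bot: With `c->post_detection()` removed, the local `c` in onload may no longer be referenced; its declaration is outside this hunk, so if that call was its last use it is now an unused variable (moot if `p` is still derived from it). Worth a build with warnings enabled before merging. The FIXIT-L on the `finish_inspect_with_latency(p)` line would also help more if it said which latency check is meant and why it may not apply on the onload path.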
@@ -411,29 +439,9 @@ void DetectionEngine::inspect(Packet* p)
                     return; // don't finish out offloaded packets
             }
         }
-        DetectionEngine::set_check_tags();
-
-        // By checking tagging here, we make sure that we log the
-        // tagged packet whether it generates an alert or not.
-
-        if ( p->has_ip() )
-            check_tags(p);
-
-        InspectorManager::probe(p);
+        finish_inspect_with_latency(p);
     }
-
-    log_events(p);
-    Active::apply_delayed_action(p);
-
-    // clear closed sessions here after inspection since non-stream
-    // inspectors may depend on flow information
-    // this also handles block pending state
-    Stream::check_flow_closed(p);
-
-    if ( inspected )
-        InspectorManager::clear(p);
-
-    clear_events(p);
+    finish_inspect(p, inspected);
 }
 
 //--------------------------------------------------------------------------
index e6015ab41ec61ec6ffb50b740a0bd09a44587e7b..4f5af57cf3c2b8f646d934fae352d3d1ffecb623 100644 (file)
@@ -107,6 +107,8 @@ private:
 
     static int log_events(Packet*);
     static void clear_events(Packet*);
+    static void finish_inspect_with_latency(Packet*);
+    static void finish_inspect(Packet*, bool inspected);
     static void finish_packet(Packet*);
 
 private:
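Review bot: The two new declarations carry no comment, and the header is the only place where the intended ordering of the three finish stages is visible to a reader. Suggest a comment above them, e.g. `// post-inspection stages; callers run finish_inspect_with_latency, then finish_inspect, then finish_packet`, and a note that `inspected` controls whether InspectorManager::clear is invoked.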