continue refactoring to build out DetectionEngine
authorRuss Combs <rucombs@cisco.com>
Fri, 21 Oct 2016 23:33:54 +0000 (19:33 -0400)
committerRuss Combs <rucombs@cisco.com>
Wed, 18 Jan 2017 13:58:36 +0000 (08:58 -0500)
24 files changed:
extra/src/inspectors/http_server/hi_main.cc
src/detection/detect.cc
src/detection/detect.h
src/detection/fp_detect.cc
src/flow/flow_control.cc
src/main/policy.cc
src/main/snort.cc
src/managers/inspector_manager.cc
src/network_inspectors/reputation/reputation_inspect.cc
src/parser/config_file.cc
src/service_inspectors/dce_rpc/dce_common.cc
src/service_inspectors/dce_rpc/dce_smb.cc
src/service_inspectors/dce_rpc/dce_smb_utils.cc
src/service_inspectors/dce_rpc/dce_tcp.cc
src/service_inspectors/dce_rpc/dce_udp.cc
src/service_inspectors/dnp3/dnp3_reassembly.cc
src/service_inspectors/ftp_telnet/ft_main.cc
src/service_inspectors/ssl/ssl_inspector.cc
src/stream/ip/ip_defrag.cc
src/stream/libtcp/tcp_stream_session.h
src/stream/stream.cc
src/stream/tcp/ips_stream_reassemble.cc
src/stream/tcp/tcp_reassembler.cc
src/stream/tcp/tcp_session.cc

index c74315c3de6e0384fa05d7b690900a785c8e77e2..bdf50aab53090f024de037ade7510694138dddf2 100644 (file)
@@ -609,7 +609,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
 
         if ( p->alt_dsize == 0 )
         {
-            DisableDetect();
+            DetectionEngine::disable_content();
             return 0;
         }
         {
@@ -898,7 +898,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
 
                 if ( !GetHttpBufferMask() && (p->alt_dsize == 0)  )
                 {
-                    DisableDetect();
+                    DetectionEngine::disable_content();
                     return 0;
                 }
             }
@@ -915,7 +915,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
             if ( !(session->server_conf->inspect_response) &&
                 IsLimitedDetect(p) && !p->alt_dsize )
             {
-                DisableDetect();
+                DetectionEngine::disable_content();
                 return 0;
             }
             ClearHttpBuffers();
@@ -1089,7 +1089,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
             if ( IsLimitedDetect(p) &&
                 !GetHttpBufferMask() && (p->alt_dsize == 0)  )
             {
-                DisableDetect();
+                DetectionEngine::disable_content();
                 return 0;
             }
         }
@@ -1107,7 +1107,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
         */
         {
             Profile exclude(hiPerfStats);
-            DetectionEngine::process(p);
+            DetectionEngine::detect(p);
         }
 
         /*
@@ -1120,11 +1120,8 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
 
     if ( iCallDetect == 0 )
     {
-        // DetectionEngine::process called at least once from above pkt processing loop.
-        // FIXIT-M this throws off nfp rules like this:
-        // alert tcp any any -> any any ( sid:1; msg:"1"; flags:S; )
-        // (check shutdown counts)
-        DisableInspection();
+        // DetectionEngine::detect called at least once from above pkt processing loop.
+        DetectionEngine::disable_content();
     }
 
     return 0;
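Review bot: The last replacement in this hunk changes behaviour rather than just renaming: the removed `DisableInspection()` cleared both `do_detect` and `do_detect_content` (per its definition deleted from detect.cc in this commit), whereas `DetectionEngine::disable_content()` presumably clears only the content side, so non-content rules would now still run on this packet after the loop above has already called `detect()`. That may be the intended fix for the deleted FIXIT about rules like `flags:S`, but the new comment drops the rationale and does not say whether a non-content rule can now fire twice for one packet. I would keep the reasoning next to the call, e.g. `// detect() already ran in the loop above; skip content rules on the raw packet but still let non-content rules be evaluated`. HttpInspectMain starts and ends outside the hunk.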
index c4439ddb52ddb0e24d9344483e272a5722ea1a07..a56fcf7510de5ca45ca227dfacc9fa7b2c53fdde 100644 (file)
@@ -58,87 +58,13 @@ THREAD_LOCAL ProfileStats detectPerfStats;
 THREAD_LOCAL ProfileStats eventqPerfStats;
 THREAD_LOCAL ProfileStats rebuiltPacketPerfStats;
 
-THREAD_LOCAL bool do_detect;
-THREAD_LOCAL bool do_detect_content;
+static THREAD_LOCAL bool check_tags_flag = false;
 
-SO_PUBLIC void DisableDetect()
-{ do_detect_content = false; }
-
-SO_PUBLIC void DisableInspection()
-{ do_detect = do_detect_content = false; }
-
-static THREAD_LOCAL char check_tags_flag;
-
-static int CheckTagging(Packet*);
+void enable_tags()
+{ check_tags_flag = true; }
 
 void snort_ignore(Packet*) { }
 
-void snort_inspect(Packet* p)
-{
-    bool inspected = false;
-    {
-        PacketLatency::Context pkt_latency_ctx { p };
-
-        // If the packet has errors, we won't analyze it.
-        if ( p->ptrs.decode_flags & DECODE_ERR_FLAGS )
-        {
-            DebugFormat(DEBUG_DETECT,
-                "Packet errors = 0x%x, ignoring traffic!\n",
-                (p->ptrs.decode_flags & DECODE_ERR_FLAGS));
-
-            if ( SnortConfig::inline_mode() and
-                SnortConfig::checksum_drop(p->ptrs.decode_flags & DECODE_ERR_CKSUM_ALL) )
-            {
-                DebugMessage(DEBUG_DECODE, "Dropping bad packet\n");
-                Active::drop_packet(p);
-            }
-        }
-        else
-        {
-            do_detect = do_detect_content = true;
-
-            /*
-            **  Reset the appropriate application-layer protocol fields
-            */
-            p->alt_dsize = 0;
-
-            InspectorManager::execute(p);
-            inspected = true;
-
-            Active::apply_delayed_action(p);
-
-            if ( do_detect )
-                DetectionEngine::process(p);
-        }
-
-        check_tags_flag = 1;
-
-        /*
-        ** By checking tagging here, we make sure that we log the
-        ** tagged packet whether it generates an alert or not.
-        */
-        if ( p->has_ip() )
-            CheckTagging(p);
-
-        // clear closed sessions here after inspection since non-stream
-        // inspectors may depend on flow information
-        // FIXIT-H but this result in double clearing?  should normal
-        // clear_session() calls be deleted from stream?  this is a
-        // performance hit on short-lived flows
-        Stream::check_flow_closed(p);
-    }
-
-    Profile profile(eventqPerfStats);
-    SnortEventqLog(p);
-    SnortEventqReset();
-
-    if ( inspected )
-        InspectorManager::clear(p);
-
-    // Handle block pending state
-    Stream::check_flow_block_pending(p);
-}
-
 void snort_log(Packet* p)
 {
     pc.log_pkts++;
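Review bot: `enable_tags()` and `check_tags()` are now separate entry points tied together only by the file-static `check_tags_flag`, and nothing on the definitions states the per-packet ordering they rely on. In the removed `snort_inspect` the flag was set immediately before `CheckTagging(p)`, and both `CallLogFuncs` overloads clear it, so a caller that skips `enable_tags()` would silently lose tagged-packet logging. A comment such as `// set once per packet before check_tags(); CallLogFuncs() clears it` on `enable_tags()` would make that explicit. The same deletion removes the decode-error gate and the inline-mode bad-checksum drop; the body of `DetectionEngine::inspect` is not among the files shown here, so it is worth confirming both are preserved there. `snort_log` continues past the end of the hunk.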
@@ -149,7 +75,7 @@ void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg)
 {
     event->event_id = event_id | SnortConfig::get_event_log_id();
 
-    check_tags_flag = 0;
+    check_tags_flag = false;
     pc.log_pkts++;
 
     OutputSet* idx = head ? head->LogList : NULL;
@@ -166,7 +92,7 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
     event.event_id = event_id | SnortConfig::get_event_log_id();
     event.event_reference = event.event_id;
 
-    check_tags_flag = 0;
+    check_tags_flag = false;
     pc.log_pkts++;
 
     OutputSet* idx = head ? head->LogList : NULL;
@@ -199,10 +125,6 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 }
 
 /*
-**  NAME
-**    CheckTagging::
-*/
-/**
 **  This is where we check to see if we tag the packet.  We only do
 **  this if we've alerted on a non-pass rule and the packet is not
 **  rebuilt.
@@ -210,14 +132,12 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 **  We don't log rebuilt packets because the output plugins log the
 **  individual packets of a rebuilt stream, so we don't want to dup
 **  tagged packets for rebuilt streams.
-**
-**  @return integer
 */
-int CheckTagging(Packet* p)
+void check_tags(Packet* p)
 {
     Event event;
 
-    if (check_tags_flag == 1 && !(p->packet_flags & PKT_REBUILT_STREAM))
+    if ( check_tags_flag and !(p->packet_flags & PKT_REBUILT_STREAM) )
     {
         void* listhead = NULL;
         DebugMessage(DEBUG_FLOW, "calling CheckTagList\n");
@@ -233,8 +153,6 @@ int CheckTagging(Packet* p)
             CallLogFuncs(p, (ListHead*)listhead, &event, "Tagged Packet");
         }
     }
-
-    return 0;
 }
 
 static int CheckAddrPort(
index 1915d45c5751682d850caaeac6c4900d2f55da92..4fe11ad649887f414f77bc2b062c18bbc42d82f9 100644 (file)
@@ -30,16 +30,12 @@ struct ProfileStats;
 struct RuleFpList;
 struct RuleTreeNode;
 
-extern THREAD_LOCAL bool do_detect;
-extern THREAD_LOCAL bool do_detect_content;
-
 extern THREAD_LOCAL ProfileStats eventqPerfStats;
 extern THREAD_LOCAL ProfileStats detectPerfStats;
 extern THREAD_LOCAL ProfileStats rebuiltPacketPerfStats;
 
 // main loop hooks
 void snort_ignore(Packet*);
-void snort_inspect(Packet*);
 void snort_log(Packet*);
 
 // parsing
@@ -60,13 +56,8 @@ void CallLogFuncs(Packet*, ListHead*, Event*, const char*);
 void CallLogFuncs(Packet*, const OptTreeNode*, ListHead*);
 void CallAlertFuncs(Packet*, const OptTreeNode*, ListHead*);
 
-// don't eval content rules
-// non-content rules are still evaluated
-SO_PUBLIC void DisableDetect();
-
-// don't want to do any detection with rules
-// (no content and no non-content)
-SO_PUBLIC void DisableInspection();
+void enable_tags();
+void check_tags(Packet*);
 
 #endif
 
index 7b8ba630200c0fdce6f56a7be46b08e37a925ced..d4abf7677ba89433cfa318182e8bd7146c4a39ee 100644 (file)
@@ -985,7 +985,7 @@ static inline int fpEvalHeaderSW(PortGroup* port_group, Packet* p,
         p->packet_flags &= ~PKT_IP_RULE;
     }
 
-    if ( do_detect_content )
+    if ( DetectionEngine::content_enabled() )
     {
         if ( fp->get_stream_insert() || !(p->packet_flags & PKT_STREAM_INSERT) )
             if ( fp_search(port_group, p, check_ports, type, omd) )
@@ -1198,9 +1198,10 @@ static void fpEvalPacketUdp(Packet* p)
     if (tmp_api.pay_len() >  udp::UDP_HEADER_LEN)
         p->dsize = tmp_api.pay_len() - udp::UDP_HEADER_LEN;
 
-    auto save_do_detect_content = do_detect_content;
+    auto save_detect = DetectionEngine::get_detects();
+
     if ( p->dsize )
-        do_detect_content = true;
+        DetectionEngine::enable_content();
 
     fpEvalHeaderUdp(p, omd);
 
@@ -1209,8 +1210,8 @@ static void fpEvalPacketUdp(Packet* p)
     p->ptrs.udph = tmp_udph;
     p->data = tmp_data;
     p->dsize = tmp_dsize;
-
-    do_detect_content = save_do_detect_content;
+    
+    DetectionEngine::set_detects(save_detect);
 }
 
 /*
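Review bot: The save/restore pair that closes in this hunk (`get_detects()` in the preceding hunk, `set_detects(save_detect)` here) carries no comment explaining why content evaluation is forced on for this pass, and the `+` line added just above the restore is whitespace-only. A comment before `if ( p->dsize )` such as `// payload present: evaluate content rules for this UDP pass regardless of the saved state, then restore it` would document that this deliberately overrides an earlier `disable_content()`. That override deserves a second look, since it is not visible here whether this path can also be reached after `disable_all()`. The added blank line should be empty rather than four spaces; fpEvalPacketUdp starts outside both hunks.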
index 8fe73fe687cda23ccd889d2dc0b393b8903fdc3d..c563fc00686b4ae9cae96ed8354039c544551301 100644 (file)
@@ -448,7 +448,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
         if ( news )
             Stream::stop_inspection(flow, p, SSN_DIR_BOTH, -1, 0);
         else
-            DisableInspection();
+            DetectionEngine::disable_all();
 
         p->ptrs.decode_flags |= DECODE_PKT_TRUST;
         break;
@@ -459,7 +459,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
         else
             Active::block_again();
 
-        DisableInspection();
+        DetectionEngine::disable_all();
         break;
 
     case Flow::FlowState::RESET:
@@ -469,7 +469,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
             Active::reset_again();
 
         Stream::blocked_flow(flow, p);
-        DisableInspection();
+        DetectionEngine::disable_all();
         break;
     }
 
@@ -765,7 +765,7 @@ bool FlowControl::expected_flow(Flow* flow, Packet* p)
             (p->packet_flags & PKT_FROM_CLIENT) ? "sender" : "responder");
 
         flow->ssn_state.ignore_direction = ignore;
-        DisableInspection();
+        DetectionEngine::disable_all();
     }
 
     return ignore;
index 3b0f61b38e5b7fa0c3abe53e83ac8b3d24ec59c6..41ee8796722bcc1ed41022d290dc237af48acde3 100644 (file)
@@ -62,7 +62,7 @@ public:
     AltPktHandler() { }
 
     void handle(DataEvent& e, Flow*)
-    { DetectionEngine::process((Packet*)e.get_packet()); }  // FIXIT-L not const!
+    { DetectionEngine::detect((Packet*)e.get_packet()); }  // FIXIT-L not const!
 };
 
 InspectionPolicy::InspectionPolicy()
index 6dc3154fced3663606acd76b07c191e34733b08d..e4971c93d5cbe76a9de60f446804e3e6effe7bbe 100644 (file)
@@ -737,16 +737,14 @@ void Snort::inspect(Packet* p)
     Profile detect_profile(detectPerfStats);
     Profile rebuilt_profile(rebuiltPacketPerfStats);
 
-    auto save_do_detect = do_detect;
-    auto save_do_detect_content = do_detect_content;
+    auto save_detect = DetectionEngine::get_detects();
 
     DetectionEngine de;
     main_hook(p);
 
     DetectReset();  // FIXIT-H context
 
-    do_detect = save_do_detect;
-    do_detect_content = save_do_detect_content;
+    DetectionEngine::set_detects(save_detect);
 }
 
 DAQ_Verdict Snort::process_packet(
index 29ff6745e3e3fd736e965ac86de14de2f6553aff..10019ec005003e1f48fcdd7f75e20928a9dd487b 100644 (file)
@@ -29,6 +29,7 @@
 #include "binder/bind_module.h"
 #include "binder/binder.h"
 #include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "flow/flow.h"
 #include "flow/session.h"
 #include "log/messages.h"
@@ -781,7 +782,7 @@ bool InspectorManager::full_inspection(FrameworkPolicy* fp, Packet* p)
         return false;
 
     else if ( !p->dsize )
-        DisableDetect();
+        DetectionEngine::disable_content();
 
     else if ( flow->gadget && flow->gadget->likes(p) )
     {
index 930323be77d19f10bdc8026de479912f791717c9..914df82762c02ae5084cc6561f01ed30b3c01bf1 100644 (file)
@@ -26,6 +26,7 @@
 #include "reputation_inspect.h"
 
 #include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "events/event_queue.h"
 #include "log/messages.h"
 #include "packet_io/active.h"
@@ -299,7 +300,7 @@ static void snort_reputation(ReputationConfig* config, Packet* p)
         SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_BLACKLIST);
         Active::drop_packet(p, true);
         // disable all preproc analysis and detection for this packet
-        DisableInspection();
+        DetectionEngine::disable_all();
         p->disable_inspect = true;
         if (p->flow)
         {
@@ -318,7 +319,7 @@ static void snort_reputation(ReputationConfig* config, Packet* p)
     {
         SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_WHITELIST);
         p->packet_flags |= PKT_IGNORE;
-        DisableInspection();
+        DetectionEngine::disable_all();
         p->disable_inspect = true;
         if (p->flow)
         {
index 03d0605650b3812e0352de7654414270b39afa93..63c825b69be7ac45a780ce9d78a69862dda6ecf3 100644 (file)
@@ -28,6 +28,7 @@
 #include <syslog.h>
 
 #include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "log/messages.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
@@ -546,7 +547,7 @@ void config_alert_mode(SnortConfig* sc, const char* val)
         sc->output = val;
 
     sc->output_flags |= OUTPUT_FLAG__ALERTS;
-    Snort::set_main_hook(snort_inspect);
+    Snort::set_main_hook(DetectionEngine::inspect);
 }
 
 void config_log_mode(SnortConfig* sc, const char* val)
@@ -569,7 +570,7 @@ void config_conf(SnortConfig*, const char* val)
 {
     lua_conf = val;
     SetSnortConfDir(lua_conf.c_str());
-    Snort::set_main_hook(snort_inspect);
+    Snort::set_main_hook(DetectionEngine::inspect);
 }
 
 void SetSnortConfDir(const char* file)
index 283d0ad601945f7a6a285be1f2473f3c5cc26757..bca4cd2533184a77a37c4965e486a4112b04ed15 100644 (file)
@@ -194,7 +194,7 @@ static void dce2_protocol_detect(DCE2_SsnData* sd, Packet* pkt)
     // FIXIT-M add HTTP case when these are ported
     // Same for all other instances of profiling
 
-    DetectionEngine::process(pkt);
+    DetectionEngine::detect(pkt);
 
     dce2_detected = 1;
 }
index a2232d4b50360037c43377369131532c078ced28..573a5e96728e6289aa13185185839b8708b79863 100644 (file)
@@ -24,7 +24,7 @@
 
 #include "dce_smb.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "file_api/file_service.h"
 #include "protocols/packet.h"
 #include "utils/util.h"
index a38501f000a7bc7a9a8bd85eed1c01cdf2167bbb..df5fa9468ceccbf03420c8f07f3cc42c1a4865e7 100644 (file)
@@ -1990,7 +1990,7 @@ void DCE2_FileDetect()
 
     Profile profile(dce2_smb_pstat_smb_file_detect);
 
-    DetectionEngine::process(top_pkt);
+    DetectionEngine::detect(top_pkt);
 
     // Reset file data pointer after detecting
     set_file_data(nullptr, 0);
index 1c0cd646da04cec3c73595c738f2265f66c67c89..f2eff37358af0b35b312ccda4065970a1e595e41 100644 (file)
@@ -25,7 +25,7 @@
 
 #include "dce_tcp.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "utils/util.h"
 
 #include "dce_tcp_module.h"
index 5271c7640bddc03da10c077c2464a122ea36a583..6d1f8975446e0e666ff51e80a59aa7cb4d3015b0 100644 (file)
@@ -25,7 +25,7 @@
 
 #include "dce_udp.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "utils/util.h"
 
 #include "dce_udp_module.h"
index a613492e763881cce9aec42eaa51e9cfa4e9b53c..d8dc520c51682637a4db022c4cf683a823ce8d92 100644 (file)
@@ -411,7 +411,7 @@ bool dnp3_full_reassembly(dnp3ProtoConf& config, dnp3_session_data_t* session, P
         {
             {
                 ProfileExclude profile_exclude(dnp3_perf_stats);
-                DetectionEngine::process(packet);
+                DetectionEngine::detect(packet);
             }
 
             /* Since detection was done, reset reassembly state to avoid double alerts
index 732ae7d991339a32e83bec92c1e36b055204771d..53cb597a3f2f43218dd8937d7c647a11d7253289 100644 (file)
@@ -44,7 +44,7 @@
 
 #include "ft_main.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "framework/data_bus.h"
 #include "log/messages.h"
 #include "utils/util.h"
@@ -193,17 +193,7 @@ int FTPCheckConfigs(SnortConfig* sc, void* pData)
 
 void do_detection(Packet* p)
 {
-     // If we get here we either had a client or server request/response.
-     // We do the detection here, because we're starting a new paradigm
-     // about protocol decoders.
-     //
-     // Protocol decoders are now their own detection engine, since we are
-     // going to be moving protocol field detection from the generic
-     // detection engine into the protocol module.  This idea scales much
-     // better than having all these Packet struct field checks in the
-     // main detection engine for each protocol field.
     get_data_bus().publish(PACKET_EVENT, p);
-
-    DisableInspection();
+    DetectionEngine::disable_all();
 }
 
index d728424018f09efb19a8ff020b55cb48115d6686..6e91429a9b007aa724bd68845b3ce1b52b3b01af 100644 (file)
@@ -26,6 +26,7 @@
 #include "ssl_inspector.h"
 
 #include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "events/event_queue.h"
 #include "log/messages.h"
 #include "main/snort_debug.h"
@@ -178,7 +179,7 @@ static inline uint32_t SSLPP_process_alert(
         !(new_flags & SSL_HEARTBEAT_SEEN))
     {
         DebugMessage(DEBUG_SSL, "Disabling detect\n");
-        DisableDetect();
+        DetectionEngine::disable_content();
     }
 
     /* Need to negate the application flags from the opposing side. */
@@ -229,7 +230,7 @@ static inline uint32_t SSLPP_process_app(SSL_PROTO_CONF* config, uint32_t ssn_fl
         }
         else if (!(new_flags & SSL_HEARTBEAT_SEEN))
         {
-            DisableDetect();
+            DetectionEngine::disable_content();
         }
     }
 
@@ -256,7 +257,7 @@ static inline void SSLPP_process_other(SSL_PROTO_CONF* config, SSLData* sd, uint
         }
         else if (!(new_flags & SSL_HEARTBEAT_SEEN))
         {
-            DisableDetect();
+            DetectionEngine::disable_content();
         }
     }
     else
@@ -337,7 +338,7 @@ static void snort_ssl(SSL_PROTO_CONF* config, Packet* p)
 
         if (!(new_flags & SSL_HEARTBEAT_SEEN))
         {
-            DisableDetect();
+            DetectionEngine::disable_content();
         }
 
         sd->ssn_flags |= new_flags;
index 56b8259a71a11f72da45d98b22609a3b44a0980e..a1c54fc5f43d4738f15f53e743187648919c56bd 100644 (file)
@@ -71,6 +71,7 @@
 #include "ip_defrag.h"
 
 #include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "log/messages.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
@@ -80,6 +81,7 @@
 #include "protocols/ipv4_options.h"
 #include "time/timersub.h"
 #include "utils/safec.h"
+#include "utils/stats.h"
 #include "utils/util.h"
 
 #include "ip_session.h"
@@ -1120,7 +1122,7 @@ void Defrag::process(Packet* p, FragTracker* ft)
     if ((frag_offset != 0)) /* ||
         ((p->get_ip_proto_next() != IpProtocol::UDP) && (p->ptrs.decode_flags & DECODE_MF))) */
     {
-        DisableDetect();
+        DetectionEngine::disable_content();
     }
 
     /*
@@ -1179,7 +1181,7 @@ void Defrag::process(Packet* p, FragTracker* ft)
     //dont forward fragments to engine if some previous fragment was dropped
     if ( ft->frag_flags & FRAG_DROP_FRAGMENTS )
     {
-        DisableDetect();
+        DetectionEngine::disable_content();
         Active::daq_drop_packet(p);
         ip_stats.drops++;
     }
@@ -1263,7 +1265,7 @@ void Defrag::process(Packet* p, FragTracker* ft)
             {
                 // Need to reset some things here because the rebuilt packet
                 // will have reset the do_detect flag when it hits Inspect.
-                do_detect_content = do_detect = false;
+                DetectionEngine::disable_all();
             }
         }
 
index dd8d810a32ed976065c38c54c6bb8fd209ce0e1a..48d5f79ccda8a2a1135c679e99e09e1c4d9cc4a6 100644 (file)
 #ifndef TCP_STREAM_SESSION_H_
 #define TCP_STREAM_SESSION_H_
 
-#include "detection/detect.h"
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "detection/detection_engine.h"
 #include "flow/session.h"
 #include "stream/libtcp/tcp_stream_tracker.h"
 #include "stream/tcp/tcp_stream_config.h"
@@ -75,7 +79,7 @@ public:
     virtual void retransmit_process()
     {
         // Data has already been analyzed so don't bother looking at it again.
-        DisableDetect();
+        DetectionEngine::disable_content();
     }
 
     virtual void retransmit_handle(Packet* p)
index fe4f1b41efec2604f1ff305f916c710af48e1dc5..db5f4a210d39955cb7762092ada5989451acffe2 100644 (file)
@@ -244,7 +244,7 @@ void Stream::stop_inspection(
 
     /* FIXIT-M handle bytes/response parameters */
 
-    DisableInspection();
+    DetectionEngine::disable_all();
     flow->set_state(Flow::FlowState::ALLOW);
 }
 
@@ -630,7 +630,7 @@ bool Stream::blocked_flow(Flow* flow, Packet* p)
             "Blocking %s packet as session was blocked\n",
             p->is_from_server() ?  "server" : "client");
 
-        DisableDetect();
+        DetectionEngine::disable_content();
         Active::drop_packet(p);
         active_response(p, flow);
         return true;
@@ -649,7 +649,7 @@ bool Stream::ignored_flow(Flow* flow, Packet* p)
             "Stream Ignoring packet from %s. Session marked as ignore\n",
             p->is_from_client() ? "sender" : "responder");
 
-        DisableInspection();
+        DetectionEngine::disable_all();
         return true;
     }
 
index 03ebe3cc771c329015eea37f9a02ea6455b12347..7b86e07370081e8c1a224e86ce4781519a407d2d 100644 (file)
@@ -22,6 +22,7 @@
 #endif
 
 #include "detection/detection_defines.h"
+#include "detection/detection_engine.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "hash/sfhashfcn.h"
@@ -151,7 +152,7 @@ int ReassembleOption::eval(Cursor&, Packet* pkt)
         {
             /* Turn off inspection */
             lwssn->ssn_state.ignore_direction |= srod.direction;
-            DisableInspection();
+            DetectionEngine::disable_all();
 
             /* TBD: Set TF_FORCE_FLUSH ? */
         }
index 0bd078496cbc6a9e02b64251a4a75af79ab0583a..95c90e902737276bef9483d8ba4d0b2b576129ef 100644 (file)
@@ -25,6 +25,7 @@
 
 #include "tcp_reassembler.h"
 
+#include "detection/detection_engine.h"
 #include "log/log.h"
 #include "main/snort.h"
 #include "profiler/profiler.h"
index 6541e3ae60d49f2a05215243f65d5814d546826f..cc2b03f66b2112ef23f34572aab4ad0381b6ae84 100644 (file)
@@ -48,6 +48,7 @@
 
 #include "tcp_session.h"
 
+#include "detection/detection_engine.h"
 #include "log/log.h"
 #include "perf_monitor/flow_ip_tracker.h"
 #include "profiler/profiler.h"
@@ -984,7 +985,7 @@ void TcpSession::do_packet_analysis_post_checks(Packet* p)
 
     if (pkt_action_mask & ACTION_DISABLE_INSPECTION)
     {
-        DisableInspection();
+        DetectionEngine::disable_all();
 
         DebugFormat(DEBUG_STREAM_STATE,
             "Stream Ignoring packet from %s. Session marked as ignore\n",