{
p->packet_flags |= PKT_STREAM_UNEST_UNI;
}
+ if ( (ssn_state.session_flags & SSNFLAG_TCP_ONE_SIDED) == SSNFLAG_TCP_ONE_SIDED )
+ {
+ p->packet_flags |= PKT_TCP_ONE_SIDED;
+ }
}
else
{
#define SSNFLAG_PRUNED 0x00002000
#define SSNFLAG_RESET 0x00004000
+#define SSNFLAG_TCP_ONE_SIDED 0x00008000
+
#define SSNFLAG_DROP_CLIENT 0x00010000
#define SSNFLAG_DROP_SERVER 0x00020000
#define STREAM_TCP_SYN_EVENT "stream.tcp_syn"
#define STREAM_TCP_SYN_ACK_EVENT "stream.tcp_syn_ack"
#define STREAM_TCP_MIDSTREAM_EVENT "stream.tcp_midstream"
+#define STREAM_TCP_ESTABLISHED_EVENT "stream.tcp_established"
// A new standby flow was generated by stream high availability
#define STREAM_HA_NEW_FLOW_EVENT "stream.ha.new_flow"
else
{
if ( !p->has_paf_payload() and p->flow->flow_state == Flow::FlowState::INSPECT )
- p->flow->session->process(p);
+ {
+ Flow& flow = *p->flow;
+ flow.session->process(p);
+ }
if ( p->flow->reload_id != reload_id )
{
#define PKT_MORE_TO_FLUSH 0x20000000 // when more data is available to StreamSplitter::scan
#define PKT_FAST_PAT_EVAL 0x40000000 // temporary until IpsOption api updated
-#define PKT_UNUSED_FLAGS 0x80000000
+#define PKT_TCP_ONE_SIDED 0x80000000 // A one-sided TCP session was detected
#define TS_PKT_OFFLOADED 0x01
cleaning = false;
splitter_init = false;
+ initiator_watermark = 0;
pkt_action_mask = ACTION_NOTHING;
ecn = 0;
ingress_index = egress_index = 0;
return true;
}
+bool TcpStateListen::do_post_sm_packet_actions(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
+{
+ trk.session->check_for_one_sided_session(tsd.get_pkt());
+ return true;
+}
+
bool fin_sent(TcpSegmentDescriptor&, TcpStreamTracker&) override;
bool fin_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
bool rst_recv(TcpSegmentDescriptor&, TcpStreamTracker&) override;
+
+ bool do_post_sm_packet_actions(TcpSegmentDescriptor&, TcpStreamTracker&) override;
};
#endif
{
if ( trk.is_ack_valid(tsd.get_ack()) )
{
- Flow* flow = tsd.get_flow();
-
trk.update_tracker_ack_recv(tsd);
trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs());
- flow->set_session_flags(SSNFLAG_ESTABLISHED);
- flow->session_state |= ( STREAM_STATE_ACK | STREAM_STATE_ESTABLISHED );
+ trk.session->set_established(tsd.get_pkt(), STREAM_STATE_ACK);
trk.session->update_perf_base_state(TcpStreamTracker::TCP_ESTABLISHED);
trk.set_tcp_state(TcpStreamTracker::TCP_ESTABLISHED);
if ( tsd.is_data_segment() )
{
if ( !tsd.is_meta_ack_packet() && trk.is_ack_valid(tsd.get_ack()) )
{
- Flow* flow = tsd.get_flow();
-
trk.update_tracker_ack_recv(tsd);
trk.session->set_pkt_action_flag(trk.normalizer.handle_paws(tsd));
tsd.set_packet_flags(PKT_STREAM_TWH);
- flow->set_session_flags(SSNFLAG_ESTABLISHED);
- flow->session_state |= ( STREAM_STATE_ACK | STREAM_STATE_ESTABLISHED );
+ trk.session->set_established(tsd.get_pkt(), STREAM_STATE_ACK);
trk.session->update_perf_base_state(TcpStreamTracker::TCP_ESTABLISHED);
trk.set_tcp_state(TcpStreamTracker::TCP_ESTABLISHED);
trk.session->check_for_window_slam(tsd);
bool TcpStateSynSent::ack_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
{
- Flow* flow = tsd.get_flow();
-
trk.update_tracker_ack_sent(tsd);
- flow->set_session_flags(SSNFLAG_ESTABLISHED);
- flow->session_state |= ( STREAM_STATE_ACK | STREAM_STATE_ESTABLISHED );
+ trk.session->set_established(tsd.get_pkt(), STREAM_STATE_ACK);
trk.session->update_timestamp_tracking(tsd);
trk.session->update_perf_base_state(TcpStreamTracker::TCP_ESTABLISHED);
trk.set_tcp_state(TcpStreamTracker::TCP_ESTABLISHED);
bool TcpStateSynSent::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
{
- Flow* flow = tsd.get_flow();
-
trk.update_tracker_ack_sent(tsd);
- flow->set_session_flags(SSNFLAG_ESTABLISHED);
- flow->session_state |= ( STREAM_STATE_ACK | STREAM_STATE_ESTABLISHED );
+ trk.session->set_established(tsd.get_pkt(), STREAM_STATE_ACK);
trk.session->update_timestamp_tracking(tsd);
trk.session->update_perf_base_state(TcpStreamTracker::TCP_ESTABLISHED);
trk.set_tcp_state(TcpStreamTracker::TCP_ESTABLISHED);
#include "tcp_stream_session.h"
+#include "framework/data_bus.h"
#include "log/messages.h"
#include "stream/tcp/tcp_ha.h"
if ( flow->get_session_flags() & SSNFLAG_SEEN_CLIENT )
{
// should TCP state go to established too?
- flow->session_state |= STREAM_STATE_ESTABLISHED;
- flow->set_session_flags(SSNFLAG_ESTABLISHED);
+ set_established(tsd.get_pkt());
update_perf_base_state(TcpStreamTracker::TCP_ESTABLISHED);
}
}
{
/* Midstream and seen server. */
if ( flow->get_session_flags() & SSNFLAG_SEEN_SERVER )
- {
- flow->session_state |= STREAM_STATE_ESTABLISHED;
- flow->set_session_flags(SSNFLAG_ESTABLISHED);
- }
+ set_established(tsd.get_pkt());
}
if ( !flow->inner_client_ttl && !tsd.is_meta_ack_packet() )
void TcpStreamSession::start_proxy()
{ tcp_config->policy = StreamPolicy::OS_PROXY; }
+void TcpStreamSession::set_established(Packet* p, uint32_t flags)
+{
+ flow->session_state |= STREAM_STATE_ESTABLISHED | flags;
+ if (SSNFLAG_ESTABLISHED != (SSNFLAG_ESTABLISHED & flow->get_session_flags()))
+ {
+ flow->set_session_flags(SSNFLAG_ESTABLISHED);
+ DataBus::publish(STREAM_TCP_ESTABLISHED_EVENT, p);
+ }
+}
+
+void TcpStreamSession::check_for_one_sided_session(Packet* p)
+{
+ Flow& flow = *p->flow;
+ if ( !( (SSNFLAG_ESTABLISHED | SSNFLAG_TCP_ONE_SIDED) & flow.ssn_state.session_flags )
+ && p->is_from_client_originally() )
+ {
+ uint64_t initiator_packets;
+ uint64_t responder_packets;
+ if (flow.flags.client_initiated)
+ {
+ initiator_packets = flow.flowstats.client_pkts;
+ responder_packets = flow.flowstats.server_pkts;
+ }
+ else
+ {
+ initiator_packets = flow.flowstats.server_pkts;
+ responder_packets = flow.flowstats.client_pkts;
+ }
+
+ if ( !responder_packets )
+ {
+ // handle case where traffic is only in one direction, but the sequence numbers
+ // are changing indicating an asynchronous session
+ uint32_t watermark = p->ptrs.tcph->seq() + p->ptrs.tcph->ack();
+ if ( 1 == initiator_packets )
+ initiator_watermark = watermark;
+ else if ( initiator_watermark != watermark )
+ {
+ flow.ssn_state.session_flags |= SSNFLAG_TCP_ONE_SIDED;
+ DataBus::publish(STREAM_TCP_ESTABLISHED_EVENT, p);
+ }
+ }
+ }
+}
+
void set_pkt_action_flag(uint32_t flag)
{ pkt_action_mask |= flag; }
+ void set_established(snort::Packet*, uint32_t flags = 0);
+ void check_for_one_sided_session(snort::Packet*);
+
virtual void update_paws_timestamps(TcpSegmentDescriptor&) = 0;
virtual void check_for_repeated_syn(TcpSegmentDescriptor&) = 0;
virtual void check_for_session_hijack(TcpSegmentDescriptor&) = 0;
bool lws_init = false;
bool tcp_init = false;
uint32_t pkt_action_mask = ACTION_NOTHING;
- uint8_t ecn = 0;
+ uint32_t initiator_watermark = 0;
int32_t ingress_index = DAQ_PKTHDR_UNKNOWN;
- int16_t ingress_group = DAQ_PKTHDR_UNKNOWN;
int32_t egress_index = DAQ_PKTHDR_UNKNOWN;
+ int16_t ingress_group = DAQ_PKTHDR_UNKNOWN;
int16_t egress_group = DAQ_PKTHDR_UNKNOWN;
uint32_t daq_flags = 0;
uint32_t address_space_id = 0;
TcpEventLogger tel;
bool cleaning = false;
uint8_t held_packet_dir = SSN_DIR_NONE;
+ uint8_t ecn = 0;
private:
bool no_ack = false;
if ( good_ack )
{
- Flow* flow = tsd.get_flow();
-
irs = tsd.get_seq();
finish_client_init(tsd);
update_tracker_ack_recv(tsd);
- flow->set_session_flags(SSNFLAG_ESTABLISHED);
- flow->session_state |= ( STREAM_STATE_ACK | STREAM_STATE_ESTABLISHED );
+ session->set_established(tsd.get_pkt(), STREAM_STATE_ACK);
tcp_state = TcpStreamTracker::TCP_ESTABLISHED;
}
projects / thirdparty / snort3.git / commitdiff
