From: Ron Dempster (rdempste)
Date: Fri, 5 Aug 2022 14:37:00 +0000 (-0400)
Subject: reputation: make reputation handle flow setup, reloaded, and packet without flow...
X-Git-Tag: 3.1.40.0~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=032c9786b53a578bfda871887160fc83c0180e2e;p=thirdparty%2Fsnort3.git
reputation: make reputation handle flow setup, reloaded, and packet without flow events
---
diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc
index d41f28b6e..840ec5f60 100644
--- a/src/network_inspectors/reputation/reputation_inspect.cc
+++ b/src/network_inspectors/reputation/reputation_inspect.cc
@@ -37,6 +37,7 @@
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "pub_sub/auxiliary_ip_event.h"
+#include "pub_sub/reputation_events.h"
 #include "utils/util.h"
 #include "reputation_parse.h"
@@ -263,6 +264,7 @@ static IPdecision snort_reputation_aux_ip(const ReputationConfig& config, Reputa
 set_ips_policy(get_default_ips_policy(SnortConfig::get_conf()));
 DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_BLOCKLIST_DST);
+ DataBus::publish(REPUTATION_MATCHED_EVENT, p);
 p->active->drop_packet(p, true);
 // disable all preproc analysis and detection for this packet
@@ -287,6 +289,7 @@ static IPdecision snort_reputation_aux_ip(const ReputationConfig& config, Reputa
 }
 DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_MONITOR_DST);
+ DataBus::publish(REPUTATION_MATCHED_EVENT, p);
 reputationstats.aux_ip_monitored++;
 }
 else if (decision == TRUSTED)
@@ -295,6 +298,7 @@ static IPdecision snort_reputation_aux_ip(const ReputationConfig& config, Reputa
 p->flow->flags.reputation_allowlist = true;
 DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_ALLOWLIST_DST);
+ DataBus::publish(REPUTATION_MATCHED_EVENT, p);
 p->active->trust_session(p, true);
 reputationstats.aux_ip_trusted++;
 }
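Review bot: Each added `DataBus::publish(REPUTATION_MATCHED_EVENT, p)` runs before the verdict is applied (`p->active->drop_packet(p, true)` or `p->active->trust_session(p, true)` follows it), and the event carries only the packet, so a subscriber cannot tell from the event whether the match blocked, monitored or trusted, and anything it reads from `p->active` at that moment reflects the pre-decision state. Either move the publish after the action is applied, or give the event a payload that names the decision — the `decision` value is in scope at every publish site in this function. The same ordering and payload question applies to the three publishes added to snort_reputation in the hunks at @@ -377, @@ -420 and @@ -435. snort_reputation_aux_ip begins and ends outside these hunks, so whether any later code in the function re-reads the verdict cannot be confirmed from here.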
@@ -377,6 +381,7 @@ static void snort_reputation(const ReputationConfig& config, ReputationData& dat
 }
 DetectionEngine::queue_event(GID_REPUTATION, blocklist_event);
+ DataBus::publish(REPUTATION_MATCHED_EVENT, p);
 act->drop_packet(p, true);
 // disable all preproc analysis and detection for this packet
@@ -393,7 +398,7 @@ static void snort_reputation(const ReputationConfig& config, ReputationData& dat
 return;
 }
- else if ( p->flow and p->flow->reload_id > 0 )
+ if ( p->flow and p->flow->reload_id > 0 )
 {
 const auto& aux_ip_list = p->flow->stash->get_aux_ip_list();
 for ( const auto& ip : aux_ip_list )
@@ -408,7 +413,7 @@ static void snort_reputation(const ReputationConfig& config, ReputationData& dat
 return;
 }
- else if (MONITORED_SRC == decision or MONITORED_DST == decision)
+ if (MONITORED_SRC == decision or MONITORED_DST == decision)
 {
 unsigned monitor_event = (MONITORED_SRC == decision) ? REPUTATION_EVENT_MONITOR_SRC : REPUTATION_EVENT_MONITOR_DST;
@@ -420,6 +425,7 @@ static void snort_reputation(const ReputationConfig& config, ReputationData& dat
 }
 DetectionEngine::queue_event(GID_REPUTATION, monitor_event);
+ DataBus::publish(REPUTATION_MATCHED_EVENT, p);
 reputationstats.monitored++;
 }
@@ -435,6 +441,7 @@ static void snort_reputation(const ReputationConfig& config, ReputationData& dat
 }
 DetectionEngine::queue_event(GID_REPUTATION, allowlist_event);
+ DataBus::publish(REPUTATION_MATCHED_EVENT, p);
 act->trust_session(p, true);
 reputationstats.trusted++;
 }
@@ -471,6 +478,36 @@ static const char* to_string(AllowAction aa)
 return "";
 }
+class IpRepHandler : public DataHandler
+{
+public:
+ explicit IpRepHandler(Reputation& inspector)
+ : DataHandler(REPUTATION_NAME), inspector(inspector)
+ { }
+ void handle(DataEvent&, Flow*) override;
+
+private:
+ Reputation& inspector;
+};
+
+void IpRepHandler::handle(DataEvent& event, Flow*)
+{
+ Packet* p = const_cast(event.get_packet());
+ assert(p);
+ if (!p->has_ip())
+ return;
+
+ Profile profile(reputation_perf_stats);
+
+ if (PacketTracer::is_daq_activated())
+ PacketTracer::pt_timer_start();
+
+ ReputationData* data = static_cast(inspector.get_thread_specific_data());
+ assert(data);
+ snort_reputation(inspector.get_config(), *data, p);
+ ++reputationstats.packets;
+}
+
 class AuxiliaryIpRepHandler : public DataHandler
 {
 public:
@@ -559,28 +596,12 @@ void Reputation::show(const SnortConfig*) const
 ConfigLogger::log_value("allowlist", config.allowlist_path.c_str());
 }
-void Reputation::eval(Packet* p)
-{
- Profile profile(reputation_perf_stats);
-
- // precondition - what we registered for
- assert(p->has_ip());
-
- if (p->is_rebuilt())
- return;
-
- if (PacketTracer::is_daq_activated())
- PacketTracer::pt_timer_start();
-
- ReputationData* data = static_cast(get_thread_specific_data());
- assert(data);
- snort_reputation(config, *data, p);
- ++reputationstats.packets;
-}
-
 bool Reputation::configure(SnortConfig*)
 {
+ DataBus::subscribe_network( FLOW_STATE_SETUP_EVENT, new IpRepHandler(*this) );
+ DataBus::subscribe_network( FLOW_STATE_RELOADED_EVENT, new IpRepHandler(*this) );
 DataBus::subscribe_network( AUXILIARY_IP_EVENT, new AuxiliaryIpRepHandler(*this) );
+ DataBus::subscribe_network( PKT_WITHOUT_FLOW_EVENT, new IpRepHandler(*this) );
 return true;
 }
@@ -624,7 +645,7 @@ const InspectApi reputation_api =
 mod_ctor,
 mod_dtor
 },
- IT_FIRST,
+ IT_PASSIVE,
 PROTO_BIT__ANY_IP,
 nullptr, // buffers
 nullptr, // service
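Review bot: `IpRepHandler::handle` guards the packet with `assert(p)` only, which compiles out under NDEBUG, so a null result from `event.get_packet()` would reach `p->has_ip()` in a release build; fold the two checks together as `if (!p or !p->has_ip()) return;`. The removed `Reputation::eval` also returned early on `p->is_rebuilt()`, and that guard is not carried into the handler, so if any of the three subscribed events (FLOW_STATE_SETUP_EVENT, FLOW_STATE_RELOADED_EVENT, PKT_WITHOUT_FLOW_EVENT) can fire for a rebuilt packet, reputation would now evaluate and possibly block or trust it — either restore `if (p->is_rebuilt()) return;` or record in a comment why the event sources make it unnecessary. The class itself has no comment; a one-liner such as `// Runs the reputation lookup on flow setup, flow reload and flow-less packets; replaces the former per-packet eval()` would tell the next reader why eval is now empty.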
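Review bot: The switch from `IT_FIRST` to `IT_PASSIVE` in the reputation_api hunk removes the only place the inspector's position in the inspection chain was expressed, while the new handler still issues `drop_packet` and `trust_session`; the moment at which the verdict is applied is now determined by when the DataBus delivers the flow-setup event rather than by inspector ordering. If other inspectors depend on seeing the reputation verdict before they run (as the previous first-stage placement implied), that dependency is no longer visible anywhere in the code and should be stated in a comment beside the `IT_PASSIVE` entry, e.g. `// passive: blocking is applied from the flow-setup DataBus event, not from eval()`. I cannot confirm the delivery order from this hunk alone.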
diff --git a/src/network_inspectors/reputation/reputation_inspect.h b/src/network_inspectors/reputation/reputation_inspect.h
index 9ba573abc..e8fe8908d 100644
--- a/src/network_inspectors/reputation/reputation_inspect.h
+++ b/src/network_inspectors/reputation/reputation_inspect.h
@@ -46,7 +46,8 @@ public:
 void tterm() override;
 void show(const snort::SnortConfig*) const override;
- void eval(snort::Packet*) override;
+ void eval(snort::Packet*) override
+ { }
 bool configure(snort::SnortConfig*) override;
 void install_reload_handler(snort::SnortConfig*) override;
diff --git a/src/pub_sub/CMakeLists.txt b/src/pub_sub/CMakeLists.txt
index 829d3187f..0d83a7123 100644
--- a/src/pub_sub/CMakeLists.txt
+++ b/src/pub_sub/CMakeLists.txt
@@ -14,6 +14,7 @@ set (PUB_SUB_INCLUDES
 http_request_body_event.h
 netflow_event.h
 opportunistic_tls_event.h
+ reputation_events.h
 rna_events.h
 sip_events.h
 smb_events.h
diff --git a/src/pub_sub/reputation_events.h b/src/pub_sub/reputation_events.h
new file mode 100644
index 000000000..8f2ab9ef5
--- /dev/null
+++ b/src/pub_sub/reputation_events.h
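Review bot: The new inline `{ }` body of `eval` in reputation_inspect.h gives a reader of the header no indication that per-packet work still happens, just elsewhere, which is the kind of no-op override that invites someone to "fix" it later. Add a comment above it such as `// intentionally empty: processing is driven by the DataBus subscriptions made in configure()`.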
@@ -0,0 +1,25 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// reputation_events.h author Ron Dempster
+
+#ifndef REPUTATION_EVENTS_H
+#define REPUTATION_EVENTS_H
+
+#define REPUTATION_MATCHED_EVENT "rep.matched"
+
+#endif
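Review bot: `REPUTATION_MATCHED_EVENT` is defined with no description of its contract, so a subscriber has to read reputation_inspect.cc to learn when it fires and what it carries. Add a comment above the define along the lines of `// Published by the reputation inspector when a packet's source or destination IP matches a configured list (block, monitor or allow); the event carries the packet only.` A dedicated DataEvent subclass carrying the decision would make the header self-describing, but that is a larger change than this commit sets out to make.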