From: Russ Combs (rucombs) Date: Sun, 18 Dec 2022 12:02:27 +0000 (+0000) Subject: Pull request #3689: Pub ID X-Git-Tag: 3.1.50.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03d0b89c0329476cc24bf46c6da359e59d3ca2a9;p=thirdparty%2Fsnort3.git Pull request #3689: Pub ID Merge in SNORT/snort3 from ~RUCOMBS/snort3:pub_id to master Squashed commit of the following: commit 72426605b4c754c0690325e67335d89feec3c78b Author: Russ Combs Date: Mon Dec 12 19:57:46 2022 -0500 pub_sub: refactor includes commit 8f875bb0e45eba5399e4b749025db394daa0fa30 Author: Russ Combs Date: Sat Dec 10 16:57:28 2022 -0500 log_hext: convert to use PubKey commit 05b2273c2db182b1774d64f46f8e6f10829353f0 Author: Russ Combs Date: Sat Dec 10 16:57:11 2022 -0500 file_api: convert to use PubKeys commit 55e2cc8568f9f442b4ece4cf2e63e7ef955c68fb Author: Russ Combs Date: Sat Dec 10 16:56:41 2022 -0500 service_inspectors: convert to use Pubkeys commit b8647d99b13b7bb4a199761f99b7fbbd1ce3648e Author: Russ Combs Date: Sat Dec 10 16:56:22 2022 -0500 network_inspectors: convert to use Pubkeys commit 8a5650828de654a6d42c93d3683ffb15dffef87e Author: Russ Combs Date: Sat Dec 10 16:55:01 2022 -0500 http_inspect, http2_inspect: convert to use PubKeys commit 48f7e79bcab8b7d02a554d38de91e8174e990cd6 Author: Russ Combs Date: Sat Dec 10 16:53:22 2022 -0500 appid: convert to use PubKeys commit e2fa0a001c6cf9332f48e75c2e68a91e6e8a487c Author: Russ Combs Date: Sat Dec 10 16:50:29 2022 -0500 stream: publish events using PubKey commit d5984eba1201a7c36a20f1398a7c18f610ef86a2 Author: Russ Combs Date: Sat Dec 10 16:49:58 2022 -0500 framework: publish intrinsic events using PubKey commit 2ee586558b895b47eb4378b948bb477ea6620d5f Author: Russ Combs Date: Sat Dec 10 16:48:46 2022 -0500 flow: publish events using PubKeys commit 9f79c1a019eba488573c463263806efa0dc70f6b Author: Russ Combs Date: Sat Dec 10 16:46:59 2022 -0500 pub_sub: convert from string keys to PubKeys commit 736d237a71d611e0b7a4f06832e598835bc31b4c Author: Russ Combs Date: Sat Dec 10 16:43:58 2022 -0500 data_bus: require key registration for improved publish performance --- diff --git a/src/file_api/file_lib.cc b/src/file_api/file_lib.cc index 1056d1ece..0d964a4c1 100644 --- a/src/file_api/file_lib.cc +++ b/src/file_api/file_lib.cc @@ -41,6 +41,7 @@ #include "packet_tracer/packet_tracer.h" #include "profiler/profiler.h" #include "protocols/packet.h" +#include "pub_sub/intrinsic_event_ids.h" #include "utils/util.h" #include "utils/util_utf.h" @@ -353,16 +354,16 @@ void FileContext::log_file_event(Flow* flow, FilePolicyBase* policy) { case FILE_VERDICT_LOG: // Log file event through data bus - DataBus::publish("file_event", (const uint8_t*)"LOG", 3, flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FILE_VERDICT, (const uint8_t*)"LOG", 3, flow); break; case FILE_VERDICT_BLOCK: // can't block session inside a session - DataBus::publish("file_event", (const uint8_t*)"BLOCK", 5, flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FILE_VERDICT, (const uint8_t*)"BLOCK", 5, flow); break; case FILE_VERDICT_REJECT: - DataBus::publish("file_event", (const uint8_t*)"RESET", 5, flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FILE_VERDICT, (const uint8_t*)"RESET", 5, flow); break; default: log_needed = false; diff --git a/src/file_api/file_log.cc b/src/file_api/file_log.cc index 47baf60fc..f34d6af84 100644 --- a/src/file_api/file_log.cc +++ b/src/file_api/file_log.cc @@ -25,6 +25,7 @@ #include "framework/module.h" #include "log/messages.h" #include "log/text_log.h" +#include "pub_sub/intrinsic_event_ids.h" #include "time/packet_time.h" #include "utils/util.h" @@ -208,7 +209,7 @@ public: bool configure(SnortConfig*) override { - DataBus::subscribe("file_event", new LogHandler(config)); + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FILE_VERDICT, new LogHandler(config)); return true; } diff --git a/src/flow/expect_cache.cc b/src/flow/expect_cache.cc index 27f820535..f0f3fe3f6 100644 --- a/src/flow/expect_cache.cc +++ b/src/flow/expect_cache.cc @@ -91,7 +91,7 @@ void ExpectFlow::handle_expected_flows(const Packet* p) if (p->flow && packet_expect_flows && !packet_expect_flows->empty()) { ExpectedFlowsEvent event(*packet_expect_flows, *p); - DataBus::publish(EXPECT_EVENT_TYPE_HANDLE_FLOWS, event); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::EXPECT_HANDLE_FLOWS, event); } } @@ -448,7 +448,7 @@ int ExpectCache::add_flow(const Packet *ctrlPkt, PktType type, IpProtocol ip_pro packet_expect_flows->emplace_back(last); ExpectEvent event(ctrlPkt, last, fd); - DataBus::publish(EXPECT_EVENT_TYPE_EARLY_SESSION_CREATE_KEY, event, ctrlPkt->flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::EXPECT_EARLY_SESSION, event, ctrlPkt->flow); } return 0; } diff --git a/src/flow/flow.cc b/src/flow/flow.cc index 202770d80..33871e18a 100644 --- a/src/flow/flow.cc +++ b/src/flow/flow.cc @@ -35,6 +35,7 @@ #include "memory/memory_cap.h" #include "protocols/packet.h" #include "protocols/tcp.h" +#include "pub_sub/intrinsic_event_ids.h" #include "sfip/sf_ip.h" #include "utils/stats.h" #include "utils/util.h" @@ -603,7 +604,7 @@ bool Flow::is_direction_aborted(bool from_client) const void Flow::set_service(Packet* pkt, const char* new_service) { service = new_service; - DataBus::publish(FLOW_SERVICE_CHANGE_EVENT, pkt); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_SERVICE_CHANGE, pkt); } void Flow::swap_roles() diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index 38bc6c577..294545039 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc @@ -33,6 +33,7 @@ #include "protocols/tcp.h" #include "protocols/udp.h" #include "protocols/vlan.h" +#include "pub_sub/intrinsic_event_ids.h" #include "pub_sub/packet_events.h" #include "stream/stream.h" #include "utils/util.h" @@ -457,13 +458,13 @@ unsigned FlowControl::process(Flow* flow, Packet* p) if (p->is_retry()) { RetryPacketEvent retry_event(p); - DataBus::publish(PKT_RETRY_EVENT, retry_event); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::RETRY_PACKET, retry_event); flow->flags.retry_queued = false; } else if ( flow->flags.retry_queued and ( !p->is_cooked() or p->is_defrag() ) ) { RetryPacketEvent retry_event(p); - DataBus::publish(PKT_RETRY_EVENT, retry_event); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::RETRY_PACKET, retry_event); if ( !retry_event.is_still_pending() ) flow->flags.retry_queued = false; } @@ -482,7 +483,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p) update_stats(flow, p); flow->set_client_initiate(p); - DataBus::publish(FLOW_STATE_SETUP_EVENT, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_STATE_SETUP, p); if ( flow->flow_state == Flow::FlowState::SETUP || (flow->flow_state == Flow::FlowState::INSPECT && diff --git a/src/flow/flow_stash.cc b/src/flow/flow_stash.cc index bc98b7dc2..44c2c793e 100644 --- a/src/flow/flow_stash.cc +++ b/src/flow/flow_stash.cc @@ -61,32 +61,37 @@ bool FlowStash::get(const string& key, string& val) return get(key, val, STASH_ITEM_TYPE_STRING); } -bool FlowStash::get(const std::string& key, StashGenericObject* &val) +bool FlowStash::get(const string& key, StashGenericObject* &val) { return get(key, val, STASH_ITEM_TYPE_GENERIC_OBJECT); } -void FlowStash::store(const string& key, int32_t val) +void FlowStash::store(const string& key, int32_t val, unsigned pubid, unsigned evid) { - store(key, val, STASH_ITEM_TYPE_INT32); + store(key, val, STASH_ITEM_TYPE_INT32, pubid, evid); } -void FlowStash::store(const string& key, uint32_t val) +void FlowStash::store(const string& key, uint32_t val, unsigned pubid, unsigned evid) { - store(key, val, STASH_ITEM_TYPE_UINT32); + store(key, val, STASH_ITEM_TYPE_UINT32, pubid, evid); } -void FlowStash::store(const string& key, const string& val) +void FlowStash::store(const string& key, const string& val, unsigned pubid, unsigned evid) { - store(key, val, STASH_ITEM_TYPE_STRING); + store(key, val, STASH_ITEM_TYPE_STRING, pubid, evid); } -void FlowStash::store(const std::string& key, StashGenericObject* val, bool publish) +void FlowStash::store(const string& key, string* val, unsigned pubid, unsigned evid) { - store(key, val, STASH_ITEM_TYPE_GENERIC_OBJECT, publish); + store(key, val, STASH_ITEM_TYPE_STRING, pubid, evid); } -void FlowStash::store(const string& key, StashGenericObject* &val, StashItemType type, bool publish) +void FlowStash::store(const string& key, StashGenericObject* val, unsigned pubid, unsigned evid) +{ + store(key, val, STASH_ITEM_TYPE_GENERIC_OBJECT, pubid, evid); +} + +void FlowStash::store(const string& key, StashGenericObject* &val, StashItemType type, unsigned pubid, unsigned evid) { #ifdef NDEBUG UNUSED(type); @@ -104,18 +109,13 @@ void FlowStash::store(const string& key, StashGenericObject* &val, StashItemType it_and_status.first->second = item; } - if (publish) + if (DataBus::valid(pubid)) { StashEvent e(item); - DataBus::publish(key.c_str(), e); + DataBus::publish(pubid, evid, e); } } -void FlowStash::store(const std::string& key, std::string* val) -{ - store(key, val, STASH_ITEM_TYPE_STRING); -} - template bool FlowStash::get(const string& key, T& val, StashItemType type) { @@ -134,7 +134,7 @@ bool FlowStash::get(const string& key, T& val, StashItemType type) } template -void FlowStash::store(const string& key, T& val, StashItemType type) +void FlowStash::store(const string& key, T& val, StashItemType type, unsigned pubid, unsigned evid) { #ifdef NDEBUG UNUSED(type); @@ -150,7 +150,7 @@ void FlowStash::store(const string& key, T& val, StashItemType type) } StashEvent e(item); - DataBus::publish(key.c_str(), e); + DataBus::publish(pubid, evid, e); } bool FlowStash::store(const SfIp& ip, const SnortConfig* sc) @@ -174,6 +174,6 @@ bool FlowStash::store(const SfIp& ip, const SnortConfig* sc) } AuxiliaryIpEvent event(ip); - DataBus::publish(AUXILIARY_IP_EVENT, event); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::AUXILIARY_IP, event); return true; } diff --git a/src/flow/flow_stash.h b/src/flow/flow_stash.h index 6094c691b..791d70fed 100644 --- a/src/flow/flow_stash.h +++ b/src/flow/flow_stash.h @@ -40,15 +40,17 @@ class SO_PUBLIC FlowStash public: ~FlowStash(); void reset(); + bool get(const std::string& key, int32_t& val); bool get(const std::string& key, uint32_t& val); bool get(const std::string& key, std::string& val); bool get(const std::string& key, StashGenericObject* &val); - void store(const std::string& key, int32_t val); - void store(const std::string& key, uint32_t val); - void store(const std::string& key, const std::string& val); - void store(const std::string& key, std::string* val); - void store(const std::string& key, StashGenericObject* val, bool publish = true); + + void store(const std::string& key, int32_t val, unsigned pubid = 0, unsigned evid = 0); + void store(const std::string& key, uint32_t val, unsigned pubid = 0, unsigned evid = 0); + void store(const std::string& key, const std::string& val, unsigned pubid = 0, unsigned evid = 0); + void store(const std::string& key, std::string* val, unsigned pubid = 0, unsigned evid = 0); + void store(const std::string& key, StashGenericObject* val, unsigned pubid = 0, unsigned evid = 0); bool store(const snort::SfIp&, const SnortConfig* sc = nullptr); @@ -62,9 +64,8 @@ private: template bool get(const std::string& key, T& val, StashItemType type); template - void store(const std::string& key, T& val, StashItemType type); - void store(const std::string& key, StashGenericObject* &val, StashItemType type, - bool publish = true); + void store(const std::string& key, T& val, StashItemType type, unsigned = 0, unsigned = 0); + void store(const std::string& key, StashGenericObject* &val, StashItemType type, unsigned, unsigned); }; } diff --git a/src/flow/test/flow_cache_test.cc b/src/flow/test/flow_cache_test.cc index 27ac992fa..ed4443443 100644 --- a/src/flow/test/flow_cache_test.cc +++ b/src/flow/test/flow_cache_test.cc @@ -27,6 +27,10 @@ #include "flow/flow_control.h" #include "detection/detection_engine.h" +#include "flow/expect_cache.h" +#include "flow/flow_cache.h" +#include "flow/ha.h" +#include "flow/session.h" #include "main/policy.h" #include "main/snort_config.h" #include "managers/inspector_manager.h" @@ -39,10 +43,6 @@ #include "protocols/vlan.h" #include "stream/stream.h" #include "utils/util.h" -#include "flow/expect_cache.h" -#include "flow/flow_cache.h" -#include "flow/ha.h" -#include "flow/session.h" #include "trace/trace_api.h" #include @@ -83,9 +83,9 @@ void Flow::term() { } void Flow::flush(bool) { } void Flow::reset(bool) { } void Flow::free_flow_data() { } -void DataBus::publish(const char*, DataEvent&, Flow*) { } -void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) { } -void DataBus::publish(const char*, Packet*, Flow*) { } +void DataBus::publish(unsigned, unsigned, DataEvent&, Flow*) { } +void DataBus::publish(unsigned, unsigned, const uint8_t*, unsigned, Flow*) { } +void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { } const SnortConfig* SnortConfig::get_conf() { return nullptr; } void Flow::set_client_initiate(Packet*) { } void Flow::set_direction(Packet*) { } diff --git a/src/flow/test/flow_control_test.cc b/src/flow/test/flow_control_test.cc index d021bab34..05dcea2dd 100644 --- a/src/flow/test/flow_control_test.cc +++ b/src/flow/test/flow_control_test.cc @@ -85,9 +85,9 @@ size_t FlowCache::uni_flows_size() const { return 0; } size_t FlowCache::uni_ip_flows_size() const { return 0; } size_t FlowCache::flows_size() const { return 0; } void Flow::init(PktType) { } -void DataBus::publish(const char*, DataEvent&, Flow*) { } -void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) { } -void DataBus::publish(const char*, Packet*, Flow*) { } +void DataBus::publish(unsigned, unsigned, DataEvent&, Flow*) { } +void DataBus::publish(unsigned, unsigned, const uint8_t*, unsigned, Flow*) { } +void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { } const SnortConfig* SnortConfig::get_conf() { return nullptr; } void FlowCache::unlink_uni(Flow*) { } void Flow::set_client_initiate(Packet*) { } diff --git a/src/flow/test/flow_stash_test.cc b/src/flow/test/flow_stash_test.cc index 9b7c64a42..934d6ffe2 100644 --- a/src/flow/test/flow_stash_test.cc +++ b/src/flow/test/flow_stash_test.cc @@ -34,8 +34,6 @@ using namespace snort; using namespace std; -static DataBus* DB = nullptr; - template class DBConsumer : public DataHandler { @@ -43,9 +41,6 @@ public: static const char* STASH_EVENT; - // event we'll be listening to on the DataBus: - // static constexpr char STASH_EVENT[] = "foo.stash.event"; - DBConsumer(const char* mod_name) : DataHandler(mod_name) {} void handle(DataEvent& e, Flow*) override @@ -69,59 +64,16 @@ private: template const char* DBConsumer::STASH_EVENT = "foo.stash.event"; +static DataHandler* s_handler = nullptr; +void DataBus::subscribe(const PubKey&, unsigned, snort::DataHandler* h) +{ s_handler = h; } -// DataBus mock: most functions are stubs, but _subscribe() and _publish() -// are (close to) real. -DataBus::DataBus() = default; - -DataBus::~DataBus() -{ - for ( auto& p : map ) - for ( auto* h : p.second ) - delete h; -} - -void DataBus::clone(DataBus&, const char*) {} -void DataBus::subscribe(const char* key, DataHandler* h) -{ - DB->_subscribe(key, h); -} -void DataBus::subscribe_network(const char* key, DataHandler* h) -{ - DB->_subscribe(key, h); -} - -void DataBus::unsubscribe(const char*, DataHandler*) {} -void DataBus::unsubscribe_network(const char*, DataHandler*) {} - -void DataBus::publish(const char* key, DataEvent& e, Flow* f) -{ - DB->_publish(key, e, f); -} - -void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) {} -void DataBus::publish(const char*, Packet*, Flow*) {} - -void DataBus::_subscribe(const char* key, DataHandler* h) -{ - DataList& v = map[key]; - v.emplace_back(h); -} - -void DataBus::_unsubscribe(const char*, DataHandler*) {} - -void DataBus::_publish(const char* key, DataEvent& e, Flow* f) const +void DataBus::publish(unsigned, unsigned evid, snort::DataEvent& e, snort::Flow* f) { - auto v = map.find(key); - - if ( v != map.end() ) - { - for ( auto* h : v->second ) - h->handle(e, f); - } + if ( s_handler and evid ) + s_handler->handle(e, f); } -// end DataBus mock. static SnortConfig snort_conf; @@ -142,55 +94,44 @@ char* snort_strdup(const char* str) } TEST_GROUP(stash_tests) -{ - void setup() override - { - DB = new DataBus(); - } - - void teardown() override - { - delete DB; - } -}; +{ }; // DataBus tests TEST(stash_tests, data_bus_publish_test) { typedef int32_t value_t; - // DB deletes the subscribers so make c a pointer, not a local object. - DBConsumer* c = new DBConsumer("foo"); - DataBus::subscribe(DBConsumer::STASH_EVENT, c); + DBConsumer c("foo"); + PubKey pub_key { }; + + DataBus::subscribe(pub_key, 0, &c); FlowStash stash; value_t vin, vout; // stash/publish 10 vin = 10; - stash.store(DBConsumer::STASH_EVENT, vin); - vout = c->get_value(); + stash.store(DBConsumer::STASH_EVENT, vin, 1, 1); + vout = c.get_value(); CHECK_EQUAL(vin, vout); // stash/publish 20, with the same key as before vin = 20; - stash.store(DBConsumer::STASH_EVENT, vin); - vout = c->get_value(); + stash.store(DBConsumer::STASH_EVENT, vin, 1, 1); + vout = c.get_value(); CHECK_EQUAL(vin, vout); // do we get some event that we're not listening to? - value_t before = c->get_value(); + value_t before = c.get_value(); stash.store("bar.stash.event", 30); - value_t after = c->get_value(); + value_t after = c.get_value(); CHECK_EQUAL(before, after); // do we still get our own STASH_EVENT from the stash, at a later time? - vout = c->get_from_stash(stash); + vout = c.get_from_stash(stash); CHECK_EQUAL(vin, vout); - } - // Stash tests TEST(stash_tests, new_int32_item) { @@ -387,5 +328,7 @@ TEST(stash_tests, store_ip) int main(int argc, char** argv) { + MemoryLeakWarningPlugin::turnOffNewDeleteOverloads(); return CommandLineTestRunner::RunAllTests(argc, argv); } + diff --git a/src/flow/test/flow_test.cc b/src/flow/test/flow_test.cc index 72a84aab0..946f8f654 100644 --- a/src/flow/test/flow_test.cc +++ b/src/flow/test/flow_test.cc @@ -93,7 +93,7 @@ uint8_t ip::IpApi::ttl() const { return 0; } const Layer* layer::get_mpls_layer(const Packet* const) { return nullptr; } -void DataBus::publish(const char*, Packet*, Flow*) {} +void DataBus::publish(unsigned, unsigned, Packet*, Flow*) {} const SnortConfig* SnortConfig::get_conf() { return nullptr; } diff --git a/src/framework/data_bus.cc b/src/framework/data_bus.cc index 03bb9c749..f40096c42 100644 --- a/src/framework/data_bus.cc +++ b/src/framework/data_bus.cc @@ -21,18 +21,25 @@ #include "config.h" #endif -#include - #include "data_bus.h" +#include +#include + #include "main/policy.h" #include "main/snort_config.h" #include "protocols/packet.h" +#include "pub_sub/intrinsic_event_ids.h" +#include "utils/stats.h" using namespace snort; +static std::unordered_map pub_ids; +static unsigned next_event = 1; + static DataBus& get_data_bus() { return get_inspection_policy()->dbus; } + static DataBus& get_network_data_bus() { return get_network_policy()->dbus; } @@ -65,14 +72,15 @@ private: //-------------------------------------------------------------------------- // public methods -//-------------------------------------------------------------------------- +//------------------------------------------------------------------------- DataBus::DataBus() = default; DataBus::~DataBus() { - for ( auto& p : map ) - for ( auto* h : p.second ) + for ( auto& p : pub_sub ) + { + for ( auto* h : p ) { // If the object is cloned, pass the ownership to the next config. // When the object is no further cloned (e.g., the last config), delete it. @@ -81,77 +89,101 @@ DataBus::~DataBus() else delete h; } + } +} + +unsigned DataBus::init() +{ + unsigned id = get_id(intrinsic_pub_key); + assert(id == 1); + return id; } void DataBus::clone(DataBus& from, const char* exclude_name) { - for ( auto& p : from.map ) - for ( auto* h : p.second ) - if ( nullptr == exclude_name || 0 != strcmp(exclude_name, h->module_name) ) + for ( unsigned i = 0; i < from.pub_sub.size(); ++i ) + { + for ( auto* h : from.pub_sub[i] ) + { + if ( !exclude_name || strcmp(exclude_name, h->module_name) ) { h->cloned = true; - _subscribe(p.first.c_str(), h); + _subscribe(i, 0, h); } + } + } +} + +unsigned DataBus::get_id(const PubKey& key) +{ + auto it = pub_ids.find(key.publisher); + + if ( it == pub_ids.end() ) + { + pub_ids[key.publisher] = next_event; + next_event += key.num_events; + } + return pub_ids[key.publisher]; } // add handler to list of handlers to be notified upon // publication of given event -void DataBus::subscribe(const char* key, DataHandler* h) +void DataBus::subscribe(const PubKey& key, unsigned eid, DataHandler* h) { - get_data_bus()._subscribe(key, h); + get_data_bus()._subscribe(key, eid, h); } // for subscribers that need to receive events regardless of active inspection policy -void DataBus::subscribe_network(const char* key, DataHandler* h) +void DataBus::subscribe_network(const PubKey& key, unsigned eid, DataHandler* h) { - get_network_data_bus()._subscribe(key, h); + get_network_data_bus()._subscribe(key, eid, h); } // for subscribers that need to receive events regardless of active inspection policy -void DataBus::subscribe_global(const char* key, DataHandler* h, SnortConfig& sc) +void DataBus::subscribe_global(const PubKey& key, unsigned eid, DataHandler* h, SnortConfig& sc) { - sc.global_dbus->_subscribe(key, h); + sc.global_dbus->_subscribe(key, eid, h); } -void DataBus::unsubscribe(const char* key, DataHandler* h) +void DataBus::unsubscribe(const PubKey& key, unsigned eid, DataHandler* h) { - get_data_bus()._unsubscribe(key, h); + get_data_bus()._unsubscribe(key, eid, h); } -void DataBus::unsubscribe_network(const char* key, DataHandler* h) +void DataBus::unsubscribe_network(const PubKey& key, unsigned eid, DataHandler* h) { - get_network_data_bus()._unsubscribe(key, h); + get_network_data_bus()._unsubscribe(key, eid, h); } -void DataBus::unsubscribe_global(const char* key, DataHandler* h, SnortConfig& sc) +void DataBus::unsubscribe_global(const PubKey& key, unsigned eid, DataHandler* h, SnortConfig& sc) { - sc.global_dbus->_unsubscribe(key, h); + sc.global_dbus->_unsubscribe(key, eid, h); } // notify subscribers of event -void DataBus::publish(const char* key, DataEvent& e, Flow* f) +void DataBus::publish(unsigned pid, unsigned eid, DataEvent& e, Flow* f) { - SnortConfig::get_conf()->global_dbus->_publish(key, e, f); + SnortConfig::get_conf()->global_dbus->_publish(pid, eid, e, f); NetworkPolicy* ni = get_network_policy(); - ni->dbus._publish(key, e, f); + ni->dbus._publish(pid, eid, e, f); InspectionPolicy* pi = get_inspection_policy(); - pi->dbus._publish(key, e, f); + pi->dbus._publish(pid, eid, e, f); } -void DataBus::publish(const char* key, const uint8_t* buf, unsigned len, Flow* f) +void DataBus::publish(unsigned pid, unsigned eid, const uint8_t* buf, unsigned len, Flow* f) { BufferEvent e(buf, len); - publish(key, e, f); + publish(pid, eid, e, f); } -void DataBus::publish(const char* key, Packet* p, Flow* f) +void DataBus::publish(unsigned pid, unsigned eid, Packet* p, Flow* f) { PacketEvent e(p); if ( p && !f ) f = p->flow; - publish(key, e, f); + publish(pid, eid, e, f); } //-------------------------------------------------------------------------- @@ -169,34 +201,55 @@ static bool compare(DataHandler* a, DataHandler* b) return false; } -void DataBus::_subscribe(const char* key, DataHandler* h) +void DataBus::_subscribe(unsigned pid, unsigned eid, DataHandler* h) { - DataList& v = map[key]; - v.emplace_back(h); - std::sort(v.begin(), v.end(), compare); -} + unsigned idx = pid + eid; + assert(idx < next_event); -void DataBus::_unsubscribe(const char* key, DataHandler* h) -{ - DataList& v = map[key]; + if ( next_event > pub_sub.size() ) + pub_sub.resize(next_event); - for ( unsigned i = 0; i < v.size(); i++ ) - if ( v[i] == h ) - v.erase(v.begin() + i--); + SubList& subs = pub_sub[idx]; + subs.emplace_back(h); - if ( v.empty() ) - map.erase(key); + std::sort(subs.begin(), subs.end(), compare); } -// notify subscribers of event -void DataBus::_publish(const char* key, DataEvent& e, Flow* f) const +void DataBus::_subscribe(const PubKey& key, unsigned eid, DataHandler* h) +{ + unsigned pid = get_id(key); + _subscribe(pid, eid, h); +} + +void DataBus::_unsubscribe(const PubKey& key, unsigned eid, DataHandler* h) { - auto v = map.find(key); + unsigned pid = get_id(key); + unsigned idx = pid + eid; + assert(idx < pub_sub.size()); - if ( v != map.end() ) + SubList& subs = pub_sub[idx]; + + for ( unsigned i = 0; i < subs.size(); i++ ) { - for ( auto* h : v->second ) - h->handle(e, f); + if ( subs[i] == h ) + { + subs.erase(subs.begin() + i--); + break; + } } } +void DataBus::_publish(unsigned pid, unsigned eid, DataEvent& e, Flow* f) const +{ + unsigned idx = pid + eid; + + // not all instances are full size + if ( idx >= pub_sub.size() ) + return; + + const SubList& subs = pub_sub[idx]; + + for ( auto* h : subs ) + h->handle(e, f); +} + diff --git a/src/framework/data_bus.h b/src/framework/data_bus.h index b53a0d14a..2478a020f 100644 --- a/src/framework/data_bus.h +++ b/src/framework/data_bus.h @@ -40,6 +40,12 @@ class Flow; struct Packet; struct SnortConfig; +struct PubKey +{ + const char* publisher; + unsigned num_events; +}; + class DataEvent { public: @@ -86,10 +92,6 @@ protected: DataHandler(const char* mod_name) : module_name(mod_name), cloned(false) { } }; -// FIXIT-P evaluate perf; focus is on correctness -typedef std::vector DataList; -typedef std::unordered_map DataMap; - class SO_PUBLIC DataBus { public: @@ -97,80 +99,43 @@ public: ~DataBus(); // configure time methods - main thread only + static unsigned init(); void clone(DataBus& from, const char* exclude_name = nullptr); + // publishers must register their key and use given id to publish + static unsigned get_id(const PubKey&); + + static bool valid(unsigned pub_id) + { return pub_id != 0; } + // FIXIT-L ideally these would not be static or would take an inspection policy* - static void subscribe(const char* key, DataHandler*); - static void subscribe_network(const char* key, DataHandler*); - static void subscribe_global(const char* key, DataHandler*, SnortConfig&); + static void subscribe(const PubKey&, unsigned id, DataHandler*); + static void subscribe_network(const PubKey&, unsigned id, DataHandler*); + static void subscribe_global(const PubKey&, unsigned id, DataHandler*, SnortConfig&); // FIXIT-L these should be called during cleanup - static void unsubscribe(const char* key, DataHandler*); - static void unsubscribe_network(const char* key, DataHandler*); - static void unsubscribe_global(const char* key, DataHandler*, SnortConfig&); + static void unsubscribe(const PubKey&, unsigned id, DataHandler*); + static void unsubscribe_network(const PubKey&, unsigned id, DataHandler*); + static void unsubscribe_global(const PubKey&, unsigned id, DataHandler*, SnortConfig&); // runtime methods - static void publish(const char* key, DataEvent&, Flow* = nullptr); + static void publish(unsigned pub_id, unsigned evt_id, DataEvent&, Flow* = nullptr); // convenience methods - static void publish(const char* key, const uint8_t*, unsigned, Flow* = nullptr); - static void publish(const char* key, Packet*, Flow* = nullptr); + static void publish(unsigned pub_id, unsigned evt_id, const uint8_t*, unsigned, Flow* = nullptr); + static void publish(unsigned pub_id, unsigned evt_id, Packet*, Flow* = nullptr); private: - void _subscribe(const char* key, DataHandler*); - void _unsubscribe(const char* key, DataHandler*); - void _publish(const char* key, DataEvent&, Flow*) const; + void _subscribe(unsigned pub_id, unsigned evt_id, DataHandler*); + void _subscribe(const PubKey&, unsigned evt_id, DataHandler*); + void _unsubscribe(const PubKey&, unsigned evt_id, DataHandler*); + void _publish(unsigned pub_id, unsigned evt_id, DataEvent&, Flow*) const; private: - DataMap map; + typedef std::vector SubList; + std::vector pub_sub; }; } -// -// Common core functionality data events -// - -#define PACKET_EVENT "detection.packet" -#define FLOW_STATE_EVENT "flow.state_change" -#define THREAD_IDLE_EVENT "thread.idle" -#define THREAD_ROTATE_EVENT "thread.rotate" - -// A packet is being detained. -#define DETAINED_PACKET_EVENT "analyzer.detained.packet" - -// A flow changed its service -#define FLOW_SERVICE_CHANGE_EVENT "flow.service_change_event" -// A flow has found the service inspector -#define SERVICE_INSPECTOR_CHANGE_EVENT "flow.service_inspector.changed" -// No service has been found for the flow -#define FLOW_NO_SERVICE_EVENT "flow.no_service_event" -// search of SSL is abandoned on this flow -#define SSL_SEARCH_ABANDONED "flow.ssl_search_abandoned" - -// A flow has entered the setup state -#define FLOW_STATE_SETUP_EVENT "flow.state_setup" - -// The policy has changed for the flow -#define FLOW_STATE_RELOADED_EVENT "flow.reloaded" - -// A new flow is created on this packet -#define STREAM_ICMP_NEW_FLOW_EVENT "stream.icmp_new_flow" -#define STREAM_IP_NEW_FLOW_EVENT "stream.ip_new_flow" -#define STREAM_UDP_NEW_FLOW_EVENT "stream.udp_new_flow" - -// A flow has been determined to be bidirectional -#define STREAM_ICMP_BIDIRECTIONAL_EVENT "stream.icmp_bidirectional" -#define STREAM_IP_BIDIRECTIONAL_EVENT "stream.ip.bidirectional" -#define STREAM_UDP_BIDIRECTIONAL_EVENT "stream.udp.bidirectional" - -// A TCP flow has the flag; a midstream flow may not publish other events -#define STREAM_TCP_SYN_EVENT "stream.tcp_syn" -#define STREAM_TCP_SYN_ACK_EVENT "stream.tcp_syn_ack" -#define STREAM_TCP_MIDSTREAM_EVENT "stream.tcp_midstream" -#define STREAM_TCP_ESTABLISHED_EVENT "stream.tcp_established" - -// A new standby flow was generated by stream high availability -#define STREAM_HA_NEW_FLOW_EVENT "stream.ha.new_flow" - #endif diff --git a/src/framework/test/data_bus_test.cc b/src/framework/test/data_bus_test.cc index cd409cef3..78e7f3b55 100644 --- a/src/framework/test/data_bus_test.cc +++ b/src/framework/test/data_bus_test.cc @@ -23,7 +23,8 @@ #include "framework/data_bus.h" #include "main/snort_config.h" - +#include "main/thread.h" +#include "utils/stats.h" #include #include @@ -40,22 +41,16 @@ NetworkPolicy::NetworkPolicy(unsigned int, unsigned int) {} NetworkPolicy::~NetworkPolicy() = default; namespace snort { -SnortConfig::SnortConfig(snort::SnortConfig const*, const char*) -{ global_dbus = new DataBus(); } + +static SnortConfig s_conf; + +THREAD_LOCAL SnortConfig* snort_conf = &s_conf; const SnortConfig* SnortConfig::get_conf() -{ - const SnortConfig* snort_conf = - (const SnortConfig*)mock().getData("snort_conf").getObjectPointer(); - return snort_conf; -} +{ return snort_conf; } -SnortConfig* SnortConfig::get_main_conf() -{ - SnortConfig* snort_conf = - (SnortConfig*)mock().getData("snort_conf").getObjectPointer(); - return snort_conf; -} +SnortConfig::SnortConfig(const SnortConfig* const, const char*) +{ global_dbus = new DataBus(); } SnortConfig::~SnortConfig() { delete global_dbus; } @@ -74,6 +69,7 @@ InspectionPolicy* get_inspection_policy() return my_inspection_policy; } +THREAD_LOCAL PacketCount pc; } //-------------------------------------------------------------------------- @@ -110,23 +106,29 @@ void UTestHandler::handle(DataEvent& event, Flow*) seq = ++s_next; } -#define DB_UTEST_EVENT "unit.test.event" +struct DbUtIds { enum : unsigned { EVENT, num_ids }; }; + +const PubKey pub_key { "db_ut", DbUtIds::num_ids }; //-------------------------------------------------------------------------- // data bus unit tests //-------------------------------------------------------------------------- +static constexpr unsigned event_id = 1; + TEST_GROUP(data_bus) { - SnortConfig snort_conf; InspectionPolicy my_inspection_policy; NetworkPolicy my_network_policy; + unsigned pub_id = 0; // cppcheck-suppress variableScope void setup() override { - mock().setDataObject("snort_conf", "SnortConfig", &snort_conf); mock().setDataObject("my_network_policy", "NetworkPolicy", &my_network_policy); mock().setDataObject("my_inspection_policy", "InspectionPolicy", &my_inspection_policy); + + pub_id = DataBus::get_id(pub_key); + CHECK_TRUE(DataBus::valid(pub_id)); } void teardown() override @@ -138,40 +140,40 @@ TEST_GROUP(data_bus) TEST(data_bus, subscribe_global) { UTestHandler h; - DataBus::subscribe_global(DB_UTEST_EVENT, &h, snort_conf); + DataBus::subscribe_global(pub_key, DbUtIds::EVENT, &h, *snort_conf); UTestEvent event(100); - DataBus::publish(DB_UTEST_EVENT, event); + DataBus::publish(pub_id, DbUtIds::EVENT, event); CHECK(100 == h.evt_msg); UTestEvent event1(200); - DataBus::publish(DB_UTEST_EVENT, event1); + DataBus::publish(pub_id, DbUtIds::EVENT, event1); CHECK(200 == h.evt_msg); - DataBus::unsubscribe_global(DB_UTEST_EVENT, &h, snort_conf); + DataBus::unsubscribe_global(pub_key, DbUtIds::EVENT, &h, *snort_conf); UTestEvent event2(300); - DataBus::publish(DB_UTEST_EVENT, event2); + DataBus::publish(pub_id, DbUtIds::EVENT, event2); CHECK(200 == h.evt_msg); // unsubscribed! } TEST(data_bus, subscribe_network) { UTestHandler* h = new UTestHandler(); - DataBus::subscribe_network(DB_UTEST_EVENT, h); + DataBus::subscribe_network(pub_key, DbUtIds::EVENT, h); UTestEvent event(100); - DataBus::publish(DB_UTEST_EVENT, event); + DataBus::publish(pub_id, DbUtIds::EVENT, event); CHECK(100 == h->evt_msg); UTestEvent event1(200); - DataBus::publish(DB_UTEST_EVENT, event1); + DataBus::publish(pub_id, DbUtIds::EVENT, event1); CHECK(200 == h->evt_msg); - DataBus::unsubscribe_network(DB_UTEST_EVENT, h); + DataBus::unsubscribe_network(pub_key, DbUtIds::EVENT, h); UTestEvent event2(300); - DataBus::publish(DB_UTEST_EVENT, event2); + DataBus::publish(pub_id, DbUtIds::EVENT, event2); CHECK(200 == h->evt_msg); // unsubscribed! delete h; @@ -180,20 +182,20 @@ TEST(data_bus, subscribe_network) TEST(data_bus, subscribe) { UTestHandler* h = new UTestHandler(); - DataBus::subscribe(DB_UTEST_EVENT, h); + DataBus::subscribe(pub_key, DbUtIds::EVENT, h); UTestEvent event(100); - DataBus::publish(DB_UTEST_EVENT, event); + DataBus::publish(pub_id, DbUtIds::EVENT, event); CHECK(100 == h->evt_msg); UTestEvent event1(200); - DataBus::publish(DB_UTEST_EVENT, event1); + DataBus::publish(pub_id, DbUtIds::EVENT, event1); CHECK(200 == h->evt_msg); - DataBus::unsubscribe(DB_UTEST_EVENT, h); + DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h); UTestEvent event2(300); - DataBus::publish(DB_UTEST_EVENT, event2); + DataBus::publish(pub_id, DbUtIds::EVENT, event2); CHECK(200 == h->evt_msg); // unsubscribed! delete h; @@ -202,25 +204,25 @@ TEST(data_bus, subscribe) TEST(data_bus, order1) { UTestHandler* h0 = new UTestHandler(); - DataBus::subscribe(DB_UTEST_EVENT, h0); + DataBus::subscribe(pub_key, DbUtIds::EVENT, h0); UTestHandler* h1 = new UTestHandler(1); - DataBus::subscribe(DB_UTEST_EVENT, h1); + DataBus::subscribe(pub_key, DbUtIds::EVENT, h1); UTestHandler* h9 = new UTestHandler(9); - DataBus::subscribe(DB_UTEST_EVENT, h9); + DataBus::subscribe(pub_key, DbUtIds::EVENT, h9); s_next = 0; UTestEvent event(100); - DataBus::publish(DB_UTEST_EVENT, event); + DataBus::publish(pub_id, DbUtIds::EVENT, event); CHECK(1 == h1->seq); CHECK(2 == h9->seq); CHECK(3 == h0->seq); - DataBus::unsubscribe(DB_UTEST_EVENT, h0); - DataBus::unsubscribe(DB_UTEST_EVENT, h1); - DataBus::unsubscribe(DB_UTEST_EVENT, h9); + DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h0); + DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h1); + DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h9); delete h0; delete h1; @@ -230,25 +232,25 @@ TEST(data_bus, order1) TEST(data_bus, order2) { UTestHandler* h0 = new UTestHandler(0); - DataBus::subscribe(DB_UTEST_EVENT, h0); + DataBus::subscribe(pub_key, DbUtIds::EVENT, h0); UTestHandler* h9 = new UTestHandler(9); - DataBus::subscribe(DB_UTEST_EVENT, h9); + DataBus::subscribe(pub_key, DbUtIds::EVENT, h9); UTestHandler* h1 = new UTestHandler(1); - DataBus::subscribe(DB_UTEST_EVENT, h1); + DataBus::subscribe(pub_key, DbUtIds::EVENT, h1); s_next = 0; UTestEvent event(100); - DataBus::publish(DB_UTEST_EVENT, event); + DataBus::publish(pub_id, DbUtIds::EVENT, event); CHECK(1 == h1->seq); CHECK(2 == h9->seq); CHECK(3 == h0->seq); - DataBus::unsubscribe(DB_UTEST_EVENT, h0); - DataBus::unsubscribe(DB_UTEST_EVENT, h1); - DataBus::unsubscribe(DB_UTEST_EVENT, h9); + DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h0); + DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h1); + DataBus::unsubscribe(pub_key, DbUtIds::EVENT, h9); delete h0; delete h1; @@ -261,6 +263,8 @@ TEST(data_bus, order2) int main(int argc, char** argv) { + // event_map is not released until after cpputest gives up + MemoryLeakWarningPlugin::turnOffNewDeleteOverloads(); return CommandLineTestRunner::RunAllTests(argc, argv); } diff --git a/src/loggers/log_hext.cc b/src/loggers/log_hext.cc index 709a92ee6..8b1383c9e 100644 --- a/src/loggers/log_hext.cc +++ b/src/loggers/log_hext.cc @@ -281,8 +281,9 @@ HextLogger::HextLogger(HextModule* m) limit = m->limit; width = m->width; raw = m->raw; - DataBus::subscribe(DAQ_SOF_MSG_EVENT, new DaqMessageEventHandler()); - DataBus::subscribe(DAQ_EOF_MSG_EVENT, new DaqMessageEventHandler()); + + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::DAQ_SOF_MSG, new DaqMessageEventHandler()); + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::DAQ_EOF_MSG, new DaqMessageEventHandler()); } void HextLogger::open() diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc index 31e8ea62b..79fc52911 100644 --- a/src/main/analyzer.cc +++ b/src/main/analyzer.cc @@ -167,24 +167,24 @@ void Analyzer::set_main_hook(MainHook_f f) static void process_daq_sof_eof_msg(DAQ_Msg_h msg, DAQ_Verdict& verdict) { const DAQ_FlowStats_t *stats = (const DAQ_FlowStats_t*) daq_msg_get_hdr(msg); - const char* key; + unsigned key; select_default_policy(*stats, SnortConfig::get_conf()); if (daq_msg_get_type(msg) == DAQ_MSG_TYPE_EOF) { packet_time_update(&stats->eof_timestamp); daq_stats.eof_messages++; - key = DAQ_EOF_MSG_EVENT; + key = IntrinsicEventIds::DAQ_EOF_MSG; } else { packet_time_update(&stats->sof_timestamp); daq_stats.sof_messages++; - key = DAQ_SOF_MSG_EVENT; + key = IntrinsicEventIds::DAQ_SOF_MSG; } DaqMessageEvent event(msg, verdict); - DataBus::publish(key, event); + DataBus::publish(intrinsic_pub_id, key, event); } static bool process_packet(Packet* p) @@ -343,7 +343,7 @@ void Analyzer::post_process_daq_pkt_msg(Packet* p) { if (p->flow->flags.trigger_detained_packet_event) { - DataBus::publish(DETAINED_PACKET_EVENT, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::DETAINED_PACKET, p); } } else @@ -359,7 +359,7 @@ void Analyzer::post_process_daq_pkt_msg(Packet* p) if (p->flow and p->flow->flags.trigger_finalize_event) { FinalizePacketEvent event(p, verdict); - DataBus::publish(FINALIZE_PACKET_EVENT, event); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FINALIZE_PACKET, event); } if (PacketTracer::is_active()) @@ -448,7 +448,7 @@ void Analyzer::process_daq_msg(DAQ_Msg_h msg, bool retry) { daq_stats.other_messages++; DaqMessageEvent event(msg, verdict); - DataBus::publish(DAQ_OTHER_MSG_EVENT, event); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::DAQ_OTHER_MSG, event); } break; } @@ -570,7 +570,7 @@ void Analyzer::idle() timeradd(&now, &increment, &now); packet_time_update(&now); - DataBus::publish(THREAD_IDLE_EVENT, nullptr); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::THREAD_IDLE, nullptr); // Service the retry queue with the new packet time. process_retry_queue(); @@ -1003,6 +1003,6 @@ void Analyzer::reload_daq() void Analyzer::rotate() { - DataBus::publish(THREAD_ROTATE_EVENT, nullptr); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::THREAD_ROTATE, nullptr); } diff --git a/src/main/policy.cc b/src/main/policy.cc index 284a54eae..42ddb2de9 100644 --- a/src/main/policy.cc +++ b/src/main/policy.cc @@ -36,6 +36,7 @@ #include "parser/parse_conf.h" #include "parser/vars.h" #include "ports/port_var_table.h" +#include "pub_sub/intrinsic_event_ids.h" #include "modules.h" #include "shell.h" @@ -174,7 +175,7 @@ InspectionPolicy::~InspectionPolicy() void InspectionPolicy::configure() { - dbus.subscribe(PACKET_EVENT, new AltPktHandler); + dbus.subscribe(intrinsic_pub_key, IntrinsicEventIds::ALT_PACKET, new AltPktHandler); } //------------------------------------------------------------------------- diff --git a/src/main/snort.cc b/src/main/snort.cc index 03dc39eb5..5e774bfbe 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc @@ -105,6 +105,7 @@ void Snort::init(int argc, char** argv) #endif InitProtoNames(); + DataBus::init(); load_actions(); load_codecs(); diff --git a/src/main/test/distill_verdict_stubs.h b/src/main/test/distill_verdict_stubs.h index 91a742380..cc0008a04 100644 --- a/src/main/test/distill_verdict_stubs.h +++ b/src/main/test/distill_verdict_stubs.h @@ -139,8 +139,8 @@ Packet::Packet(bool) } Packet::~Packet() = default; IpsPolicy* get_ips_policy() { return nullptr; } -void DataBus::publish(const char*, Packet*, Flow*) { } -void DataBus::publish(const char*, DataEvent&, Flow*) { } +void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { } +void DataBus::publish(unsigned, unsigned, DataEvent&, Flow*) { } SFDAQInstance::SFDAQInstance(const char*, unsigned, const SFDAQConfig*) { } SFDAQInstance::~SFDAQInstance() = default; void SFDAQInstance::reload() { } diff --git a/src/main/test/distill_verdict_test.cc b/src/main/test/distill_verdict_test.cc index 115b5efb7..ef018488c 100644 --- a/src/main/test/distill_verdict_test.cc +++ b/src/main/test/distill_verdict_test.cc @@ -25,6 +25,7 @@ #include "distill_verdict_stubs.h" +#include "framework/data_bus.h" #include "main/analyzer.h" #include "memory/memory_cap.h" #include "packet_io/sfdaq_instance.h" @@ -49,6 +50,9 @@ void DeferredTrust::set_deferred_trust(unsigned, bool on) void Flow::trust() { } SFDAQInstance* SFDAQ::get_local_instance() { return nullptr; } + +unsigned DataBus::get_id(const PubKey&) +{ return 0; } } using namespace snort; diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc index 1ed138068..12399cf02 100644 --- a/src/managers/inspector_manager.cc +++ b/src/managers/inspector_manager.cc @@ -41,6 +41,7 @@ #include "main/snort_module.h" #include "main/thread_config.h" #include "protocols/packet.h" +#include "pub_sub/intrinsic_event_ids.h" #include "search_engines/search_tool.h" #include "target_based/snort_protocols.h" #include "time/clock_defs.h" @@ -1999,7 +2000,7 @@ void InspectorManager::bumble(Packet* p) { Flow* flow = p->flow; - DataBus::publish(FLOW_SERVICE_CHANGE_EVENT, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_SERVICE_CHANGE, p); flow->clear_clouseau(); @@ -2007,7 +2008,7 @@ void InspectorManager::bumble(Packet* p) { if ( !flow->flags.svc_event_generated ) { - DataBus::publish(FLOW_NO_SERVICE_EVENT, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_NO_SERVICE, p); flow->flags.svc_event_generated = true; } @@ -2022,7 +2023,7 @@ void InspectorManager::bumble(Packet* p) } template -void InspectorManager::full_inspection(Packet* p) +void inline InspectorManager::full_inspection(Packet* p) { Flow* flow = p->flow; @@ -2056,21 +2057,8 @@ void InspectorManager::full_inspection(Packet* p) } } -// FIXIT-M leverage knowledge of flow creation so that reputation (possibly a -// new it_xxx) is run just once per flow (and all non-flow packets). -void InspectorManager::execute(Packet* p) -{ - if ( trace_enabled(snort_trace, TRACE_INSPECTOR_MANAGER, DEFAULT_TRACE_LOG_LEVEL, p) ) - internal_execute(p); - else - internal_execute(p); - - if ( p->flow && ( !p->is_cooked() or p->is_defrag() ) ) - ExpectFlow::handle_expected_flows(p); -} - template -void InspectorManager::internal_execute(Packet* p) +inline void InspectorManager::internal_execute(Packet* p) { Stopwatch timer; const char* packet_type = nullptr; @@ -2101,10 +2089,10 @@ void InspectorManager::internal_execute(Packet* p) if ( p->flow ) { if ( p->flow->reload_id && p->flow->reload_id != reload_id ) - DataBus::publish(FLOW_STATE_RELOADED_EVENT, p, p->flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_STATE_RELOADED, p, p->flow); } else - DataBus::publish(PKT_WITHOUT_FLOW_EVENT, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::PKT_WITHOUT_FLOW, p); FrameworkPolicy* fp = get_inspection_policy()->framework_policy; assert(fp); @@ -2180,6 +2168,19 @@ void InspectorManager::internal_execute(Packet* p) packet_type, p->context->packet_number, p->context->context_num, TO_USECS(timer.get())); } +// FIXIT-M leverage knowledge of flow creation so that reputation (possibly a +// new it_xxx) is run just once per flow (and all non-flow packets). +void InspectorManager::execute(Packet* p) +{ + if ( trace_enabled(snort_trace, TRACE_INSPECTOR_MANAGER, DEFAULT_TRACE_LOG_LEVEL, p) ) + internal_execute(p); + else + internal_execute(p); + + if ( p->flow && ( !p->is_cooked() or p->is_defrag() ) ) + ExpectFlow::handle_expected_flows(p); +} + void InspectorManager::probe(Packet* p) { GlobalInspectorPolicy* pp = p->context->conf->policy_map->get_global_inspector_policy(); diff --git a/src/managers/test/get_inspector_stubs.h b/src/managers/test/get_inspector_stubs.h index 3be184ba1..900c3551e 100644 --- a/src/managers/test/get_inspector_stubs.h +++ b/src/managers/test/get_inspector_stubs.h @@ -49,7 +49,10 @@ void LogMessage(const char*, ...) { } void LogLabel(const char*, FILE*) { } void ParseError(const char*, ...) { } void WarningMessage(const char*, ...) { } -void DataBus::publish(const char*, Packet*, Flow*) { } +DataBus::DataBus() { } +DataBus::~DataBus() { } +void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { } +unsigned DataBus::get_id(const PubKey&) { return 0; } void DetectionEngine::disable_content(Packet*) { } unsigned SnortConfig::get_thread_reload_id() { return 1; } void SnortConfig::update_thread_reload_id() { } @@ -75,8 +78,6 @@ void Module::sum_stats(bool) { } void Module::show_interval_stats(IndexVec&, FILE*) { } void Module::show_stats() { } void Module::reset_stats() { } -DataBus::DataBus() { } -DataBus::~DataBus() { } Module* ModuleManager::get_module(const char*) { return nullptr; } void ExpectFlow::handle_expected_flows(const Packet*) { } diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index df7703b43..ba24f89f9 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc @@ -33,6 +33,8 @@ #include "managers/module_manager.h" #include "packet_tracer/packet_tracer.h" #include "profiler/profiler.h" +#include "pub_sub/appid_event_ids.h" +#include "pub_sub/intrinsic_event_ids.h" #include "appid_data_decrypt_event_handler.h" #include "appid_dcerpc_event_handler.h" @@ -62,6 +64,8 @@ THREAD_LOCAL ThirdPartyAppIdContext* pkt_thread_tp_appid_ctxt = nullptr; THREAD_LOCAL OdpThreadContext* odp_thread_local_ctxt = nullptr; THREAD_LOCAL OdpContext* pkt_thread_odp_ctxt = nullptr; +unsigned AppIdInspector::pub_id = 0; + static THREAD_LOCAL PacketTracer::TracerMute appid_mute; static void add_appid_to_packet_trace(Flow& flow, const OdpContext& odp_context) @@ -112,31 +116,30 @@ bool AppIdInspector::configure(SnortConfig* sc) assert(!ctxt); ctxt = new AppIdContext(const_cast(*config)); - ctxt->init_appid(sc, *this); - DataBus::subscribe_global(SIP_EVENT_TYPE_SIP_DIALOG_KEY, new SipEventHandler(*this), *sc); - - DataBus::subscribe_global(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler( - HttpEventHandler::REQUEST_EVENT, *this), *sc); - - DataBus::subscribe_global(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler( - HttpEventHandler::RESPONSE_EVENT, *this), *sc); - - DataBus::subscribe_global(HTTPX_REQUEST_BODY_EVENT_KEY, new AppIdHttpXReqBodyEventHandler(), *sc); - - DataBus::subscribe_global(DATA_DECRYPT_EVENT, new DataDecryptEventHandler(), *sc); + DataBus::subscribe_global(http_pub_key, HttpEventIds::REQUEST_HEADER, + new HttpEventHandler(HttpEventHandler::REQUEST_EVENT, *this), *sc); - DataBus::subscribe_global(DCERPC_EXP_SESSION_EVENT_KEY, new DceExpSsnEventHandler(), *sc); + DataBus::subscribe_global(http_pub_key, HttpEventIds::RESPONSE_HEADER, + new HttpEventHandler(HttpEventHandler::RESPONSE_EVENT, *this), *sc); - DataBus::subscribe_global(OPPORTUNISTIC_TLS_EVENT, new AppIdOpportunisticTlsEventHandler(), *sc); + DataBus::subscribe_global(http_pub_key, HttpEventIds::REQUEST_BODY, new AppIdHttpXReqBodyEventHandler(), *sc); + DataBus::subscribe_global(sip_pub_key, SipEventIds::DIALOG, new SipEventHandler(*this), *sc); + DataBus::subscribe_global(dce_tcp_pub_key, DceTcpEventIds::EXP_SESSION, new DceExpSsnEventHandler(), *sc); + DataBus::subscribe_global(ssh_pub_key, SshEventIds::STATE_CHANGE, new SshEventHandler(), *sc); + DataBus::subscribe_global(external_pub_key, ExternalEventIds::DATA_DECRYPT, new DataDecryptEventHandler(), *sc); - DataBus::subscribe_global(EVE_PROCESS_EVENT, new AppIdEveProcessEventHandler(*this), *sc); + DataBus::subscribe_global(external_pub_key, ExternalEventIds::EVE_PROCESS, + new AppIdEveProcessEventHandler(*this), *sc); - DataBus::subscribe_global(SSH_EVENT, new SshEventHandler(), *sc); + DataBus::subscribe_global(intrinsic_pub_key, IntrinsicEventIds::OPPORTUNISTIC_TLS, + new AppIdOpportunisticTlsEventHandler(), *sc); - DataBus::subscribe_global(FLOW_NO_SERVICE_EVENT, new AppIdServiceEventHandler(*this), *sc); + DataBus::subscribe_global(intrinsic_pub_key, IntrinsicEventIds::FLOW_NO_SERVICE, + new AppIdServiceEventHandler(*this), *sc); + pub_id = DataBus::get_id(appid_pub_key); return true; } diff --git a/src/network_inspectors/appid/appid_inspector.h b/src/network_inspectors/appid/appid_inspector.h index d27b4a469..2bb64c97b 100644 --- a/src/network_inspectors/appid/appid_inspector.h +++ b/src/network_inspectors/appid/appid_inspector.h @@ -49,9 +49,12 @@ public: AppIdContext& get_ctxt() const; const AppIdConfig& get_config() const { return *config; } + static unsigned get_pub_id() { return pub_id; } + private: const AppIdConfig* config = nullptr; AppIdContext* ctxt = nullptr; + static unsigned pub_id; }; extern const snort::InspectApi appid_inspector_api; diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index 171cc2173..87ba69a41 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc @@ -308,7 +308,7 @@ static int enable_debug(lua_State* L) constraints.dport = dport; AppIdDebugLogEvent event(&constraints, "AppIdDbg"); - DataBus::publish(APPID_DEBUG_LOG_EVENT, event); + DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DEBUG_LOG, event); main_broadcast_command(new AcAppIdDebug(&constraints), ControlConn::query_from_lua(L)); @@ -318,7 +318,7 @@ static int enable_debug(lua_State* L) static int disable_debug(lua_State* L) { AppIdDebugLogEvent event(nullptr, ""); - DataBus::publish(APPID_DEBUG_LOG_EVENT, event); + DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DEBUG_LOG, event); main_broadcast_command(new AcAppIdDebug(nullptr), ControlConn::query_from_lua(L)); return 0; } diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 4e52d897a..6243a43f4 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -34,6 +34,7 @@ #include "profiler/profiler.h" #include "protocols/packet.h" #include "protocols/tcp.h" +#include "pub_sub/appid_events.h" #include "stream/stream.h" #include "target_based/snort_protocols.h" #include "time/packet_time.h" @@ -1201,7 +1202,7 @@ void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packe return; AppidEvent app_event(change_bits, is_httpx, httpx_stream_index, api, p); - DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, p.flow); + DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::ANY_CHANGE, app_event, p.flow); if (appidDebug->is_active()) { std::string str; diff --git a/src/network_inspectors/appid/service_plugins/service_bootp.cc b/src/network_inspectors/appid/service_plugins/service_bootp.cc index 060970d85..ec5d1923c 100644 --- a/src/network_inspectors/appid/service_plugins/service_bootp.cc +++ b/src/network_inspectors/appid/service_plugins/service_bootp.cc @@ -25,14 +25,16 @@ #include "service_bootp.h" +#include "appid_utils/ip_funcs.h" #include "detection/detection_engine.h" #include "protocols/eth.h" #include "protocols/packet.h" +#include "pub_sub/appid_event_ids.h" #include "pub_sub/dhcp_events.h" + #include "app_info_table.h" #include "appid_config.h" #include "appid_inspector.h" -#include "appid_utils/ip_funcs.h" using namespace snort; @@ -318,7 +320,7 @@ void BootpServiceDetector::add_dhcp_info(AppIdSession& asd, unsigned op55_len, c unsigned op60_length = (op60_len > DHCP_OP60_MAX_SIZE) ? DHCP_OP60_MAX_SIZE : op60_len; Packet* p = DetectionEngine::get_current_packet(); DHCPDataEvent event(p, op55_length, op60_length, op55, op60, mac); - DataBus::publish(DHCP_DATA_EVENT, event, p->flow); + DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DHCP_DATA, event, p->flow); } } @@ -334,6 +336,6 @@ void BootpServiceDetector::add_new_dhcp_lease(AppIdSession& asd, const uint8_t* asd.set_session_flags(APPID_SESSION_HAS_DHCP_INFO); Packet* p = DetectionEngine::get_current_packet(); DHCPInfoEvent event(p, ip, mac, subnetmask, leaseSecs, router); - DataBus::publish(DHCP_INFO_EVENT, event, p->flow); + DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DHCP_INFO, event, p->flow); } diff --git a/src/network_inspectors/appid/service_plugins/service_netbios.cc b/src/network_inspectors/appid/service_plugins/service_netbios.cc index 842971478..d910c288c 100644 --- a/src/network_inspectors/appid/service_plugins/service_netbios.cc +++ b/src/network_inspectors/appid/service_plugins/service_netbios.cc @@ -26,11 +26,13 @@ #include "service_netbios.h" #include "detection/detection_engine.h" #include "protocols/packet.h" +#include "pub_sub/appid_event_ids.h" #include "pub_sub/smb_events.h" #include "utils/endian.h" #include "utils/util_cstring.h" #include "app_info_table.h" +#include "appid_inspector.h" #include "dcerpc.h" using namespace snort; @@ -661,5 +663,5 @@ void NbdgmServiceDetector::add_smb_info(AppIdSession& asd, unsigned major, unsig asd.set_session_flags(APPID_SESSION_HAS_SMB_INFO); Packet* p = DetectionEngine::get_current_packet(); FpSMBDataEvent event(p, major, minor, (flags & FINGERPRINT_UDP_FLAGS_MASK)); - DataBus::publish(FP_SMB_DATA_EVENT, event, p->flow); + DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::FP_SMB_DATA, event, p->flow); } diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc index d7b9a80f8..635f95f0a 100644 --- a/src/network_inspectors/appid/test/appid_api_test.cc +++ b/src/network_inspectors/appid/test/appid_api_test.cc @@ -28,10 +28,12 @@ #include "framework/data_bus.h" #include "protocols/protocol_ids.h" +#include "pub_sub/appid_event_ids.h" #include "service_inspectors/http_inspect/http_msg_header.h" + +#include "appid_http_session.h" #include "tp_appid_module_api.h" #include "tp_appid_session_api.h" -#include "appid_http_session.h" #include "appid_mock_definitions.h" #include "appid_mock_http_session.h" @@ -75,7 +77,7 @@ public: void eval(Packet*) override {}; }; -void DataBus::publish(const char*, DataEvent& event, Flow*) +void DataBus::publish(unsigned, unsigned, DataEvent& event, Flow*) { AppidEvent* appid_event = (AppidEvent*)&event; char* test_log = (char*)mock().getData("test_log").getObjectPointer(); @@ -87,7 +89,7 @@ void DataBus::publish(const char*, DataEvent& event, Flow*) void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packet& p, bool, uint32_t) { AppidEvent app_event(change_bits, false, 0, this->get_api(), p); - DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, p.flow); + DataBus::publish(0, AppIdEventIds::ANY_CHANGE, app_event, p.flow); } bool SslPatternMatchers::scan_hostname(const uint8_t* server_name, size_t, AppId& client_id, AppId& payload_id) diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc index b4a12d9fc..d7edeea7e 100644 --- a/src/network_inspectors/appid/test/appid_discovery_test.cc +++ b/src/network_inspectors/appid/test/appid_discovery_test.cc @@ -23,12 +23,13 @@ #define APPID_MOCK_INSPECTOR_H // avoiding mocked inspector +#include "framework/data_bus.h" #include "helpers/discovery_filter.h" #include "host_tracker/host_cache.h" #include "network_inspectors/appid/appid_discovery.cc" #include "network_inspectors/appid/appid_peg_counts.h" #include "network_inspectors/packet_tracer/packet_tracer.h" - +#include "pub_sub/appid_event_ids.h" #include "search_engines/search_tool.h" #include "utils/sflsq.cc" @@ -107,7 +108,7 @@ void SearchTool::add(const char*, unsigned, void*, bool) {} void SearchTool::add(const uint8_t*, unsigned, int, bool) {} void SearchTool::add(const uint8_t*, unsigned, void*, bool) {} -// Stubs for ip +// Mocks for ip namespace ip { void IpApi::set(const SfIp& sip, const SfIp& dip) @@ -121,13 +122,13 @@ void IpApi::set(const SfIp& sip, const SfIp& dip) AppIdSessionApi::AppIdSessionApi(const AppIdSession*, const SfIp&) : StashGenericObject(STASH_GENERIC_OBJECT_APPID) {} -void AppIdSessionApi::get_first_stream_app_ids(AppId&, AppId&, - AppId&, AppId&) const { } -} // namespace snort -void AppIdModule::reset_stats() {} -DiscoveryFilter::~DiscoveryFilter() {} -// Stubs for publish -void DataBus::publish(const char*, DataEvent& event, Flow*) +void AppIdSessionApi::get_first_stream_app_ids(AppId&, AppId&, AppId&, AppId&) const { } + +// Mocks for publish +unsigned DataBus::get_id(const PubKey&) +{ return 0; } + +void DataBus::publish(unsigned, unsigned, DataEvent& event, Flow*) { AppidEvent* appid_event = (AppidEvent*)&event; char* test_log = (char*)mock().getData("test_log").getObjectPointer(); @@ -135,6 +136,9 @@ void DataBus::publish(const char*, DataEvent& event, Flow*) appid_event->get_change_bitset().to_string().c_str()); mock().actualCall("publish"); } +} // namespace snort +void AppIdModule::reset_stats() {} +DiscoveryFilter::~DiscoveryFilter() {} // Stubs for matchers static HttpPatternMatchers* http_matchers; @@ -229,7 +233,7 @@ AppIdSession* AppIdSession::allocate_session(const Packet*, IpProtocol, void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packet& p, bool, uint32_t) { AppidEvent app_event(change_bits, false, 0, this->get_api(), p); - DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, p.flow); + DataBus::publish(0, AppIdEventIds::ANY_CHANGE, app_event, p.flow); } void AppIdHttpSession::set_tun_dest(){} diff --git a/src/network_inspectors/appid/test/appid_mock_definitions.h b/src/network_inspectors/appid/test/appid_mock_definitions.h index 844bdab08..6f046045e 100644 --- a/src/network_inspectors/appid/test/appid_mock_definitions.h +++ b/src/network_inspectors/appid/test/appid_mock_definitions.h @@ -55,8 +55,10 @@ void LogMessage(const char*,...) { } void LogText(const char*, FILE*) {} void ParseWarning(WarningGroup, const char*, ...) { } - void LogLabel(const char*, FILE*) {} + +unsigned DataBus::get_id(const PubKey&) { return 0; } + SearchTool::SearchTool(bool) { } SearchTool::~SearchTool() = default; } diff --git a/src/network_inspectors/appid/test/service_state_test.cc b/src/network_inspectors/appid/test/service_state_test.cc index 031da2b59..b204bd2e6 100644 --- a/src/network_inspectors/appid/test/service_state_test.cc +++ b/src/network_inspectors/appid/test/service_state_test.cc @@ -43,6 +43,8 @@ void ErrorMessage(const char*,...) {} void LogLabel(const char*, FILE*) {} void LogText(const char* s, FILE*) { LogMessage("%s\n", s); } +unsigned DataBus::get_id(const PubKey&) +{ return 0; } // Stubs for utils char* snort_strdup(const char* str) diff --git a/src/network_inspectors/binder/binder.cc b/src/network_inspectors/binder/binder.cc index f9e909010..0bd4e333f 100644 --- a/src/network_inspectors/binder/binder.cc +++ b/src/network_inspectors/binder/binder.cc @@ -29,6 +29,8 @@ #include "profiler/profiler.h" #include "protocols/packet.h" #include "pub_sub/assistant_gadget_event.h" +#include "pub_sub/intrinsic_event_ids.h" +#include "pub_sub/stream_event_ids.h" #include "stream/stream.h" #include "stream/stream_splitter.h" #include "target_based/host_attributes.h" @@ -441,14 +443,16 @@ void Stuff::apply_service(Flow& flow) if (flow.ssn_state.snort_protocol_id == UNKNOWN_PROTOCOL_ID) flow.ssn_state.snort_protocol_id = gadget->get_service(); - DataBus::publish(SERVICE_INSPECTOR_CHANGE_EVENT, DetectionEngine::get_current_packet()); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SERVICE_INSPECTOR_CHANGE, + DetectionEngine::get_current_packet()); } } else if (wizard) flow.set_clouseau(wizard); + else if (!flow.flags.svc_event_generated) { - DataBus::publish(FLOW_NO_SERVICE_EVENT, DetectionEngine::get_current_packet()); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_NO_SERVICE, DetectionEngine::get_current_packet()); flow.flags.svc_event_generated = true; } } @@ -628,12 +632,13 @@ bool Binder::configure(SnortConfig* sc) default_ssn_inspectors[proto] = InspectorManager::get_inspector(name); } - DataBus::subscribe(PKT_WITHOUT_FLOW_EVENT, new NonFlowPacketHandler()); - DataBus::subscribe(FLOW_STATE_SETUP_EVENT, new FlowStateSetupHandler()); - DataBus::subscribe(FLOW_SERVICE_CHANGE_EVENT, new FlowServiceChangeHandler()); - DataBus::subscribe(STREAM_HA_NEW_FLOW_EVENT, new StreamHANewFlowHandler()); - DataBus::subscribe(FLOW_ASSISTANT_GADGET_EVENT, new AssistantGadgetHandler()); - DataBus::subscribe(FLOW_STATE_RELOADED_EVENT, new RebindFlow()); + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::PKT_WITHOUT_FLOW, new NonFlowPacketHandler()); + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_SETUP, new FlowStateSetupHandler()); + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FLOW_SERVICE_CHANGE, new FlowServiceChangeHandler()); + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FLOW_ASSISTANT_GADGET, new AssistantGadgetHandler()); + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_RELOADED, new RebindFlow()); + + DataBus::subscribe(stream_pub_key, StreamEventIds::HA_NEW_FLOW, new StreamHANewFlowHandler()); return true; } @@ -782,7 +787,8 @@ void Binder::handle_flow_service_change(Flow& flow) flow.set_data(data); } - DataBus::publish(SERVICE_INSPECTOR_CHANGE_EVENT, DetectionEngine::get_current_packet()); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SERVICE_INSPECTOR_CHANGE, + DetectionEngine::get_current_packet()); } else flow.ssn_state.snort_protocol_id = UNKNOWN_PROTOCOL_ID; diff --git a/src/network_inspectors/perf_monitor/perf_monitor.cc b/src/network_inspectors/perf_monitor/perf_monitor.cc index 6e1f66385..4cf0fdefe 100644 --- a/src/network_inspectors/perf_monitor/perf_monitor.cc +++ b/src/network_inspectors/perf_monitor/perf_monitor.cc @@ -38,6 +38,7 @@ #include "main/thread.h" #include "profiler/profiler.h" #include "protocols/packet.h" +#include "pub_sub/intrinsic_event_ids.h" #ifdef UNIT_TEST #include "catch/snort_catch.h" @@ -61,7 +62,7 @@ class PerfIdleHandler : public DataHandler { public: PerfIdleHandler(PerfMonitor& p) : DataHandler(PERF_NAME), perf_monitor(p) - { DataBus::subscribe_network(THREAD_IDLE_EVENT, this); } + { DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::THREAD_IDLE, this); } void handle(DataEvent&, Flow*) override { perf_monitor.eval(nullptr); } @@ -74,7 +75,7 @@ class PerfRotateHandler : public DataHandler { public: PerfRotateHandler(PerfMonitor& p) : DataHandler(PERF_NAME), perf_monitor(p) - { DataBus::subscribe_network(THREAD_ROTATE_EVENT, this); } + { DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::THREAD_ROTATE, this); } void handle(DataEvent&, Flow*) override { perf_monitor.rotate(); } @@ -87,7 +88,7 @@ class FlowIPDataHandler : public DataHandler { public: FlowIPDataHandler(PerfMonitor& p) : DataHandler(PERF_NAME), perf_monitor(p) - { DataBus::subscribe_network(FLOW_STATE_EVENT, this); } + { DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_CHANGE, this); } void handle(DataEvent&, Flow* flow) override { diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc index 2f1a38c92..6dcd98b18 100644 --- a/src/network_inspectors/reputation/reputation_inspect.cc +++ b/src/network_inspectors/reputation/reputation_inspect.cc @@ -47,6 +47,8 @@ using namespace snort; THREAD_LOCAL ProfileStats reputation_perf_stats; THREAD_LOCAL ReputationStats reputationstats; +static unsigned pub_id = 0; + const PegInfo reputation_peg_names[] = { { CountType::SUM, "packets", "total packets processed" }, @@ -263,7 +265,7 @@ static IPdecision snort_reputation_aux_ip(const ReputationConfig& config, Reputa DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_BLOCKLIST_DST); ReputationVerdictEvent event(p, REP_VERDICT_BLOCKED, iplist_id, false); - DataBus::publish(REPUTATION_MATCHED_EVENT, event); + DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event); p->active->drop_packet(p, true); // disable all preproc analysis and detection for this packet @@ -283,14 +285,14 @@ static IPdecision snort_reputation_aux_ip(const ReputationConfig& config, Reputa { DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_MONITOR_DST); ReputationVerdictEvent event(p, REP_VERDICT_MONITORED, iplist_id, false); - DataBus::publish(REPUTATION_MATCHED_EVENT, event); + DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event); reputationstats.aux_ip_monitored++; } else if (decision == TRUSTED) { DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_ALLOWLIST_DST); ReputationVerdictEvent event(p, REP_VERDICT_TRUSTED, iplist_id, false); - DataBus::publish(REPUTATION_MATCHED_EVENT, event); + DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event); p->active->trust_session(p, true); reputationstats.aux_ip_trusted++; } @@ -369,7 +371,7 @@ static void snort_reputation(const ReputationConfig& config, ReputationData& dat DetectionEngine::queue_event(GID_REPUTATION, blocklist_event); ReputationVerdictEvent event(p, REP_VERDICT_BLOCKED, iplist_id, BLOCKED_SRC == decision); - DataBus::publish(REPUTATION_MATCHED_EVENT, event); + DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event); act->drop_packet(p, true); // disable all preproc analysis and detection for this packet @@ -410,7 +412,7 @@ static void snort_reputation(const ReputationConfig& config, ReputationData& dat DetectionEngine::queue_event(GID_REPUTATION, monitor_event); ReputationVerdictEvent event(p, REP_VERDICT_MONITORED, iplist_id, MONITORED_SRC == decision); - DataBus::publish(REPUTATION_MATCHED_EVENT, event); + DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event); reputationstats.monitored++; } @@ -421,7 +423,7 @@ static void snort_reputation(const ReputationConfig& config, ReputationData& dat DetectionEngine::queue_event(GID_REPUTATION, allowlist_event); ReputationVerdictEvent event(p, REP_VERDICT_TRUSTED, iplist_id, TRUSTED_SRC == decision); - DataBus::publish(REPUTATION_MATCHED_EVENT, event); + DataBus::publish(pub_id, ReputationEventIds::REP_MATCHED, event); act->trust_session(p, true); reputationstats.trusted++; } @@ -579,10 +581,12 @@ void Reputation::show(const SnortConfig*) const bool Reputation::configure(SnortConfig*) { - DataBus::subscribe_network( FLOW_STATE_SETUP_EVENT, new IpRepHandler(*this) ); - DataBus::subscribe_network( FLOW_STATE_RELOADED_EVENT, new IpRepHandler(*this) ); - DataBus::subscribe_network( AUXILIARY_IP_EVENT, new AuxiliaryIpRepHandler(*this) ); - DataBus::subscribe_network( PKT_WITHOUT_FLOW_EVENT, new IpRepHandler(*this) ); + DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_SETUP, new IpRepHandler(*this)); + DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::FLOW_STATE_RELOADED, new IpRepHandler(*this)); + DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::AUXILIARY_IP, new AuxiliaryIpRepHandler(*this)); + DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::PKT_WITHOUT_FLOW, new IpRepHandler(*this)); + + pub_id = DataBus::get_id(reputation_pub_key); return true; } diff --git a/src/network_inspectors/rna/rna_config.h b/src/network_inspectors/rna/rna_config.h index 1bb63036a..1425e9491 100644 --- a/src/network_inspectors/rna/rna_config.h +++ b/src/network_inspectors/rna/rna_config.h @@ -21,6 +21,8 @@ #ifndef RNA_CONFIG_H #define RNA_CONFIG_H +#include "framework/data_bus.h" + namespace snort { class TcpFpProcessor; @@ -50,6 +52,8 @@ struct RnaConfig uint16_t max_host_service_info = 16; bool enable_banner_grab = false; bool log_when_idle = false; + + static unsigned pub_id; }; #endif diff --git a/src/network_inspectors/rna/rna_cpe_os.h b/src/network_inspectors/rna/rna_cpe_os.h index 61debb7e1..935e7d920 100644 --- a/src/network_inspectors/rna/rna_cpe_os.h +++ b/src/network_inspectors/rna/rna_cpe_os.h @@ -21,7 +21,7 @@ #ifndef RNA_CPE_OS_H #define RNA_CPE_OS_H -#define CPE_OS_INFO_EVENT "cpe_os_info_event" +#include "pub_sub/external_event_ids.h" class SO_PUBLIC CpeOsInfoEvent : public snort::DataEvent { diff --git a/src/network_inspectors/rna/rna_inspector.cc b/src/network_inspectors/rna/rna_inspector.cc index 68ff5689e..a76a22f45 100644 --- a/src/network_inspectors/rna/rna_inspector.cc +++ b/src/network_inspectors/rna/rna_inspector.cc @@ -33,8 +33,13 @@ #include "main/snort.h" #include "managers/inspector_manager.h" #include "protocols/packet.h" +#include "pub_sub/appid_event_ids.h" #include "pub_sub/dhcp_events.h" +#include "pub_sub/intrinsic_event_ids.h" +#include "pub_sub/rna_events.h" #include "pub_sub/smb_events.h" +#include "pub_sub/stream_event_ids.h" + #include "rna_cpe_os.h" #include "rna_event_handler.h" #include "rna_fingerprint_smb.h" @@ -56,6 +61,8 @@ using namespace std; THREAD_LOCAL RnaStats rna_stats; THREAD_LOCAL ProfileStats rna_perf_stats; +unsigned RnaConfig::pub_id = 0; + //------------------------------------------------------------------------- // class stuff //------------------------------------------------------------------------- @@ -88,29 +95,31 @@ RnaInspector::~RnaInspector() bool RnaInspector::configure(SnortConfig*) { - DataBus::subscribe_network( APPID_EVENT_ANY_CHANGE, new RnaAppidEventHandler(*pnd) ); - DataBus::subscribe_network( DHCP_INFO_EVENT, new RnaDHCPInfoEventHandler(*pnd) ); - DataBus::subscribe_network( DHCP_DATA_EVENT, new RnaDHCPDataEventHandler(*pnd) ); - DataBus::subscribe_network( FP_SMB_DATA_EVENT, new RnaFpSMBEventHandler(*pnd) ); + RnaConfig::pub_id = DataBus::get_id(rna_pub_key); + + DataBus::subscribe_network( appid_pub_key, AppIdEventIds::ANY_CHANGE, new RnaAppidEventHandler(*pnd) ); + DataBus::subscribe_network( appid_pub_key, AppIdEventIds::DHCP_INFO, new RnaDHCPInfoEventHandler(*pnd) ); + DataBus::subscribe_network( appid_pub_key, AppIdEventIds::DHCP_DATA, new RnaDHCPDataEventHandler(*pnd) ); + DataBus::subscribe_network( appid_pub_key, AppIdEventIds::FP_SMB_DATA, new RnaFpSMBEventHandler(*pnd) ); - DataBus::subscribe_network( STREAM_ICMP_NEW_FLOW_EVENT, new RnaIcmpNewFlowEventHandler(*pnd) ); - DataBus::subscribe_network( STREAM_ICMP_BIDIRECTIONAL_EVENT, new RnaIcmpBidirectionalEventHandler(*pnd) ); + DataBus::subscribe_network( stream_pub_key, StreamEventIds::ICMP_NEW_FLOW, new RnaIcmpNewFlowEventHandler(*pnd) ); + DataBus::subscribe_network( stream_pub_key, StreamEventIds::ICMP_BIDIRECTIONAL, new RnaIcmpBidirectionalEventHandler(*pnd) ); - DataBus::subscribe_network( STREAM_IP_NEW_FLOW_EVENT, new RnaIpNewFlowEventHandler(*pnd) ); - DataBus::subscribe_network( STREAM_IP_BIDIRECTIONAL_EVENT, new RnaIpBidirectionalEventHandler(*pnd) ); + DataBus::subscribe_network( stream_pub_key, StreamEventIds::IP_NEW_FLOW, new RnaIpNewFlowEventHandler(*pnd) ); + DataBus::subscribe_network( stream_pub_key, StreamEventIds::IP_BIDIRECTIONAL, new RnaIpBidirectionalEventHandler(*pnd) ); - DataBus::subscribe_network( STREAM_UDP_NEW_FLOW_EVENT, new RnaUdpNewFlowEventHandler(*pnd) ); - DataBus::subscribe_network( STREAM_UDP_BIDIRECTIONAL_EVENT, new RnaUdpBidirectionalEventHandler(*pnd) ); + DataBus::subscribe_network( stream_pub_key, StreamEventIds::UDP_NEW_FLOW, new RnaUdpNewFlowEventHandler(*pnd) ); + DataBus::subscribe_network( stream_pub_key, StreamEventIds::UDP_BIDIRECTIONAL, new RnaUdpBidirectionalEventHandler(*pnd) ); - DataBus::subscribe_network( STREAM_TCP_SYN_EVENT, new RnaTcpSynEventHandler(*pnd) ); - DataBus::subscribe_network( STREAM_TCP_SYN_ACK_EVENT, new RnaTcpSynAckEventHandler(*pnd) ); - DataBus::subscribe_network( STREAM_TCP_MIDSTREAM_EVENT, new RnaTcpMidstreamEventHandler(*pnd) ); + DataBus::subscribe_network( stream_pub_key, StreamEventIds::TCP_SYN, new RnaTcpSynEventHandler(*pnd) ); + DataBus::subscribe_network( stream_pub_key, StreamEventIds::TCP_SYN_ACK, new RnaTcpSynAckEventHandler(*pnd) ); + DataBus::subscribe_network( stream_pub_key, StreamEventIds::TCP_MIDSTREAM, new RnaTcpMidstreamEventHandler(*pnd) ); - DataBus::subscribe_network( CPE_OS_INFO_EVENT, new RnaCPEOSInfoEventHandler(*pnd) ); - DataBus::subscribe_network( NETFLOW_EVENT, new RnaNetFlowEventHandler(*pnd) ); + DataBus::subscribe_network( external_pub_key, ExternalEventIds::CPE_OS_INFO, new RnaCPEOSInfoEventHandler(*pnd) ); + DataBus::subscribe_network( netflow_pub_key, NetFlowEventIds::DATA, new RnaNetFlowEventHandler(*pnd) ); if (rna_conf && rna_conf->log_when_idle) - DataBus::subscribe_network( THREAD_IDLE_EVENT, new RnaIdleEventHandler(*pnd) ); + DataBus::subscribe_network(intrinsic_pub_key, IntrinsicEventIds::THREAD_IDLE, new RnaIdleEventHandler(*pnd) ); if ( mod_conf->ua_processor ) mod_conf->ua_processor->make_mpse(); diff --git a/src/network_inspectors/rna/rna_pnd.cc b/src/network_inspectors/rna/rna_pnd.cc index 31d622af6..c6610e491 100644 --- a/src/network_inspectors/rna/rna_pnd.cc +++ b/src/network_inspectors/rna/rna_pnd.cc @@ -210,7 +210,7 @@ void RnaPnd::analyze_netflow_host(NetFlowEvent* nfe) { uint32_t service = nfe->get_service_id(); RNAEvent new_flow_event(p, nfe->get_record(), service); - DataBus::publish(RNA_NEW_NETFLOW_CONN, new_flow_event); + DataBus::publish(RnaConfig::pub_id, NetFlowEventIds::DATA, new_flow_event); return; } diff --git a/src/protocols/packet.h b/src/protocols/packet.h index 530d18e9e..134ce4714 100644 --- a/src/protocols/packet.h +++ b/src/protocols/packet.h @@ -28,9 +28,6 @@ #include "main/snort_types.h" #include "target_based/snort_protocols.h" -// Event that is generated when a packet without a flow is processed -#define PKT_WITHOUT_FLOW_EVENT "non_flow_pkt" - namespace snort { class Active; diff --git a/src/pub_sub/CMakeLists.txt b/src/pub_sub/CMakeLists.txt index 351bad756..1787c7fc9 100644 --- a/src/pub_sub/CMakeLists.txt +++ b/src/pub_sub/CMakeLists.txt @@ -1,5 +1,6 @@ set (PUB_SUB_INCLUDES appid_debug_log_event.h + appid_event_ids.h appid_events.h assistant_gadget_event.h cip_events.h @@ -9,15 +10,19 @@ set (PUB_SUB_INCLUDES dhcp_events.h eve_process_event.h expect_events.h + external_event_ids.h finalize_packet_event.h + http_event_ids.h http_events.h http_request_body_event.h + intrinsic_event_ids.h netflow_event.h opportunistic_tls_event.h packet_events.h reputation_events.h rna_events.h sip_events.h + stream_event_ids.h smb_events.h ssh_events.h ) diff --git a/src/pub_sub/appid_debug_log_event.h b/src/pub_sub/appid_debug_log_event.h index 96ab3b568..a1b3a2e23 100644 --- a/src/pub_sub/appid_debug_log_event.h +++ b/src/pub_sub/appid_debug_log_event.h @@ -22,10 +22,8 @@ #include -#include "framework/data_bus.h" #include "network_inspectors/appid/appid_debug.h" - -#define APPID_DEBUG_LOG_EVENT "appid_debug_log_event" +#include "pub_sub/appid_event_ids.h" class AppIdDebugLogEvent : public snort::DataEvent { diff --git a/src/pub_sub/appid_event_ids.h b/src/pub_sub/appid_event_ids.h new file mode 100644 index 000000000..59f2e75c2 --- /dev/null +++ b/src/pub_sub/appid_event_ids.h @@ -0,0 +1,45 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// appid_event_ids.h author Russ Combs + +#ifndef APPID_EVENT_IDS_H +#define APPID_EVENT_IDS_H + +#include "framework/data_bus.h" + +namespace snort +{ + +struct AppIdEventIds +{ enum : unsigned { + + ANY_CHANGE, + DEBUG_LOG, + DHCP_DATA, + DHCP_INFO, + FP_SMB_DATA, + + num_ids +}; }; + +const PubKey appid_pub_key { "appid", AppIdEventIds::num_ids }; + +} +#endif + diff --git a/src/pub_sub/appid_events.h b/src/pub_sub/appid_events.h index 5fe16dc2a..f581b7c13 100644 --- a/src/pub_sub/appid_events.h +++ b/src/pub_sub/appid_events.h @@ -24,9 +24,7 @@ #include -#include "framework/data_bus.h" - -#define APPID_EVENT_ANY_CHANGE "appid_event_any_change" +#include "pub_sub/appid_event_ids.h" namespace snort { diff --git a/src/pub_sub/assistant_gadget_event.h b/src/pub_sub/assistant_gadget_event.h index c777fe2e7..afbe7fd61 100644 --- a/src/pub_sub/assistant_gadget_event.h +++ b/src/pub_sub/assistant_gadget_event.h @@ -21,14 +21,13 @@ #define ASSISTANT_GADGET_EVENTS_H #include "framework/data_bus.h" +#include "pub_sub/intrinsic_event_ids.h" #include "target_based/snort_protocols.h" #include "utils/util.h" // A flow is setting up assistant inspector. // For example used by HTTP2 to set NHI as assistant inspector. -#define FLOW_ASSISTANT_GADGET_EVENT "flow.assistant_gadget" - namespace snort { struct Packet; diff --git a/src/pub_sub/auxiliary_ip_event.h b/src/pub_sub/auxiliary_ip_event.h index d06543d6b..e3e13f166 100644 --- a/src/pub_sub/auxiliary_ip_event.h +++ b/src/pub_sub/auxiliary_ip_event.h @@ -20,11 +20,9 @@ #ifndef AUXILIARY_IP_EVENT_H #define AUXILIARY_IP_EVENT_H -#include "framework/data_bus.h" +#include "pub_sub/intrinsic_event_ids.h" #include "sfip/sf_ip.h" -#define AUXILIARY_IP_EVENT "auxiliary_ip_event" - class AuxiliaryIpEvent : public snort::DataEvent { public: diff --git a/src/pub_sub/cip_events.h b/src/pub_sub/cip_events.h index c35ffde18..6e0fd852c 100644 --- a/src/pub_sub/cip_events.h +++ b/src/pub_sub/cip_events.h @@ -27,12 +27,9 @@ #include "framework/data_bus.h" -#define CIP_EVENT_TYPE_CIP_DATA_KEY "cip_event_type_cip_data" +struct CipEventIds { enum : unsigned { DATA, num_ids }; }; -enum CipEventType -{ - CIP_EVENT_TYPE_CIP_DATA -}; +const snort::PubKey cip_pub_key { "cip", CipEventIds::num_ids }; namespace snort { diff --git a/src/pub_sub/daq_message_event.h b/src/pub_sub/daq_message_event.h index 47cf801ec..5f6774dab 100644 --- a/src/pub_sub/daq_message_event.h +++ b/src/pub_sub/daq_message_event.h @@ -22,11 +22,7 @@ #include -#include "framework/data_bus.h" - -#define DAQ_SOF_MSG_EVENT "daq.message.sof" -#define DAQ_EOF_MSG_EVENT "daq.message.eof" -#define DAQ_OTHER_MSG_EVENT "daq.message.other" +#include "pub_sub/intrinsic_event_ids.h" namespace snort { diff --git a/src/pub_sub/data_decrypt_event.h b/src/pub_sub/data_decrypt_event.h index 4f57ca1d3..c7f7ef2c5 100644 --- a/src/pub_sub/data_decrypt_event.h +++ b/src/pub_sub/data_decrypt_event.h @@ -1,11 +1,26 @@ //-------------------------------------------------------------------------- // Copyright (C) 2020-2022 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- +// data_decrypt_event.h author Sreeja Athirkandathil Narayanan #ifndef DATA_DECRYPT_EVENT_H #define DATA_DECRYPT_EVENT_H -#define DATA_DECRYPT_EVENT "Data Decrypt event" +#include "pub_sub/external_event_ids.h" class DataDecryptEvent : public snort::DataEvent { @@ -27,6 +42,5 @@ private: StateEventType m_type; }; - -#endif //DATA_DECRYPT_EVENT_H +#endif diff --git a/src/pub_sub/dcerpc_events.h b/src/pub_sub/dcerpc_events.h index ab1577483..14978a5b5 100644 --- a/src/pub_sub/dcerpc_events.h +++ b/src/pub_sub/dcerpc_events.h @@ -7,7 +7,9 @@ #include "framework/data_bus.h" -#define DCERPC_EXP_SESSION_EVENT_KEY "dcerpc_expected_session_event" +struct DceTcpEventIds { enum : unsigned { EXP_SESSION, num_ids }; }; + +const snort::PubKey dce_tcp_pub_key { "dce_tcp", DceTcpEventIds::num_ids }; namespace snort { diff --git a/src/pub_sub/dhcp_events.h b/src/pub_sub/dhcp_events.h index 3c26481b7..b005e748b 100644 --- a/src/pub_sub/dhcp_events.h +++ b/src/pub_sub/dhcp_events.h @@ -21,10 +21,8 @@ #define DHCP_EVENTS_H #include -#include "framework/data_bus.h" +#include "pub_sub/appid_event_ids.h" -#define DHCP_DATA_EVENT "dhcp_data_event" -#define DHCP_INFO_EVENT "dhcp_info_event" #define DHCP_OP55_MAX_SIZE 64 #define DHCP_OP60_MAX_SIZE 64 diff --git a/src/pub_sub/eve_process_event.h b/src/pub_sub/eve_process_event.h index 65fc66aa6..11dc2fdec 100644 --- a/src/pub_sub/eve_process_event.h +++ b/src/pub_sub/eve_process_event.h @@ -21,9 +21,7 @@ #define EVE_PROCESS_EVENT_H #include -#include "framework/data_bus.h" - -#define EVE_PROCESS_EVENT "eve_process_event" +#include "pub_sub/external_event_ids.h" class EveProcessEvent : public snort::DataEvent { diff --git a/src/pub_sub/expect_events.h b/src/pub_sub/expect_events.h index d24d4367e..ce85d5ea0 100644 --- a/src/pub_sub/expect_events.h +++ b/src/pub_sub/expect_events.h @@ -26,7 +26,7 @@ #include #include -#include "framework/data_bus.h" +#include "pub_sub/intrinsic_event_ids.h" #define EXPECT_EVENT_TYPE_EARLY_SESSION_CREATE_KEY "expect_event_type_early_session_create" diff --git a/src/pub_sub/external_event_ids.h b/src/pub_sub/external_event_ids.h new file mode 100644 index 000000000..409774f06 --- /dev/null +++ b/src/pub_sub/external_event_ids.h @@ -0,0 +1,38 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// external_event_ids.h author Russ Combs + +#ifndef EXTERNAL_EVENT_IDS_H +#define EXTERNAL_EVENT_IDS_H + +#include "framework/data_bus.h" + +struct ExternalEventIds +{ enum : unsigned { + + CPE_OS_INFO, + DATA_DECRYPT, + EVE_PROCESS, + + num_ids +}; }; + +const snort::PubKey external_pub_key { "external", ExternalEventIds::num_ids }; + +#endif + diff --git a/src/pub_sub/finalize_packet_event.h b/src/pub_sub/finalize_packet_event.h index 6c56021ef..46eab325c 100644 --- a/src/pub_sub/finalize_packet_event.h +++ b/src/pub_sub/finalize_packet_event.h @@ -25,9 +25,7 @@ #include -#include "framework/data_bus.h" - -#define FINALIZE_PACKET_EVENT "analyzer.finalize.packet" +#include "pub_sub/intrinsic_event_ids.h" namespace snort { diff --git a/src/pub_sub/http_event_ids.h b/src/pub_sub/http_event_ids.h new file mode 100644 index 000000000..9e0e02337 --- /dev/null +++ b/src/pub_sub/http_event_ids.h @@ -0,0 +1,46 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// http_event_ids.h author Russ Combs + +// Inspection events published by the Http Inspector. Modules can subscribe +// to receive the events. + +#ifndef HTTP_EVENT_IDS_H +#define HTTP_EVENT_IDS_H + +#include "framework/data_bus.h" + +namespace snort +{ +// These are common values between the HTTP inspector and the subscribers. +struct HttpEventIds +{ enum : unsigned { + + REQUEST_HEADER, + RESPONSE_HEADER, + REQUEST_BODY, + + num_ids +}; }; + +const PubKey http_pub_key { "http_inspect", HttpEventIds::num_ids }; + +} +#endif + diff --git a/src/pub_sub/http_events.h b/src/pub_sub/http_events.h index 94ccc5917..c7dd50837 100644 --- a/src/pub_sub/http_events.h +++ b/src/pub_sub/http_events.h @@ -24,22 +24,19 @@ #define HTTP_EVENTS_H #include "framework/data_bus.h" - -// These are common values between the HTTP inspector and the subscribers. -#define HTTP_REQUEST_HEADER_EVENT_KEY "http_request_header_event" -#define HTTP_RESPONSE_HEADER_EVENT_KEY "http_response_header_event" +#include "pub_sub/http_event_ids.h" class HttpMsgHeader; namespace snort { + class SO_PUBLIC HttpEvent : public snort::DataEvent { public: HttpEvent(HttpMsgHeader* http_msg_header_, bool httpx, int64_t stream_id) : http_msg_header(http_msg_header_), is_httpx(httpx), httpx_stream_id(stream_id) { } - const uint8_t* get_content_type(int32_t &length); const uint8_t* get_cookie(int32_t &length); const uint8_t* get_authority(int32_t &length); diff --git a/src/pub_sub/http_request_body_event.h b/src/pub_sub/http_request_body_event.h index 3e0a88983..0b0afd60b 100644 --- a/src/pub_sub/http_request_body_event.h +++ b/src/pub_sub/http_request_body_event.h @@ -25,8 +25,7 @@ #include "service_inspectors/http_inspect/http_field.h" #include "service_inspectors/http_inspect/http_msg_body.h" -// These are common values between the HTTP inspector and the subscribers. -#define HTTPX_REQUEST_BODY_EVENT_KEY "httpx_request_body_event" +#include "http_event_ids.h" class HttpFlowData; diff --git a/src/pub_sub/intrinsic_event_ids.h b/src/pub_sub/intrinsic_event_ids.h new file mode 100644 index 000000000..56e7c6a7f --- /dev/null +++ b/src/pub_sub/intrinsic_event_ids.h @@ -0,0 +1,71 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// intrinsic_event_ids.h author Russ Combs + +#ifndef INTRINSIC_EVENT_IDS_H +#define INTRINSIC_EVENT_IDS_H + +// Common core functionality data events + +#include "framework/data_bus.h" + +namespace snort +{ + +struct IntrinsicEventIds +{ enum : unsigned { + + DAQ_SOF_MSG, + DAQ_EOF_MSG, + DAQ_OTHER_MSG, + + ALT_PACKET, + PKT_WITHOUT_FLOW, + DETAINED_PACKET, + FINALIZE_PACKET, + RETRY_PACKET, + + THREAD_IDLE, + THREAD_ROTATE, + + SSL_SEARCH_ABANDONED, + OPPORTUNISTIC_TLS, + + FLOW_STATE_CHANGE, + FLOW_SERVICE_CHANGE, + SERVICE_INSPECTOR_CHANGE, + + FLOW_NO_SERVICE, + FLOW_STATE_SETUP, + FLOW_STATE_RELOADED, + FLOW_ASSISTANT_GADGET, + + EXPECT_HANDLE_FLOWS, + EXPECT_EARLY_SESSION, + AUXILIARY_IP, + FILE_VERDICT, + + num_ids +}; }; + +const PubKey intrinsic_pub_key { "snort", IntrinsicEventIds::num_ids }; + +const unsigned intrinsic_pub_id = 1; +} +#endif + diff --git a/src/pub_sub/netflow_event.h b/src/pub_sub/netflow_event.h index b7e1cabd1..43f7af396 100644 --- a/src/pub_sub/netflow_event.h +++ b/src/pub_sub/netflow_event.h @@ -23,11 +23,13 @@ #include "framework/data_bus.h" #include "service_inspectors/netflow/netflow_record.h" -#define NETFLOW_EVENT "service_inspector.netflow" - namespace snort { +struct NetFlowEventIds { enum : unsigned { DATA, num_ids }; }; + +const PubKey netflow_pub_key { "netflow", NetFlowEventIds::num_ids }; + class NetFlowEvent : public DataEvent { public: diff --git a/src/pub_sub/opportunistic_tls_event.h b/src/pub_sub/opportunistic_tls_event.h index 51a31c091..d79efc1af 100644 --- a/src/pub_sub/opportunistic_tls_event.h +++ b/src/pub_sub/opportunistic_tls_event.h @@ -23,10 +23,9 @@ #include #include -#include "framework/data_bus.h" +#include "pub_sub/intrinsic_event_ids.h" // An opportunistic SSL/TLS session will start from next packet -#define OPPORTUNISTIC_TLS_EVENT "service_inspector.opportunistic.tls" namespace snort { diff --git a/src/pub_sub/packet_events.h b/src/pub_sub/packet_events.h index 98ffce11f..aa847a331 100644 --- a/src/pub_sub/packet_events.h +++ b/src/pub_sub/packet_events.h @@ -20,10 +20,9 @@ #ifndef PACKET_EVENTS_H #define PACKET_EVENTS_H -#include "framework/data_bus.h" +#include "pub_sub/intrinsic_event_ids.h" // A retry packet is being processed -#define PKT_RETRY_EVENT "retry_packet" namespace snort { diff --git a/src/pub_sub/reputation_events.h b/src/pub_sub/reputation_events.h index 52bac8a54..619f2d02b 100644 --- a/src/pub_sub/reputation_events.h +++ b/src/pub_sub/reputation_events.h @@ -22,11 +22,13 @@ #include "framework/data_bus.h" -#define REPUTATION_MATCHED_EVENT "rep.matched" - namespace snort { +struct ReputationEventIds { enum : unsigned { REP_MATCHED, num_ids }; }; + +const PubKey reputation_pub_key { "reputation", ReputationEventIds::num_ids }; + enum ReputationVerdict { REP_VERDICT_BLOCKED, diff --git a/src/pub_sub/rna_events.h b/src/pub_sub/rna_events.h index 4c706c41a..e45932e9d 100644 --- a/src/pub_sub/rna_events.h +++ b/src/pub_sub/rna_events.h @@ -23,11 +23,13 @@ #include "framework/data_bus.h" #include "service_inspectors/netflow/netflow_record.h" -#define RNA_NEW_NETFLOW_CONN "network_inspector.rna.new_netflow_host" - namespace snort { +struct RnaEventIds { enum : unsigned { NEW_NETFLOW_CONN, num_ids }; }; + +const PubKey rna_pub_key { "rna", RnaEventIds::num_ids }; + class RNAEvent : public DataEvent { public: diff --git a/src/pub_sub/sip_events.h b/src/pub_sub/sip_events.h index f49cb9c2f..53f2c3d13 100644 --- a/src/pub_sub/sip_events.h +++ b/src/pub_sub/sip_events.h @@ -27,12 +27,9 @@ #include "framework/data_bus.h" -#define SIP_EVENT_TYPE_SIP_DIALOG_KEY "sip_event_type_sip_dialog" +struct SipEventIds { enum : unsigned { DIALOG, num_ids }; }; -enum SipEventType -{ - SIP_EVENT_TYPE_SIP_DIALOG -}; +const snort::PubKey sip_pub_key { "sip", SipEventIds::num_ids }; namespace snort { diff --git a/src/pub_sub/smb_events.h b/src/pub_sub/smb_events.h index abbc5b891..7c013e90d 100644 --- a/src/pub_sub/smb_events.h +++ b/src/pub_sub/smb_events.h @@ -20,9 +20,7 @@ #ifndef SMB_EVENTS_H #define SMB_EVENTS_H -#include "framework/data_bus.h" - -#define FP_SMB_DATA_EVENT "fp_smb_data_event" +#include "pub_sub/appid_event_ids.h" namespace snort { @@ -54,4 +52,5 @@ private: } -#endif // SMB_EVENTS_H +#endif + diff --git a/src/pub_sub/ssh_events.h b/src/pub_sub/ssh_events.h index da8fcecd5..4616c39c4 100644 --- a/src/pub_sub/ssh_events.h +++ b/src/pub_sub/ssh_events.h @@ -23,16 +23,21 @@ // This event allows the SSH service inspector to publish extracted metadata // for use by data bus subscribers +#include "framework/data_bus.h" #include "service_inspectors/ssh/ssh.h" -#define SSH_EVENT "ssh_event" +struct SshEventIds { enum : unsigned { STATE_CHANGE, num_ids }; }; -enum SshEventType { +const snort::PubKey ssh_pub_key { "ssh", SshEventIds::num_ids }; + +enum SshEventType +{ SSH_VERSION_STRING, SSH_VALIDATION }; -enum SshValidationResult { +enum SshValidationResult +{ SSH_NOT_FINISHED, SSH_VALID_KEXINIT, SSH_INVALID_VERSION, diff --git a/src/pub_sub/stream_event_ids.h b/src/pub_sub/stream_event_ids.h new file mode 100644 index 000000000..6120d3dc2 --- /dev/null +++ b/src/pub_sub/stream_event_ids.h @@ -0,0 +1,49 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// stream_event_ids.h author Russ Combs + +#ifndef STREAM_EVENT_IDS_H +#define STREAM_EVENT_IDS_H + +#include "framework/data_bus.h" + +struct StreamEventIds +{ enum : unsigned { + + IP_NEW_FLOW, + IP_BIDIRECTIONAL, + + ICMP_NEW_FLOW, + ICMP_BIDIRECTIONAL, + + TCP_SYN, + TCP_SYN_ACK, + TCP_MIDSTREAM, + TCP_ESTABLISHED, + + UDP_NEW_FLOW, + UDP_BIDIRECTIONAL, + + HA_NEW_FLOW, + + num_ids +}; }; + +const snort::PubKey stream_pub_key { "stream", StreamEventIds::num_ids }; + +#endif diff --git a/src/pub_sub/test/pub_sub_http_request_body_event_test.cc b/src/pub_sub/test/pub_sub_http_request_body_event_test.cc index 098e0b40b..0138e17b2 100644 --- a/src/pub_sub/test/pub_sub_http_request_body_event_test.cc +++ b/src/pub_sub/test/pub_sub_http_request_body_event_test.cc @@ -51,7 +51,7 @@ HttpMsgBody::HttpMsgBody(const uint8_t* buffer, const uint16_t buf_size, publish_length = buf_size; } void HttpMsgBody::analyze() {} -void HttpMsgBody::publish() {} +void HttpMsgBody::publish(unsigned) {} void HttpMsgBody::do_file_processing(const Field&) {} void HttpMsgBody::do_utf_decoding(const Field&, Field&) {} void HttpMsgBody::do_file_decompression(const Field&, Field&) {} diff --git a/src/service_inspectors/cip/cip.cc b/src/service_inspectors/cip/cip.cc index 29c35ff50..2a351237f 100644 --- a/src/service_inspectors/cip/cip.cc +++ b/src/service_inspectors/cip/cip.cc @@ -45,6 +45,7 @@ using namespace snort; THREAD_LOCAL ProfileStats cip_perf_stats; unsigned CipFlowData::inspector_id = 0; +unsigned CipEventData::pub_id = 0; static void free_cip_data(void* data); @@ -166,7 +167,7 @@ static void publish_data_to_appId(Packet* packet, CipCurrentData& current_data) if (publish_appid) { - DataBus::publish(CIP_EVENT_TYPE_CIP_DATA_KEY, cip_event, packet->flow); + DataBus::publish(CipEventData::pub_id, CipEventIds::DATA, cip_event, packet->flow); } } @@ -252,6 +253,7 @@ public: Cip(CipProtoConf*); ~Cip() override; + bool configure(SnortConfig*) override; void show(const SnortConfig*) const override; void eval(Packet*) override; @@ -278,6 +280,12 @@ Cip::~Cip() } } +bool Cip::configure(SnortConfig*) +{ + CipEventData::pub_id = DataBus::get_id(cip_pub_key); + return true; +} + void Cip::show(const SnortConfig*) const { if (!config) diff --git a/src/service_inspectors/cip/cip.h b/src/service_inspectors/cip/cip.h index 39c69822a..6c0c840f9 100644 --- a/src/service_inspectors/cip/cip.h +++ b/src/service_inspectors/cip/cip.h @@ -24,6 +24,7 @@ #include "flow/flow.h" #include "framework/counts.h" +#include "framework/data_bus.h" #include "main/thread.h" #include "protocols/packet.h" @@ -79,6 +80,8 @@ struct CipEventData // Pointer to snort::Packet const snort::Packet* snort_packet; + + static unsigned pub_id; }; class CipFlowData : public snort::FlowData diff --git a/src/service_inspectors/cip/cip_parsing.cc b/src/service_inspectors/cip/cip_parsing.cc index 24ec0157a..0fe150658 100644 --- a/src/service_inspectors/cip/cip_parsing.cc +++ b/src/service_inspectors/cip/cip_parsing.cc @@ -1538,7 +1538,7 @@ static bool parse_multiple_service_packet(const uint8_t* data, pack_cip_request_event(&embedded_request, &cip_event_data); - DataBus::publish(CIP_EVENT_TYPE_CIP_DATA_KEY, cip_event, global_data->snort_packet->flow); + DataBus::publish(CipEventData::pub_id, CipEventIds::DATA, cip_event, global_data->snort_packet->flow); } return valid; diff --git a/src/service_inspectors/dce_rpc/dce_expected_session.cc b/src/service_inspectors/dce_rpc/dce_expected_session.cc index 7b67239ca..22404cf11 100644 --- a/src/service_inspectors/dce_rpc/dce_expected_session.cc +++ b/src/service_inspectors/dce_rpc/dce_expected_session.cc @@ -52,7 +52,7 @@ void DceExpSsnManager::create_expected_session(const SfIp* ept_ip, DceExpectedSessionEvent map_resp_event(pkt, src_ip, 0, ept_ip, ept_port, proto, protocol_id); - DataBus::publish(DCERPC_EXP_SESSION_EVENT_KEY, map_resp_event, pkt->flow); + DataBus::publish(Dce2Tcp::pub_id, DceTcpEventIds::EXP_SESSION, map_resp_event, pkt->flow); } DceTcpExpSsnManager::DceTcpExpSsnManager(const dce2TcpProtoConf& config) : diff --git a/src/service_inspectors/dce_rpc/dce_tcp.cc b/src/service_inspectors/dce_rpc/dce_tcp.cc index c04be5ef5..5ab1e345e 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp.cc +++ b/src/service_inspectors/dce_rpc/dce_tcp.cc @@ -26,6 +26,7 @@ #include "dce_tcp.h" #include "detection/detection_engine.h" +#include "pub_sub/dcerpc_events.h" #include "utils/util.h" #include "dce_context_data.h" @@ -51,6 +52,7 @@ THREAD_LOCAL dce2TcpStats dce2_tcp_stats; THREAD_LOCAL ProfileStats dce2_tcp_pstat_main; unsigned Dce2TcpFlowData::inspector_id = 0; +unsigned Dce2Tcp::pub_id = 0; DCE2_TcpSsnData* get_dce2_tcp_session_data(Flow* flow) { @@ -116,6 +118,7 @@ Dce2Tcp::Dce2Tcp(const dce2TcpProtoConf& pc) : bool Dce2Tcp::configure(snort::SnortConfig* sc) { esm.set_proto_id(sc->proto_ref->add(DCE_RPC_SERVICE_NAME)); + pub_id = DataBus::get_id(dce_tcp_pub_key); return true; } diff --git a/src/service_inspectors/dce_rpc/dce_tcp.h b/src/service_inspectors/dce_rpc/dce_tcp.h index cd845169c..8309f0483 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp.h +++ b/src/service_inspectors/dce_rpc/dce_tcp.h @@ -22,6 +22,7 @@ #ifndef DCE_TCP_H #define DCE_TCP_H +#include "framework/data_bus.h" #include "framework/inspector.h" #include "profiler/profiler_defs.h" @@ -150,6 +151,8 @@ public: snort::StreamSplitter* get_splitter(bool c2s) override { return new Dce2TcpSplitter(c2s); } + static unsigned pub_id; + private: dce2TcpProtoConf config; DceTcpExpSsnManager esm; diff --git a/src/service_inspectors/ftp_telnet/ft_main.cc b/src/service_inspectors/ftp_telnet/ft_main.cc index 106c951fe..970030bae 100644 --- a/src/service_inspectors/ftp_telnet/ft_main.cc +++ b/src/service_inspectors/ftp_telnet/ft_main.cc @@ -48,6 +48,7 @@ #include "framework/data_bus.h" #include "log/messages.h" #include "managers/inspector_manager.h" +#include "pub_sub/intrinsic_event_ids.h" #include "utils/util.h" #include "ftp_cmd_lookup.h" @@ -192,7 +193,7 @@ int FTPCheckConfigs(SnortConfig* sc, void* pData) void do_detection(Packet* p) { - DataBus::publish(PACKET_EVENT, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::ALT_PACKET, p); DetectionEngine::disable_all(p); } diff --git a/src/service_inspectors/ftp_telnet/ftp_data.cc b/src/service_inspectors/ftp_telnet/ftp_data.cc index 68d02254e..96263d987 100644 --- a/src/service_inspectors/ftp_telnet/ftp_data.cc +++ b/src/service_inspectors/ftp_telnet/ftp_data.cc @@ -235,10 +235,10 @@ void FtpDataFlowData::handle_expected(Packet* p) if (fd and fd->in_tls) { OpportunisticTlsEvent evt(p, fd_svc_name); - DataBus::publish(OPPORTUNISTIC_TLS_EVENT, evt, p->flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, evt, p->flow); } else - DataBus::publish(SSL_SEARCH_ABANDONED, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p); } } diff --git a/src/service_inspectors/ftp_telnet/pp_ftp.cc b/src/service_inspectors/ftp_telnet/pp_ftp.cc index 9c8856f35..25e5d0c91 100644 --- a/src/service_inspectors/ftp_telnet/pp_ftp.cc +++ b/src/service_inspectors/ftp_telnet/pp_ftp.cc @@ -1278,7 +1278,7 @@ static int do_stateful_checks(FTP_SESSION* session, Packet* p, and rsp_code == 234) { OpportunisticTlsEvent event(p, p->flow->service); - DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, event, p->flow); ++ftstats.starttls; if (session->flags & FTP_FLG_SEARCH_ABANDONED) ++ftstats.ssl_search_abandoned_too_soon; @@ -1843,7 +1843,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) !(ftpssn->flags & FTP_FLG_SEARCH_ABANDONED)) { ftpssn->flags |= FTP_FLG_SEARCH_ABANDONED; - DataBus::publish(SSL_SEARCH_ABANDONED, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p); ++ftstats.ssl_search_abandoned; } diff --git a/src/service_inspectors/http2_inspect/http2_flow_data.cc b/src/service_inspectors/http2_inspect/http2_flow_data.cc index 76bcdeba7..d7aca7c4b 100644 --- a/src/service_inspectors/http2_inspect/http2_flow_data.cc +++ b/src/service_inspectors/http2_inspect/http2_flow_data.cc @@ -23,6 +23,7 @@ #include "http2_flow_data.h" +#include "main/snort_types.h" #include "service_inspectors/http_inspect/http_inspect.h" #include "service_inspectors/http_inspect/http_test_manager.h" @@ -253,9 +254,7 @@ bool Http2FlowData::is_mid_frame() const FlowData* Http2FlowStreamIntf::get_stream_flow_data(const Flow* flow) { - Http2FlowData* h2i_flow_data = nullptr; - - h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); + Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); assert(h2i_flow_data); return h2i_flow_data->get_hi_flow_data(); @@ -263,27 +262,28 @@ FlowData* Http2FlowStreamIntf::get_stream_flow_data(const Flow* flow) void Http2FlowStreamIntf::set_stream_flow_data(Flow* flow, FlowData* flow_data) { - Http2FlowData* h2i_flow_data = - (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); + Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); assert(h2i_flow_data); + h2i_flow_data->set_hi_flow_data((HttpFlowData*)flow_data); } void Http2FlowStreamIntf::get_stream_id(const Flow* flow, int64_t& stream_id) { - Http2FlowData* h2i_flow_data = nullptr; - - h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); + Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); assert(h2i_flow_data); + stream_id = h2i_flow_data->get_processing_stream_id(); } AppId Http2FlowStreamIntf::get_appid_from_stream(const Flow* flow) { - Http2FlowData* h2i_flow_data = nullptr; - - h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); +#ifdef NDEBUG + UNUSED(flow); +#else + Http2FlowData* h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); assert(h2i_flow_data); +#endif return APP_ID_HTTP2; } diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc index 0092992f5..0b1a5ddd1 100644 --- a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc +++ b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc @@ -56,7 +56,7 @@ StreamSplitter::Status Http2StreamSplitter::scan(Packet* pkt, const uint8_t* dat if (session_data == nullptr) { AssistantGadgetEvent event(pkt, "http"); - DataBus::publish(FLOW_ASSISTANT_GADGET_EVENT, event, flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_ASSISTANT_GADGET, event, flow); if (flow->assistant_gadget == nullptr) { // http_inspect is not configured diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc index 1ca5d1864..dcd299a07 100755 --- a/src/service_inspectors/http_inspect/http_inspect.cc +++ b/src/service_inspectors/http_inspect/http_inspect.cc @@ -32,6 +32,7 @@ #include "service_inspectors/http2_inspect/http2_flow_data.h" #include "log/unified2.h" #include "protocols/packet.h" +#include "pub_sub/http_event_ids.h" #include "stream/stream.h" #include "http_common.h" @@ -138,10 +139,11 @@ HttpInspect::~HttpInspect() delete script_finder; } -bool HttpInspect::configure(SnortConfig* ) +bool HttpInspect::configure(SnortConfig*) { params->js_norm_param.configure(); params->mime_decode_conf->sync_all_depths(); + pub_id = DataBus::get_id(http_pub_key); return true; } @@ -609,7 +611,7 @@ void HttpInspect::process(const uint8_t* data, const uint16_t dsize, Flow* const } #endif - current_section->publish(); + current_section->publish(pub_id); if (p != nullptr) { const PduSection pdu_section = current_section->get_inspection_section(); diff --git a/src/service_inspectors/http_inspect/http_inspect.h b/src/service_inspectors/http_inspect/http_inspect.h index 1542d0d2b..6c0a31903 100644 --- a/src/service_inspectors/http_inspect/http_inspect.h +++ b/src/service_inspectors/http_inspect/http_inspect.h @@ -88,6 +88,9 @@ public: static int get_xtra_host(snort::Flow*, uint8_t** buf, uint32_t* len, uint32_t* type); static int get_xtra_jsnorm(snort::Flow*, uint8_t**, uint32_t*, uint32_t*); + unsigned get_pub_id() + { return pub_id; } + private: friend HttpApi; friend HttpStreamSplitter; @@ -108,6 +111,8 @@ private: const uint32_t xtra_uri_id; const uint32_t xtra_host_id; const uint32_t xtra_jsnorm_id; + + unsigned pub_id; // for inspection events }; #endif diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc index 7c7446134..35770cc01 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.cc +++ b/src/service_inspectors/http_inspect/http_msg_body.cc @@ -71,7 +71,7 @@ HttpMsgBody::HttpMsgBody(const uint8_t* buffer, const uint16_t buf_size, get_related_sections(); } -void HttpMsgBody::publish() +void HttpMsgBody::publish(unsigned pub_id) { if (publish_length <= 0) return; @@ -83,7 +83,7 @@ void HttpMsgBody::publish() HttpRequestBodyEvent http_request_body_event(this, publish_octets, last_piece, session_data); - DataBus::publish(HTTPX_REQUEST_BODY_EVENT_KEY, http_request_body_event, flow); + DataBus::publish(pub_id, HttpEventIds::REQUEST_BODY, http_request_body_event, flow); publish_octets += publish_length; #ifdef REG_TEST if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP)) diff --git a/src/service_inspectors/http_inspect/http_msg_body.h b/src/service_inspectors/http_inspect/http_msg_body.h index 48ef219cb..944c4ae0f 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.h +++ b/src/service_inspectors/http_inspect/http_msg_body.h @@ -52,7 +52,7 @@ public: const Field& get_msg_text_new() const { return msg_text_new; } static void fd_event_callback(void* context, int event); bool is_first() { return first_body; } - void publish() override; + void publish(unsigned pub_id) override; int32_t get_publish_length() const; protected: diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc index f36688abc..64b7865af 100755 --- a/src/service_inspectors/http_inspect/http_msg_header.cc +++ b/src/service_inspectors/http_inspect/http_msg_header.cc @@ -56,16 +56,16 @@ HttpMsgHeader::HttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size, get_related_sections(); } -void HttpMsgHeader::publish() +void HttpMsgHeader::publish(unsigned pub_id) { const int64_t stream_id = session_data->get_hx_stream_id(); HttpEvent http_header_event(this, session_data->for_httpx, stream_id); - const char* key = (source_id == SRC_CLIENT) ? - HTTP_REQUEST_HEADER_EVENT_KEY : HTTP_RESPONSE_HEADER_EVENT_KEY; + unsigned evid = (source_id == SRC_CLIENT) ? + HttpEventIds::REQUEST_HEADER : HttpEventIds::RESPONSE_HEADER; - DataBus::publish(key, http_header_event, flow); + DataBus::publish(pub_id, evid, http_header_event, flow); } const Field& HttpMsgHeader::get_true_ip() diff --git a/src/service_inspectors/http_inspect/http_msg_header.h b/src/service_inspectors/http_inspect/http_msg_header.h index 67642db94..3069dec0f 100644 --- a/src/service_inspectors/http_inspect/http_msg_header.h +++ b/src/service_inspectors/http_inspect/http_msg_header.h @@ -43,7 +43,7 @@ public: bool detection_required() const override { return true; } void update_flow() override; void gen_events() override; - void publish() override; + void publish(unsigned pub_id) override; const Field& get_true_ip(); const Field& get_true_ip_addr(); int32_t get_num_cookies(); diff --git a/src/service_inspectors/http_inspect/http_msg_request.cc b/src/service_inspectors/http_inspect/http_msg_request.cc index aa9a80fae..4132a7765 100644 --- a/src/service_inspectors/http_inspect/http_msg_request.cc +++ b/src/service_inspectors/http_inspect/http_msg_request.cc @@ -23,6 +23,8 @@ #include "http_msg_request.h" +#include "pub_sub/intrinsic_event_ids.h" + #include "http_api.h" #include "http_common.h" #include "http_enum.h" @@ -340,13 +342,13 @@ void HttpMsgRequest::update_flow() session_data->method_id = method_id; } -void HttpMsgRequest::publish() +void HttpMsgRequest::publish(unsigned) { if (!session_data->ssl_search_abandoned && trans_num > 1 && !flow->flags.data_decrypted && get_method_id() != METH_CONNECT) { session_data->ssl_search_abandoned = true; - DataBus::publish(SSL_SEARCH_ABANDONED, DetectionEngine::get_current_packet()); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, DetectionEngine::get_current_packet()); } if (SnortConfig::get_conf()->aux_ip_is_enabled()) diff --git a/src/service_inspectors/http_inspect/http_msg_request.h b/src/service_inspectors/http_inspect/http_msg_request.h index c3a3c54d6..8e657097d 100644 --- a/src/service_inspectors/http_inspect/http_msg_request.h +++ b/src/service_inspectors/http_inspect/http_msg_request.h @@ -45,7 +45,7 @@ public: { return snort::PS_HEADER; } void gen_events() override; void update_flow() override; - void publish() override; + void publish(unsigned pub_id) override; const Field& get_method() { return method; } const Field& get_uri(); diff --git a/src/service_inspectors/http_inspect/http_msg_section.h b/src/service_inspectors/http_inspect/http_msg_section.h index 905d4586d..a3378b113 100644 --- a/src/service_inspectors/http_inspect/http_msg_section.h +++ b/src/service_inspectors/http_inspect/http_msg_section.h @@ -70,7 +70,7 @@ public: virtual void update_flow() = 0; // Publish an inspection event for other modules to consume - virtual void publish() {} + virtual void publish(unsigned /*pub_id*/) {} // Call the detection engine to inspect the current packet virtual bool run_detection(snort::Packet* p); diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc index 18c491df4..edf9fa55f 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc +++ b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc @@ -198,7 +198,7 @@ bool HttpStreamSplitter::finish(Flow* flow) { HttpRequestBodyEvent http_request_body_event(nullptr, session_data->publish_octets[source_id], true, session_data); - DataBus::publish(HTTPX_REQUEST_BODY_EVENT_KEY, http_request_body_event, flow); + DataBus::publish(my_inspector->get_pub_id(), HttpEventIds::REQUEST_BODY, http_request_body_event, flow); #ifdef REG_TEST if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP)) { diff --git a/src/service_inspectors/imap/imap.cc b/src/service_inspectors/imap/imap.cc index b1160ca7f..5192652f5 100644 --- a/src/service_inspectors/imap/imap.cc +++ b/src/service_inspectors/imap/imap.cc @@ -514,7 +514,7 @@ static void IMAP_ProcessServerPacket(Packet* p, IMAPData* imap_ssn) and !p->flow->flags.data_decrypted) { imap_ssn->session_flags |= IMAP_FLAG_ABANDON_EVT; - DataBus::publish(SSL_SEARCH_ABANDONED, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p); imapstats.ssl_search_abandoned++; } imap_ssn->state = STATE_DATA; @@ -540,7 +540,7 @@ static void IMAP_ProcessServerPacket(Packet* p, IMAPData* imap_ssn) } OpportunisticTlsEvent event(p, p->flow->service); - DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, event, p->flow); imapstats.start_tls++; imap_ssn->state = STATE_DECRYPTION_REQ; } diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc index 6722e40f1..ddfacdf47 100644 --- a/src/service_inspectors/netflow/netflow.cc +++ b/src/service_inspectors/netflow/netflow.cc @@ -44,6 +44,8 @@ using namespace snort; +static unsigned pub_id = 0; + // ----------------------------------------------------------------------------- // static functions // ----------------------------------------------------------------------------- @@ -128,7 +130,7 @@ static void publish_netflow_event(const Packet* p, const NetFlowRule* match, Net } NetFlowEvent event(p, &record, match->create_host, match->create_service, swapped, serviceID); - DataBus::publish(NETFLOW_EVENT, event); + DataBus::publish(pub_id, NetFlowEventIds::DATA, event); } static bool version_9_record_update(const unsigned char* data, uint32_t unix_secs, @@ -767,6 +769,7 @@ public: void tterm() override; void eval(snort::Packet*) override; + bool configure(SnortConfig*) override; void show(const snort::SnortConfig*) const override; void install_reload_handler(snort::SnortConfig*) override; @@ -836,6 +839,12 @@ static std::string to_string(const std::vector & zones) return zs; } +bool NetFlowInspector::configure(SnortConfig*) +{ + pub_id = DataBus::get_id(netflow_pub_key); + return true; +} + static void show_device(const NetFlowRule& d, bool is_exclude) { ConfigLogger::log_flag("exclude", is_exclude, true); diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc index 26863f6b4..bfd252194 100644 --- a/src/service_inspectors/pop/pop.cc +++ b/src/service_inspectors/pop/pop.cc @@ -473,7 +473,7 @@ static void POP_ProcessServerPacket(Packet* p, POPData* pop_ssn) and !p->flow->flags.data_decrypted) { pop_ssn->session_flags |= POP_FLAG_ABANDON_EVT; - DataBus::publish(SSL_SEARCH_ABANDONED, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p); popstats.ssl_search_abandoned++; } @@ -488,7 +488,7 @@ static void POP_ProcessServerPacket(Packet* p, POPData* pop_ssn) } OpportunisticTlsEvent event(p, p->flow->service); - DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, event, p->flow); popstats.start_tls++; pop_ssn->state = STATE_DECRYPTION_REQ; } diff --git a/src/service_inspectors/rpc_decode/rpc_decode.cc b/src/service_inspectors/rpc_decode/rpc_decode.cc index 5b5d530c4..aa1ca6c0b 100644 --- a/src/service_inspectors/rpc_decode/rpc_decode.cc +++ b/src/service_inspectors/rpc_decode/rpc_decode.cc @@ -44,6 +44,7 @@ #include "log/messages.h" #include "profiler/profiler.h" #include "protocols/packet.h" +#include "pub_sub/intrinsic_event_ids.h" #include "stream/stream.h" #include "stream/stream_splitter.h" #include "utils/safec.h" @@ -235,7 +236,7 @@ static RpcStatus RpcStatefulInspection(RpcSsnData* rsdata, Packet* p) if (RpcPrepRaw(data, rsdata->frag_len, p) != RPC_STATUS__SUCCESS) return RPC_STATUS__ERROR; - DataBus::publish(PACKET_EVENT, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::ALT_PACKET, p); } if ( (dsize > 0) ) @@ -306,7 +307,7 @@ static RpcStatus RpcStatefulInspection(RpcSsnData* rsdata, Packet* p) if ( (dsize > 0) ) RpcPreprocEvent(rsdata, RPC_MULTIPLE_RECORD); - DataBus::publish(PACKET_EVENT, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::ALT_PACKET, p); RpcBufClean(&rsdata->frag); } diff --git a/src/service_inspectors/sip/sip.cc b/src/service_inspectors/sip/sip.cc index e66902118..47f0f0c9a 100644 --- a/src/service_inspectors/sip/sip.cc +++ b/src/service_inspectors/sip/sip.cc @@ -30,6 +30,7 @@ #include "memory/memory_cap.h" #include "profiler/profiler.h" #include "protocols/packet.h" +#include "pub_sub/sip_events.h" #include "stream/stream_splitter.h" #include "sip_module.h" @@ -44,6 +45,7 @@ static void snort_sip(SIP_PROTO_CONF* GlobalConf, Packet* p); static void FreeSipData(void*); unsigned SipFlowData::inspector_id = 0; +unsigned SIPData::pub_id = 0; SipFlowData::SipFlowData() : FlowData(inspector_id) { @@ -185,6 +187,7 @@ public: Sip(SIP_PROTO_CONF*); ~Sip() override; + bool configure(SnortConfig*) override; void show(const SnortConfig*) const override; void eval(Packet*) override; @@ -212,6 +215,12 @@ Sip::~Sip() } } +bool Sip::configure(SnortConfig*) +{ + SIPData::pub_id = DataBus::get_id(sip_pub_key); + return true; +} + void Sip::show(const SnortConfig*) const { if ( !config ) diff --git a/src/service_inspectors/sip/sip.h b/src/service_inspectors/sip/sip.h index eb6d6d914..3ba78e749 100644 --- a/src/service_inspectors/sip/sip.h +++ b/src/service_inspectors/sip/sip.h @@ -15,13 +15,15 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// #ifndef SIP_H #define SIP_H + // Implementation header with definitions, datatypes and flowdata class for SIP service inspector. #include "flow/flow.h" +#include "framework/data_bus.h" + #include "sip_dialog.h" #include "sip_parser.h" #include "sip_roptions.h" @@ -34,6 +36,8 @@ struct SIPData SIP_DialogList dialogs; SIP_Roptions ropts; SIP_PROTO_CONF *sip_config; + + static unsigned pub_id; }; class SipFlowData : public snort::FlowData diff --git a/src/service_inspectors/sip/sip_dialog.cc b/src/service_inspectors/sip/sip_dialog.cc index b30ad5bf5..9b1fd6383 100644 --- a/src/service_inspectors/sip/sip_dialog.cc +++ b/src/service_inspectors/sip/sip_dialog.cc @@ -598,7 +598,7 @@ static void sip_publish_data_bus( const Packet* p, const SIPMsg* sip_msg, const SIP_DialogData* dialog) { SipEvent event(p, sip_msg, dialog); - DataBus::publish(SIP_EVENT_TYPE_SIP_DIALOG_KEY, event, p->flow); + DataBus::publish(SIPData::pub_id, SipEventIds::DIALOG, event, p->flow); } /******************************************************************** diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc index c2f879ac1..19737a31c 100644 --- a/src/service_inspectors/smtp/smtp.cc +++ b/src/service_inspectors/smtp/smtp.cc @@ -1151,7 +1151,7 @@ static void SMTP_ProcessServerPacket( and !(smtp_ssn->state_flags & SMTP_FLAG_ABANDON_EVT)) { smtp_ssn->state_flags |= SMTP_FLAG_ABANDON_EVT; - DataBus::publish(SSL_SEARCH_ABANDONED, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::SSL_SEARCH_ABANDONED, p); ++smtpstats.ssl_search_abandoned; } break; @@ -1181,7 +1181,7 @@ static void SMTP_ProcessServerPacket( smtp_ssn->server_accepted_starttls = true; OpportunisticTlsEvent event(p, p->flow->service); - DataBus::publish(OPPORTUNISTIC_TLS_EVENT, event, p->flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::OPPORTUNISTIC_TLS, event, p->flow); ++smtpstats.starttls; if (smtp_ssn->state_flags & SMTP_FLAG_ABANDON_EVT) ++smtpstats.ssl_search_abandoned_too_soon; diff --git a/src/service_inspectors/ssh/ssh.cc b/src/service_inspectors/ssh/ssh.cc index 69ab71671..66fdfb2dd 100644 --- a/src/service_inspectors/ssh/ssh.cc +++ b/src/service_inspectors/ssh/ssh.cc @@ -45,6 +45,8 @@ using namespace snort; THREAD_LOCAL ProfileStats sshPerfStats; THREAD_LOCAL SshStats sshstats; +static unsigned pub_id = 0; + /* * Function prototype(s) */ @@ -144,12 +146,12 @@ static void snort_ssh(SSH_PROTO_CONF* config, Packet* p) { std::string proto_string((const char *)(p->data), p->dsize); SshEvent event(SSH_VERSION_STRING, SSH_NOT_FINISHED, proto_string, pkt_direction, p); - DataBus::publish(SSH_EVENT, event, p->flow); + DataBus::publish(pub_id, SshEventIds::STATE_CHANGE, event, p->flow); } else { SshEvent event(SSH_VALIDATION, SSH_INVALID_VERSION, "", pkt_direction, p); - DataBus::publish(SSH_EVENT, event, p->flow); + DataBus::publish(pub_id, SshEventIds::STATE_CHANGE, event, p->flow); } } else if (!(sessp->state_flags & search_dir_keyinit)) @@ -171,12 +173,12 @@ static void snort_ssh(SSH_PROTO_CONF* config, Packet* p) if (keyx_valid) { SshEvent event(SSH_VALIDATION, SSH_VALID_KEXINIT, "", pkt_direction, p); - DataBus::publish(SSH_EVENT, event, p->flow); + DataBus::publish(pub_id, SshEventIds::STATE_CHANGE, event, p->flow); } else { SshEvent event(SSH_VALIDATION, SSH_INVALID_KEXINIT, "", pkt_direction, p); - DataBus::publish(SSH_EVENT, event, p->flow); + DataBus::publish(pub_id, SshEventIds::STATE_CHANGE, event, p->flow); sessp->state_flags |= SSH_FLG_SESS_ENCRYPTED; } } @@ -546,6 +548,7 @@ public: Ssh(SSH_PROTO_CONF*); ~Ssh() override; + bool configure(SnortConfig*) override; void show(const SnortConfig*) const override; void eval(Packet*) override; class StreamSplitter* get_splitter(bool to_server) override @@ -566,6 +569,12 @@ Ssh::~Ssh() delete config; } +bool Ssh::configure(SnortConfig*) +{ + pub_id = DataBus::get_id(ssh_pub_key); + return true; +} + void Ssh::show(const SnortConfig*) const { if ( !config ) diff --git a/src/service_inspectors/ssl/ssl_inspector.cc b/src/service_inspectors/ssl/ssl_inspector.cc index f958edac9..22b71fd6b 100644 --- a/src/service_inspectors/ssl/ssl_inspector.cc +++ b/src/service_inspectors/ssl/ssl_inspector.cc @@ -488,8 +488,8 @@ void Ssl::eval(Packet* p) bool Ssl::configure(SnortConfig*) { - DataBus::subscribe(FINALIZE_PACKET_EVENT, new SslFinalizePacketHandler()); - DataBus::subscribe(OPPORTUNISTIC_TLS_EVENT, new SslStartTlsEventtHandler()); + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::FINALIZE_PACKET, new SslFinalizePacketHandler()); + DataBus::subscribe(intrinsic_pub_key, IntrinsicEventIds::OPPORTUNISTIC_TLS, new SslStartTlsEventtHandler()); return true; } diff --git a/src/service_inspectors/wizard/wizard.cc b/src/service_inspectors/wizard/wizard.cc index 81d32945d..c9202d2ec 100644 --- a/src/service_inspectors/wizard/wizard.cc +++ b/src/service_inspectors/wizard/wizard.cc @@ -25,6 +25,7 @@ #include "log/messages.h" #include "profiler/profiler.h" #include "protocols/packet.h" +#include "pub_sub/intrinsic_event_ids.h" #include "stream/stream_splitter.h" #include "trace/trace_api.h" @@ -206,7 +207,7 @@ StreamSplitter::Status MagicSplitter::scan( if ( !pkt->flow->flags.svc_event_generated ) { - DataBus::publish(FLOW_NO_SERVICE_EVENT, pkt); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_NO_SERVICE, pkt); pkt->flow->flags.svc_event_generated = true; } @@ -222,7 +223,7 @@ StreamSplitter::Status MagicSplitter::scan( // enhanced to abort sooner if it can't detect service. if ( !pkt->flow->service and !pkt->flow->flags.svc_event_generated ) { - DataBus::publish(FLOW_NO_SERVICE_EVENT, pkt); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_NO_SERVICE, pkt); pkt->flow->flags.svc_event_generated = true; } diff --git a/src/stream/base/stream_base.cc b/src/stream/base/stream_base.cc index b88468b30..c4b391620 100644 --- a/src/stream/base/stream_base.cc +++ b/src/stream/base/stream_base.cc @@ -34,7 +34,9 @@ #include "profiler/profiler_defs.h" #include "protocols/packet.h" #include "protocols/tcp.h" +#include "pub_sub/stream_event_ids.h" #include "stream/flush_bucket.h" +#include "stream/stream.h" #include "stream/tcp/tcp_stream_tracker.h" #include "stream_ha.h" @@ -184,6 +186,7 @@ class StreamBase : public Inspector { public: StreamBase(const StreamModuleConfig*); + bool configure(SnortConfig*) override; void show(const SnortConfig*) const override; void tear_down(SnortConfig*) override; @@ -200,6 +203,12 @@ public: StreamBase::StreamBase(const StreamModuleConfig* c) { config = *c; } +bool StreamBase::configure(SnortConfig*) +{ + Stream::set_pub_id(); + return true; +} + void StreamBase::tear_down(SnortConfig* sc) { sc->register_reload_handler(new StreamUnloadReloadResourceManager); } @@ -278,7 +287,7 @@ void StreamBase::eval(Packet* p) bool new_flow = false; flow_con->process(PktType::IP, p, &new_flow); if ( new_flow ) - DataBus::publish(STREAM_IP_NEW_FLOW_EVENT, p); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::IP_NEW_FLOW, p); } break; @@ -296,7 +305,7 @@ void StreamBase::eval(Packet* p) bool new_flow = false; flow_con->process(PktType::UDP, p, &new_flow); if ( new_flow ) - DataBus::publish(STREAM_UDP_NEW_FLOW_EVENT, p); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::UDP_NEW_FLOW, p); } break; @@ -307,7 +316,7 @@ void StreamBase::eval(Packet* p) if ( !flow_con->process(PktType::ICMP, p, &new_flow) ) flow_con->process(PktType::IP, p, &new_flow); if ( new_flow ) - DataBus::publish(STREAM_ICMP_NEW_FLOW_EVENT, p); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::ICMP_NEW_FLOW, p); } break; diff --git a/src/stream/base/stream_ha.cc b/src/stream/base/stream_ha.cc index 2abb3dc11..c40788055 100644 --- a/src/stream/base/stream_ha.cc +++ b/src/stream/base/stream_ha.cc @@ -27,6 +27,7 @@ #include "flow/flow_key.h" #include "managers/inspector_manager.h" +#include "pub_sub/stream_event_ids.h" #include "stream/stream.h" using namespace snort; @@ -104,7 +105,7 @@ bool StreamHAClient::consume(Flow*& flow, const FlowKey* key, HAMessage& msg, ui return false; BareDataEvent event; - DataBus::publish(STREAM_HA_NEW_FLOW_EVENT, event, flow); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::HA_NEW_FLOW, event, flow); flow->ha_state->clear(FlowHAState::NEW); flow->ha_state->add(FlowHAState::STANDBY); @@ -288,3 +289,4 @@ void StreamHAManager::tterm() ha_client = nullptr; } } + diff --git a/src/stream/icmp/icmp_session.cc b/src/stream/icmp/icmp_session.cc index 5ac0f6e8f..ca53a6628 100644 --- a/src/stream/icmp/icmp_session.cc +++ b/src/stream/icmp/icmp_session.cc @@ -32,6 +32,8 @@ #include "protocols/tcp.h" #include "protocols/udp.h" #include "protocols/vlan.h" +#include "pub_sub/stream_event_ids.h" +#include "stream/stream.h" #include "utils/util.h" #include "icmp_ha.h" @@ -218,7 +220,7 @@ int IcmpSession::process(Packet* p) if (!(flow->ssn_state.session_flags & SSNFLAG_ESTABLISHED) and !(p->is_from_client())) { - DataBus::publish(STREAM_ICMP_BIDIRECTIONAL_EVENT, p); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::ICMP_BIDIRECTIONAL, p); flow->ssn_state.session_flags |= SSNFLAG_ESTABLISHED; } diff --git a/src/stream/ip/ip_session.cc b/src/stream/ip/ip_session.cc index 8a5193310..e51534491 100644 --- a/src/stream/ip/ip_session.cc +++ b/src/stream/ip/ip_session.cc @@ -27,6 +27,8 @@ #include "memory/memory_cap.h" #include "profiler/profiler_defs.h" #include "protocols/packet.h" +#include "pub_sub/stream_event_ids.h" +#include "stream/stream.h" #include "ip_defrag.h" #include "ip_ha.h" @@ -109,11 +111,11 @@ static inline void update_session(Packet* p, Flow* lws) if ( p->type() == PktType::ICMP and p->ptrs.icmph) { - DataBus::publish(STREAM_ICMP_BIDIRECTIONAL_EVENT, p); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::ICMP_BIDIRECTIONAL, p); } else { - DataBus::publish(STREAM_IP_BIDIRECTIONAL_EVENT, p); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::IP_BIDIRECTIONAL, p); } } } @@ -245,7 +247,6 @@ public: StreamIp(StreamIpConfig*); ~StreamIp() override; - bool configure(SnortConfig*) override; void show(const SnortConfig*) const override; NORETURN_ASSERT void eval(Packet*) override; StreamIpConfig* config; diff --git a/src/stream/stream.cc b/src/stream/stream.cc index 68db50a01..bc8195d76 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -32,11 +32,13 @@ #include "flow/flow_key.h" #include "flow/ha.h" #include "flow/prune_stats.h" +#include "framework/data_bus.h" #include "main/snort.h" #include "main/snort_config.h" #include "network_inspectors/packet_tracer/packet_tracer.h" #include "packet_io/active.h" #include "protocols/vlan.h" +#include "pub_sub/stream_event_ids.h" #include "stream/base/stream_module.h" #include "target_based/host_attributes.h" #include "target_based/snort_protocols.h" @@ -868,7 +870,21 @@ bool Stream::get_held_pkt_seq(Flow* flow, uint32_t& seq) return false; } +//------------------------------------------------------------------------- +// pub sub foo +//------------------------------------------------------------------------- + +static unsigned stream_pub_id = 0; + +void Stream::set_pub_id() +{ stream_pub_id = DataBus::get_id(stream_pub_key); } + +unsigned Stream::get_pub_id() +{ return stream_pub_id; } + +//------------------------------------------------------------------------- #ifdef UNIT_TEST +//------------------------------------------------------------------------- #include "catch/snort_catch.h" #include "tcp/test/stream_tcp_test_utils.h" diff --git a/src/stream/stream.h b/src/stream/stream.h index b9dc615a1..23d134b26 100644 --- a/src/stream/stream.h +++ b/src/stream/stream.h @@ -247,6 +247,9 @@ public: static bool get_held_pkt_seq(Flow*, uint32_t&); + static void set_pub_id(); + static unsigned get_pub_id(); + private: static void set_ip_protocol(Flow*); }; diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc index a88229e94..2fb4f2699 100644 --- a/src/stream/tcp/tcp_session.cc +++ b/src/stream/tcp/tcp_session.cc @@ -54,6 +54,7 @@ #include "memory/memory_cap.h" #include "profiler/profiler.h" #include "protocols/eth.h" +#include "pub_sub/intrinsic_event_ids.h" #include "stream_tcp.h" #include "tcp_ha.h" @@ -293,7 +294,7 @@ void TcpSession::update_perf_base_state(char newState) flow->update_session_flags(session_flags); if ( fire_event ) - DataBus::publish(FLOW_STATE_EVENT, nullptr, flow); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_STATE_CHANGE, nullptr, flow); } bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd) diff --git a/src/stream/tcp/tcp_state_listen.cc b/src/stream/tcp/tcp_state_listen.cc index 26d31700f..49b047c80 100644 --- a/src/stream/tcp/tcp_state_listen.cc +++ b/src/stream/tcp/tcp_state_listen.cc @@ -25,6 +25,9 @@ #include "tcp_state_listen.h" +#include "pub_sub/stream_event_ids.h" +#include "stream/stream.h" + #include "tcp_normalizers.h" #include "tcp_session.h" @@ -141,7 +144,7 @@ bool TcpStateListen::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& if ( !Stream::is_midstream(flow) ) { flow->set_session_flags(SSNFLAG_MIDSTREAM); - DataBus::publish(STREAM_TCP_MIDSTREAM_EVENT, tsd.get_pkt()); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt()); } trk.init_on_data_seg_sent(tsd); @@ -168,7 +171,7 @@ bool TcpStateListen::data_seg_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& if ( !Stream::is_midstream(flow) ) { flow->set_session_flags(SSNFLAG_MIDSTREAM); - DataBus::publish(STREAM_TCP_MIDSTREAM_EVENT, tsd.get_pkt()); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt()); } trk.init_on_data_seg_recv(tsd); trk.normalizer.ecn_tracker(tsd.get_tcph(), trk.session->tcp_config->require_3whs()); diff --git a/src/stream/tcp/tcp_state_none.cc b/src/stream/tcp/tcp_state_none.cc index cdcc7e077..4cc945f15 100644 --- a/src/stream/tcp/tcp_state_none.cc +++ b/src/stream/tcp/tcp_state_none.cc @@ -25,6 +25,9 @@ #include "tcp_state_none.h" +#include "pub_sub/stream_event_ids.h" +#include "stream/stream.h" + #include "tcp_normalizers.h" #include "tcp_session.h" @@ -137,7 +140,7 @@ bool TcpStateNone::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& tr if ( !Stream::is_midstream(flow) ) { flow->set_session_flags(SSNFLAG_MIDSTREAM); - DataBus::publish(STREAM_TCP_MIDSTREAM_EVENT, tsd.get_pkt()); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt()); } trk.init_on_data_seg_sent(tsd); @@ -164,7 +167,7 @@ bool TcpStateNone::data_seg_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& tr if ( !Stream::is_midstream(flow) ) { flow->set_session_flags(SSNFLAG_MIDSTREAM); - DataBus::publish(STREAM_TCP_MIDSTREAM_EVENT, tsd.get_pkt()); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt()); } trk.init_on_data_seg_recv(tsd); diff --git a/src/stream/tcp/tcp_stream_session.cc b/src/stream/tcp/tcp_stream_session.cc index 7824bbf78..b00dbd747 100644 --- a/src/stream/tcp/tcp_stream_session.cc +++ b/src/stream/tcp/tcp_stream_session.cc @@ -27,6 +27,8 @@ #include "framework/data_bus.h" #include "log/messages.h" +#include "pub_sub/stream_event_ids.h" +#include "stream/stream.h" #include "stream/tcp/tcp_ha.h" using namespace snort; @@ -396,7 +398,7 @@ void TcpStreamSession::set_established(Packet* p, uint32_t flags) if (SSNFLAG_ESTABLISHED != (SSNFLAG_ESTABLISHED & flow->get_session_flags())) { flow->set_session_flags(SSNFLAG_ESTABLISHED); - DataBus::publish(STREAM_TCP_ESTABLISHED_EVENT, p); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_ESTABLISHED, p); } } @@ -429,7 +431,7 @@ void TcpStreamSession::check_for_one_sided_session(Packet* p) else if ( initiator_watermark != watermark ) { flow.ssn_state.session_flags |= SSNFLAG_TCP_ONE_SIDED; - DataBus::publish(STREAM_TCP_ESTABLISHED_EVENT, p); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_ESTABLISHED, p); } } } diff --git a/src/stream/tcp/tcp_stream_tracker.cc b/src/stream/tcp/tcp_stream_tracker.cc index 0b6d314bc..e37435b13 100644 --- a/src/stream/tcp/tcp_stream_tracker.cc +++ b/src/stream/tcp/tcp_stream_tracker.cc @@ -34,6 +34,8 @@ #include "packet_io/active.h" #include "profiler/profiler_defs.h" #include "protocols/eth.h" +#include "pub_sub/stream_event_ids.h" +#include "stream/stream.h" #include "held_packet_queue.h" #include "segment_overlap_editor.h" @@ -117,7 +119,7 @@ TcpStreamTracker::TcpEvent TcpStreamTracker::set_tcp_event(const TcpSegmentDescr tcp_event = TCP_SYN_RECV_EVENT; tcpStats.syns++; if ( tcp_state == TcpStreamTracker::TCP_LISTEN ) - DataBus::publish(STREAM_TCP_SYN_EVENT, tsd.get_pkt()); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_SYN, tsd.get_pkt()); } else if ( tcph->is_syn_ack() ) { @@ -127,7 +129,7 @@ TcpStreamTracker::TcpEvent TcpStreamTracker::set_tcp_event(const TcpSegmentDescr (!Stream::is_midstream(tsd.get_flow()) and (tcp_state == TcpStreamTracker::TCP_LISTEN or tcp_state == TcpStreamTracker::TCP_STATE_NONE)) ) - DataBus::publish(STREAM_TCP_SYN_ACK_EVENT, tsd.get_pkt()); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_SYN_ACK, tsd.get_pkt()); } else if ( tcph->is_rst() ) { diff --git a/src/stream/udp/udp_session.cc b/src/stream/udp/udp_session.cc index 1f4d388de..c42af4c77 100644 --- a/src/stream/udp/udp_session.cc +++ b/src/stream/udp/udp_session.cc @@ -29,6 +29,9 @@ #include "memory/memory_cap.h" #include "profiler/profiler_defs.h" #include "protocols/packet.h" +#include "pub_sub/intrinsic_event_ids.h" +#include "pub_sub/stream_event_ids.h" +#include "stream/stream.h" #include "udp_ha.h" #include "udp_module.h" @@ -89,7 +92,7 @@ static int ProcessUdp(Flow* lwssn, Packet* p, StreamUdpConfig*) (lwssn->ssn_state.session_flags & SSNFLAG_SEEN_RESPONDER)) { lwssn->ssn_state.session_flags |= SSNFLAG_ESTABLISHED; - DataBus::publish(STREAM_UDP_BIDIRECTIONAL_EVENT, p); + DataBus::publish(Stream::get_pub_id(), StreamEventIds::UDP_BIDIRECTIONAL, p); } } @@ -124,7 +127,7 @@ bool UdpSession::setup(Packet* p) SESSION_STATS_ADD(udpStats) - DataBus::publish(FLOW_STATE_EVENT, p); + DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_STATE_CHANGE, p); if ( flow->ssn_state.ignore_direction != SSN_DIR_NONE ) {