From: Russ Combs Date: Sun, 30 Oct 2016 12:51:13 +0000 (-0400) Subject: provide context to detection disable methods X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a4d51dac6f26297890e6c72f4a6f13a7459e9d8;p=thirdparty%2Fsnort3.git provide context to detection disable methods don't offload non-fast-pattern rules reinitialize rebuilt PDUs if offloaded --- diff --git a/extra/src/inspectors/http_server/hi_main.cc b/extra/src/inspectors/http_server/hi_main.cc index fa66eca5d..a88cf60c4 100644 --- a/extra/src/inspectors/http_server/hi_main.cc +++ b/extra/src/inspectors/http_server/hi_main.cc @@ -609,7 +609,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( p->alt_dsize == 0 ) { - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); return 0; } { @@ -898,7 +898,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( !GetHttpBufferMask() && (p->alt_dsize == 0) ) { - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); return 0; } } @@ -915,7 +915,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( !(session->server_conf->inspect_response) && IsLimitedDetect(p) && !p->alt_dsize ) { - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); return 0; } ClearHttpBuffers(); @@ -1089,7 +1089,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( IsLimitedDetect(p) && !GetHttpBufferMask() && (p->alt_dsize == 0) ) { - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); return 0; } } @@ -1107,7 +1107,8 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) */ { Profile exclude(hiPerfStats); - DetectionEngine::detect(p); + DetectionEngine de; + de.detect(p); } /* 
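Review bot: The `DetectionEngine de; de.detect(p);` pair in the `@@ -1107` hunk ties detection to a local object whose destructor, as rewritten in detection_engine.cc in this same commit, unconditionally calls `clear_packet(context->packet)` (log_events + reset of the context's event queue) and calls `sw->complete()` when its context is the switcher's current one. If the constructor does not acquire a fresh context, leaving the `Profile exclude(hiPerfStats)` block would flush and complete the caller's context in the middle of HttpInspectMain; the constructor body is not in the diff, so please confirm which it is. Either way the intent deserves a line, e.g. `// scoped engine: this PDU's events are logged and its context cleared when de leaves the block`. HttpInspectMain continues outside the hunk.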
@@ -1121,7 +1122,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( iCallDetect == 0 ) { // DetectionEngine::detect called at least once from above pkt processing loop. - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); } return 0; diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc index 6218595f4..a7961aafc 100644 --- a/src/detection/detection_engine.cc +++ b/src/detection/detection_engine.cc @@ -47,8 +47,6 @@ Trace TRACE_NAME(detection); -THREAD_LOCAL DetectionEngine::ActiveRules active_rules = DetectionEngine::NONE; - static THREAD_LOCAL unsigned s_events = 0; static THREAD_LOCAL Ring* offload_ids = nullptr; @@ -63,10 +61,16 @@ DetectionEngine::DetectionEngine() DetectionEngine::~DetectionEngine() { - if ( context == get_context() ) - clear_packet(); + clear_packet(context->packet); + ContextSwitcher* sw = Snort::get_switcher(); + + if ( context == sw->get_context() ) + sw->complete(); } +Packet* DetectionEngine::get_packet() +{ return context->packet; } + IpsContext* DetectionEngine::get_context() { return Snort::get_switcher()->get_context(); } @@ -76,9 +80,6 @@ SF_EVENTQ* DetectionEngine::get_event_queue() Packet* DetectionEngine::get_current_packet() { return Snort::get_switcher()->get_context()->packet; } -Packet* DetectionEngine::get_packet() -{ return get_current_packet(); } - void DetectionEngine::set_encode_packet(Packet* p) { Snort::get_switcher()->get_context()->encode_packet = p; } @@ -103,26 +104,16 @@ Packet* DetectionEngine::set_packet() return p; } -void DetectionEngine::clear_packet() +void DetectionEngine::clear_packet(Packet* p) { - ContextSwitcher* sw = Snort::get_switcher(); - IpsContext* c = sw->get_context(); - - if ( c->offload ) - return; - - Packet* p = c->packet; - log_events(p); - reset(); + reset(p); if ( p->endianness ) { delete p->endianness; p->endianness = nullptr; } - - sw->complete(); } uint8_t* DetectionEngine::get_buffer(unsigned& max) 
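Review bot: `~DetectionEngine` now calls `clear_packet(context->packet)` without the `c->offload` guard that the old `clear_packet()` had, so log_events()/reset() run against the context's event queue even when the packet has been handed to an offload thread; Snort::inspect in this commit returns with `de` still in scope right after `offloaded(p)` is true, so the path looks reachable. If the offload thread queues into the same `p->context->equeue`, that is a cross-thread race, and onload() already performs log_events/reset/clear_packet after `c->offload->join()`, so the destructor has nothing to do in that case. Suggest restoring the guard: `if ( !context->offload ) clear_packet(context->packet);`. The destructor also assumes `context` and `context->packet` are non-null; a short comment stating that precondition would help.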
@@ -158,26 +149,32 @@ void DetectionEngine::set_data(unsigned id, IpsContextData* p) IpsContextData* DetectionEngine::get_data(unsigned id) { return Snort::get_switcher()->get_context()->get_context_data(id); } -DetectionEngine::ActiveRules DetectionEngine::get_detects() -{ return active_rules; } +void DetectionEngine::disable_all(Packet* p) +{ p->context->active_rules = IpsContext::NONE; } -void DetectionEngine::set_detects(ActiveRules ar) -{ active_rules = ar; } +bool DetectionEngine::all_disabled(Packet* p) +{ return p->context->active_rules == IpsContext::NONE; } -void DetectionEngine::disable_content() +void DetectionEngine::disable_content(Packet* p) { - if ( active_rules == CONTENT ) - active_rules = NON_CONTENT; + if ( p->context->active_rules == IpsContext::CONTENT ) + p->context->active_rules = IpsContext::NON_CONTENT; } -void DetectionEngine::disable_all() -{ active_rules = NONE; } +void DetectionEngine::enable_content(Packet* p) +{ p->context->active_rules = IpsContext::CONTENT; } + +bool DetectionEngine::content_enabled(Packet* p) +{ return p->context->active_rules == IpsContext::CONTENT; } + +IpsContext::ActiveRules DetectionEngine::get_detects(Packet* p) +{ return p->context->active_rules; } -bool DetectionEngine::offloaded(Flow* flow) -{ return flow->test_session_flags(SSNFLAG_OFFLOAD); } +void DetectionEngine::set_detects(Packet* p, IpsContext::ActiveRules ar) +{ p->context->active_rules = ar; } bool DetectionEngine::offloaded(Packet* p) -{ return p->flow and offloaded(p->flow); } +{ return p->flow and p->flow->is_offloaded(); } void DetectionEngine::idle() { @@ -196,7 +193,7 @@ void DetectionEngine::idle() void DetectionEngine::onload(Flow* flow) { - while ( flow->test_session_flags(SSNFLAG_OFFLOAD) ) + while ( flow->is_offloaded() ) { const struct timespec blip = { 0, 1 }; trace_logf(detection, "%lu de::sleep\n", pc.total_from_daq); 
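Review bot: The new per-packet accessors (`disable_all`, `all_disabled`, `disable_content`, `enable_content`, `content_enabled`, `get_detects`, `set_detects`) dereference `p->context` unchecked, while the call sites converted in this commit include inspectors (reputation, ftp_telnet, ip_defrag, ssl) where the diff does not show that every Packet handed in carries a context. The precondition should be stated once above this group, e.g. `// all of the following require p->context to be set (current packet or one from set_packet())`, or enforced with `assert(p->context)` in the same spirit as the `assert(p == p->context->packet)` in offload(). Since `offloaded(Packet*)` still null-checks `p->flow`, readers will otherwise assume the same care was taken for `p->context`.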
@@ -220,7 +217,7 @@ void DetectionEngine::onload() pc.total_from_daq, *id, offload_ids->count()); Packet* p = c->packet; - p->flow->clear_session_flags(SSNFLAG_OFFLOAD); + p->flow->clear_offloaded(); c->offload->join(); delete c->offload; @@ -232,8 +229,10 @@ void DetectionEngine::onload() fp_onload(p); InspectorManager::clear(p); log_events(p); - reset(); - clear_packet(); + reset(p); + clear_packet(p); + + sw->complete(); } bool DetectionEngine::offload(Packet* p) @@ -248,9 +247,11 @@ bool DetectionEngine::offload(Packet* p) assert(p == p->context->packet); onload(p->flow); // FIXIT-H ensures correct sequencing, suboptimal - p->flow->set_session_flags(SSNFLAG_OFFLOAD|SSNFLAG_WAS_OFF); + p->flow->set_offloaded(); pc.offloads++; + assert(p->context == sw->get_context()); + unsigned id = sw->suspend(); offload_ids->put(id); @@ -312,7 +313,7 @@ void DetectionEngine::inspect(Packet* p) } else { - active_rules = CONTENT; + enable_content(p); p->alt_dsize = 0; // FIXIT-H should be redundant InspectorManager::execute(p); @@ -320,7 +321,7 @@ void DetectionEngine::inspect(Packet* p) Active::apply_delayed_action(p); - if ( active_rules > NONE ) + if ( !all_disabled(p) ) { if ( detect(p) ) return; @@ -352,7 +353,7 @@ void DetectionEngine::inspect(Packet* p) Profile profile(eventqPerfStats); log_events(p); - reset(); + reset(p); Stream::check_flow_block_pending(p); } @@ -443,7 +444,7 @@ static int log_events(void* event, void* user) */ int DetectionEngine::log_events(Packet* p) { - SF_EVENTQ* pq = get_event_queue(); + SF_EVENTQ* pq = p->context->equeue; sfeventq_action(pq, ::log_events, (void*)p); return 0; } @@ -454,9 +455,9 @@ void DetectionEngine::reset_counts() s_events = 0; } -void DetectionEngine::reset() +void DetectionEngine::reset(Packet* p) { - SF_EVENTQ* pq = get_event_queue(); + SF_EVENTQ* pq = p->context->equeue; sfeventq_reset(pq); reset_counts(); } diff --git a/src/detection/detection_engine.h b/src/detection/detection_engine.h index fe8da021b..03c8fad77 100644 
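Review bot: In onload() the sequence `log_events(p); reset(p); clear_packet(p);` now does the logging and queue reset twice, because the new `clear_packet(Packet*)` in this commit itself calls `log_events(p)` and `reset(p)` before releasing `p->endianness`. The second pass runs on an already-emptied queue so it is harmless, but it is redundant work on the onload path and hides which call is the real one; `clear_packet(p); sw->complete();` expresses the same thing. If the explicit `log_events`/`reset` are kept deliberately (for instance to log before `InspectorManager::clear` side effects), a one-line comment saying so would stop the next reader from deleting them. onload() continues outside the hunk.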
--- a/src/detection/detection_engine.h +++ b/src/detection/detection_engine.h @@ -27,6 +27,7 @@ #include "actions/actions.h" #include "detection/detection_util.h" +#include "detection/ips_context.h" #include "main/snort_types.h" struct DataPointer; @@ -52,14 +53,11 @@ public: static Packet* get_current_packet(); static Packet* set_packet(); - static void clear_packet(); - static bool offloaded(Flow*); static bool offloaded(Packet*); static bool offload(Packet*); static void onload(Flow*); - static void onload(); static void idle(); static void set_encode_packet(Packet*); @@ -83,29 +81,28 @@ public: static int queue_event(const struct OptTreeNode*); static int queue_event(unsigned gid, unsigned sid, RuleType = RULE_TYPE__NONE); - static int log_events(struct Packet*); + static int log_events(Packet*); - static void reset(); + static void reset(Packet*); static void reset_counts(); - enum ActiveRules - { NONE, NON_CONTENT, CONTENT }; - - static ActiveRules get_detects(); - static void set_detects(ActiveRules); + static void disable_all(Packet*); + static bool all_disabled(Packet*); - static void disable_content(); - static void disable_all(); + static void disable_content(Packet*); + static void enable_content(Packet*); + static bool content_enabled(Packet*); - static void enable_content() - { set_detects(CONTENT); } + static IpsContext::ActiveRules get_detects(Packet*); + static void set_detects(Packet*, IpsContext::ActiveRules); - static bool content_enabled() - { return get_detects() == CONTENT; } +private: + static struct SF_EVENTQ* get_event_queue(); + static void onload(); + static void clear_packet(Packet*); private: IpsContext* context; - static struct SF_EVENTQ* get_event_queue(); }; static inline void set_next_file_data(const uint8_t* p, unsigned n) diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index 60df556eb..c543f5981 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc 
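Review bot: The new `Packet*` parameters on `disable_content`, `disable_all`, `enable_content`, `set_detects` and the related accessors only reach `p->context->active_rules` through the pointer member `context`, so `const Packet*` would compile with the same bodies and spare callers from dropping const, as `SSLPP_process_alert` is forced to do in ssl_inspector.cc (`const Packet* packet` becomes `Packet* packet`). Suggest `static void disable_content(const Packet*);` and likewise for the rest of the group. Separately, the class now ends with two consecutive `private:` sections; moving `IpsContext* context;` up into the first keeps the declaration readable.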
@@ -978,13 +978,16 @@ static inline int fpEvalHeaderSW(PortGroup* port_group, Packet* p, p->packet_flags &= ~PKT_IP_RULE; } - if ( DetectionEngine::content_enabled() ) + if ( DetectionEngine::content_enabled(p) ) { if ( fp->get_stream_insert() || !(p->packet_flags & PKT_STREAM_INSERT) ) if ( fp_search(port_group, p, check_ports, type, omd) ) return 0; } + if ( DetectionEngine::offloaded(p) ) + return 0; // FIXIT-H can't eval nfp rules here - move to onload + do { // FIXIT-L restrict no-fast-pattern to non-data packets? (non-data includes @@ -1191,10 +1194,10 @@ static void fpEvalPacketUdp(Packet* p) if (tmp_api.pay_len() > udp::UDP_HEADER_LEN) p->dsize = tmp_api.pay_len() - udp::UDP_HEADER_LEN; - auto save_detect = DetectionEngine::get_detects(); + auto save_detect = DetectionEngine::get_detects(p); if ( p->dsize ) - DetectionEngine::enable_content(); + DetectionEngine::enable_content(p); fpEvalHeaderUdp(p, omd); @@ -1204,7 +1207,7 @@ static void fpEvalPacketUdp(Packet* p) p->data = tmp_data; p->dsize = tmp_dsize; - DetectionEngine::set_detects(save_detect); + DetectionEngine::set_detects(p, save_detect); } /* diff --git a/src/detection/ips_context.cc b/src/detection/ips_context.cc index 078b8e9a8..9f20ed81f 100644 --- a/src/detection/ips_context.cc +++ b/src/detection/ips_context.cc @@ -70,6 +70,7 @@ IpsContext::IpsContext(unsigned size) : offload = nullptr; onload = false; + active_rules = CONTENT; } IpsContext::~IpsContext() diff --git a/src/detection/ips_context.h b/src/detection/ips_context.h index c55fd26fc..d8c786f58 100644 --- a/src/detection/ips_context.h +++ b/src/detection/ips_context.h @@ -67,6 +67,9 @@ public: unsigned get_slot() { return slot; } + enum ActiveRules + { NONE, NON_CONTENT, CONTENT }; + public: Packet* packet; Packet* encode_packet; 
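Review bot: The added `if ( DetectionEngine::offloaded(p) ) return 0;` means no-fast-pattern rules are skipped outright, not deferred, for a packet whose flow is offloaded — the onload() path in this commit does not evaluate them either — so until the FIXIT-H is resolved those rules cannot fire on offloaded traffic. The gate also tests the flow flag rather than whether this call offloaded this packet; offload() waits in onload() first, so a second in-flight packet on the same flow should be impossible, but not every caller is visible here, so that is an inference. Suggest making the gap explicit in the comment, `// FIXIT-H nfp rules are skipped (not deferred) for offloaded packets - move to onload`, and incrementing a counter next to `pc.offloads` so the lost evaluations are observable in the stats. fpEvalHeaderSW continues outside the hunk.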
@@ -78,10 +81,11 @@ public: class MpseStash* stash; struct OtnxMatchData* otnx; + struct SF_EVENTQ* equeue; + uint64_t pkt_count; bool onload; - - struct SF_EVENTQ* equeue; + ActiveRules active_rules; static const unsigned buf_size = Codec::PKT_MAX; diff --git a/src/flow/flow.cc b/src/flow/flow.cc index aa3d4b635..c1a3e6ee6 100644 --- a/src/flow/flow.cc +++ b/src/flow/flow.cc @@ -61,6 +61,7 @@ void Flow::init(PktType type) { pkt_type = type; bitop = nullptr; + flow_flags = 0; if ( HighAvailabilityManager::active() ) { diff --git a/src/flow/flow.h b/src/flow/flow.h index 353f67bce..574edaafc 100644 --- a/src/flow/flow.h +++ b/src/flow/flow.h @@ -62,8 +62,6 @@ #define SSNFLAG_CLIENT_SWAPPED 0x00400000 #define SSNFLAG_PROXIED 0x01000000 -#define SSNFLAG_OFFLOAD 0x02000000 -#define SSNFLAG_WAS_OFF 0x04000000 // FIXIT-L debug only #define SSNFLAG_NONE 0x00000000 /* nothing, an MT bag of chips */ @@ -85,6 +83,9 @@ #define STREAM_STATE_NO_PICKUP 0x2000 #define STREAM_STATE_BLOCK_PENDING 0x4000 +#define FLOW_IS_OFFLOADED 0x01 +#define FLOW_WAS_OFFLOADED 0x02 // FIXIT-L debug only + // FIXIT-L move to appid class if/when the application ids array // is moved typedef int32_t AppId; @@ -287,6 +288,15 @@ public: return disable_inspect; } + bool is_offloaded() const + { return flow_flags & FLOW_IS_OFFLOADED; } + + void set_offloaded() + { flow_flags |= (FLOW_IS_OFFLOADED|FLOW_WAS_OFFLOADED); } + + void clear_offloaded() + { flow_flags &= ~FLOW_IS_OFFLOADED; } + public: // FIXIT-M privatize if possible // fields are organized by initialization and size to minimize // void space and allow for memset of tail end of struct @@ -301,6 +311,7 @@ public: // FIXIT-M privatize if possible PktType pkt_type; // ^^ // these fields are always set; not zeroed + uint8_t flow_flags; Flow* prev, * next; Inspector* ssn_client; Inspector* ssn_server; diff --git a/src/flow/flow_cache.cc b/src/flow/flow_cache.cc index 18dcfa362..1d2782916 100644 --- a/src/flow/flow_cache.cc 
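Review bot: `FLOW_IS_OFFLOADED`/`FLOW_WAS_OFFLOADED` are new preprocessor constants in a header that also gains the typed `uint8_t flow_flags` member; since the bits are only consumed by the three inline accessors added below them, `static constexpr uint8_t` members (or a small enum) beside the accessors would keep them scoped and type-checked, unlike the legacy `SSNFLAG_*` macros they replace. `flow_flags` sits under the `// these fields are always set; not zeroed` comment and is initialised in Flow::init() in this commit, which is consistent, but a comment on the member such as `uint8_t flow_flags; // FLOW_* bits; reset in init()` saves the next reader a cross-file check. `set_offloaded()` also sets the debug-only `FLOW_WAS_OFFLOADED`, which `clear_offloaded()` does not clear — worth stating next to the accessor so it is not mistaken for a leak.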
+++ b/src/flow/flow_cache.cc @@ -191,7 +191,7 @@ unsigned FlowCache::prune_stale(uint32_t thetime, const Flow* save_me) break; } #endif - if ( DetectionEngine::offloaded(flow) ) + if ( flow->is_offloaded() ) break; if ( flow->last_data_seen + config.pruning_timeout >= thetime ) @@ -250,7 +250,7 @@ unsigned FlowCache::prune_excess(const Flow* save_me) assert(flow); // holds true because hash_table->get_count() > 0 if ( (save_me and flow == save_me) or flow->was_blocked() or - DetectionEngine::offloaded(flow) ) + flow->is_offloaded() ) { // check for non-null save_me above to silence analyzer // "called C++ object pointer is null" here @@ -315,7 +315,7 @@ unsigned FlowCache::timeout(unsigned num_flows, time_t thetime) break; if ( HighAvailabilityManager::in_standby(flow) or - DetectionEngine::offloaded(flow) ) + flow->is_offloaded() ) { flow = static_cast(hash_table->next()); continue; diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index b19d07cd6..900a18429 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc @@ -453,7 +453,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p) if ( news ) Stream::stop_inspection(flow, p, SSN_DIR_BOTH, -1, 0); else - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); p->ptrs.decode_flags |= DECODE_PKT_TRUST; break; @@ -464,7 +464,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p) else Active::block_again(); - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); break; case Flow::FlowState::RESET: @@ -474,7 +474,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p) Active::reset_again(); Stream::blocked_flow(flow, p); - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); break; } @@ -770,7 +770,7 @@ bool FlowControl::expected_flow(Flow* flow, Packet* p) (p->packet_flags & PKT_FROM_CLIENT) ? "sender" : "responder"); flow->ssn_state.ignore_direction = ignore; - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); } return ignore; 
diff --git a/src/main/snort.cc b/src/main/snort.cc index 16da1131f..975fa41a7 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc @@ -737,13 +737,13 @@ void Snort::inspect(Packet* p) Profile detect_profile(detectPerfStats); Profile rebuilt_profile(rebuiltPacketPerfStats); - auto save_detect = DetectionEngine::get_detects(); - DetectionEngine de; main_hook(p); - clear_file_data(); - DetectionEngine::set_detects(save_detect); + if ( DetectionEngine::offloaded(p) ) + return; + + clear_file_data(); // FIXIT-H get rid of this } DAQ_Verdict Snort::process_packet( diff --git a/src/main/snort_config.h b/src/main/snort_config.h index 2c397a784..79ac52da0 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -183,7 +183,7 @@ public: int asn1_mem = 0; uint32_t run_flags = 0; - unsigned offload_limit = 99999; + unsigned offload_limit = 99999; // disabled //------------------------------------------------------ // process stuff diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc index 10019ec00..ee55ed813 100644 --- a/src/managers/inspector_manager.cc +++ b/src/managers/inspector_manager.cc @@ -782,7 +782,7 @@ bool InspectorManager::full_inspection(FrameworkPolicy* fp, Packet* p) return false; else if ( !p->dsize ) - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); else if ( flow->gadget && flow->gadget->likes(p) ) { diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc index a96bdc17d..8909c0f7b 100644 --- a/src/network_inspectors/reputation/reputation_inspect.cc +++ b/src/network_inspectors/reputation/reputation_inspect.cc 
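Review bot: In Snort::inspect the early `return` when `offloaded(p)` is true skips `clear_file_data()`, and the onload() hunk in this commit (fp_onload, InspectorManager::clear, log_events, reset, clear_packet, complete) does not call it either, so file data published during an offloaded packet may still be visible to the next packet processed on the thread. If the `// FIXIT-H get rid of this` means that state is moving into the IpsContext, a comment saying so on the early return would close the question; otherwise `clear_file_data()` belongs in onload() after `InspectorManager::clear(p)`. The destructor of the local `de` also runs on this early return, which is covered in the detection_engine.cc note.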
@@ -300,7 +300,7 @@ static void snort_reputation(ReputationConfig* config, Packet* p) DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_BLACKLIST); Active::drop_packet(p, true); // disable all preproc analysis and detection for this packet - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); p->disable_inspect = true; if (p->flow) { @@ -319,7 +319,7 @@ static void snort_reputation(ReputationConfig* config, Packet* p) { DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_WHITELIST); p->packet_flags |= PKT_IGNORE; - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); p->disable_inspect = true; if (p->flow) { diff --git a/src/service_inspectors/ftp_telnet/ft_main.cc b/src/service_inspectors/ftp_telnet/ft_main.cc index 53cb597a3..1d473e6f8 100644 --- a/src/service_inspectors/ftp_telnet/ft_main.cc +++ b/src/service_inspectors/ftp_telnet/ft_main.cc @@ -194,6 +194,6 @@ int FTPCheckConfigs(SnortConfig* sc, void* pData) void do_detection(Packet* p) { get_data_bus().publish(PACKET_EVENT, p); - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); } diff --git a/src/service_inspectors/ssl/ssl_inspector.cc b/src/service_inspectors/ssl/ssl_inspector.cc index a0c967e80..88db09cdb 100644 --- a/src/service_inspectors/ssl/ssl_inspector.cc +++ b/src/service_inspectors/ssl/ssl_inspector.cc @@ -165,7 +165,7 @@ static inline bool SSLPP_is_encrypted(SSL_PROTO_CONF* config, uint32_t ssl_flags } static inline uint32_t SSLPP_process_alert( - SSL_PROTO_CONF*, uint32_t ssn_flags, uint32_t new_flags, const Packet* packet) + SSL_PROTO_CONF*, uint32_t ssn_flags, uint32_t new_flags, Packet* packet) { DebugMessage(DEBUG_SSL, "Process Alert\n"); 
@@ -179,7 +179,7 @@ static inline uint32_t SSLPP_process_alert( !(new_flags & SSL_HEARTBEAT_SEEN)) { DebugMessage(DEBUG_SSL, "Disabling detect\n"); - DetectionEngine::disable_content(); + DetectionEngine::disable_content(packet); } /* Need to negate the application flags from the opposing side. */ @@ -230,7 +230,7 @@ static inline uint32_t SSLPP_process_app(SSL_PROTO_CONF* config, uint32_t ssn_fl } else if (!(new_flags & SSL_HEARTBEAT_SEEN)) { - DetectionEngine::disable_content(); + DetectionEngine::disable_content(packet); } } @@ -257,7 +257,7 @@ static inline void SSLPP_process_other(SSL_PROTO_CONF* config, SSLData* sd, uint } else if (!(new_flags & SSL_HEARTBEAT_SEEN)) { - DetectionEngine::disable_content(); + DetectionEngine::disable_content(packet); } } else @@ -338,7 +338,7 @@ static void snort_ssl(SSL_PROTO_CONF* config, Packet* p) if (!(new_flags & SSL_HEARTBEAT_SEEN)) { - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); } sd->ssn_flags |= new_flags; diff --git a/src/stream/ip/ip_defrag.cc b/src/stream/ip/ip_defrag.cc index 5824eb253..b1eaaa968 100644 --- a/src/stream/ip/ip_defrag.cc +++ b/src/stream/ip/ip_defrag.cc @@ -922,7 +922,7 @@ void Defrag::process(Packet* p, FragTracker* ft) if ((frag_offset != 0)) /* || ((p->get_ip_proto_next() != IpProtocol::UDP) && (p->ptrs.decode_flags & DECODE_MF))) */ { - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); } /* @@ -979,7 +979,7 @@ void Defrag::process(Packet* p, FragTracker* ft) //dont forward fragments to engine if some previous fragment was dropped if ( ft->frag_flags & FRAG_DROP_FRAGMENTS ) { - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); Active::daq_drop_packet(p); ip_stats.drops++; } 
@@ -1063,7 +1063,7 @@ void Defrag::process(Packet* p, FragTracker* ft) { // Need to reset some things here because the rebuilt packet // will have reset the do_detect flag when it hits Inspect. - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); } } diff --git a/src/stream/libtcp/tcp_stream_session.h b/src/stream/libtcp/tcp_stream_session.h index 48d5f79cc..a008d518c 100644 --- a/src/stream/libtcp/tcp_stream_session.h +++ b/src/stream/libtcp/tcp_stream_session.h @@ -76,10 +76,10 @@ public: // FIXIT-L these 2 function names convey no meaning afaict... figure out // why are they called and name appropriately... - virtual void retransmit_process() + virtual void retransmit_process(Packet* p) { // Data has already been analyzed so don't bother looking at it again. - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); } virtual void retransmit_handle(Packet* p) diff --git a/src/stream/stream.cc b/src/stream/stream.cc index db5f4a210..f4fda0b76 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -244,7 +244,7 @@ void Stream::stop_inspection( /* FIXIT-M handle bytes/response parameters */ - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); flow->set_state(Flow::FlowState::ALLOW); } @@ -630,7 +630,7 @@ bool Stream::blocked_flow(Flow* flow, Packet* p) "Blocking %s packet as session was blocked\n", p->is_from_server() ? "server" : "client"); - DetectionEngine::disable_content(); + DetectionEngine::disable_content(p); Active::drop_packet(p); active_response(p, flow); return true; @@ -649,7 +649,7 @@ bool Stream::ignored_flow(Flow* flow, Packet* p) "Stream Ignoring packet from %s. Session marked as ignore\n", p->is_from_client() ? "sender" : "responder"); - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); return true; } diff --git a/src/stream/tcp/ips_stream_reassemble.cc b/src/stream/tcp/ips_stream_reassemble.cc index 7b86e0737..13a575d4b 100644 --- a/src/stream/tcp/ips_stream_reassemble.cc 
+++ b/src/stream/tcp/ips_stream_reassemble.cc @@ -152,7 +152,7 @@ int ReassembleOption::eval(Cursor&, Packet* pkt) { /* Turn off inspection */ lwssn->ssn_state.ignore_direction |= srod.direction; - DetectionEngine::disable_all(); + DetectionEngine::disable_all(pkt); /* TBD: Set TF_FORCE_FLUSH ? */ } diff --git a/src/stream/tcp/segment_overlap_editor.cc b/src/stream/tcp/segment_overlap_editor.cc index 8c6e949f3..df4623916 100644 --- a/src/stream/tcp/segment_overlap_editor.cc +++ b/src/stream/tcp/segment_overlap_editor.cc @@ -54,7 +54,7 @@ bool SegmentOverlapEditor::is_segment_retransmit(bool* full_retransmit) if ( rsize == 0 ) { // All data was retransmitted - session->retransmit_process(); + session->retransmit_process(tsd->get_pkt()); keep_segment = false; } @@ -95,7 +95,7 @@ int SegmentOverlapEditor::eval_right() if ( right->is_retransmit(rdata, rsize, rseq, right->orig_dsize, nullptr) ) { // All data was retransmitted - session->retransmit_process(); + session->retransmit_process(tsd->get_pkt()); keep_segment = false; } else diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc index cfb8190e1..d76a57033 100644 --- a/src/stream/tcp/tcp_reassembler.cc +++ b/src/stream/tcp/tcp_reassembler.cc @@ -596,6 +596,7 @@ void TcpReassembler::prep_s5_pkt(Flow* flow, Packet* p, uint32_t pkt_flags) int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags) { Profile profile(s5TcpFlushPerfStats); + DetectionEngine::onload(session->flow); s5_pkt = DetectionEngine::set_packet(); 
@@ -625,15 +626,29 @@ int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags) uint32_t footprint = stop_seq - seglist_base_seq; if ( footprint == 0 ) - { - DetectionEngine::clear_packet(); return bytes_processed; - } if ( footprint > s5_pkt->max_dsize ) /* this is as much as we can pack into a stream buffer */ footprint = s5_pkt->max_dsize; + DetectionEngine::onload(session->flow); + s5_pkt = DetectionEngine::set_packet(); + + DAQ_PktHdr_t pkth; + session->GetPacketHeaderFoo(&pkth, pkt_flags); + + if ( !p ) + { + // FIXIT-H we need to have user_policy_id in this case + // FIXIT-H this leads to format_tcp() copying from s5_pkt to s5_pkt + // (neither of these issues is created by passing null through to here) + p = s5_pkt; + } + + PacketManager::format_tcp(enc_flags, p, s5_pkt, PSEUDO_PKT_TCP, &pkth, pkth.opaque); + prep_s5_pkt(session->flow, p, pkt_flags); + ((DAQ_PktHdr_t*)s5_pkt->pkth)->ts = seglist.next->tv; /* setup the pseudopacket payload */ @@ -955,6 +970,7 @@ void TcpReassembler::fallback() int32_t TcpReassembler::flush_pdu_ackd(uint32_t* flags) { Profile profile(s5TcpPAFPerfStats); + DetectionEngine::onload(session->flow); uint32_t total = 0; TcpSegmentNode* tsn = SEQ_LT(seglist_base_seq, tracker->r_win_base) ? seglist.head : nullptr; diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc index 80f65f4ec..21c53abe3 100644 --- a/src/stream/tcp/tcp_session.cc +++ b/src/stream/tcp/tcp_session.cc @@ -989,7 +989,7 @@ void TcpSession::do_packet_analysis_post_checks(Packet* p) if (pkt_action_mask & ACTION_DISABLE_INSPECTION) { - DetectionEngine::disable_all(); + DetectionEngine::disable_all(p); DebugFormat(DEBUG_STREAM_STATE, "Stream Ignoring packet from %s. Session marked as ignore\n", diff --git a/src/stream/user/user_session.cc b/src/stream/user/user_session.cc index 6cb8ad703..c1c1b67cc 100644 --- a/src/stream/user/user_session.cc +++ b/src/stream/user/user_session.cc 
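Review bot: `_flush_to_seq` now calls `DetectionEngine::onload(session->flow)` and `s5_pkt = DetectionEngine::set_packet()` twice per flush — once at the top of the function in the previous hunk and again after the footprint computation here — with nothing between the two that can start an offload, so the second pair and the re-run of `PacketManager::format_tcp`/`prep_s5_pkt` appear to execute on every flush rather than only when the PDU had to be rebuilt after an offload; if `set_packet()` acquires a switcher context, calling it twice without a release may also leak one. The `footprint == 0` early return additionally drops the old `clear_packet()` call, and nothing in the hunk releases what the top-of-function `set_packet()` set up, so please confirm the caller does. If the first pair at the top is the transitional leftover, dropping `DetectionEngine::onload(session->flow); s5_pkt = DetectionEngine::set_packet();` there and keeping this hunk's single onload-then-format sequence resolves both. The identical `FIXIT-H` block around `p = s5_pkt` suggests it was copied from earlier in the same function; if that original is still present, the formatting is done twice as well. `_flush_to_seq` continues outside the hunk.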
@@ -23,6 +23,8 @@ #include "user_session.h" +#include "detection/detection_engine.h" +#include "detection/rules.h" #include "main/snort.h" #include "profiler/profiler_defs.h" #include "protocols/packet.h" @@ -236,6 +238,8 @@ void UserTracker::flush(Packet* p, unsigned flush_amt, uint32_t flags) void UserTracker::process(Packet* p) { + DetectionEngine::onload(p->flow); + uint32_t flags = 0; int flush_amt = scan(p, flags);