From: Russ Combs
Date: Sat, 22 Oct 2016 11:36:21 +0000 (-0400)
Subject: convert stream splitters to detection engine buffer
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14efbf9a575e71929cbf167abf341b5f60f8f1b2;p=thirdparty%2Fsnort3.git

convert stream splitters to detection engine buffer
---

diff --git a/extra/src/inspectors/dpx/dpx.cc b/extra/src/inspectors/dpx/dpx.cc
index c54feb380..9800baa8e 100644
--- a/extra/src/inspectors/dpx/dpx.cc
+++ b/extra/src/inspectors/dpx/dpx.cc
@@ -21,6 +21,7 @@
 #include "config.h"
 #endif
 
+#include "detection/detection_engine.h"
 #include "events/event_queue.h"
 #include "framework/inspector.h"
 #include "framework/module.h"
diff --git a/extra/src/inspectors/http_server/hi_stream_splitter.cc b/extra/src/inspectors/http_server/hi_stream_splitter.cc
index 17038bba1..263394e26 100644
--- a/extra/src/inspectors/http_server/hi_stream_splitter.cc
+++ b/extra/src/inspectors/http_server/hi_stream_splitter.cc
@@ -49,14 +49,9 @@
 
 #include "hi_stream_splitter.h"
 
-<<<<<<< HEAD
+#include "detection/detection_engine.h"
 #include "events/event_queue.h"
 #include "main/snort_debug.h"
-=======
-#include "hi_events.h"
-#include "main/snort_debug.h"
-#include "detection/detection_engine.h"
->>>>>>> refactor event queue into DetectionEngine
 #include "protocols/packet.h"
 #include "stream/stream.h"
 #include "utils/util.h"
diff --git a/src/detection/detect.cc b/src/detection/detect.cc
index a56fcf751..786d237d8 100644
--- a/src/detection/detect.cc
+++ b/src/detection/detect.cc
@@ -47,6 +47,7 @@
 #include "detection_engine.h"
 #include "fp_detect.h"
 #include "tag.h"
+#include "treenodes.h"
 
 #define CHECK_SRC_IP 0x01
 #define CHECK_DST_IP 0x02
diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index a66c69519..894aa3df4 100644
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -94,6 +94,12 @@ void DetectionEngine::clear_packet()
     sw->complete();
 }
 
+uint8_t* DetectionEngine::get_buffer(unsigned& max)
+{
+    max = IpsContext::buf_size;
+    return Snort::get_switcher()->get_context()->buf;
+}
+
 DetectionEngine::ActiveRules DetectionEngine::get_detects()
 {
     return active_rules;
 }
diff --git a/src/detection/detection_engine.h b/src/detection/detection_engine.h
index edcb74674..16c729715 100644
--- a/src/detection/detection_engine.h
+++ b/src/detection/detection_engine.h
@@ -43,6 +43,8 @@ public:
     static Packet* set_packet();
     static void clear_packet();
 
+    static uint8_t* get_buffer(unsigned& max);
+
     static bool detect(Packet*);
     static void inspect(Packet*);
 
diff --git a/src/detection/ips_context.cc b/src/detection/ips_context.cc
index 9a0fbf713..dbca66b2b 100644
--- a/src/detection/ips_context.cc
+++ b/src/detection/ips_context.cc
@@ -55,7 +55,7 @@ IpsContext::IpsContext(unsigned size) : data(size, nullptr)
 {
     packet = new Packet(false);
     pkth = new DAQ_PktHdr_t;
-    buf = new uint8_t[65536];  // FIXIT-H use codec max or let pkt do it
+    buf = new uint8_t[buf_size];  // FIXIT-H use codec max or let pkt do it?
 
     const EventQueueConfig* qc = snort_conf->event_queue_config;
     equeue = sfeventq_new(qc->max_events, qc->log_events, sizeof(EventNode));
diff --git a/src/detection/ips_context.h b/src/detection/ips_context.h
index d97364162..b5468964b 100644
--- a/src/detection/ips_context.h
+++ b/src/detection/ips_context.h
@@ -68,6 +68,8 @@ public:
     uint8_t* buf;
     struct SF_EVENTQ* equeue;
 
+    static const unsigned buf_size = 65536;
+
 private:
     std::vector data;
     unsigned slot;
diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc
index c563fc006..fba3c91db 100644
--- a/src/flow/flow_control.cc
+++ b/src/flow/flow_control.cc
@@ -22,7 +22,7 @@
 
 #include "flow_control.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "main/snort_config.h"
 #include "main/snort_debug.h"
 #include "managers/inspector_manager.h"
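Review bot: `DetectionEngine::get_buffer` hands out a raw pointer into the active IpsContext's `buf` without any statement of how long the pointer stays valid or who else writes into it, and the matching declaration added in detection_engine.h carries no comment either. Since `StreamSplitter::reassemble` now copies reassembled payload into this buffer and `TcpReassembler` then points `s5_pkt->data` at it, every consumer shares one scratch area per context, which is exactly the kind of aliasing a later caller will get wrong. I would document it at the declaration: `// scratch buffer of the active IpsContext; max receives its size in bytes. The pointer aliases context storage and must not be retained past the current packet/context.` The lifetime part is inferred from `get_switcher()->get_context()`; confirm it against the context switcher before committing the wording.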
diff --git a/src/main/snort.cc b/src/main/snort.cc
index e4971c93d..4f0193d5c 100644
--- a/src/main/snort.cc
+++ b/src/main/snort.cc
@@ -31,6 +31,7 @@
 #include "connectors/connectors.h"
 #include "decompress/file_decomp.h"
 #include "detection/context_switcher.h"
+#include "detection/detect.h"
 #include "detection/detection_engine.h"
 #include "detection/detection_util.h"
 #include "detection/fp_config.h"
diff --git a/src/network_inspectors/binder/test/binder_test.cc b/src/network_inspectors/binder/test/binder_test.cc
index 33f56e3c0..6e91e7bb8 100644
--- a/src/network_inspectors/binder/test/binder_test.cc
+++ b/src/network_inspectors/binder/test/binder_test.cc
@@ -29,6 +29,7 @@
 #include 
 #include 
 
+#include "detection/detection_engine.h"
 #include "flow/flow.h"
 #include "framework/inspector.h"
 #include "managers/inspector_manager.h"
@@ -87,6 +88,7 @@ bool sfvar_ip_in(sfip_var_t*, const SfIp*) { return false; }
 SO_PUBLIC Inspector* InspectorManager::get_inspector(const char*, bool) { return s_inspector; }
 InspectorType InspectorManager::get_type(const char*) { return InspectorType::IT_BINDER; }
 Inspector* InspectorManager::get_binder() { return nullptr; }
+uint8_t* DetectionEngine::get_buffer(unsigned&) { return nullptr; }
 int16_t ProtocolReference::find(const char*) { return 0; }
 const char* ProtocolReference::get_name(uint16_t) { return ""; }
 
diff --git a/src/piglet_plugins/pp_stream_splitter_iface.cc b/src/piglet_plugins/pp_stream_splitter_iface.cc
index 6e4794adb..d528aa243 100644
--- a/src/piglet_plugins/pp_stream_splitter_iface.cc
+++ b/src/piglet_plugins/pp_stream_splitter_iface.cc
@@ -77,9 +77,9 @@ static const luaL_Reg methods[] =
 
         Lua::Stack::push(L, copied);
 
-        if ( sb )
+        if ( sb.data )
             RawBufferIface.create(
-                L, reinterpret_cast(sb->data), sb->length);
+                L, reinterpret_cast(sb.data), sb.length);
         else
             lua_pushnil(L);
 
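Review bot: The test stub `uint8_t* DetectionEngine::get_buffer(unsigned&) { return nullptr; }` in binder_test.cc leaves its out-parameter untouched, so anything under test that calls it reads an uninitialized `max` afterwards, which is what `StreamSplitter::reassemble` does with `assert(offset + n < max)`. Make the stub initialize its output like the real function does: `uint8_t* DetectionEngine::get_buffer(unsigned& max) { max = 0; return nullptr; }`. Whether binder_test actually reaches reassemble is not visible here, but a stub that initializes only one of its two outputs is a latent source of undefined behaviour either way.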
diff --git a/src/service_inspectors/http_inspect/http_stream_splitter.h b/src/service_inspectors/http_inspect/http_stream_splitter.h
index db4b3f81b..c8b9e6269 100644
--- a/src/service_inspectors/http_inspect/http_stream_splitter.h
+++ b/src/service_inspectors/http_inspect/http_stream_splitter.h
@@ -38,7 +38,7 @@ public:
         my_inspector(my_inspector_) { }
     Status scan(Flow* flow, const uint8_t* data, uint32_t length, uint32_t not_used,
         uint32_t* flush_offset) override;
-    const StreamBuffer* reassemble(Flow* flow, unsigned total, unsigned, const
+    const StreamBuffer reassemble(Flow* flow, unsigned total, unsigned, const
         uint8_t* data, unsigned len, uint32_t flags, unsigned& copied) override;
     bool finish(Flow* flow) override;
     bool is_paf() override { return true; }
diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc
index 5ab4d75ce..4591d5bdc 100644
--- a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc
@@ -197,10 +197,10 @@ void HttpStreamSplitter::decompress_copy(uint8_t* buffer, uint32_t& offset, cons
     offset += length;
 }
 
-const StreamBuffer* HttpStreamSplitter::reassemble(Flow* flow, unsigned total, unsigned,
+const StreamBuffer HttpStreamSplitter::reassemble(Flow* flow, unsigned total, unsigned,
     const uint8_t* data, unsigned len, uint32_t flags, unsigned& copied)
 {
-    static THREAD_LOCAL StreamBuffer http_buf;
+    StreamBuffer http_buf { nullptr, 0 };
 
     copied = len;
 
@@ -214,7 +214,7 @@ const StreamBuffer* HttpStreamSplitter::reassemble(Flow* flow, unsigned total, u
     {
         if (!(flags & PKT_PDU_TAIL))
         {
-            return nullptr;
+            return http_buf;
         }
         bool tcp_close;
         uint8_t* test_buffer;
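Review bot: The new return type `const StreamBuffer reassemble(...)` puts a top-level const on a by-value return, which gives callers nothing except an inability to move from the result and trips clang-tidy's readability-const-return-type; `StreamBuffer reassemble(...)` is the conventional spelling. The same qualifier appears on the virtual in stream_splitter.h and on the definitions in stream_splitter.cc and http_stream_splitter_reassemble.cc, and all four have to change together because the overrides must match the base signature. The call sites that bind `const StreamBuffer sb = ...` in tcp_reassembler.cc are fine as written.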
@@ -228,7 +228,7 @@ const StreamBuffer* HttpStreamSplitter::reassemble(Flow* flow, unsigned total, u
         {
             // Source ID does not match test data, no test data was flushed, or there is no
             // more test data
-            return nullptr;
+            return http_buf;
         }
         data = test_buffer;
         total = len;
@@ -245,7 +245,7 @@ const StreamBuffer* HttpStreamSplitter::reassemble(Flow* flow, unsigned total, u
     // FIXIT-H Workaround for TP Bug 149662
     if (session_data->section_type[source_id] == SEC__NOT_COMPUTE)
     {
-        return nullptr;
+        return { nullptr, 0 };
     }
     assert(session_data->section_type[source_id] != SEC__NOT_COMPUTE);
 
@@ -290,7 +290,7 @@ const StreamBuffer* HttpStreamSplitter::reassemble(Flow* flow, unsigned total, u
             }
         }
     }
-    return nullptr;
+    return http_buf;
     }
 
     HttpModule::increment_peg_counts(PEG_REASSEMBLE);
@@ -377,10 +377,10 @@ const StreamBuffer* HttpStreamSplitter::reassemble(Flow* flow, unsigned total, u
             fflush(HttpTestManager::get_output_file());
         }
 #endif
-        return &http_buf;
+        return http_buf;
         }
 
         my_inspector->clear(session_data, source_id);
     }
-    return nullptr;
+    return http_buf;
 }
diff --git a/src/stream/stream_splitter.cc b/src/stream/stream_splitter.cc
index 0a3450a5a..80e839d1d 100644
--- a/src/stream/stream_splitter.cc
+++ b/src/stream/stream_splitter.cc
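Review bot: Inside `HttpStreamSplitter::reassemble` the empty result is now spelled two ways: `return { nullptr, 0 };` in the SEC__NOT_COMPUTE workaround at line 245 and `return http_buf;` at every other early exit, where `http_buf` is the local initialized to `{ nullptr, 0 }` in the first hunk of this file. Use one form throughout; `return http_buf;` keeps it visible that every early exit yields the same empty buffer, assuming `http_buf` has not been assigned before that point, which the visible hunks do not show. The function begins in the hunk at line 197 and its body continues between the hunks shown here.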
@@ -23,32 +23,30 @@
 
 #include "stream_splitter.h"
 
+#include "detection/detection_engine.h"
 #include "main/snort_config.h"
 #include "protocols/packet.h"
 #include "flush_bucket.h"
 
-static THREAD_LOCAL uint8_t pdu_buf[StreamSplitter::max_buf];
-static THREAD_LOCAL StreamBuffer str_buf;
-
 unsigned StreamSplitter::max(Flow*)
 {
     return snort_conf->max_pdu;
 }
 
-const StreamBuffer* StreamSplitter::reassemble(
+const StreamBuffer StreamSplitter::reassemble(
     Flow*, unsigned, unsigned offset, const uint8_t* p, unsigned n, uint32_t flags, unsigned& copied)
 {
-    assert(offset + n < sizeof(pdu_buf));
+    unsigned max;
+    uint8_t* pdu_buf = DetectionEngine::get_buffer(max);
+
+    assert(offset + n < max);
     memcpy(pdu_buf+offset, p, n);
     copied = n;
 
     if ( flags & PKT_PDU_TAIL )
-    {
-        str_buf.data = pdu_buf;
-        str_buf.length = offset + n;
-        return &str_buf;
-    }
-    return nullptr;
+        return { pdu_buf, offset + n };
+
+    return { nullptr, 0 };
 }
 
 //--------------------------------------------------------------------------
diff --git a/src/stream/stream_splitter.h b/src/stream/stream_splitter.h
index 1c5a7bb6f..d99b7a80e 100644
--- a/src/stream/stream_splitter.h
+++ b/src/stream/stream_splitter.h
@@ -65,7 +65,7 @@ public:
 
     // the last call to reassemble() will be made with len == 0 if
     // finish() returned true as an opportunity for a final flush
-    virtual const StreamBuffer* reassemble(
+    virtual const StreamBuffer reassemble(
         Flow*,
         unsigned total,    // total amount to flush (sum of iterations)
         unsigned offset,   // data offset from start of reassembly
diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index 95c90e902..afba7476d 100644
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
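Review bot: The only bounds check before `memcpy(pdu_buf+offset, p, n)` in `StreamSplitter::reassemble` is `assert(offset + n < max)`, which compiles out under NDEBUG, and `offset + n` is an unsigned sum that can wrap, so a release build copies network-supplied segment data into the context buffer with no effective limit. Keep the assert for debug builds but add a guard that survives release, ahead of the memcpy: `if ( offset >= max || n > max - offset ) { copied = 0; return { nullptr, 0 }; }` (how callers should treat a truncated flush deserves an explicit decision; TcpReassembler currently treats a null `data` as "keep flushing"). Related: the caller in tcp_reassembler.cc still bounds a flush by `StreamSplitter::max_buf` while the buffer it fills is now `IpsContext::buf_size` bytes, so the two constants should be tied together, e.g. a static_assert that `max_buf` does not exceed `buf_size`, rather than left to agree by coincidence. The local named `max` also shadows the `StreamSplitter::max(Flow*)` member declared just above it; `buf_len` would read better.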
@@ -478,17 +478,17 @@ int TcpReassembler::flush_data_segments(Packet* p, uint32_t total)
             || SEQ_EQ(tsn->seq + bytes_to_copy, to_seq) )
             flags |= PKT_PDU_TAIL;
 
-        const StreamBuffer* sb = tracker->splitter->reassemble(
+        const StreamBuffer sb = tracker->splitter->reassemble(
             session->flow, total, bytes_flushed, tsn->payload(), bytes_to_copy, flags, bytes_copied);
 
         flags = 0;
 
-        if ( sb )
+        if ( sb.data )
         {
-            s5_pkt->data = sb->data;
-            s5_pkt->dsize = sb->length;
-            assert(sb->length <= s5_pkt->max_dsize);
+            s5_pkt->data = sb.data;
+            s5_pkt->dsize = sb.length;
+            assert(sb.length <= s5_pkt->max_dsize);
             bytes_to_copy = bytes_copied;
         }
 
@@ -527,7 +527,7 @@ int TcpReassembler::flush_data_segments(Packet* p, uint32_t total)
             break;
         }
 
-        if ( sb || !seglist.next )
+        if ( sb.data || !seglist.next )
             break;
 
         if ( bytes_flushed + seglist.next->payload_size >= StreamSplitter::max_buf )
@@ -596,8 +596,6 @@ void TcpReassembler::prep_s5_pkt(Flow* flow, Packet* p, uint32_t pkt_flags)
 int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags)
 {
     Profile profile(s5TcpFlushPerfStats);
-    s5_pkt = Snort::set_detect_packet();
-
     s5_pkt = DetectionEngine::set_packet();
 
     DAQ_PktHdr_t pkth;
@@ -627,7 +625,7 @@ int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags)
 
     if ( footprint == 0 )
     {
-        Snort::clear_detect_packet();
+        DetectionEngine::clear_packet();
         return bytes_processed;
     }
 
diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc
index cc2b03f66..14b09d324 100644
--- a/src/stream/tcp/tcp_session.cc
+++ b/src/stream/tcp/tcp_session.cc
@@ -49,6 +49,7 @@
 #include "tcp_session.h"
 
 #include "detection/detection_engine.h"
+#include "detection/rules.h"
 #include "log/log.h"
 #include "perf_monitor/flow_ip_tracker.h"
 #include "profiler/profiler.h"
diff --git a/src/stream/user/user_session.cc b/src/stream/user/user_session.cc
index df7513e82..6cb8ad703 100644
--- a/src/stream/user/user_session.cc
+++ b/src/stream/user/user_session.cc
@@ -131,15 +131,15 @@ void UserTracker::term()
     splitter = nullptr;
 }
 
-void UserTracker::detect(const Packet* p, const StreamBuffer* sb, uint32_t flags)
+void UserTracker::detect(const Packet* p, const StreamBuffer& sb, uint32_t flags)
 {
     Packet up(false);
 
     up.pkth = p->pkth;
     up.ptrs = p->ptrs;
     up.flow = p->flow;
-    up.data = sb->data;
-    up.dsize = sb->length;
+    up.data = sb.data;
+    up.dsize = sb.length;
     up.proto_bits = p->proto_bits;
     up.pseudo_type = PSEUDO_PKT_USER;
 
@@ -193,7 +193,7 @@ int UserTracker::scan(Packet* p, uint32_t& flags)
 void UserTracker::flush(Packet* p, unsigned flush_amt, uint32_t flags)
 {
     unsigned bytes_flushed = 0;
-    const StreamBuffer* sb = nullptr;
+    StreamBuffer sb = { nullptr, 0 };
 
     trace_logf(stream_user, "flush[%d]\n", flush_amt);
     uint32_t rflags = flags & ~PKT_PDU_TAIL;
@@ -219,7 +219,7 @@ void UserTracker::flush(Packet* p, unsigned flush_amt, uint32_t flags)
 
         rflags &= ~PKT_PDU_HEAD;
 
-        if ( sb )
+        if ( sb.data )
             detect(p, sb, flags);
 
         if ( bytes_copied == us->get_len() )
diff --git a/src/stream/user/user_session.h b/src/stream/user/user_session.h
index 1047da108..8d39a2dab 100644
--- a/src/stream/user/user_session.h
+++ b/src/stream/user/user_session.h
@@ -63,7 +63,7 @@ struct UserTracker
     void add_data(Packet*);
     int scan(Packet*, uint32_t&);
     void flush(struct Packet*, unsigned, uint32_t);
-    void detect(const struct Packet*, const struct StreamBuffer*, uint32_t);
+    void detect(const struct Packet*, const struct StreamBuffer&, uint32_t);
 
     std::list seg_list;
     StreamSplitter* splitter;