From: Bhargava Jandhyala (bjandhya)
Date: Fri, 1 Jul 2022 15:35:08 +0000 (+0000)
Subject: Pull request #3489: dce_rpc: set presistent flag for dcerpc pinhole session
X-Git-Tag: 3.1.34.0~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a626bd5c7428e2d0a0dfb70966c6f3e506a3d53;p=thirdparty%2Fsnort3.git

Pull request #3489: dce_rpc: set presistent flag for dcerpc pinhole session

Merge in SNORT/snort3 from ~PRERAMA2/snort3:pinhole_flag to master

Squashed commit of the following:

commit eddf849fc2839626dec59918da7f8e42351502e8
Author: Preethi Ramachandra
Date:   Wed Jun 29 12:04:01 2022 +0530

    dce_rpc: set presistent flag for dcerpc pinhole session
---
diff --git a/src/flow/expect_cache.cc b/src/flow/expect_cache.cc
index b0271ba0b..831e1b56d 100644
--- a/src/flow/expect_cache.cc
+++ b/src/flow/expect_cache.cc
@@ -318,7 +318,7 @@ ExpectCache::~ExpectCache()
 int ExpectCache::add_flow(const Packet *ctrlPkt, PktType type, IpProtocol ip_proto,
     const SfIp* cliIP, uint16_t cliPort, const SfIp* srvIP, uint16_t srvPort, char direction,
     FlowData* fd, SnortProtocolId snort_protocol_id, bool swap_app_direction, bool expect_multi,
-    bool bidirectional)
+    bool bidirectional, bool expect_persist)
 {
     /* Just pull the VLAN ID, MPLS ID, and Address Space ID from the
      * control packet until we have a use case for not doing so. */
@@ -400,6 +400,9 @@ int ExpectCache::add_flow(const Packet *ctrlPkt, PktType type, IpProtocol ip_pro
     if (bidirectional)
         flag |= DAQ_EFLOW_BIDIRECTIONAL;
 
+    if (expect_persist)
+        flag |= DAQ_EFLOW_PERSIST;
+
     ctrlPkt->daq_instance->add_expected(ctrlPkt, cliIP, cliPort, srvIP, srvPort, ip_proto,
         1000, flag);
 }
diff --git a/src/flow/expect_cache.h b/src/flow/expect_cache.h
index d7e486600..5a5fadee8 100644
--- a/src/flow/expect_cache.h
+++ b/src/flow/expect_cache.h
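Review bot: `expect_persist` is not documented anywhere in these two hunks, and the only effect visible is the `DAQ_EFLOW_PERSIST` bit OR'd into `flag` before `daq_instance->add_expected`, so a caller cannot tell from add_flow whether the Snort-side ExpectCache entry also outlives its first match or whether that still depends on `expect_multi` (the node insertion sits between the two hunks, outside this view). Suggest a comment above the new check along the lines of `// DAQ_EFLOW_PERSIST only affects the DAQ-level expectation; reuse of the ExpectCache node after its first match is governed by expect_multi`, with the second half confirmed against the node handling. If the DAQ flag has the meaning its name suggests, a persistent expectation keeps the pinhole matchable beyond a single flow, and the comment should then also note that its lifetime is bounded only by the fixed 1000 ms timeout passed on the next line. add_flow is declared before the first hunk and its body continues past both.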
@@ -98,7 +98,8 @@ public:
     int add_flow(const snort::Packet *ctrlPkt, PktType, IpProtocol, const snort::SfIp* cliIP,
         uint16_t cliPort, const snort::SfIp* srvIP, uint16_t srvPort, char direction,
         snort::FlowData*, SnortProtocolId snort_protocol_id = UNKNOWN_PROTOCOL_ID,
-        bool swap_app_direction = false, bool expect_multi = false, bool bidirectional = false);
+        bool swap_app_direction = false, bool expect_multi = false, bool bidirectional = false,
+        bool expect_persist = false);
 
     bool is_expected(snort::Packet*);
     bool check(snort::Packet*, snort::Flow*);
diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc
index 4cb31f4ab..b336c15d8 100644
--- a/src/flow/flow_control.cc
+++ b/src/flow/flow_control.cc
@@ -579,10 +579,10 @@ int FlowControl::add_expected_ignore( const Packet* ctrlPkt, PktType type, IpPro
 int FlowControl::add_expected( const Packet* ctrlPkt, PktType type, IpProtocol ip_proto,
     const SfIp *srcIP, uint16_t srcPort, const SfIp *dstIP, uint16_t dstPort,
     SnortProtocolId snort_protocol_id, FlowData* fd, bool swap_app_direction, bool expect_multi,
-    bool bidirectional)
+    bool bidirectional, bool expect_persist)
 {
     return exp_cache->add_flow( ctrlPkt, type, ip_proto, srcIP, srcPort, dstIP, dstPort,
-        SSN_DIR_BOTH, fd, snort_protocol_id, swap_app_direction, expect_multi, bidirectional);
+        SSN_DIR_BOTH, fd, snort_protocol_id, swap_app_direction, expect_multi, bidirectional, expect_persist);
 }
 
 bool FlowControl::is_expected(Packet* p)
diff --git a/src/flow/flow_control.h b/src/flow/flow_control.h
index d955239f4..338e60be5 100644
--- a/src/flow/flow_control.h
+++ b/src/flow/flow_control.h
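Review bot: The declaration now ends in four consecutive defaulted `bool` parameters (`swap_app_direction`, `expect_multi`, `bidirectional`, `expect_persist`), so any caller that wants only persistence has to spell out all the preceding defaults positionally, which is exactly what the dce_expected_session.cc call in this commit does with `false, false, false, true`. A small flags bitmask (an enum of expectation options OR'd into one integer parameter defaulting to 0) would keep call sites self-describing and stop the next option from extending this chain; the mirrored declarations in flow_control.h and stream.h in this commit have the same shape. At minimum the new parameter deserves a comment in the header, e.g. `// expect_persist: also set DAQ_EFLOW_PERSIST on the DAQ expected flow (see ExpectCache::add_flow)`.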
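Review bot: The new forwarding line `SSN_DIR_BOTH, fd, snort_protocol_id, swap_app_direction, expect_multi, bidirectional, expect_persist);` runs to roughly 112 columns while every other line in this hunk wraps at or under 100; wrap it as `SSN_DIR_BOTH, fd, snort_protocol_id, swap_app_direction, expect_multi, bidirectional,` followed by `expect_persist);` on the next line. This is purely a formatting point; the forwarding itself matches the new ExpectCache::add_flow signature.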
@@ -80,7 +80,7 @@ public:
     int add_expected(const snort::Packet* ctrlPkt, PktType, IpProtocol, const snort::SfIp *srcIP,
         uint16_t srcPort, const snort::SfIp *dstIP, uint16_t dstPort, SnortProtocolId snort_protocol_id,
         snort::FlowData*, bool swap_app_direction = false, bool expect_multi = false,
-        bool bidirectional = false);
+        bool bidirectional = false, bool expect_persist = false);
 
     class ExpectCache* get_exp_cache()
     { return exp_cache; }
diff --git a/src/flow/test/flow_cache_test.cc b/src/flow/test/flow_cache_test.cc
index 1e0e40cfe..99db6eacf 100644
--- a/src/flow/test/flow_cache_test.cc
+++ b/src/flow/test/flow_cache_test.cc
@@ -131,7 +131,7 @@ void Stream::stop_inspection(Flow*, Packet*, char, int32_t, int) { }
 int ExpectCache::add_flow(const Packet*, PktType, IpProtocol, const SfIp*, uint16_t,
-    const SfIp*, uint16_t, char, FlowData*, SnortProtocolId, bool, bool, bool)
+    const SfIp*, uint16_t, char, FlowData*, SnortProtocolId, bool, bool, bool, bool)
 { return 1; }
diff --git a/src/flow/test/flow_control_test.cc b/src/flow/test/flow_control_test.cc
index f2116c769..c941b78bd 100644
--- a/src/flow/test/flow_control_test.cc
+++ b/src/flow/test/flow_control_test.cc
@@ -172,7 +172,7 @@ int ExpectCache::add_flow(const Packet*, PktType, IpProtocol, const SfIp*, uint16_t, const SfIp*, uint16_t,
-    char, FlowData*, SnortProtocolId, bool, bool, bool)
+    char, FlowData*, SnortProtocolId, bool, bool, bool, bool)
 { return 1; }
diff --git a/src/packet_io/sfdaq_instance.cc b/src/packet_io/sfdaq_instance.cc
index faace17c0..49531c6cd 100644
--- a/src/packet_io/sfdaq_instance.cc
+++ b/src/packet_io/sfdaq_instance.cc
@@ -392,13 +392,14 @@ int SFDAQInstance::add_expected(const Packet* ctrlPkt, const SfIp* cliIP, uint16
 
     if (flags & DAQ_EFLOW_BIDIRECTIONAL)
         d_cef.flags |= DAQ_EFLOW_BIDIRECTIONAL;
+
+    if (flags & DAQ_EFLOW_PERSIST)
+        d_cef.flags |= DAQ_EFLOW_PERSIST;
     /*
     if (flags & DAQ_DC_FLOAT)
         d_cef.flags |= DAQ_EFLOW_FLOAT;
     if (flags & DAQ_DC_ALLOW_MULTIPLE)
         d_cef.flags |= DAQ_EFLOW_ALLOW_MULTIPLE;
-    if (flags & DAQ_DC_PERSIST)
-        d_cef.flags |= DAQ_EFLOW_PERSIST;
     */
     d_cef.timeout_ms = timeout_ms;
     // Opaque data blob for expected flows is currently unused/unimplemented
diff --git a/src/service_inspectors/dce_rpc/dce_expected_session.cc b/src/service_inspectors/dce_rpc/dce_expected_session.cc
index c9aed1476..7b67239ca 100644
--- a/src/service_inspectors/dce_rpc/dce_expected_session.cc
+++ b/src/service_inspectors/dce_rpc/dce_expected_session.cc
@@ -76,7 +76,7 @@ int DceTcpExpSsnManager::create_expected_session_impl(Packet* pkt,
     fd->dce2_tcp_session.sd.config = (void*)&pc;
 
     if (Stream::set_snort_protocol_id_expected(pkt, type,
-        proto, src_ip, src_port, dst_ip, dst_port, protocol_id, fd))
+        proto, src_ip, src_port, dst_ip, dst_port, protocol_id, fd, false, false, false, true))
     {
         delete fd;
         return -1;
diff --git a/src/stream/stream.cc b/src/stream/stream.cc
index d62febd46..023321cb4 100644
--- a/src/stream/stream.cc
+++ b/src/stream/stream.cc
@@ -397,13 +397,13 @@ int Stream::set_snort_protocol_id_expected(
     const SfIp* srcIP, uint16_t srcPort, const SfIp* dstIP, uint16_t dstPort, SnortProtocolId snort_protocol_id, FlowData* fd, bool swap_app_direction, bool expect_multi,
-    bool bidirectional)
+    bool bidirectional, bool expect_persist)
 {
     assert(flow_con);
     return flow_con->add_expected( ctrlPkt, type, ip_proto, srcIP, srcPort, dstIP, dstPort, snort_protocol_id, fd,
-        swap_app_direction, expect_multi, bidirectional);
+        swap_app_direction, expect_multi, bidirectional, expect_persist);
 }
 
 void Stream::set_snort_protocol_id_from_ha(
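Review bot: The new `DAQ_EFLOW_PERSIST` check repeats the copy-one-bit pattern of the `DAQ_EFLOW_BIDIRECTIONAL` check just above it, and since both sides of each test use the same `DAQ_EFLOW_*` constant the two visible blocks collapse to `d_cef.flags |= flags & (DAQ_EFLOW_BIDIRECTIONAL | DAQ_EFLOW_PERSIST);`. The added block is also set off from the bidirectional one by a blank line but runs straight into the commented-out `/*` section, which now reads as if it belonged to the persist check; a blank line after `d_cef.flags |= DAQ_EFLOW_PERSIST;` would keep the dead block visually separate. The surviving commented-out `DAQ_DC_FLOAT` / `DAQ_DC_ALLOW_MULTIPLE` lines reference names that do not appear in the live code here; if they are kept as a reminder, a one-line `// TODO:` naming the DAQ flags still unmapped would say more than the dead code does. add_expected's body begins before and continues after this hunk.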
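Review bot: The four positional bools appended to the `Stream::set_snort_protocol_id_expected` call (`false, false, false, true`) give no hint at the call site which option is being switched on; a reader has to count parameters in stream.h to find that it is the new `expect_persist`. Either name them inline — `fd, /*swap_app_direction*/ false, /*expect_multi*/ false, /*bidirectional*/ false, /*expect_persist*/ true` — or introduce a named local such as `const bool expect_persist = true;` before the call. A why-comment is also missing: the commit message says the DCE/RPC pinhole needs the persistent flag, but nothing here records why this expectation must outlive its first match; a line like `// Mark the DAQ expected flow persistent so the pinhole is not consumed by the first matching flow` would do, assuming that is indeed the DAQ semantics relied on. create_expected_session_impl starts before and continues after this hunk.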
diff --git a/src/stream/stream.h b/src/stream/stream.h
index 09e1d3417..6c5c82572 100644
--- a/src/stream/stream.h
+++ b/src/stream/stream.h
@@ -173,7 +173,8 @@ public:
     static int set_snort_protocol_id_expected( const Packet* ctrlPkt, PktType, IpProtocol, const snort::SfIp* srcIP, uint16_t srcPort, const snort::SfIp* dstIP, uint16_t dstPort, SnortProtocolId, FlowData*,
-        bool swap_app_direction = false, bool expect_multi = false, bool bidirectional = false);
+        bool swap_app_direction = false, bool expect_multi = false, bool bidirectional = false,
+        bool expect_persist = false);
 
     // Get pointer to application data for a flow based on the lookup tuples for cases where
     // Snort does not have an active packet that is relevant.