From: Bhargava Jandhyala (bjandhya) Date: Wed, 2 Jun 2021 19:25:56 +0000 (+0000) Subject: Merge pull request #2916 in SNORT/snort3 from ~DIPANDIT/snort3:flow_from_file_context... X-Git-Tag: 3.1.6.0~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c499b3816b3f1435d2b56f5ee0912bd0586cc68;p=thirdparty%2Fsnort3.git Merge pull request #2916 in SNORT/snort3 from ~DIPANDIT/snort3:flow_from_file_context to master Squashed commit of the following: commit 5272707f8728164a2996e8e128bf6fa34ba05741 Author: Dipto Pandit (dipandit) Date: Sun May 30 15:30:49 2021 -0400 file_api: store processing flow in context
---
diff --git a/src/file_api/file_cache.cc b/src/file_api/file_cache.cc
index 7a1f13116..ed62773f0 100644
--- a/src/file_api/file_cache.cc
+++ b/src/file_api/file_cache.cc
@@ -207,7 +207,11 @@ FileContext* FileCache::get_file(Flow* flow, uint64_t file_id, bool to_create,
 hashKey.padding[0] = hashKey.padding[1] = hashKey.padding[2] = 0;
 FileContext* file = find(hashKey, timeout);
 if (to_create and !file)
+ {
 file = add(hashKey, timeout);
+ if (file)
+ file->set_processing_flow(flow);
+ }
 return file;
 }
@@ -256,6 +260,7 @@ bool FileCache::apply_verdict(Packet* p, FileContext* file_ctx, FileVerdict verd
 bool resume, FilePolicyBase* policy)
 {
 Flow* flow = p->flow;
+ Flow* processing_flow = file_ctx->get_processing_flow();
 Active* act = p->active;
 struct timeval now = {0, 0};
 struct timeval add_time;
@@ -271,7 +276,7 @@ bool FileCache::apply_verdict(Packet* p, FileContext* file_ctx, FileVerdict verd
 return false;
 case FILE_VERDICT_LOG:
 if (resume)
- policy->log_file_action(flow, file_ctx, FILE_RESUME_LOG);
+ policy->log_file_action(processing_flow, file_ctx, FILE_RESUME_LOG);
 return false;
 case FILE_VERDICT_BLOCK:
 // can't block session inside a session
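Review bot: In get_file the new `file->set_processing_flow(flow)` runs only on the `add` path, so a context returned by the `find` branch keeps the flow it was bound to when it was first created — a raw `Flow*` held by a cache entry that appears to persist across flows (the `timeout` arguments to `find`/`add`, and the rebind that cached_verdict_lookup has to do, both suggest the entry outlives its creating flow). Nothing in this diff clears the pointer when a flow is freed, so any reader of `get_processing_flow()` that does not rebind first risks dereferencing a stale flow. If the intended semantics is "the flow currently processing this file", rebind on both branches: keep `file = add(hashKey, timeout);` unbraced and follow the `if` with `if (file) file->set_processing_flow(flow);`; otherwise a comment at the `find` call stating that a cache hit keeps its original flow and callers must rebind before logging would make the contract explicit. get_file's body starts outside the hunk.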
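Review bot: `Flow* processing_flow = file_ctx->get_processing_flow();` at the top of apply_verdict can be nullptr — the member is initialized to nullptr in file_lib.h and, as far as this diff shows, set only on the creation paths touched here — so the `FILE_RESUME_LOG` call in the -271 hunk, the `FILE_RESUME_BLOCK` calls in the -302, -337 and -355 hunks, and `log_file_event` in file_lib.cc now may pass null where they previously passed a live `p->flow`. Whether log_file_action tolerates a null flow is not visible here; a fallback preserves the old behaviour for contexts that never had a flow recorded: `Flow* processing_flow = file_ctx->get_processing_flow();` followed by `if (!processing_flow) processing_flow = flow;`, and in log_file_event `policy->log_file_action(processing_flow ? processing_flow : flow, this, FILE_ACTION_DEFAULT);`. apply_verdict's body continues outside the hunks.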
@@ -302,7 +307,7 @@ bool FileCache::apply_verdict(Packet* p, FileContext* file_ctx, FileVerdict verd
 act->set_delayed_action(Active::ACT_RESET, true);
 if (resume)
- policy->log_file_action(flow, file_ctx, FILE_RESUME_BLOCK);
+ policy->log_file_action(processing_flow, file_ctx, FILE_RESUME_BLOCK);
 else
 file_ctx->verdict = FILE_VERDICT_LOG;
@@ -337,7 +342,7 @@ bool FileCache::apply_verdict(Packet* p, FileContext* file_ctx, FileVerdict verd
 act->set_delayed_action(Active::ACT_RETRY, true);
 if (resume)
- policy->log_file_action(flow, file_ctx, FILE_RESUME_BLOCK);
+ policy->log_file_action(processing_flow, file_ctx, FILE_RESUME_BLOCK);
 else if (store_verdict(flow, file_ctx, lookup_timeout) != 0)
 act->set_delayed_action(Active::ACT_DROP, true);
 else
@@ -355,7 +360,7 @@ bool FileCache::apply_verdict(Packet* p, FileContext* file_ctx, FileVerdict verd
 if (resume)
 {
 file_ctx->log_file_event(flow, policy);
- policy->log_file_action(flow, file_ctx, FILE_RESUME_BLOCK);
+ policy->log_file_action(processing_flow, file_ctx, FILE_RESUME_BLOCK);
 }
 else if (file_ctx->is_cacheable())
 store_verdict(flow, file_ctx, block_timeout);
@@ -378,7 +383,9 @@ FileVerdict FileCache::cached_verdict_lookup(Packet* p, FileInfo* file,
 if (file_found)
 {
- /*Query the file policy in case verdict has been changed*/
+ // file_found might be a new context, set the flow here
+ file_found->set_processing_flow(flow);
+ //Query the file policy in case verdict has been changed
 verdict = check_verdict(p, file_found, policy);
 apply_verdict(p, file_found, verdict, true, policy);
 // Update the current file context from cached context
diff --git a/src/file_api/file_flows.cc b/src/file_api/file_flows.cc
index 3e940bb11..33e432e42 100644
--- a/src/file_api/file_flows.cc
+++ b/src/file_api/file_flows.cc
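Review bot: The new comment `// file_found might be a new context, set the flow here` in cached_verdict_lookup does not describe what the code does: `file_found` is the result of the cache lookup, so it is an existing context whose recorded flow may belong to a session that already ended, and the rebind is exactly what keeps the `log_file_action(processing_flow, …)` calls reached through `apply_verdict(…, true, …)` from using a stale pointer. Suggest `// the cached context may have been bound by another, possibly finished, flow; rebind to the current one before any logging`. The trailing comment indicates the current context is then updated from the cached one, and FileInfo::copy in file_lib.cc now copies `processing_flow`, so this rebind presumably has to stay ahead of that copy — worth stating in the comment too. The enclosing function starts and ends outside the hunk.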
@@ -187,6 +187,7 @@ FileContext* FileFlows::find_main_file_context(FilePosition pos, FileDirection d
 }
 context = new FileContext;
+ context->set_processing_flow(flow);
 main_context = context;
 context->check_policy(flow, dir, file_policy);
@@ -239,6 +240,8 @@ FileContext* FileFlows::get_file_context(
 else
 {
 context = new FileContext;
+ context->set_processing_flow(flow);
+
 partially_processed_contexts[multi_file_processing_id] = context;
 if (partially_processed_contexts.size() > file_counts.max_concurrent_files_per_flow)
 file_counts.max_concurrent_files_per_flow = partially_processed_contexts.size();
diff --git a/src/file_api/file_lib.cc b/src/file_api/file_lib.cc
index fcd3d4850..54d58ee02 100644
--- a/src/file_api/file_lib.cc
+++ b/src/file_api/file_lib.cc
@@ -115,6 +115,7 @@ void FileInfo::copy(const FileInfo& other)
 file_capture_enabled = other.file_capture_enabled;
 file_state = other.file_state;
 pending_expire_time = other.pending_expire_time;
+ processing_flow = other.processing_flow;
 // only one copy of file capture
 file_capture = nullptr;
 }
@@ -315,7 +316,7 @@ void FileContext::log_file_event(Flow* flow, FilePolicyBase* policy)
 }
 if (policy and log_needed)
- policy->log_file_action(flow, this, FILE_ACTION_DEFAULT);
+ policy->log_file_action(processing_flow, this, FILE_ACTION_DEFAULT);
 if ( config->trace_type )
 print(std::cout);
diff --git a/src/file_api/file_lib.h b/src/file_api/file_lib.h
index d250f3aa1..bd1a9528b 100644
--- a/src/file_api/file_lib.h
+++ b/src/file_api/file_lib.h
@@ -85,6 +85,8 @@ public:
 FileVerdict verdict = FILE_VERDICT_UNKNOWN;
 bool processing_complete = false;
 struct timeval pending_expire_time = {0, 0};
+ void set_processing_flow(Flow* flow) { processing_flow = flow; }
+ Flow* get_processing_flow() { return processing_flow; }
 protected:
 std::string file_name;
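Review bot: The pair `context = new FileContext;` / `context->set_processing_flow(flow);` is now repeated in find_main_file_context and get_file_context, and a third creation site that forgets the second line silently yields a context with a null flow. If FileContext's constructor cannot take the flow directly (it is not visible here), a small private helper on FileFlows that allocates and binds in one step would keep the invariant in one place; the `flow` it binds is the same one already passed to `check_policy` in the first hunk. Both enclosing functions start and end outside the hunks.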
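Review bot: `processing_flow = other.processing_flow;` in FileInfo::copy duplicates a non-owning raw pointer, so the target inherits whatever flow the source last recorded — safe right after the rebind in cached_verdict_lookup, but on any other path the copy can carry a pointer to a flow that has since been freed. A comment on the line saying so, `// non-owning; valid only while other's flow is alive — rebind if the source may be stale`, would stop a later caller treating it like the other scalar fields copied above it. copy's body continues outside the hunk.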
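Review bot: The new accessors in file_lib.h carry no statement of ownership, and `get_processing_flow()` is not const although it only reads a member: `Flow* get_processing_flow() const { return processing_flow; }`. Since the member (declared `Flow* processing_flow = nullptr;` in the -95 hunk) is a raw pointer into an object the context does not own and may outlive while cached, a one-line comment above `set_processing_flow`, `// non-owning; may dangle once the flow ends — cached contexts must be rebound before use`, documents the contract the callers in file_cache.cc rely on. Consider whether the setter should be restricted to the file_api classes that create and cache contexts rather than public.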
@@ -95,6 +97,7 @@ protected:
 uint8_t* sha256 = nullptr;
 uint64_t file_id = 0;
 FileCapture* file_capture = nullptr;
+ Flow* processing_flow = nullptr;
 bool file_type_enabled = false;
 bool file_signature_enabled = false;
 bool file_capture_enabled = false;