From: Shravan Rangarajuvenkata (shrarang) Date: Fri, 4 Sep 2020 23:09:26 +0000 (+0000) Subject: Merge pull request #2448 in SNORT/snort3 from ~SATHIRKA/snort3:clear_snort_protoid_re... X-Git-Tag: 3.0.2-6~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3fa9c2453a5b2bb50241dd9628763574ef83b22a;p=thirdparty%2Fsnort3.git Merge pull request #2448 in SNORT/snort3 from ~SATHIRKA/snort3:clear_snort_protoid_reload to master Squashed commit of the following: commit 8033a1cefaf99d7c5f8818971de44dc9fcc33f60 Author: Sreeja Athirkandathil Narayanan Date: Tue Sep 1 12:37:55 2020 -0400 appid: Clear services set in host attribute table upon detector reload --- diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index 7fb90f1ba..9c25c92a0 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc @@ -36,6 +36,7 @@ #include "managers/inspector_manager.h" #include "profiler/profiler.h" #include "src/main.h" +#include "target_based/host_attributes.h" #include "trace/trace.h" #include "utils/util.h" @@ -221,6 +222,7 @@ bool ACOdpContextSwap::execute(Analyzer&, void**) OdpContext& current_odp_ctxt = ctxt.get_odp_ctxt(); assert(pkt_thread_odp_ctxt != ¤t_odp_ctxt); + HostAttributesManager::clear_appid_services(); AppIdServiceState::clean(); AppIdPegCounts::cleanup_pegs(); AppIdServiceState::initialize(ctxt.config.memcap); @@ -344,6 +346,7 @@ static int reload_detectors(lua_State* L) AppIdContext& ctxt = inspector->get_ctxt(); OdpContext& old_odp_ctxt = ctxt.get_odp_ctxt(); + ServiceDiscovery::clear_ftp_service_state(); clear_dynamic_host_cache_services(); AppIdPegCounts::cleanup_peg_info(); LuaDetectorManager::clear_lua_detector_mgrs(); diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 62d1f7d11..24dff6e3c 100644 --- a/src/network_inspectors/appid/appid_session.cc 
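Review bot: In `ACOdpContextSwap::execute`, the added `HostAttributesManager::clear_appid_services()` call sits in a command that, judging by `pkt_thread_odp_ctxt`, runs once per packet thread, while the cache it sweeps (`active_cache` in host_attributes.cc) looks process-wide. If that reading is right, every thread repeats the full sweep, and a thread that swaps late can erase services that an already-swapped thread has just learned with the new detectors, leaving those hosts without a known service until rediscovery. Consider clearing once from the control-side part of the reload, or add a comment such as `// per-thread sweep is safe because ...` stating the assumption. The body of `execute` continues outside the hunk.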
+++ b/src/network_inspectors/appid/appid_session.cc @@ -347,7 +347,7 @@ void AppIdSession::sync_with_snort_protocol_id(AppId newAppId, Packet* p) if (tmp_snort_protocol_id != snort_protocol_id) { snort_protocol_id = tmp_snort_protocol_id; - Stream::set_snort_protocol_id(p->flow, tmp_snort_protocol_id); + Stream::set_snort_protocol_id(p->flow, tmp_snort_protocol_id, true); } } diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc index 5473284d6..391f8648a 100644 --- a/src/network_inspectors/appid/service_plugins/service_discovery.cc +++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc @@ -551,6 +551,11 @@ int ServiceDiscovery::add_ftp_service_state(AppIdSession& asd) return asd.add_flow_data_id(21, ftp_service); } +void ServiceDiscovery::clear_ftp_service_state() +{ + ftp_service = nullptr; +} + bool ServiceDiscovery::do_service_discovery(AppIdSession& asd, Packet* p, AppidSessionDirection direction, AppidChangeBits& change_bits) { diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.h b/src/network_inspectors/appid/service_plugins/service_discovery.h index 09c76ec13..1fe8f1f50 100644 --- a/src/network_inspectors/appid/service_plugins/service_discovery.h +++ b/src/network_inspectors/appid/service_plugins/service_discovery.h @@ -83,6 +83,7 @@ public: int fail_service(AppIdSession&, const snort::Packet*, AppidSessionDirection dir, ServiceDetector*, ServiceDiscoveryState* sds = nullptr); int incompatible_data(AppIdSession&, const snort::Packet*, AppidSessionDirection dir, ServiceDetector*); static int add_ftp_service_state(AppIdSession&); + static void clear_ftp_service_state(); private: void get_next_service(const snort::Packet*, const AppidSessionDirection dir, AppIdSession&); diff --git a/src/stream/stream.cc b/src/stream/stream.cc index 630765cd0..eb58070db 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc 
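Review bot: `ServiceDiscovery::clear_ftp_service_state()` stores `ftp_service = nullptr` with no synchronization and no comment, and its only caller in this commit is `reload_detectors`, a Lua-invoked control function rather than packet-thread code. The declaration of `ftp_service` is outside the hunk: if it is a plain static, packet threads reading it in `add_ftp_service_state` race with this store; if it is thread-local, the store resets only the calling thread's copy and packet threads may keep a pointer to a detector owned by the old context. Please document which case applies, e.g. `// ftp_service is <storage class>; reset because the detector it points to does not survive a reload`, and make sure the reset happens on the threads that actually hold the pointer.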
@@ -461,7 +461,7 @@ SnortProtocolId Stream::get_snort_protocol_id(Flow* flow) return UNKNOWN_PROTOCOL_ID; } -SnortProtocolId Stream::set_snort_protocol_id(Flow* flow, SnortProtocolId id) +SnortProtocolId Stream::set_snort_protocol_id(Flow* flow, SnortProtocolId id, bool is_appid_service) { if (!flow) return UNKNOWN_PROTOCOL_ID; @@ -474,7 +474,7 @@ SnortProtocolId Stream::set_snort_protocol_id(Flow* flow, SnortProtocolId id) if ( !flow->is_proxied() ) { HostAttributesManager::update_service - (flow->server_ip, flow->server_port, flow->ssn_state.ipprotocol, id); + (flow->server_ip, flow->server_port, flow->ssn_state.ipprotocol, id, is_appid_service); } return id; diff --git a/src/stream/stream.h b/src/stream/stream.h index 5b8bff216..bf0562bf6 100644 --- a/src/stream/stream.h +++ b/src/stream/stream.h @@ -165,7 +165,7 @@ public: static SnortProtocolId get_snort_protocol_id(Flow*); // Set the protocol identifier for a stream - static SnortProtocolId set_snort_protocol_id(Flow*, SnortProtocolId); + static SnortProtocolId set_snort_protocol_id(Flow*, SnortProtocolId, bool is_appid_service = false); // initialize response count and expiration time static void init_active_response(const Packet*, Flow*); diff --git a/src/target_based/host_attributes.cc b/src/target_based/host_attributes.cc index fc1c1600d..1b71a3306 100644 --- a/src/target_based/host_attributes.cc +++ b/src/target_based/host_attributes.cc @@ -60,7 +60,8 @@ static HostAttributesSharedCache* old_cache = nullptr; static THREAD_LOCAL HostAttributeStats host_attribute_stats; bool HostAttributesDescriptor::update_service - (uint16_t port, uint16_t protocol, SnortProtocolId snort_protocol_id, bool& updated) + (uint16_t port, uint16_t protocol, SnortProtocolId snort_protocol_id, bool& updated, + bool is_appid_service) { std::lock_guard lck(host_attributes_lock); 
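Review bot: The declaration comment in stream.h still reads `// Set the protocol identifier for a stream` and says nothing about the new `is_appid_service` parameter, which decides whether the host-attribute entry is dropped on the next detector reload. I would extend it to something like `// is_appid_service: mark the host-table entry as learned by AppId so a detector reload can clear it`. The defaulted trailing `bool` also makes the call in appid_session.cc read as a bare `true`; an argument comment there, `Stream::set_snort_protocol_id(p->flow, tmp_snort_protocol_id, /*is_appid_service*/ true);`, would keep the intent visible.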
@@ -68,6 +69,8 @@ bool HostAttributesDescriptor::update_service { if ( s.ipproto == protocol && (uint16_t)s.port == port ) { + if ( s.snort_protocol_id != snort_protocol_id ) + s.appid_service = is_appid_service; s.snort_protocol_id = snort_protocol_id; updated = true; return true; @@ -78,13 +81,25 @@ bool HostAttributesDescriptor::update_service if ( services.size() < SnortConfig::get_conf()->get_max_services_per_host() ) { updated = false; - services.emplace_back(HostServiceDescriptor(port, protocol, snort_protocol_id)); + services.emplace_back(HostServiceDescriptor(port, protocol, snort_protocol_id, is_appid_service)); return true; } return false; } +void HostAttributesDescriptor::clear_appid_services() +{ + std::lock_guard lck(host_attributes_lock); + for ( auto s = services.begin(); s != services.end(); ) + { + if ( s->appid_service and s->snort_protocol_id != UNKNOWN_PROTOCOL_ID ) + s = services.erase(s); + else + s++; + } +} + SnortProtocolId HostAttributesDescriptor::get_snort_protocol_id(int ipprotocol, uint16_t port) const { std::lock_guard lck(host_attributes_lock); @@ -148,7 +163,8 @@ HostAttributesEntry HostAttributesManager::find_host(const snort::SfIp& host_ip) return nullptr; } -void HostAttributesManager::update_service(const snort::SfIp& host_ip, uint16_t port, uint16_t protocol, SnortProtocolId snort_protocol_id) +void HostAttributesManager::update_service(const snort::SfIp& host_ip, uint16_t port, + uint16_t protocol, SnortProtocolId snort_protocol_id, bool is_appid_service) { if ( active_cache ) { @@ -163,7 +179,7 @@ void HostAttributesManager::update_service(const snort::SfIp& host_ip, uint16_t } bool updated = false; - if ( host->update_service(port, protocol, snort_protocol_id, updated) ) + if ( host->update_service(port, protocol, snort_protocol_id, updated, is_appid_service) ) { if ( updated ) host_attribute_stats.dynamic_service_updates++; 
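Review bot: In the match branch of `HostAttributesDescriptor::update_service`, `s.appid_service` is rewritten only when the protocol id changes, and `clear_appid_services()` later erases the whole entry instead of restoring the previous id. An entry that existed before AppId touched it (for example one loaded from configuration, if those share this `services` vector) is flagged as soon as AppId reports a different id and is then removed on reload, so the originally configured service is lost. In the other direction, a non-AppId caller that confirms the same id leaves the flag set. If this is intended, a comment such as `// ownership follows the last writer that changed the id` would make it explicit; otherwise consider setting the flag only on entries AppId created.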
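Review bot: `HostAttributesDescriptor::clear_appid_services()` erases inside a hand-written iterator loop, which shifts the vector tail on every hit, and it uses `s++` and the `and` token where `update_service` just above uses `&&`. The erase-remove idiom does the same work in one pass, `services.erase(std::remove_if(services.begin(), services.end(), is_appid_learned), services.end());`, with the existing condition as the predicate (this needs `<algorithm>`, and the include block is outside the hunk). Entries with `appid_service` set but `UNKNOWN_PROTOCOL_ID` are kept with the flag still true; a short comment saying why they survive would help the next reader.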
@@ -176,6 +192,16 @@ void HostAttributesManager::update_service(const snort::SfIp& host_ip, uint16_t } } +void HostAttributesManager::clear_appid_services() +{ + if ( active_cache ) + { + auto hosts = active_cache->get_all_data(); + for ( auto& h : hosts ) + h.second->clear_appid_services(); + } +} + int32_t HostAttributesManager::get_num_host_entries() { if ( active_cache ) diff --git a/src/target_based/host_attributes.h b/src/target_based/host_attributes.h index d5bb913ce..cb852e5b2 100644 --- a/src/target_based/host_attributes.h +++ b/src/target_based/host_attributes.h @@ -52,8 +52,8 @@ class HostServiceDescriptor { public: HostServiceDescriptor() = default; - HostServiceDescriptor(uint16_t port, uint16_t protocol, SnortProtocolId spi) - : port(port), ipproto(protocol), snort_protocol_id(spi) + HostServiceDescriptor(uint16_t port, uint16_t protocol, SnortProtocolId spi, bool appid_service) + : port(port), ipproto(protocol), snort_protocol_id(spi), appid_service(appid_service) { } ~HostServiceDescriptor() = default; @@ -68,6 +68,7 @@ public: uint16_t port = 0; uint16_t ipproto = 0; SnortProtocolId snort_protocol_id = UNKNOWN_PROTOCOL_ID; + bool appid_service = false; }; struct HostPolicyDescriptor @@ -82,7 +83,9 @@ public: HostAttributesDescriptor() = default; ~HostAttributesDescriptor() = default; - bool update_service(uint16_t port, uint16_t protocol, SnortProtocolId, bool& updated); + bool update_service(uint16_t port, uint16_t protocol, SnortProtocolId, bool& updated, + bool is_appid_service = false); + void clear_appid_services(); SnortProtocolId get_snort_protocol_id(int ipprotocol, uint16_t port) const; const snort::SfIp& get_ip_addr() const 
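Review bot: `HostAttributesManager::clear_appid_services()` removes entries silently: unlike `update_service`, which bumps `host_attribute_stats.dynamic_service_updates`, nothing records how many services a reload dropped. Because the table is what `get_snort_protocol_id(ipprotocol, port)` answers from, an operator comparing detection before and after a reload has no counter to explain a difference; consider returning the erased count from the descriptor method and adding it to a peg. `get_all_data()` is defined outside this diff, so if it copies the whole cache, a comment noting that cost on the reload path would also be useful.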
@@ -147,7 +150,9 @@ public: static bool add_host(HostAttributesEntry, snort::SnortConfig*); static HostAttributesEntry find_host(const snort::SfIp&); - static void update_service(const snort::SfIp&, uint16_t port, uint16_t protocol, SnortProtocolId); + static void update_service(const snort::SfIp&, uint16_t port, uint16_t protocol, + SnortProtocolId, bool is_appid_service = false); + static void clear_appid_services(); static int32_t get_num_host_entries(); static const PegInfo* get_pegs(); static PegCount* get_peg_counts();