From: Russ Combs (rucombs)
Date: Sat, 17 Dec 2022 22:35:02 +0000 (+0000)
Subject: Pull request #3691: Fc36
X-Git-Tag: 3.1.50.0~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4538b1867c255aef85e30ee0dc2b818e376f4d13;p=thirdparty%2Fsnort3.git
Pull request #3691: Fc36
Merge in SNORT/snort3 from ~RUCOMBS/snort3:fc36 to master
Squashed commit of the following:
commit 4f9390f1b2414fb2592055501e47707d7b0bdbf3
Author: Russ Combs
Date: Thu Dec 15 13:53:50 2022 -0500
pop, imap: gracefully decline buffer requests when flow data is not present
commit 65518cead263c7b8990417fd2acb4ea50577c8a3
Author: Russ Combs
Date: Tue Nov 29 23:22:44 2022 -0500
alert_fast: fix initialization of http_inspect cheat codes
commit 11496a4b6bb98ee69db9fd6cd5f2c084748242f4
Author: Russ Combs
Date: Tue Nov 29 09:01:20 2022 -0500
host_cache: simplify dump_file with std::string
commit 6a8994a35402695fe73c7c4a948903d3a94c5d06
Author: Russ Combs
Date: Tue Nov 29 08:58:18 2022 -0500
host_cache: fix initialization from Lua
commit c009d930c5ddb5d00928dd11fa4cdd33d1aeea04
Author: Russ Combs
Date: Mon Nov 28 16:09:54 2022 -0500
config: ensure table state is reset when starting a new shell
commit c3ec2dcb0c3ea36ec22ef9ea6e6159a9cc19d45c
Author: Russ Combs
Date: Sat Nov 26 14:57:19 2022 -0500
talos: fix tweaks for the daq module
---
diff --git a/lua/talos.lua b/lua/talos.lua
index afa0a8f86..c420a7f72 100644
--- a/lua/talos.lua
+++ b/lua/talos.lua
@@ -13,16 +13,20 @@ function file_exists(name) end end -snort = +daq = { - ['-Q'] = true, - ['-s'] = 65535, - ['--daq'] = 'dump', - ['--daq-var'] = 'output=none' + modules = + { + { + name = 'dump', + variables = { 'output = none' } + } + }, + snaplen = 65535 } if file_exists('local.rules') then - snort['-R'] = 'local.rules' + ips.include = 'local.rules' end alert_talos = { }
@@ -35,3 +39,5 @@ profiler = rules = { show = true } } +snort = { ['-Q'] = true } +
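Review bot: `ips.include = 'local.rules'` in the first hunk indexes a table named `ips` that nothing in view creates; if `ips` is not defined earlier in talos.lua (outside this hunk), the assignment fails with an attempt-to-index-nil error whenever local.rules exists. Writing `ips = ips or { }` before the `if` makes the include safe whether or not the table already exists. Since `-R`, `-s`, `--daq` and `--daq-var` have all moved off the `snort` table, the `snort = { ['-Q'] = true }` added in the second hunk is now the only command-line option this file sets; a one-line comment above it noting that DAQ module and snaplen are configured through the `daq` table would save the next reader a search.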
diff --git a/src/host_tracker/host_cache_module.cc b/src/host_tracker/host_cache_module.cc
index a81341fe3..3561b39c3 100644
--- a/src/host_tracker/host_cache_module.cc
+++ b/src/host_tracker/host_cache_module.cc
@@ -356,9 +356,7 @@ bool HostCacheModule::set(const char*, Value& v, SnortConfig*) { if ( v.is("dump_file") ) { - if ( dump_file ) - snort_free((void*)dump_file); - dump_file = snort_strdup(v.get_string()); + dump_file = v.get_string(); } else if ( v.is("memcap") ) memcap = v.get_size();
@@ -388,11 +386,8 @@ HostCacheModule::HostCacheModule() : HostCacheModule::~HostCacheModule() { - if ( dump_file ) - { - log_host_cache(dump_file); - snort_free((void*)dump_file); - } + if ( !dump_file.empty() ) + log_host_cache(dump_file.c_str()); } void HostCacheModule::log_host_cache(const char* file_name, bool verbose)
diff --git a/src/host_tracker/host_cache_module.h b/src/host_tracker/host_cache_module.h
index 30e01ca55..a469a6142 100644
--- a/src/host_tracker/host_cache_module.h
+++ b/src/host_tracker/host_cache_module.h
@@ -23,6 +23,8 @@ // Loads host cache configuration data. +#include + #include "framework/module.h" #include "main/snort.h" #include "main/reload_tuner.h"
@@ -74,7 +76,7 @@ public: std::string get_host_cache_stats(); private: - const char* dump_file = nullptr; + std::string dump_file; size_t memcap = 0; };
diff --git a/src/host_tracker/host_tracker_module.cc b/src/host_tracker/host_tracker_module.cc
index 1de162e3c..c84e71753 100644
--- a/src/host_tracker/host_tracker_module.cc
+++ b/src/host_tracker/host_tracker_module.cc
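Review bot: The destructor hunk gives `dump_file` a new contract — an empty string means "do not dump" — but neither the `.cc` hunks nor the header hunk says so; a comment on the member in host_cache_module.h, `std::string dump_file; // set by set(); if non-empty, ~HostCacheModule writes the cache there via log_host_cache()`, records it. `dump_file = v.get_string();` in the `set()` hunk assigns a `const char*` to a `std::string`, which is undefined behaviour if `Value::get_string()` can ever return `nullptr`; that API is not visible here, so if a null return is possible the assignment needs a guard. The rendered page shows the new `#include` line in host_cache_module.h without its argument, presumably `<string>`, which the new member requires.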
@@ -63,13 +63,13 @@ bool HostTrackerModule::set(const char*, Value& v, SnortConfig*) v.get_addr(addr); else if ( v.is("port") ) - host_cache[addr]->update_service_port(app, v.get_uint16()); + app.port = v.get_uint16(); else if ( v.is("proto") ) { const IpProtocol mask[] = { IpProtocol::IP, IpProtocol::TCP, IpProtocol::UDP }; - host_cache[addr]->update_service_proto(app, mask[v.get_uint8()]); + app.proto = mask[v.get_uint8()]; } return true;
@@ -80,6 +80,7 @@ bool HostTrackerModule::begin(const char* fqn, int idx, SnortConfig*) if ( idx && !strcmp(fqn, "host_tracker") ) { addr.clear(); + apps.clear(); } return true; }
@@ -87,17 +88,17 @@ bool HostTrackerModule::begin(const char* fqn, int idx, SnortConfig*) bool HostTrackerModule::end(const char* fqn, int idx, SnortConfig*) { if ( idx && !strcmp(fqn, "host_tracker.services") ) - { - if ( addr.is_set() ) - host_cache[addr]->add_service(app); + apps.emplace_back(app); - host_cache[addr]->clear_service(app); - } else if ( idx && !strcmp(fqn, "host_tracker") && addr.is_set() ) { host_cache[addr]; - host_cache[addr]->clear_service(app); + + for ( auto& a : apps ) + host_cache[addr]->add_service(a); + addr.clear(); + apps.clear(); } return true;
diff --git a/src/host_tracker/host_tracker_module.h b/src/host_tracker/host_tracker_module.h
index 9e338d6a4..8b2d87c15 100644
--- a/src/host_tracker/host_tracker_module.h
+++ b/src/host_tracker/host_tracker_module.h
@@ -28,6 +28,7 @@ // one. #include +#include #include "framework/module.h" #include "host_tracker/cache_allocator.cc"
@@ -56,6 +57,7 @@ private: static const snort::Parameter host_tracker_params[]; static const snort::Parameter service_params[]; + std::vector apps; snort::HostApplication app; snort::SfIp addr; };
diff --git a/src/loggers/alert_fast.cc b/src/loggers/alert_fast.cc
index 150144a89..26464da63 100644
--- a/src/loggers/alert_fast.cc
+++ b/src/loggers/alert_fast.cc
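Review bot: In the `end()` hunk (`@@ -87`) each `host_tracker.services` entry is copied with `apps.emplace_back(app);` but `app` itself is never reset afterwards; the removed code called `host_cache[addr]->clear_service(app)` after every entry, and the `begin()` hunk now clears only `addr` and `apps`. Unless the `host_tracker.services` path of `begin()` (outside these hunks) reinitialises it, a second services entry that sets only `port` inherits `proto` and any other field left over from the previous entry. Adding `app = snort::HostApplication();` directly after the `emplace_back` restores per-entry isolation, assuming the type is default-constructible as the member declaration `snort::HostApplication app;` suggests. The new loop `for ( auto& a : apps )` never modifies `a` and reads better as `const auto&`; the page shows `std::vector apps;` in the header hunk without its element type, presumably `snort::HostApplication`.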
@@ -19,24 +19,11 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -/* alert_fast - * - * Purpose: output plugin for fast alerting - * - * Arguments: alert file - * - * Effect: - * - * Alerts are written to a file in the snort fast alert format - * - * Comments: Allows use of fast alerts with other output plugin types - * - */ - #ifdef HAVE_CONFIG_H #include "config.h" #endif +#include #include #include "detection/detection_engine.h" @@ -67,6 +54,7 @@ using namespace std; #define FAST_BUF (4*K_BYTES) static THREAD_LOCAL TextLog* fast_log = nullptr; +static once_flag init_flag; #define S_NAME "alert_fast" #define F_NAME S_NAME ".txt" @@ -133,6 +121,7 @@ bool FastModule::begin(const char*, int, SnortConfig*) //------------------------------------------------------------------------- // helper +//------------------------------------------------------------------------- static void load_buf_ids( Inspector* ins, const std::vector& keys, std::vector& ids) @@ -145,6 +134,8 @@ static void load_buf_ids( } } +using BufferIds = std::vector; + //------------------------------------------------------------------------- // logger stuff //------------------------------------------------------------------------- 
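Review bot: `static once_flag init_flag;` in the `@@ -67` hunk is process-wide, so the http_inspect buffer ids are resolved exactly once, from whichever `Inspector*` the first `call_once` in `FastLogger::get_buffer_ids` (the `@@ -162` hunk) receives, and are never recomputed — not for a second `FastLogger` instance and not after a reload. That is sound only if the table behind http_inspect's `get_api()->buffers` is fixed for the lifetime of the process, which looks like the intent but is stated nowhere. A comment at the declaration, `// process-wide: http_inspect buffer ids are resolved once on first use and shared by every FastLogger, including across reloads`, records the assumption where a later maintainer would otherwise look for per-instance initialisation. The rendered page shows the new `#include` in the first hunk without its argument, presumably `<mutex>`, which `once_flag`/`call_once` require.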
@@ -162,42 +153,55 @@ public: private: void log_data(Packet*, const Event&); + static void set_buffer_ids(Inspector*); + const BufferIds& get_buffer_ids(Inspector*, Packet*); + private: string file; unsigned long limit; bool packet; - std::vector req_ids; - std::vector rsp_ids; + static std::vector req_ids; + static std::vector rsp_ids; }; +std::vector FastLogger::req_ids; +std::vector FastLogger::rsp_ids; + FastLogger::FastLogger(FastModule* m) { file = m->file ? F_NAME : "stdout"; limit = m->limit; packet = m->packet; +} - //----------------------------------------------------------------- - // FIXIT-L generalize buffer sets when other inspectors get smarter - // this is only applicable to http_inspect - // could be configurable; and should be should be shared with u2 +//----------------------------------------------------------------- +// FIXIT-L generalize buffer sets when other inspectors get smarter +// this is only applicable to http_inspect +// could be configurable; and should be should be shared with u2 +//----------------------------------------------------------------- +void FastLogger::set_buffer_ids(Inspector* gadget) +{ + std::vector req + { "http_method", "http_version", "http_uri", "http_header", "http_cookie", "http_client_body" }; - Inspector* ins = InspectorManager::get_inspector("http_inspect"); + std::vector rsp + { "http_version", "http_stat_code", "http_stat_msg", "http_uri", "http_header", "http_cookie" }; - if ( !ins ) - return; + load_buf_ids(gadget, req, req_ids); + load_buf_ids(gadget, rsp, rsp_ids); +} - std::vector req - { "http_method", "http_version", "http_uri", "http_header", "http_cookie", - "http_client_body" }; +const BufferIds& FastLogger::get_buffer_ids(Inspector* gadget, Packet* p) +{ + // lazy init required because loggers don't have a configure (yet) + call_once(init_flag, set_buffer_ids, gadget); - std::vector rsp - { "http_version", "http_stat_code", "http_stat_msg", "http_uri", "http_header", - "http_cookie" }; - 
//----------------------------------------------------------------- + InspectionBuffer buf; + const std::vector& idv = + gadget->get_buf(HttpEnums::HTTP_BUFFER_RAW_STATUS, p, buf) ? rsp_ids : req_ids; - load_buf_ids(ins, req, req_ids); - load_buf_ids(ins, rsp, rsp_ids); + return idv; } void FastLogger::open() @@ -252,11 +256,12 @@ void FastLogger::alert(Packet* p, const char* msg, const Event& event) // available if a response was processed by http_inspect void FastLogger::log_data(Packet* p, const Event& event) { - bool log_pkt = true; - TextLog_NewLine(fast_log); + + bool log_pkt = true; const char* ins_name = "snort"; Inspector* gadget = nullptr; + if ( p->flow and p->flow->session ) { snort::StreamSplitter* ss = p->flow->session->get_splitter(p->is_from_client()); @@ -267,22 +272,20 @@ void FastLogger::log_data(Packet* p, const Event& event) ins_name = gadget->get_name(); } } - const char** buffers = gadget ? gadget->get_api()->buffers : nullptr; + const char** buffers = (gadget and !strcmp(ins_name, "http_inspect")) ? gadget->get_api()->buffers : nullptr; if ( buffers ) { - InspectionBuffer buf; - const std::vector& idv = gadget->get_buf(HttpEnums::HTTP_BUFFER_RAW_STATUS, - p, buf) ? rsp_ids : req_ids; - bool rsp = (idv == rsp_ids); + const BufferIds& idv = get_buffer_ids(gadget, p); for ( auto id : idv ) { + InspectionBuffer buf; if ( gadget->get_buf(id, p, buf) ) LogNetData(fast_log, buf.data, buf.len, p, buffers[id-1], ins_name); - log_pkt = rsp; + log_pkt = (idv == rsp_ids); } } else if ( gadget ) diff --git a/src/managers/module_manager.cc b/src/managers/module_manager.cc index 0c9ffbae8..bb1bad671 100644 --- a/src/managers/module_manager.cc +++ b/src/managers/module_manager.cc 
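Review bot: In the `@@ -162` hunk `req_ids`/`rsp_ids` and their out-of-class definitions are still declared as `std::vector` while the new accessor returns `const BufferIds&`; the page drops the element type, so I assume they are the same instantiation — if so, `static BufferIds req_ids;` and `BufferIds FastLogger::req_ids;` make that explicit. `get_buffer_ids` touches only static state and could itself be `static`, and the `idv` local is redundant: `return gadget->get_buf(HttpEnums::HTTP_BUFFER_RAW_STATUS, p, buf) ? rsp_ids : req_ids;`. Its precondition — `gadget` must be the http_inspect inspector, since it is probed with `HttpEnums::HTTP_BUFFER_RAW_STATUS` and the returned ids index http_inspect's buffer table — is enforced only by the caller's `strcmp` in `log_data` (the `@@ -267` hunk) and deserves a one-line comment on the declaration. The `FastLogger` class this hunk edits begins above it.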
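Review bot: `log_pkt = (idv == rsp_ids);` in the `@@ -267` hunk now sits inside the `for` loop, so the element-wise vector comparison is repeated for every buffer id; the removed code computed it once before the loop. Because `get_buffer_ids` hands back a reference to one of the two statics, `const bool is_rsp = (&idv == &rsp_ids);` before the loop and `log_pkt = is_rsp;` inside gives the same result without the repeated compare and keeps the empty-`idv` case (`log_pkt` stays true) unchanged. The `strcmp(ins_name, "http_inspect")` gate is the important part of this hunk: the old code asked whatever service inspector owned the flow for HTTP buffer ids, which for imap/pop reached an `assert(...)` that is compiled out under NDEBUG — the null checks added in the imap.cc and pop.cc hunks close that independently of this gate. `log_data`'s body starts above this hunk.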
@@ -995,7 +995,14 @@ static list get_all_modhooks() } void ModuleManager::set_config(SnortConfig* sc) -{ s_config = sc; } +{ + s_config = sc; + s_current.clear(); + s_aliased_name.clear(); + s_aliased_type.clear(); + s_ips_includer.clear(); + s_file_id_includer.clear(); +} void ModuleManager::reset_errors() { s_errors = 0; }
diff --git a/src/service_inspectors/imap/imap.cc b/src/service_inspectors/imap/imap.cc
index 6ad8c13f7..b1160ca7f 100644
--- a/src/service_inspectors/imap/imap.cc
+++ b/src/service_inspectors/imap/imap.cc
@@ -807,7 +807,9 @@ void Imap::eval(Packet* p) bool Imap::get_buf(InspectionBuffer::Type ibt, Packet* p, InspectionBuffer& b) { IMAPData* imap_ssn = get_session_data(p->flow); - assert(imap_ssn); + + if (!imap_ssn) + return false; const void* dst = nullptr; size_t dst_len = 0;
diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc
index 657501a23..26863f6b4 100644
--- a/src/service_inspectors/pop/pop.cc
+++ b/src/service_inspectors/pop/pop.cc
@@ -745,7 +745,9 @@ void Pop::eval(Packet* p) bool Pop::get_buf(InspectionBuffer::Type ibt, Packet* p, InspectionBuffer& b) { POPData* pop_ssn = get_session_data(p->flow); - assert(pop_ssn); + + if (!pop_ssn) + return false; const void* dst = nullptr; size_t dst_len = 0;
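Review bot: The five `clear()` calls added to `ModuleManager::set_config` are the whole point of the change (the commit says a new shell must start with reset table state), yet nothing in the code says so and they read like unrelated housekeeping next to `s_config = sc;`. A short comment above them, `// a new config/shell pass must not inherit current-table, alias or includer state from the previous one`, ties them to the intent and keeps a later cleanup from dropping them.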
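Review bot: `if (!imap_ssn) return false;` in the imap.cc hunk returns without touching the output buffer `b`, which matches the caller convention visible in alert_fast (`if ( gadget->get_buf(id, p, buf) )`), but the hunk does not say that declining is now a supported outcome; a comment such as `// no IMAP session on this flow (get_buf may be called for flows this inspector never processed): decline instead of dereferencing` records it. The identical change in `Pop::get_buf` in the pop.cc hunk wants the same comment. Replacing the `assert` is a genuine robustness fix rather than a debug-only one, since `assert` is compiled out under NDEBUG and the old release-build path continued with a null pointer. Both functions continue past the end of their hunks.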