From: Russ Combs (rucombs) Date: Wed, 25 Aug 2021 20:16:53 +0000 (+0000) Subject: Merge pull request #2998 in SNORT/snort3 from ~PRBHALER/snort3:sip to master X-Git-Tag: 3.1.11.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a21242f6ee3e3e93cb6677f7c7a0d7dfc717607;p=thirdparty%2Fsnort3.git Merge pull request #2998 in SNORT/snort3 from ~PRBHALER/snort3:sip to master Squashed commit of the following: commit 7a9104eaafb9a37030540bd69a354bd95b371520 Author: Pranav Bhalerao Date: Mon Jul 26 11:13:19 2021 -0400 flow: introduce bidirectional flag for expected session. --- diff --git a/cmake/FindDAQ.cmake b/cmake/FindDAQ.cmake index b92f00030..6f74a496b 100644 --- a/cmake/FindDAQ.cmake +++ b/cmake/FindDAQ.cmake @@ -16,7 +16,7 @@ This module defines: #]=======================================================================] find_package(PkgConfig) -pkg_check_modules(PC_DAQ libdaq>=3.0.4) +pkg_check_modules(PC_DAQ libdaq>=3.0.5) # Use DAQ_INCLUDE_DIR_HINT and DAQ_LIBRARIES_DIR_HINT from configure_cmake.sh as primary hints # and then package config information after that. diff --git a/src/flow/expect_cache.cc b/src/flow/expect_cache.cc index e6748772c..1f185780d 100644 --- a/src/flow/expect_cache.cc +++ b/src/flow/expect_cache.cc @@ -317,7 +317,8 @@ ExpectCache::~ExpectCache() */ int ExpectCache::add_flow(const Packet *ctrlPkt, PktType type, IpProtocol ip_proto, const SfIp* cliIP, uint16_t cliPort, const SfIp* srvIP, uint16_t srvPort, char direction, - FlowData* fd, SnortProtocolId snort_protocol_id, bool swap_app_direction, bool expect_multi) + FlowData* fd, SnortProtocolId snort_protocol_id, bool swap_app_direction, bool expect_multi, + bool bidirectional) { /* Just pull the VLAN ID, MPLS ID, and Address Space ID from the control packet until we have a use case for not doing so. */ 
@@ -395,6 +396,10 @@ int ExpectCache::add_flow(const Packet *ctrlPkt, PktType type, IpProtocol ip_pro unsigned flag = 0; if (expect_multi) flag |= DAQ_EFLOW_ALLOW_MULTIPLE; + + if (bidirectional) + flag |= DAQ_EFLOW_BIDIRECTIONAL; + ctrlPkt->daq_instance->add_expected(ctrlPkt, cliIP, cliPort, srvIP, srvPort, ip_proto, 1000, flag); } diff --git a/src/flow/expect_cache.h b/src/flow/expect_cache.h index 5b5313bab..1f88aac38 100644 --- a/src/flow/expect_cache.h +++ b/src/flow/expect_cache.h @@ -98,7 +98,7 @@ public: int add_flow(const snort::Packet *ctrlPkt, PktType, IpProtocol, const snort::SfIp* cliIP, uint16_t cliPort, const snort::SfIp* srvIP, uint16_t srvPort, char direction, snort::FlowData*, SnortProtocolId snort_protocol_id = UNKNOWN_PROTOCOL_ID, - bool swap_app_direction = false, bool expect_multi = false); + bool swap_app_direction = false, bool expect_multi = false, bool bidirectional = false); bool is_expected(snort::Packet*); bool check(snort::Packet*, snort::Flow*); diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index fc8bff39d..20245dd26 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc @@ -573,10 +573,11 @@ int FlowControl::add_expected_ignore( const Packet* ctrlPkt, PktType type, IpPro int FlowControl::add_expected( const Packet* ctrlPkt, PktType type, IpProtocol ip_proto, const SfIp *srcIP, uint16_t srcPort, const SfIp *dstIP, uint16_t dstPort, - SnortProtocolId snort_protocol_id, FlowData* fd, bool swap_app_direction, bool expect_multi) + SnortProtocolId snort_protocol_id, FlowData* fd, bool swap_app_direction, bool expect_multi, + bool bidirectional) { return exp_cache->add_flow( ctrlPkt, type, ip_proto, srcIP, srcPort, dstIP, dstPort, - SSN_DIR_BOTH, fd, snort_protocol_id, swap_app_direction, expect_multi); + SSN_DIR_BOTH, fd, snort_protocol_id, swap_app_direction, expect_multi, bidirectional); } bool FlowControl::is_expected(Packet* p) 
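Review bot: In the second src/flow/expect_cache.cc hunk, `bidirectional` is only folded into the flag word handed to `daq_instance->add_expected()`; nothing visible records it on the Snort-side expected-flow entry, so the two layers may disagree about which directions are expected. add_flow starts and ends outside the hunk, so this may be handled in lines not shown here. If DAQ-only is the intent, say so at the new branch, e.g. `// DAQ hint only: the Snort-side expect entry is not changed by this flag`. Because the flag widens what the DAQ treats as an expected flow, the comment should also state that callers are expected to pass it only for endpoints they have validated.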
diff --git a/src/flow/flow_control.h b/src/flow/flow_control.h index de1930301..006931440 100644 --- a/src/flow/flow_control.h +++ b/src/flow/flow_control.h @@ -79,7 +79,8 @@ public: int add_expected(const snort::Packet* ctrlPkt, PktType, IpProtocol, const snort::SfIp *srcIP, uint16_t srcPort, const snort::SfIp *dstIP, uint16_t dstPort, SnortProtocolId snort_protocol_id, - snort::FlowData*, bool swap_app_direction = false, bool expect_multi = false); + snort::FlowData*, bool swap_app_direction = false, bool expect_multi = false, + bool bidirectional = false); class ExpectCache* get_exp_cache() { return exp_cache; } diff --git a/src/flow/test/flow_cache_test.cc b/src/flow/test/flow_cache_test.cc index 582818dd1..9a74618ca 100644 --- a/src/flow/test/flow_cache_test.cc +++ b/src/flow/test/flow_cache_test.cc @@ -121,7 +121,7 @@ void Stream::stop_inspection(Flow*, Packet*, char, int32_t, int) { } int ExpectCache::add_flow(const Packet*, PktType, IpProtocol, const SfIp*, uint16_t, - const SfIp*, uint16_t, char, FlowData*, SnortProtocolId, bool, bool) + const SfIp*, uint16_t, char, FlowData*, SnortProtocolId, bool, bool, bool) { return 1; } diff --git a/src/flow/test/flow_control_test.cc b/src/flow/test/flow_control_test.cc index d03fb7aea..f7bb208d7 100644 --- a/src/flow/test/flow_control_test.cc +++ b/src/flow/test/flow_control_test.cc @@ -167,7 +167,7 @@ int ExpectCache::add_flow(const Packet*, PktType, IpProtocol, const SfIp*, uint16_t, const SfIp*, uint16_t, - char, FlowData*, SnortProtocolId, bool, bool) + char, FlowData*, SnortProtocolId, bool, bool, bool) { return 1; } diff --git a/src/framework/base_api.h b/src/framework/base_api.h index 45a3a8873..e416771be 100644 --- a/src/framework/base_api.h +++ b/src/framework/base_api.h @@ -29,7 +29,7 @@ // this is the current version of the base api // must be prefixed to subtype version -#define BASE_API_VERSION 5 +#define BASE_API_VERSION 6 // set options to API_OPTIONS to ensure compatibility #ifndef API_OPTIONS 
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index d57c6422c..ef39c7981 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -209,7 +209,7 @@ static inline PktType get_pkt_type_from_ip_proto(IpProtocol proto) AppIdSession* AppIdSession::create_future_session(const Packet* ctrlPkt, const SfIp* cliIp, uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol proto, - SnortProtocolId snort_protocol_id, bool swap_app_direction) + SnortProtocolId snort_protocol_id, bool swap_app_direction, bool bidirectional) { char src_ip[INET6_ADDRSTRLEN]; char dst_ip[INET6_ADDRSTRLEN]; @@ -228,7 +228,7 @@ AppIdSession* AppIdSession::create_future_session(const Packet* ctrlPkt, const S is_session_monitored(asd->flags, ctrlPkt, *inspector); if (Stream::set_snort_protocol_id_expected(ctrlPkt, type, proto, cliIp, - cliPort, srvIp, srvPort, snort_protocol_id, asd, swap_app_direction)) + cliPort, srvIp, srvPort, snort_protocol_id, asd, swap_app_direction, false, bidirectional)) { if (appidDebug->is_active()) { diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index f8bcdd452..9ed1cf72c 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -236,7 +236,8 @@ public: static AppIdSession* allocate_session(const snort::Packet*, IpProtocol, AppidSessionDirection, AppIdInspector&, OdpContext&); static AppIdSession* create_future_session(const snort::Packet*, const snort::SfIp*, uint16_t, - const snort::SfIp*, uint16_t, IpProtocol, SnortProtocolId, bool swap_app_direction=false); + const snort::SfIp*, uint16_t, IpProtocol, SnortProtocolId, bool swap_app_direction=false, + bool bidirectional=false); void initialize_future_session(AppIdSession&, uint64_t); size_t size_of() override 
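Review bot: In the second src/network_inspectors/appid/appid_session.cc hunk, the call to `Stream::set_snort_protocol_id_expected` now ends in `swap_app_direction, false, bidirectional`, with a bare `false` standing in for `expect_multi` between two other bools. Three adjacent defaulted bool parameters are easy to transpose without any compiler diagnostic, and the detector_sip.cc call sites in this commit have the same shape (`..., false, true)`). Naming the literals would make the intent reviewable, e.g. `swap_app_direction, /*expect_multi*/ false, bidirectional))` here and `/*swap_app_direction*/ false, /*bidirectional*/ true` in detector_sip.cc. A small flags type would remove the hazard in the longer term. create_future_session starts and ends outside the hunk.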
diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.cc b/src/network_inspectors/appid/detector_plugins/detector_sip.cc index 714597ae6..3342c6a79 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.cc @@ -181,7 +181,7 @@ void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, con { AppIdSession* fp = AppIdSession::create_future_session( pkt, cliIp, cliPort, srvIp, srvPort, protocol, - asd.config.snort_proto_ids[PROTO_INDEX_SIP]); + asd.config.snort_proto_ids[PROTO_INDEX_SIP], false, true); if ( fp ) { @@ -200,7 +200,7 @@ void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, con AppIdSession* fp2 = AppIdSession::create_future_session( pkt, cliIp, cliPort + 1, srvIp, srvPort + 1, protocol, - asd.config.snort_proto_ids[PROTO_INDEX_SIP]); + asd.config.snort_proto_ids[PROTO_INDEX_SIP], false, true); if ( fp2 ) { @@ -235,8 +235,6 @@ void SipServiceDetector::addFutureRtpFlows(SipEvent& event, AppIdSession& asd) { createRtpFlow(asd, event.get_packet(), media_a->get_address(), media_a->get_port(), media_b->get_address(), media_b->get_port(), IpProtocol::UDP); - createRtpFlow(asd, event.get_packet(), media_b->get_address(), media_b->get_port(), - media_a->get_address(), media_b->get_port(), IpProtocol::UDP); media_a = session_a->next_media_data(); media_b = session_b->next_media_data(); diff --git a/src/packet_io/sfdaq_instance.cc b/src/packet_io/sfdaq_instance.cc index a3e0c694c..4f506e3d8 100644 --- a/src/packet_io/sfdaq_instance.cc +++ b/src/packet_io/sfdaq_instance.cc @@ -390,6 +390,8 @@ int SFDAQInstance::add_expected(const Packet* ctrlPkt, const SfIp* cliIP, uint16 if (flags & DAQ_EFLOW_ALLOW_MULTIPLE) d_cef.flags |= DAQ_EFLOW_ALLOW_MULTIPLE; + if (flags & DAQ_EFLOW_BIDIRECTIONAL) + d_cef.flags |= DAQ_EFLOW_BIDIRECTIONAL; /* if (flags & DAQ_DC_FLOAT) d_cef.flags |= DAQ_EFLOW_FLOAT; 
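Review bot: In the second src/network_inspectors/appid/detector_plugins/detector_sip.cc hunk, the second expected flow is still registered on `cliPort + 1` / `srvPort + 1` with no bound check, and this commit now registers it as bidirectional. If these ports are 16-bit like the `uint16_t` parameters of `create_future_session`, a media port of 65535 wraps to port 0 when passed. The ports originate from the media description of the SIP event, so they should be validated before an expected flow is opened in both directions. A guard before the second call, such as `if (cliPort == UINT16_MAX || srvPort == UINT16_MAX) return;`, would skip the companion flow in that case. createRtpFlow begins and ends outside the hunk, so a check may already exist in lines not shown.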
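Review bot: In the src/packet_io/sfdaq_instance.cc hunk, `DAQ_EFLOW_BIDIRECTIONAL` is copied into `d_cef.flags`, but nothing visible tells the caller whether the active DAQ module honours it. That matters because detector_sip.cc in this commit drops the explicit reverse-direction `createRtpFlow` call and relies on this flag alone; a module that ignores the flag would presumably leave the reverse RTP direction without an expected-flow entry. Documenting the dependency at the new branch would help, e.g. `// reverse direction is no longer registered separately by the SIP detector; depends on DAQ module support for this flag`. The rest of add_expected, including how the ioctl result is reported, lies outside the hunk.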
diff --git a/src/stream/stream.cc b/src/stream/stream.cc index c0ca827ff..028c6e276 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -386,13 +386,14 @@ int Stream::set_snort_protocol_id_expected( const Packet* ctrlPkt, PktType type, IpProtocol ip_proto, const SfIp* srcIP, uint16_t srcPort, const SfIp* dstIP, uint16_t dstPort, - SnortProtocolId snort_protocol_id, FlowData* fd, bool swap_app_direction, bool expect_multi) + SnortProtocolId snort_protocol_id, FlowData* fd, bool swap_app_direction, bool expect_multi, + bool bidirectional) { assert(flow_con); return flow_con->add_expected( ctrlPkt, type, ip_proto, srcIP, srcPort, dstIP, dstPort, snort_protocol_id, fd, - swap_app_direction, expect_multi); + swap_app_direction, expect_multi, bidirectional); } void Stream::set_snort_protocol_id_from_ha( diff --git a/src/stream/stream.h b/src/stream/stream.h index 0ef87b9c9..e99007a92 100644 --- a/src/stream/stream.h +++ b/src/stream/stream.h @@ -173,7 +173,7 @@ public: static int set_snort_protocol_id_expected( const Packet* ctrlPkt, PktType, IpProtocol, const snort::SfIp* srcIP, uint16_t srcPort, const snort::SfIp* dstIP, uint16_t dstPort, SnortProtocolId, FlowData*, - bool swap_app_direction = false, bool expect_multi = false); + bool swap_app_direction = false, bool expect_multi = false, bool bidirectional = false); // Get pointer to application data for a flow based on the lookup tuples for cases where // Snort does not have an active packet that is relevant.
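Review bot: In the src/stream/stream.h hunk, the public `set_snort_protocol_id_expected` declaration gains a third defaulted bool with no comment describing what `bidirectional` means or which layer acts on it. The visible implementation only forwards it down to the DAQ as `DAQ_EFLOW_BIDIRECTIONAL`, so a plugin author reading this header cannot tell whether the Snort-side expect entry is affected. A comment above the declaration would cover it, e.g. `// bidirectional: ask the DAQ to expect the flow in either direction (DAQ_EFLOW_BIDIRECTIONAL)`, adjusted if the intended semantics are broader. The same wording could be repeated on the FlowControl::add_expected and ExpectCache::add_flow declarations.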