From: Steve Chew (stechew) Date: Fri, 14 May 2021 20:53:12 +0000 (+0000) Subject: Merge pull request #2872 in SNORT/snort3 from ~SHASLAD/snort3:netflow_guard to master X-Git-Tag: 3.1.5.0~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51549be4c9f88b07459d6c89ecc4dd9c7184a230;p=thirdparty%2Fsnort3.git Merge pull request #2872 in SNORT/snort3 from ~SHASLAD/snort3:netflow_guard to master Squashed commit of the following: commit 2d8c1d90b2a54190da723464a1ead61a8d1106be Author: Shashi Lad Date: Tue May 4 10:33:50 2021 -0400 netflow: additional check before v5/v9 decode --- diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc index f6a77fb62..75025ee60 100644 --- a/src/service_inspectors/netflow/netflow.cc +++ b/src/service_inspectors/netflow/netflow.cc @@ -328,7 +328,7 @@ static bool version_9_record_update(const unsigned char* data, uint32_t unix_sec } static bool decode_netflow_v9(const unsigned char* data, uint16_t size, - const Packet* p, const NetflowConfig* cfg) + const Packet* p, const NetflowRules* p_rules) { Netflow9Hdr header; const Netflow9Hdr *pheader; @@ -357,15 +357,6 @@ static bool decode_netflow_v9(const unsigned char* data, uint16_t size, header.unix_secs = ntohl(pheader->unix_secs); header.unix_secs -= header.sys_uptime; - const NetflowRules* p_rules = nullptr; - auto d = cfg->device_rule_map.find(*p->ptrs.ip_api.get_src()); - - if ( d != cfg->device_rule_map.end() ) - p_rules = &(d->second); - - if ( p_rules == nullptr ) - return false; - const int zone = p->pkth->ingress_index; data += sizeof(Netflow9Hdr); @@ -545,7 +536,7 @@ static bool decode_netflow_v9(const unsigned char* data, uint16_t size, } static bool decode_netflow_v5(const unsigned char* data, uint16_t size, - const Packet* p, const NetflowConfig* cfg) + const Packet* p, const NetflowRules* p_rules) { Netflow5Hdr header; const Netflow5Hdr *pheader; @@ -561,13 +552,6 @@ static bool decode_netflow_v5(const unsigned char* data, uint16_t size, if( header.flow_count < NETFLOW_MIN_COUNT or header.flow_count > NETFLOW_MAX_COUNT ) return false; - const NetflowRules* p_rules = nullptr; - auto d = cfg->device_rule_map.find(*p->ptrs.ip_api.get_src()); - if ( d != cfg->device_rule_map.end() ) - p_rules = &(d->second); - - if ( p_rules == nullptr ) - return false; const int zone = p->pkth->ingress_index; data += sizeof(Netflow5Hdr); @@ -640,7 +624,7 @@ static bool decode_netflow_v5(const unsigned char* data, uint16_t size, return true; } -static bool validate_netflow(const Packet* p, const NetflowConfig* cfg) +static bool validate_netflow(const Packet* p, const NetflowRules* p_rules) { uint16_t size = p->dsize; const unsigned char* data = p->data; @@ -655,7 +639,7 @@ static bool validate_netflow(const Packet* p, const NetflowConfig* cfg) if( version == 5 ) { - retval = decode_netflow_v5(data, size, p, cfg); + retval = decode_netflow_v5(data, size, p, p_rules); if ( retval ) { ++netflow_stats.packets; @@ -664,7 +648,7 @@ static bool validate_netflow(const Packet* p, const NetflowConfig* cfg) } else if ( version == 9 ) { - retval = decode_netflow_v9(data, size, p, cfg); + retval = decode_netflow_v9(data, size, p, p_rules); if ( retval ) { ++netflow_stats.packets; @@ -906,8 +890,15 @@ void NetflowInspector::eval(Packet* p) assert((p->is_udp() and p->dsize and p->data)); assert(netflow_cache); - if ( ! validate_netflow(p, config) ) - ++netflow_stats.invalid_netflow_record; + auto d = config->device_rule_map.find(*p->ptrs.ip_api.get_src()); + + if ( d != config->device_rule_map.end() ) + { + const NetflowRules* p_rules = &(d->second); + + if ( ! validate_netflow(p, p_rules) ) + ++netflow_stats.invalid_netflow_record; + } } void NetflowInspector::tinit()