From: Sreeja Athirkandathil Narayanan (sathirka) Date: Thu, 5 Jan 2023 18:07:52 +0000 (+0000) Subject: Pull request #3715: appid: use packet thread's odp context for future flow creation X-Git-Tag: 3.1.51.0~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a93139f226fcdf8523970a223e66ed9a1cf6e2e;p=thirdparty%2Fsnort3.git Pull request #3715: appid: use packet thread's odp context for future flow creation Merge in SNORT/snort3 from ~SATHIRKA/snort3:future_flow_odpctxt to master Squashed commit of the following: commit e11067b4a8b84060118b0378d65d0ed53c2e35b4 Author: Sreeja Athirkandathil Narayanan Date: Mon Dec 19 11:10:07 2022 -0500 appid: use packet thread's odp context for future flow creation --- diff --git a/src/network_inspectors/appid/appid_dcerpc_event_handler.h b/src/network_inspectors/appid/appid_dcerpc_event_handler.h index cc8026500..05bbbceaa 100644 --- a/src/network_inspectors/appid/appid_dcerpc_event_handler.h +++ b/src/network_inspectors/appid/appid_dcerpc_event_handler.h @@ -57,12 +57,13 @@ public: IpProtocol proto = map_resp_event.get_ip_proto(); SnortProtocolId protocol_id = map_resp_event.get_proto_id(); + OdpContext& odp_ctxt = asd->get_odp_ctxt(); AppIdSession* fp = AppIdSession::create_future_session(pkt, src_ip, src_port, - dst_ip, dst_port, proto, protocol_id); + dst_ip, dst_port, proto, protocol_id, odp_ctxt); if (fp) // initialize data session { - fp->set_service_id(APP_ID_DCE_RPC, asd->get_odp_ctxt()); + fp->set_service_id(APP_ID_DCE_RPC, odp_ctxt); asd->initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS); } } diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 6243a43f4..398aa734c 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc 
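Review bot: `asd->get_odp_ctxt()` in the DCERPC handler is now evaluated before the `if (fp)` check, so `asd` is dereferenced on every call rather than only when a future session was created; whatever guard proves `asd` is non-null sits above the hunk and should be confirmed. The `create_future_flow` hunk in lua_detector_api.cc needs the same confirmation more strongly, because it switches the context source from `ud->get_odp_ctxt()` to `lsd->ldp.asd->get_odp_ctxt()` and no validation of `lsd->ldp.asd` is visible there. If that pointer can be null when a Lua detector calls this API, take the reference only after a check such as `if (!lsd->ldp.asd) return 0;`. Both function bodies start outside their hunks.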
@@ -207,8 +207,8 @@ static inline PktType get_pkt_type_from_ip_proto(IpProtocol proto) AppIdSession* AppIdSession::create_future_session(const Packet* ctrlPkt, const SfIp* cliIp, uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol proto, - SnortProtocolId snort_protocol_id, bool swap_app_direction, bool bidirectional, - bool expect_persist) + SnortProtocolId snort_protocol_id, OdpContext& odp_ctxt, bool swap_app_direction, + bool bidirectional, bool expect_persist) { enum PktType type = get_pkt_type_from_ip_proto(proto); @@ -229,8 +229,8 @@ AppIdSession* AppIdSession::create_future_session(const Packet* ctrlPkt, const S // FIXIT-RC - port parameter passed in as 0 since we may not know client port, verify - AppIdSession* asd = new AppIdSession(proto, cliIp, 0, *inspector, - inspector->get_ctxt().get_odp_ctxt(), ctrlPkt->pkth->address_space_id); + AppIdSession* asd = new AppIdSession(proto, cliIp, 0, *inspector, odp_ctxt, + ctrlPkt->pkth->address_space_id); is_session_monitored(asd->flags, ctrlPkt, *inspector); if (Stream::set_snort_protocol_id_expected(ctrlPkt, type, proto, cliIp, diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index b873ac04a..a94011c74 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -232,8 +232,8 @@ public: static AppIdSession* allocate_session(const snort::Packet*, IpProtocol, AppidSessionDirection, AppIdInspector&, OdpContext&); static AppIdSession* create_future_session(const snort::Packet*, const snort::SfIp*, uint16_t, - const snort::SfIp*, uint16_t, IpProtocol, SnortProtocolId, bool swap_app_direction=false, - bool bidirectional=false, bool expect_persist=false); + const snort::SfIp*, uint16_t, IpProtocol, SnortProtocolId, OdpContext&, + bool swap_app_direction=false, bool bidirectional=false, bool expect_persist=false); void initialize_future_session(AppIdSession&, uint64_t); snort::Flow* flow = nullptr; 
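Review bot: The new `OdpContext&` parameter in the `create_future_session` declaration in appid_session.h is unnamed and undocumented, although which context the caller passes is the whole point of the change. Name it `odp_ctxt` as in the definition and add a comment above the declaration such as `// odp_ctxt: the calling packet thread's ODP context (asd.get_odp_ctxt()), not inspector->get_ctxt().get_odp_ctxt()`. In the appid_session.cc hunk the reference is handed to `new AppIdSession(...)`; the constructor is not shown, so if the session keeps the reference beyond this call, the comment should also state how long the context must stay valid.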
diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.cc b/src/network_inspectors/appid/detector_plugins/detector_sip.cc index c36ae7a80..75c1e3e33 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.cc @@ -179,15 +179,15 @@ struct ServiceSIPData void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, const SfIp* cliIp, uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol) { - AppIdSession* fp = AppIdSession::create_future_session( - pkt, cliIp, cliPort, srvIp, srvPort, protocol, - asd.config.snort_proto_ids[PROTO_INDEX_SIP], false, true); + OdpContext& odp_ctxt = asd.get_odp_ctxt(); + AppIdSession* fp = AppIdSession::create_future_session(pkt, cliIp, cliPort, srvIp, srvPort, protocol, + asd.config.snort_proto_ids[PROTO_INDEX_SIP], odp_ctxt, false, true); if ( fp ) { fp->set_client_id(asd.get_client_id()); fp->set_payload_id(asd.get_payload_id()); - fp->set_service_id(APP_ID_RTP, asd.get_odp_ctxt()); + fp->set_service_id(APP_ID_RTP, odp_ctxt); // FIXIT-M : snort 2.9.x updated the flag to APPID_SESSION_EXPECTED_EVALUATE. // Check if it is needed here as well. 
@@ -198,15 +198,14 @@ void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, con // create an RTCP flow as well - AppIdSession* fp2 = AppIdSession::create_future_session( - pkt, cliIp, cliPort + 1, srvIp, srvPort + 1, protocol, - asd.config.snort_proto_ids[PROTO_INDEX_SIP], false, true); + AppIdSession* fp2 = AppIdSession::create_future_session(pkt, cliIp, cliPort + 1, srvIp, srvPort + 1, protocol, + asd.config.snort_proto_ids[PROTO_INDEX_SIP], odp_ctxt, false, true); if ( fp2 ) { fp2->set_client_id(asd.get_client_id()); fp2->set_payload_id(asd.get_payload_id()); - fp2->set_service_id(APP_ID_RTCP, asd.get_odp_ctxt()); + fp2->set_service_id(APP_ID_RTCP, odp_ctxt); // FIXIT-M : same comment as above // asd.initialize_future_session(*fp2, APPID_SESSION_EXPECTED_EVALUATE); diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc index 5e49fca9f..0ef36d2d5 100644 --- a/src/network_inspectors/appid/lua_detector_api.cc +++ b/src/network_inspectors/appid/lua_detector_api.cc @@ -2643,11 +2643,12 @@ static int create_future_flow(lua_State* L) snort_protocol_id = entry->snort_protocol_id; } + OdpContext& odp_ctxt = lsd->ldp.asd->get_odp_ctxt(); AppIdSession* fp = AppIdSession::create_future_session(lsd->ldp.pkt, &client_addr, - client_port, &server_addr, server_port, proto, snort_protocol_id); + client_port, &server_addr, server_port, proto, snort_protocol_id, odp_ctxt); if (fp) { - fp->set_service_id(service_id, ud->get_odp_ctxt()); + fp->set_service_id(service_id, odp_ctxt); fp->set_client_id(client_id); fp->set_payload_id(payload_id); fp->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE | diff --git a/src/network_inspectors/appid/service_plugins/service_ftp.cc b/src/network_inspectors/appid/service_plugins/service_ftp.cc index e324ee29d..8281f2a95 100644 --- a/src/network_inspectors/appid/service_plugins/service_ftp.cc 
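Review bot: `cliPort + 1` and `srvPort + 1` in the RTCP call in `createRtpFlow` are computed as `int` and narrowed back to the `uint16_t` parameters, so a media port of 65535 wraps to 0. The FIXIT comment in `create_future_session` suggests 0 stands for a port that is not known, so a wrapped value may register a broader expectation than one RTCP port; this should be checked against `Stream::set_snort_protocol_id_expected`, which is not shown here. These ports presumably originate in the SIP payload, so guard the RTCP block with `if (cliPort < UINT16_MAX && srvPort < UINT16_MAX)` rather than relying on the implicit conversion. The function body continues past the hunk.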
+++ b/src/network_inspectors/appid/service_plugins/service_ftp.cc @@ -890,21 +890,22 @@ void FtpServiceDetector::create_expected_session(AppIdSession& asd, const Packet uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol, AppidSessionDirection dir) { bool swap_flow_app_direction = (dir == APP_ID_FROM_RESPONDER) ? true : false; + OdpContext& odp_ctxt = asd.get_odp_ctxt(); AppIdSession* fp = AppIdSession::create_future_session(pkt, cliIp, cliPort, srvIp, srvPort, - protocol, asd.config.snort_proto_ids[PROTO_INDEX_FTP_DATA], swap_flow_app_direction); + protocol, asd.config.snort_proto_ids[PROTO_INDEX_FTP_DATA], odp_ctxt, swap_flow_app_direction); if (fp) // initialize data session { uint64_t encrypted_flags = asd.get_session_flags(APPID_SESSION_ENCRYPTED | APPID_SESSION_DECRYPTED); if (encrypted_flags == APPID_SESSION_ENCRYPTED) { - fp->set_service_id(APP_ID_FTPSDATA, asd.get_odp_ctxt()); + fp->set_service_id(APP_ID_FTPSDATA, odp_ctxt); } else { encrypted_flags = 0; // reset (APPID_SESSION_ENCRYPTED | APPID_SESSION_DECRYPTED) bits - fp->set_service_id(APP_ID_FTP_DATA, asd.get_odp_ctxt()); + fp->set_service_id(APP_ID_FTP_DATA, odp_ctxt); } asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS | encrypted_flags); diff --git a/src/network_inspectors/appid/service_plugins/service_rexec.cc b/src/network_inspectors/appid/service_plugins/service_rexec.cc index deb240cec..66eef772d 100644 --- a/src/network_inspectors/appid/service_plugins/service_rexec.cc +++ b/src/network_inspectors/appid/service_plugins/service_rexec.cc @@ -164,7 +164,7 @@ int RexecServiceDetector::validate(AppIdDiscoveryArgs& args) sip = args.pkt->ptrs.ip_api.get_src(); AppIdSession* pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip,(uint16_t)port, IpProtocol::TCP, - args.asd.config.snort_proto_ids[PROTO_INDEX_REXEC]); + args.asd.config.snort_proto_ids[PROTO_INDEX_REXEC], args.asd.get_odp_ctxt()); if (pf) { 
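Review bot: The `(uint16_t)port` cast on the `create_future_session` call in `RexecServiceDetector::validate` truncates whatever width `port` has, and any range check lies outside the hunk. The same pattern appears in service_rshell.cc and, most visibly, in the second service_rpc.cc hunk, where `tmp = ntohl(pmr->port)` is a 32-bit value apparently read from the packet and passed as `(uint16_t)tmp` with no bound check in between. A value above 65535 would register an expectation for an unrelated port, or for port 0 when the low 16 bits are zero. Wrap the call in `if (tmp != 0 && tmp <= UINT16_MAX)`, or the equivalent for `port`, and use `static_cast<uint16_t>` once the range is established.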
diff --git a/src/network_inspectors/appid/service_plugins/service_rpc.cc b/src/network_inspectors/appid/service_plugins/service_rpc.cc index 93efbca8b..409ccc2d7 100644 --- a/src/network_inspectors/appid/service_plugins/service_rpc.cc +++ b/src/network_inspectors/appid/service_plugins/service_rpc.cc @@ -491,9 +491,9 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi uint32_t addr = htonl(address); sip.set(&addr, AF_INET); const SfIp* dip = pkt->ptrs.ip_api.get_dst(); - AppIdSession* fsession = AppIdSession::create_future_session( - pkt, dip, 0, &sip, port, rd->proto, - asd.config.snort_proto_ids[PROTO_INDEX_SUNRPC], false, false, true); + AppIdSession* fsession = AppIdSession::create_future_session(pkt, dip, 0, &sip, + port, rd->proto, asd.config.snort_proto_ids[PROTO_INDEX_SUNRPC], + asd.get_odp_ctxt(), false, false, true); if (fsession) { @@ -518,9 +518,9 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi const SfIp* sip = pkt->ptrs.ip_api.get_src(); tmp = ntohl(pmr->port); - AppIdSession* pf = AppIdSession::create_future_session( - pkt, dip, 0, sip, (uint16_t)tmp, rd->proto, - asd.config.snort_proto_ids[PROTO_INDEX_SUNRPC], false, false, true); + AppIdSession* pf = AppIdSession::create_future_session(pkt, dip, 0, sip, + (uint16_t)tmp, rd->proto, asd.config.snort_proto_ids[PROTO_INDEX_SUNRPC], + asd.get_odp_ctxt(), false, false, true); if (pf) { diff --git a/src/network_inspectors/appid/service_plugins/service_rshell.cc b/src/network_inspectors/appid/service_plugins/service_rshell.cc index da2561608..eb533a9d1 100644 --- a/src/network_inspectors/appid/service_plugins/service_rshell.cc +++ b/src/network_inspectors/appid/service_plugins/service_rshell.cc 
@@ -157,7 +157,7 @@ int RshellServiceDetector::validate(AppIdDiscoveryArgs& args) const SfIp* sip = args.pkt->ptrs.ip_api.get_src(); AppIdSession* pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip, (uint16_t)port, IpProtocol::TCP, - args.asd.config.snort_proto_ids[PROTO_INDEX_RSH_ERROR]); + args.asd.config.snort_proto_ids[PROTO_INDEX_RSH_ERROR], args.asd.get_odp_ctxt()); if (pf) { diff --git a/src/network_inspectors/appid/service_plugins/service_snmp.cc b/src/network_inspectors/appid/service_plugins/service_snmp.cc index 737c3629d..819535df7 100644 --- a/src/network_inspectors/appid/service_plugins/service_snmp.cc +++ b/src/network_inspectors/appid/service_plugins/service_snmp.cc @@ -469,7 +469,7 @@ int SnmpServiceDetector::validate(AppIdDiscoveryArgs& args) const SfIp* sip = args.pkt->ptrs.ip_api.get_src(); AppIdSession* pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip, args.pkt->ptrs.sp, args.asd.protocol, - args.asd.config.snort_proto_ids[PROTO_INDEX_SNMP]); + args.asd.config.snort_proto_ids[PROTO_INDEX_SNMP], args.asd.get_odp_ctxt()); if (pf) { diff --git a/src/network_inspectors/appid/service_plugins/service_tftp.cc b/src/network_inspectors/appid/service_plugins/service_tftp.cc index edbf4a0e5..fc73a5fbd 100644 --- a/src/network_inspectors/appid/service_plugins/service_tftp.cc +++ b/src/network_inspectors/appid/service_plugins/service_tftp.cc @@ -189,7 +189,7 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args) sip = args.pkt->ptrs.ip_api.get_src(); pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip, args.pkt->ptrs.sp, args.asd.protocol, - args.asd.config.snort_proto_ids[PROTO_INDEX_TFTP]); + args.asd.config.snort_proto_ids[PROTO_INDEX_TFTP], args.asd.get_odp_ctxt()); if (pf) {