From: Steve Chew (stechew) Date: Tue, 31 Mar 2020 14:41:57 +0000 (+0000) Subject: Merge pull request #2102 in SNORT/snort3 from ~STECHEW/snort3:detained_packet_with_ss... X-Git-Tag: 3.0.1-1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f5a1bcdd48a68d543d0f5b1fe5bd86743b7e59e;p=thirdparty%2Fsnort3.git Merge pull request #2102 in SNORT/snort3 from ~STECHEW/snort3:detained_packet_with_ssl to master Squashed commit of the following: commit 403c0de29a90c3a101730357a9bd5ba9caabf243 Author: Steve Chew Date: Mon Mar 23 20:48:52 2020 -0400 analyzer: Send detained packet event when a packet is held. commit 43ecbb9b1cdb32a532342e29be6162ada75e2ecf Author: Steve Chew Date: Thu Mar 26 12:01:35 2020 -0400 dce_rpc: Fixed missing space in string.
---
diff --git a/src/flow/flow.h b/src/flow/flow.h
index 8e2bd8b0f..feafe1261 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -420,13 +420,13 @@ public: // FIXIT-M privatize if possible
 {
 bool client_initiated : 1;
 bool disable_inspect : 1;
- bool trigger_finalize_event : 1;
- bool use_direct_inject : 1;
- bool reputation_src_dest : 1;
 bool reputation_blacklist : 1;
 bool reputation_monitor : 1;
 bool reputation_whitelist : 1;
+ bool trigger_detained_packet_event : 1;
+ bool trigger_finalize_event : 1;
+ bool use_direct_inject : 1;
 } flags;
 FlowState flow_state;
diff --git a/src/framework/data_bus.h b/src/framework/data_bus.h
index 477d09eca..0209c27d8 100644
--- a/src/framework/data_bus.h
+++ b/src/framework/data_bus.h
@@ -126,6 +126,9 @@ private:
 #define THREAD_IDLE_EVENT "thread.idle"
 #define THREAD_ROTATE_EVENT "thread.rotate"
+// A packet is being detained.
+#define DETAINED_PACKET_EVENT "analyzer.detained.packet"
+
 // A flow changed its service
 #define FLOW_SERVICE_CHANGE_EVENT "flow.service_change_event"
diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc
index 9197b51ac..1e2020b60 100644
--- a/src/main/analyzer.cc
+++ b/src/main/analyzer.cc
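Review bot: `reputation_src_dest` is removed from `flags` with no replacement in this hunk, whereas the other two removed members are only moved below the reputation bits; if anything still references it the build breaks, and if it is intentionally dead neither squashed commit message says so. The new `trigger_detained_packet_event` bit is not set anywhere in this patch, so it deserves a one-line comment naming the contract, e.g. `bool trigger_detained_packet_event : 1;  // opt-in: publish DETAINED_PACKET_EVENT for held packets on this flow`. Whether the flow reset path zeroes the new bit is outside the hunk; presumably the existing `flags` reset covers it, but that is not visible here.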
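Review bot: The new comment `// A packet is being detained.` does not tell a subscriber what it receives or when the event fires; from the analyzer.cc hunk it is published with the held `Packet*` only after `Stream::set_packet_action_to_hold` accepts the hold, and only for flows that set `flags.trigger_detained_packet_event`. Suggest `// Published with the held Packet* once a hold is accepted, for flows that set flags.trigger_detained_packet_event.` The value "analyzer.detained.packet" also uses a third dotted component unlike the neighbouring "flow.service_change_event"; "analyzer.detained_packet" would match, if the string is not already relied on elsewhere.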
@@ -339,7 +339,12 @@ void Analyzer::post_process_daq_pkt_msg(Packet* p)
 retry_queue->put(p->daq_msg);
 daq_stats.retries_queued++;
 }
- else if (!p->active->is_packet_held() || !Stream::set_packet_action_to_hold(p))
+ else if (p->active->is_packet_held() and Stream::set_packet_action_to_hold(p))
+ {
+ if (p->flow and p->flow->flags.trigger_detained_packet_event)
+ DataBus::publish(DETAINED_PACKET_EVENT, p);
+ }
+ else
 verdict = distill_verdict(p);
 if (PacketTracer::is_active())
diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc
index 724a452a7..cbf463e8c 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2.cc
@@ -70,7 +70,7 @@ static inline DCE2_Ret DCE2_Smb2InsertTid(DCE2_SmbSsnData* ssd, const uint32_t t
 (ssd->max_file_depth == -1 and DCE2_ScSmbFileDepth((dce2SmbProtoConf*)ssd->sd.config) == -1) )
 {
- debug_logf(dce_smb_trace, "Not inserting TID (%u) for DISK share type"
+ debug_logf(dce_smb_trace, "Not inserting TID (%u) for DISK share type "
 "as mandatory configuration max_file_depth is not present." "This will result in non-inspection of file data.\n", tid);
 return ret;
diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
index 85c600baf..6b1f65ed6 100644
--- a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
@@ -125,9 +125,16 @@ void HttpStreamSplitter::detain_packet(Packet* pkt)
 fprintf(HttpTestManager::get_output_file(), "Packet detain request\n");
 fflush(HttpTestManager::get_output_file());
 }
+ if (!HttpTestManager::use_test_input(HttpTestManager::IN_HTTP))
+ {
 #endif
 pkt->active->hold_packet(pkt);
+#ifdef REG_TEST
+ }
+#endif
+
+ // Count attempted detains.
 HttpModule::increment_peg_counts(PEG_DETAINED);
 }
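Review bot: The gate on `p->flow->flags.trigger_detained_packet_event` is the only thing keeping every held packet on every flow from being broadcast to all subscribers, and nothing in this commit sets that flag, so the new branch is inert until some inspector opts in; both facts belong in a why-comment above the `if`, e.g. `// Packet is now held; only flows that opted in via trigger_detained_packet_event are told.` The `p->flow` null check is needed here since a held packet is not guaranteed to carry a flow. It would also help to state in the commit message which component is expected to set the flag. `post_process_daq_pkt_msg` continues outside the hunk.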
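Review bot: The same missing-space defect this hunk fixes is still present in the very next literal: `"... max_file_depth is not present."` is concatenated directly with `"This will result ..."`, so the trace reads `present.This will`. Change it to `"as mandatory configuration max_file_depth is not present. "`. The rest of `DCE2_Smb2InsertTid` is outside the hunk.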
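Review bot: Opening a brace inside one `#ifdef REG_TEST` region and closing it inside a second one makes `detain_packet` compile into two different block structures depending on the build, which is brittle under later edits; a single boolean decided under `REG_TEST` and tested once keeps one structure for both builds and makes the "attempted detains" peg comment literally true. The first `#ifdef REG_TEST` and the test-output `if` it guards start above the hunk, so the flag would be declared just before that opener. The peg increment being unconditional is presumably intended, since the peg text in http_tables.cc now says "hold requests".
```cpp
    bool request_hold = true;
#ifdef REG_TEST
    // … unchanged: test-output logging of the detain request …
    request_hold = !HttpTestManager::use_test_input(HttpTestManager::IN_HTTP);
#endif
    if (request_hold)
        pkt->active->hold_packet(pkt);

    // Count attempted detains.
    HttpModule::increment_peg_counts(PEG_DETAINED);
```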
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index 145579d33..62ebd4f4d 100644
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -412,7 +412,7 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
 { CountType::SUM, "uri_coding", "URIs with character coding problems" },
 { CountType::NOW, "concurrent_sessions", "total concurrent http sessions" },
 { CountType::MAX, "max_concurrent_sessions", "maximum concurrent http sessions" },
- { CountType::SUM, "detained_packets", "TCP packets delayed by detained inspection" },
+ { CountType::SUM, "detained_packets", "packet hold requests for detained inspection" },
 { CountType::SUM, "partial_inspections", "pre-inspections for detained inspection" },
 { CountType::SUM, "excess_parameters", "repeat parameters exceeding max" },
 { CountType::SUM, "parameters", "HTTP parameters inspected" },