From: Shravan Rangarajuvenkata (shrarang) Date: Sat, 5 Jun 2021 22:23:01 +0000 (+0000) Subject: Merge pull request #2900 in SNORT/snort3 from ~ADIKAPOO/snort3:adikapoo-extradata... X-Git-Tag: 3.1.6.0~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68a22783df7ec04a8e5176eac018e2e3ab50bbe1;p=thirdparty%2Fsnort3.git Merge pull request #2900 in SNORT/snort3 from ~ADIKAPOO/snort3:adikapoo-extradata to master Squashed commit of the following: commit 20a235eea96f40bf1d8af2c44f7b502934370830 Author: adikapoo Date: Fri Jun 4 14:42:36 2021 -0400 mime: store extra data in stash --- diff --git a/src/flow/stash_item.h b/src/flow/stash_item.h index e022372bf..ef36fb693 100644 --- a/src/flow/stash_item.h +++ b/src/flow/stash_item.h @@ -29,6 +29,7 @@ #define STASH_APPID_DATA "appid_data" #define STASH_GENERIC_OBJECT_APPID 1 +#define STASH_GENERIC_OBJECT_MIME 2 namespace snort { diff --git a/src/mime/file_mime_log.cc b/src/mime/file_mime_log.cc index 1c466e806..5ab68398d 100644 --- a/src/mime/file_mime_log.cc +++ b/src/mime/file_mime_log.cc @@ -223,7 +223,7 @@ bool MailLogState::is_email_to_present() const return log_flags & MIME_FLAG_RCPT_TO_PRESENT; } -MailLogState::MailLogState(MailLogConfig* conf) +MailLogState::MailLogState(MailLogConfig* conf) : StashGenericObject(STASH_GENERIC_OBJECT_MIME) { if (conf && (conf->log_email_hdrs || conf->log_filename || conf->log_mailfrom || conf->log_rcptto)) diff --git a/src/mime/file_mime_log.h b/src/mime/file_mime_log.h index 84e8962c4..019a36ff8 100644 --- a/src/mime/file_mime_log.h +++ b/src/mime/file_mime_log.h @@ -26,6 +26,8 @@ #include #include "main/snort_types.h" +#include "flow/flow_stash.h" +#define STASH_EXTRADATA_MIME "mime_data" namespace snort { 
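Review bot: In src/mime/file_mime_log.h (hunk at -26,6) the stash key `STASH_EXTRADATA_MIME` is defined directly under the include block of the MIME header, while the other key visible in this commit, `STASH_APPID_DATA`, sits in src/flow/stash_item.h beside the `STASH_GENERIC_OBJECT_*` ids. Stash keys appear to share one per-flow string namespace, so keeping them in one header makes an accidental key collision easy to spot. I would move `#define STASH_EXTRADATA_MIME "mime_data"` into stash_item.h under `STASH_APPID_DATA`, or at least set it apart from the includes with a blank line and a one-line comment naming the stored type.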
@@ -46,11 +48,11 @@ struct MailLogConfig class Flow; -class SO_PUBLIC MailLogState +class SO_PUBLIC MailLogState : public snort::StashGenericObject { public: MailLogState(MailLogConfig* conf); - ~MailLogState(); + ~MailLogState() override; /* accumulate MIME attachment filenames. The filenames are appended by commas */ int log_file_name(const uint8_t* start, int length); @@ -66,6 +68,8 @@ public: bool is_email_hdrs_present() const; bool is_email_from_present() const; bool is_email_to_present() const; + size_t size_of() const override + { return sizeof(*this); } private: int log_flags = 0; diff --git a/src/mime/file_mime_process.cc b/src/mime/file_mime_process.cc index 7e172594e..9dc51c7b3 100644 --- a/src/mime/file_mime_process.cc +++ b/src/mime/file_mime_process.cc @@ -802,12 +802,13 @@ void MimeSession::exit() delete mime_hdr_search_mpse; } -MimeSession::MimeSession(DecodeConfig* dconf, MailLogConfig* lconf, uint64_t base_file_id, +MimeSession::MimeSession(Packet* p, DecodeConfig* dconf, MailLogConfig* lconf, uint64_t base_file_id, bool session_is_http) { decode_conf = dconf; log_config = lconf; log_state = new MailLogState(log_config); + p->flow->stash->store(STASH_EXTRADATA_MIME, log_state); session_base_file_id = base_file_id; is_http = session_is_http; reset_mime_paf_state(&mime_boundary); @@ -817,9 +818,6 @@ MimeSession::~MimeSession() { if ( decode_state ) delete(decode_state); - - if ( log_state ) - delete(log_state); } // File verdicts get cached with key (file_id, sip, dip). File_id is hash of filename if available. diff --git a/src/mime/file_mime_process.h b/src/mime/file_mime_process.h index b36f13b9b..82b494423 100644 --- a/src/mime/file_mime_process.h +++ b/src/mime/file_mime_process.h 
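Review bot: `size_of()` in src/mime/file_mime_log.h (hunk at -66,6) returns `sizeof(*this)`, which counts the object itself and nothing it points to. The class members are outside the hunk, but the constructor in file_mime_log.cc branches on `log_email_hdrs`, `log_filename`, `log_mailfrom` and `log_rcptto`, which suggests separately allocated log buffers. If the stash uses `size_of()` for memory accounting, the traffic-derived header and filename data would then be under-reported. Consider adding the allocated buffer sizes to the result, or record the choice with `// heap log buffers are not included in this figure`.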
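Review bot: The constructor in src/mime/file_mime_process.cc (hunk at -802,12) hands `log_state` to the flow stash but keeps the raw pointer as a member, and the next hunk (-817,9) drops the matching `delete`, so `MimeSession` now uses an object whose lifetime it no longer controls. If `FlowStash::store` releases an object already stored under the same key (its body is not visible here), a second `MimeSession` on the same flow would free the first session's `log_state` while that session still points at it; http_msg_header.cc keeps one session per `mime_state[source_id]`, all under the single key `STASH_EXTRADATA_MIME`. The added line also dereferences `p`, `p->flow` and `p->flow->stash` with no check. I would guard it as `if (p && p->flow && p->flow->stash) p->flow->stash->store(STASH_EXTRADATA_MIME, log_state);` together with an ownership flag so the destructor still deletes an unstored `log_state`, and either key the entry per session or read the object back from the stash on use. The constructor body continues past the hunk.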
@@ -55,7 +55,7 @@ namespace snort class SO_PUBLIC MimeSession { public: - MimeSession(DecodeConfig*, MailLogConfig*, uint64_t base_file_id=0, bool session_is_http=false); + MimeSession(Packet*, DecodeConfig*, MailLogConfig*, uint64_t base_file_id=0, bool session_is_http=false); virtual ~MimeSession(); MimeSession(const MimeSession&) = delete; diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc index e454bf6d4..c43587d51 100755 --- a/src/service_inspectors/http_inspect/http_msg_header.cc +++ b/src/service_inspectors/http_inspect/http_msg_header.cc @@ -479,14 +479,14 @@ void HttpMsgHeader::setup_file_processing() { if (boundary_present(content_type)) { - session_data->mime_state[source_id] = new MimeSession(&FileService::decode_conf, + Packet* p = DetectionEngine::get_current_packet(); + session_data->mime_state[source_id] = new MimeSession(p, &FileService::decode_conf, &mime_conf, get_multi_file_processing_id(), true); // Show file processing the Content-Type header as if it were regular data. // This will enable it to find the boundary string. // FIXIT-L develop a proper interface for passing the boundary string. // This interface is a leftover from when OHI pushed whole messages through // this interface. - Packet* p = DetectionEngine::get_current_packet(); session_data->mime_state[source_id]->process_mime_data(p, content_type.start(), content_type.length(), true, SNORT_FILE_POSITION_UNKNOWN); diff --git a/src/service_inspectors/imap/imap.cc b/src/service_inspectors/imap/imap.cc index d0d1fc489..fb03f2e74 100644 --- a/src/service_inspectors/imap/imap.cc +++ b/src/service_inspectors/imap/imap.cc 
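Review bot: The new first parameter of the `MimeSession` constructor in src/mime/file_mime_process.h (hunk at -55,7) is unnamed and undocumented, although the definition dereferences it down to `p->flow->stash` and passes the log state to that stash. Callers such as `HttpMsgHeader::setup_file_processing` (next hunk on this page), which passes the result of `DetectionEngine::get_current_packet()`, cannot see that requirement from the header. I would name the parameter and add above the declaration `// p must be non-null with p->flow and p->flow->stash set; the MailLogState created here is stored in that stash`.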
@@ -177,7 +177,7 @@ static IMAPData* SetNewIMAPData(IMAP_PROTO_CONF* config, Packet* p) imap_ssn = &fd->session; imapstats.sessions++; - imap_ssn->mime_ssn= new ImapMime(&(config->decode_conf),&(config->log_config)); + imap_ssn->mime_ssn= new ImapMime(p, &(config->decode_conf),&(config->log_config)); imap_ssn->mime_ssn->set_mime_stats(&(imapstats.mime_stats)); if (p->packet_flags & SSNFLAG_MIDSTREAM) diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc index d0a5256c7..e8ee1e066 100644 --- a/src/service_inspectors/pop/pop.cc +++ b/src/service_inspectors/pop/pop.cc @@ -137,7 +137,7 @@ static POPData* SetNewPOPData(POP_PROTO_CONF* config, Packet* p) pop_ssn = &fd->session; popstats.sessions++; - pop_ssn->mime_ssn = new PopMime( &(config->decode_conf), &(config->log_config)); + pop_ssn->mime_ssn = new PopMime(p, &(config->decode_conf), &(config->log_config)); pop_ssn->mime_ssn->set_mime_stats(&(popstats.mime_stats)); if (p->packet_flags & SSNFLAG_MIDSTREAM) diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc index e1216a6a7..9137e1a6a 100644 --- a/src/service_inspectors/smtp/smtp.cc +++ b/src/service_inspectors/smtp/smtp.cc @@ -233,7 +233,7 @@ static SMTPData* SetNewSMTPData(SmtpProtoConf* config, Packet* p) p->flow->set_flow_data(fd); smtp_ssn = &fd->session; - smtp_ssn->mime_ssn = new SmtpMime(&(config->decode_conf), &(config->log_config)); + smtp_ssn->mime_ssn = new SmtpMime(p, &(config->decode_conf), &(config->log_config)); smtp_ssn->mime_ssn->config = config; smtp_ssn->mime_ssn->set_mime_stats(&(smtpstats.mime_stats)); 
@@ -1625,15 +1625,21 @@ TEST_CASE("handle_header_line", "[smtp]") // Setup MailLogConfig log_config; DecodeConfig decode_conf; + const SnortConfig* sc = SnortConfig::get_conf(); + SnortConfig::set_conf(sc); log_config.log_email_hdrs = false; - SmtpMime mime_ssn(&decode_conf, &log_config); + Packet p; + Flow flow; + p.flow = &flow; + FlowStash stash; + p.flow->stash = &stash; + p.context = new IpsContext(1); + SmtpMime mime_ssn(&p, &decode_conf, &log_config); smtp_normalizing = true; SmtpProtoConf config; mime_ssn.config = &config; uint8_t ptr[68] = "Date: Tue, 1 Mar 2016 22:37:56 -0500\r\nFrom: acc2 \r\n"; uint8_t* eol = ptr + 38; - Packet p; - p.context = new IpsContext(1); SMTP_ResetAltBuffer(&p); int res = mime_ssn.handle_header_line(ptr, eol, 0, &p); REQUIRE((res == 0)); @@ -1651,14 +1657,20 @@ TEST_CASE("normalize_data", "[smtp]") // Setup MailLogConfig log_config; DecodeConfig decode_conf; - SmtpMime mime_ssn(&decode_conf, &log_config); + const SnortConfig* sc = SnortConfig::get_conf(); + SnortConfig::set_conf(sc); + Packet p; + Flow flow; + p.flow =& flow; + FlowStash stash; + p.flow->stash = &stash; + p.context = new IpsContext(1); + SmtpMime mime_ssn(&p, &decode_conf, &log_config); smtp_normalizing = true; SmtpProtoConf config; mime_ssn.config = &config; uint8_t ptr[23] = "\r\n--wac7ysb48OaltWcw\r\n"; uint8_t* data_end = ptr + 22; - Packet p; - p.context = new IpsContext(1); SMTP_ResetAltBuffer(&p); int res = mime_ssn.normalize_data(ptr, data_end, &p); REQUIRE((res == 0));
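Review bot: Neither SMTP test in src/service_inspectors/smtp/smtp.cc (hunks at -1625,15 and -1651,14) checks the behaviour this commit adds: both build a `Packet`/`Flow`/`FlowStash` fixture so the `SmtpMime` constructor has a stash to write to, but never assert that the stash holds an entry under `STASH_EXTRADATA_MIME` afterwards. A `REQUIRE` that looks the key up in `stash` right after `mime_ssn` is constructed would pin the ownership hand-off. The pair `const SnortConfig* sc = SnortConfig::get_conf(); SnortConfig::set_conf(sc);` has no visible effect and needs a comment saying why it is there. The identical setup in both tests would read better as one shared helper; both test bodies start before their hunks.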