From: Michael Altizer (mialtize)
Date: Mon, 11 May 2020 16:03:51 +0000 (+0000)
Subject: Merge pull request #2204 in SNORT/snort3 from ~SMINUT/snort3:hpq_daq_verdict to master
X-Git-Tag: 3.0.1-4~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6cbb98d1f889a6e48902a0c055cfd19dbe0aa0d3;p=thirdparty%2Fsnort3.git

Merge pull request #2204 in SNORT/snort3 from ~SMINUT/snort3:hpq_daq_verdict to master

Squashed commit of the following:

commit 006990ce86bed6fd6710ee2f868d4672887fa1eb
Author: Silviu Minut
Date: Thu May 7 16:31:26 2020 -0400

stream_tcp: change the DAQ verdict from drop to blacklist for held packets that timed out
---

diff --git a/src/stream/tcp/held_packet_queue.cc b/src/stream/tcp/held_packet_queue.cc
index cb1a9092b..2c5656509 100644
--- a/src/stream/tcp/held_packet_queue.cc
+++ b/src/stream/tcp/held_packet_queue.cc
@@ -32,7 +32,7 @@
 using namespace snort;
 
 HeldPacket::HeldPacket(DAQ_Msg_h msg, uint32_t seq, const timeval& exp, TcpStreamTracker& trk)
- : daq_msg(msg), seq_num(seq), expiration(exp), tracker(trk)
+ : daq_msg(msg), seq_num(seq), expiration(exp), tracker(trk), expired(false)
 {
 }
 
diff --git a/src/stream/tcp/held_packet_queue.h b/src/stream/tcp/held_packet_queue.h
index b78e027ea..ded1c8e70 100644
--- a/src/stream/tcp/held_packet_queue.h
+++ b/src/stream/tcp/held_packet_queue.h
@@ -36,7 +36,13 @@ public:
 
 bool has_expired(const timeval& cur_time)
 {
- return !timercmp(&cur_time, &expiration, <);
+ expired = (timercmp(&cur_time, &expiration, <) == 0);
+ return expired;
+ }
+
+ bool has_expired()
+ {
+ return expired;
 }
 
 TcpStreamTracker& get_tracker() const { return tracker; }
@@ -48,6 +54,7 @@ private:
 uint32_t seq_num;
 timeval expiration;
 TcpStreamTracker& tracker;
+ bool expired;
 };
 
 class HeldPacketQueue
diff --git a/src/stream/tcp/tcp_stream_tracker.cc b/src/stream/tcp/tcp_stream_tracker.cc
index b75ef7d90..120ef09cc 100644
--- a/src/stream/tcp/tcp_stream_tracker.cc
+++ b/src/stream/tcp/tcp_stream_tracker.cc
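Review bot: The new zero-argument `has_expired()` only reads the cached flag and should be `bool has_expired() const { return expired; }`, matching `get_tracker() const` just below it. More importantly, its answer now depends on call order rather than on time: `expired` is false until the timed overload has been evaluated, and a later evaluation with an earlier `cur_time` clears it again, so a caller that finalizes a packet without a preceding expiry check sees it as not expired. That contract is invisible in the header; document it on the overload, e.g. `// Result of the most recent has_expired(cur_time) evaluation; false if it was never evaluated.`, and add a short comment on the timed overload saying it records its result, since a query method that mutates state is easy to misread.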
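Review bot: The new member `bool expired;` relies on every constructor remembering to initialize it (the companion change in held_packet_queue.cc does so for the one constructor shown); an in-class initializer `bool expired = false;` keeps the default next to the declaration and would make that constructor edit unnecessary. A one-line comment on the member would also help a reader of the header, e.g. `// cached result of the last has_expired(cur_time) call`.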
@@ -704,7 +704,8 @@ void TcpStreamTracker::finalize_held_packet(Packet* cp)
 {
 if ( cp->active->packet_was_dropped() )
 {
- Analyzer::get_local_analyzer()->finalize_daq_message(held_packet->get_daq_msg(), DAQ_VERDICT_BLOCK);
+ DAQ_Verdict verdict = held_packet->has_expired() ? DAQ_VERDICT_BLACKLIST : DAQ_VERDICT_BLOCK;
+ Analyzer::get_local_analyzer()->finalize_daq_message(held_packet->get_daq_msg(), verdict);
 tcpStats.held_packets_dropped++;
 }
 else
@@ -729,7 +730,8 @@ void TcpStreamTracker::finalize_held_packet(Flow* flow)
 if ( (flow->session_state & STREAM_STATE_BLOCK_PENDING) ||
 (flow->ssn_state.session_flags & SSNFLAG_BLOCK) )
 {
- Analyzer::get_local_analyzer()->finalize_daq_message(held_packet->get_daq_msg(), DAQ_VERDICT_BLOCK);
+ DAQ_Verdict verdict = held_packet->has_expired() ? DAQ_VERDICT_BLACKLIST : DAQ_VERDICT_BLOCK;
+ Analyzer::get_local_analyzer()->finalize_daq_message(held_packet->get_daq_msg(), verdict);
 tcpStats.held_packets_dropped++;
 }
 else
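Review bot: The verdict selection `held_packet->has_expired() ? DAQ_VERDICT_BLACKLIST : DAQ_VERDICT_BLOCK` is duplicated verbatim in this file's second hunk (`finalize_held_packet(Flow*)`), and neither site says why a timed-out held packet escalates from a per-packet BLOCK to BLACKLIST, which the DAQ applies to the remainder of the flow rather than to this packet alone. Pull the choice into one file-local helper, e.g. `static DAQ_Verdict held_packet_verdict(HeldPacket* hp) { return hp->has_expired() ? DAQ_VERDICT_BLACKLIST : DAQ_VERDICT_BLOCK; }`, and give it the comment that explains the escalation: `// A packet held past its timeout is finalized with BLACKLIST so the rest of the flow is dropped at the DAQ instead of being re-inspected packet by packet.` Note also that the argument-less `has_expired()` reports the cached result of an earlier `has_expired(cur_time)` evaluation, presumably from the held-packet queue's timeout scan, so a packet that is in fact past its expiration but was never checked that way still gets BLOCK; if that is intended, say so at the call site. Both enclosing functions begin before their hunks and continue past the `else`.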