From: Mike Stepanek (mstepane) Date: Wed, 4 Sep 2019 12:58:58 +0000 (-0400) Subject: Merge pull request #1726 in SNORT/snort3 from ~MMATIRKO/snort3:bidirectional_icmp_ip_... X-Git-Tag: 3.0.0-261~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73dcc131d96b48eb6908d8f2f65d549fb28ab0a8;p=thirdparty%2Fsnort3.git Merge pull request #1726 in SNORT/snort3 from ~MMATIRKO/snort3:bidirectional_icmp_ip_udp to master Squashed commit of the following: commit 289756992b5a373f05a074032f694528a0916ef7 Author: Michael Matirko Date: Fri Aug 30 11:49:44 2019 -0400 rna: support for bidirectional flow with UDP, IP, and ICMP traffic --- diff --git a/src/framework/data_bus.h b/src/framework/data_bus.h index fbd2e768c..47f66b67a 100644 --- a/src/framework/data_bus.h +++ b/src/framework/data_bus.h @@ -161,6 +161,11 @@ private: #define STREAM_IP_NEW_FLOW_EVENT "stream.ip_new_flow" #define STREAM_UDP_NEW_FLOW_EVENT "stream.udp_new_flow" +// A flow has been determined to be bidirectional +#define STREAM_ICMP_BIDIRECTIONAL_EVENT "stream.icmp_bidirectional" +#define STREAM_IP_BIDIRECTIONAL_EVENT "stream.ip.bidirectional" +#define STREAM_UDP_BIDIRECTIONAL_EVENT "stream.udp.bidirectional" + // A TCP flow has the flag; a midstream flow may not publish other events #define STREAM_TCP_SYN_EVENT "stream.tcp_syn" #define STREAM_TCP_SYN_ACK_EVENT "stream.tcp_syn_ack" diff --git a/src/network_inspectors/rna/rna_event_handler.cc b/src/network_inspectors/rna/rna_event_handler.cc index 4e021abcd..012a37947 100644 --- a/src/network_inspectors/rna/rna_event_handler.cc +++ b/src/network_inspectors/rna/rna_event_handler.cc @@ -26,17 +26,31 @@ using namespace snort; -void RnaIcmpEventHandler::handle(DataEvent& event, Flow*) +void RnaIcmpBidirectionalEventHandler::handle(DataEvent& event, Flow*) { Profile profile(rna_perf_stats); - ++rna_stats.icmp; + ++rna_stats.icmp_bidirectional; pnd.analyze_flow_icmp(event.get_packet()); } -void RnaIpEventHandler::handle(DataEvent& event, Flow*) +void RnaIcmpNewFlowEventHandler::handle(DataEvent& event, Flow*) { Profile profile(rna_perf_stats); - ++rna_stats.ip; + ++rna_stats.icmp_new; + pnd.analyze_flow_icmp(event.get_packet()); +} + +void RnaIpBidirectionalEventHandler::handle(DataEvent& event, Flow*) +{ + Profile profile(rna_perf_stats); + ++rna_stats.ip_bidirectional; + pnd.analyze_flow_ip(event.get_packet()); +} + +void RnaIpNewFlowEventHandler::handle(DataEvent& event, Flow*) +{ + Profile profile(rna_perf_stats); + ++rna_stats.ip_new; pnd.analyze_flow_ip(event.get_packet()); } @@ -61,9 +75,16 @@ void RnaTcpMidstreamEventHandler::handle(DataEvent& event, Flow*) pnd.analyze_flow_tcp(event.get_packet(), TcpPacketType::MIDSTREAM); } -void RnaUdpEventHandler::handle(DataEvent& event, Flow*) +void RnaUdpBidirectionalEventHandler::handle(DataEvent& event, Flow*) +{ + Profile profile(rna_perf_stats); + ++rna_stats.udp_bidirectional; + pnd.analyze_flow_udp(event.get_packet()); +} + +void RnaUdpNewFlowEventHandler::handle(DataEvent& event, Flow*) { Profile profile(rna_perf_stats); - ++rna_stats.udp; + ++rna_stats.udp_new; pnd.analyze_flow_udp(event.get_packet()); } diff --git a/src/network_inspectors/rna/rna_event_handler.h b/src/network_inspectors/rna/rna_event_handler.h index 2b4752a5a..cc6adbb29 100644 --- a/src/network_inspectors/rna/rna_event_handler.h +++ b/src/network_inspectors/rna/rna_event_handler.h @@ -26,19 +26,38 @@ #include "rna_module.h" #include "rna_pnd.h" -class RnaIcmpEventHandler : public snort::DataHandler +class RnaIcmpNewFlowEventHandler : public snort::DataHandler { public: - RnaIcmpEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { } + RnaIcmpNewFlowEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { } void handle(snort::DataEvent&, snort::Flow*) override; private: RnaPnd& pnd; }; -class RnaIpEventHandler : public snort::DataHandler +class RnaIcmpBidirectionalEventHandler : public snort::DataHandler { public: - RnaIpEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { } + RnaIcmpBidirectionalEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { } + void handle(snort::DataEvent&, snort::Flow*) override; +private: + RnaPnd& pnd; +}; + +class RnaIpNewFlowEventHandler : public snort::DataHandler +{ +public: + RnaIpNewFlowEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { } + void handle(snort::DataEvent&, snort::Flow*) override; +private: + RnaPnd& pnd; +}; + + +class RnaIpBidirectionalEventHandler : public snort::DataHandler +{ +public: + RnaIpBidirectionalEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { } void handle(snort::DataEvent&, snort::Flow*) override; private: RnaPnd& pnd; @@ -71,10 +90,19 @@ private: RnaPnd& pnd; }; -class RnaUdpEventHandler : public snort::DataHandler +class RnaUdpNewFlowEventHandler : public snort::DataHandler +{ +public: + RnaUdpNewFlowEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { } + void handle(snort::DataEvent&, snort::Flow*) override; +private: + RnaPnd& pnd; +}; + +class RnaUdpBidirectionalEventHandler : public snort::DataHandler { public: - RnaUdpEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { } + RnaUdpBidirectionalEventHandler(RnaPnd& nd) : DataHandler(RNA_NAME), pnd(nd) { } void handle(snort::DataEvent&, snort::Flow*) override; private: RnaPnd& pnd; diff --git a/src/network_inspectors/rna/rna_inspector.cc b/src/network_inspectors/rna/rna_inspector.cc index 31f06c5e9..3dcdd84af 100644 --- a/src/network_inspectors/rna/rna_inspector.cc +++ b/src/network_inspectors/rna/rna_inspector.cc @@ -65,9 +65,15 @@ RnaInspector::~RnaInspector() bool RnaInspector::configure(SnortConfig*) { - DataBus::subscribe( STREAM_ICMP_NEW_FLOW_EVENT, new RnaIcmpEventHandler(*pnd) ); - DataBus::subscribe( STREAM_IP_NEW_FLOW_EVENT, new RnaIpEventHandler(*pnd) ); - DataBus::subscribe( STREAM_UDP_NEW_FLOW_EVENT, new RnaUdpEventHandler(*pnd) ); + DataBus::subscribe( STREAM_ICMP_NEW_FLOW_EVENT, new RnaIcmpNewFlowEventHandler(*pnd) ); + DataBus::subscribe( STREAM_ICMP_BIDIRECTIONAL_EVENT, new RnaIcmpBidirectionalEventHandler(*pnd) ); + + DataBus::subscribe( STREAM_IP_NEW_FLOW_EVENT, new RnaIpNewFlowEventHandler(*pnd) ); + DataBus::subscribe( STREAM_IP_BIDIRECTIONAL_EVENT, new RnaIpBidirectionalEventHandler(*pnd) ); + + DataBus::subscribe( STREAM_UDP_NEW_FLOW_EVENT, new RnaUdpNewFlowEventHandler(*pnd) ); + DataBus::subscribe( STREAM_UDP_BIDIRECTIONAL_EVENT, new RnaUdpBidirectionalEventHandler(*pnd) ); + DataBus::subscribe( STREAM_TCP_SYN_EVENT, new RnaTcpSynEventHandler(*pnd) ); DataBus::subscribe( STREAM_TCP_SYN_ACK_EVENT, new RnaTcpSynAckEventHandler(*pnd) ); DataBus::subscribe( STREAM_TCP_MIDSTREAM_EVENT, new RnaTcpMidstreamEventHandler(*pnd) ); diff --git a/src/network_inspectors/rna/rna_module.cc b/src/network_inspectors/rna/rna_module.cc index 98cebdbff..708dd6de4 100644 --- a/src/network_inspectors/rna/rna_module.cc +++ b/src/network_inspectors/rna/rna_module.cc @@ -61,9 +61,12 @@ static const Parameter rna_params[] = static const PegInfo rna_pegs[] = { - { CountType::SUM, "icmp", "count of ICMP packets received" }, - { CountType::SUM, "ip", "count of IP packets received" }, - { CountType::SUM, "udp", "count of UDP packets received" }, + { CountType::SUM, "icmp_bidirectional", "count of bidirectional ICMP flows received" }, + { CountType::SUM, "icmp_new", "count of new ICMP flows received" }, + { CountType::SUM, "ip_bidirectional", "count of bidirectional IP received" }, + { CountType::SUM, "ip_new", "count of new IP flows received" }, + { CountType::SUM, "udp_bidirectional", "count of bidirectional UDP flows received" }, + { CountType::SUM, "udp_new", "count of new UDP flows received" }, { CountType::SUM, "tcp_syn", "count of TCP SYN packets received" }, { CountType::SUM, "tcp_syn_ack", "count of TCP SYN-ACK packets received" }, { CountType::SUM, "tcp_midstream", "count of TCP midstream packets received" }, diff --git a/src/network_inspectors/rna/rna_module.h b/src/network_inspectors/rna/rna_module.h index f5656380e..15f4157ef 100644 --- a/src/network_inspectors/rna/rna_module.h +++ b/src/network_inspectors/rna/rna_module.h @@ -31,9 +31,12 @@ struct RnaStats { - PegCount icmp; - PegCount ip; - PegCount udp; + PegCount icmp_bidirectional; + PegCount icmp_new; + PegCount ip_bidirectional; + PegCount ip_new; + PegCount udp_bidirectional; + PegCount udp_new; PegCount tcp_syn; PegCount tcp_syn_ack; PegCount tcp_midstream; diff --git a/src/stream/icmp/icmp_session.cc b/src/stream/icmp/icmp_session.cc index a1f2bc3b4..3c4d6b642 100644 --- a/src/stream/icmp/icmp_session.cc +++ b/src/stream/icmp/icmp_session.cc @@ -209,6 +209,12 @@ int IcmpSession::process(Packet* p) flow->set_expire(p, flow->default_session_timeout); + if (!(flow->ssn_state.session_flags & SSNFLAG_ESTABLISHED) and !(p->is_from_client())) + { + DataBus::publish(STREAM_ICMP_BIDIRECTIONAL_EVENT, p); + flow->ssn_state.session_flags |= SSNFLAG_ESTABLISHED; + } + switch (p->ptrs.icmph->type) { case ICMP_DEST_UNREACH: diff --git a/src/stream/ip/ip_session.cc b/src/stream/ip/ip_session.cc index 06b50f25e..588afdd11 100644 --- a/src/stream/ip/ip_session.cc +++ b/src/stream/ip/ip_session.cc @@ -23,6 +23,7 @@ #include "ip_session.h" +#include "framework/data_bus.h" #include "memory/memory_cap.h" #include "profiler/profiler_defs.h" #include "protocols/packet.h" @@ -103,8 +104,16 @@ static inline void update_session(Packet* p, Flow* lws) (lws->ssn_state.session_flags & SSNFLAG_SEEN_SERVER) ) { lws->ssn_state.session_flags |= SSNFLAG_ESTABLISHED; - lws->set_ttl(p, false); + + if ( p->type() == PktType::ICMP and p->ptrs.icmph) + { + DataBus::publish(STREAM_ICMP_BIDIRECTIONAL_EVENT, p); + } + else + { + DataBus::publish(STREAM_IP_BIDIRECTIONAL_EVENT, p); + } } } diff --git a/src/stream/udp/udp_session.cc b/src/stream/udp/udp_session.cc index 463f539a6..df1fe1ca4 100644 --- a/src/stream/udp/udp_session.cc +++ b/src/stream/udp/udp_session.cc @@ -89,6 +89,7 @@ static int ProcessUdp( (lwssn->ssn_state.session_flags & SSNFLAG_SEEN_RESPONDER)) { lwssn->ssn_state.session_flags |= SSNFLAG_ESTABLISHED; + DataBus::publish(STREAM_UDP_BIDIRECTIONAL_EVENT, p); } }