From: Russ Combs (rucombs)
Date: Wed, 12 Jun 2019 15:57:38 +0000 (-0400)
Subject: Merge pull request #1616 in SNORT/snort3 from ~STECHEW/snort3:finalize_packet to...
X-Git-Tag: 3.0.0-257~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=746a35678dfccdc13e5e8366187cd4ca168f0f3d;p=thirdparty%2Fsnort3.git
Merge pull request #1616 in SNORT/snort3 from ~STECHEW/snort3:finalize_packet to master
Squashed commit of the following:
commit 04aeec5d6e2c2285419a5a9e7eff8d1ed0a2787f
Author: Steve Chew
Date: Mon May 20 21:19:33 2019 -0400
    analyzer: publish finalize packet event before calling finalize_message.
---
diff --git a/src/flow/flow.h b/src/flow/flow.h
index 9e827f9e9..e7e301895 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -28,13 +28,13 @@
 // of FlowData items.
 #include "detection/ips_context_chain.h"
+#include "flow/flow_stash.h"
 #include "framework/data_bus.h"
 #include "framework/decode_data.h"
 #include "framework/inspector.h"
 #include "protocols/layer.h"
 #include "sfip/sf_ip.h"
 #include "target_based/snort_protocols.h"
-#include "flow_stash.h"
 #define SSNFLAG_SEEN_CLIENT 0x00000001
 #define SSNFLAG_SEEN_SENDER 0x00000001
@@ -381,6 +381,7 @@ public:
     // FIXIT-M privatize if possible
     uint8_t response_count;
     bool disable_inspect;
+    bool trigger_finalize_event;
 private:
     void clean();
diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc
index 0df55e5ee..e304e0134 100644
--- a/src/main/analyzer.cc
+++ b/src/main/analyzer.cc
@@ -38,6 +38,7 @@
 #include "filters/rate_filter.h"
 #include "filters/sfrf.h"
 #include "filters/sfthreshold.h"
+#include "flow/flow.h"
 #include "flow/ha.h"
 #include "framework/data_bus.h"
 #include "latency/packet_latency.h"
@@ -56,6 +57,7 @@
 #include "packet_io/sfdaq_instance.h"
 #include "packet_tracer/packet_tracer.h"
 #include "profiler/profiler.h"
+#include "pub_sub/finalize_packet_event.h"
 #include "side_channel/side_channel.h"
 #include "stream/stream.h"
 #include "time/packet_time.h"
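Review bot: The new `bool trigger_finalize_event` member added to Flow has no in-class initializer, and this hunk does not show where it is cleared; unless `clean()` or the flow reset path (outside the hunk) zeroes it, a freshly allocated or recycled Flow could carry a stale value and publish finalize events nobody asked for on the per-packet path in Analyzer::post_process_daq_pkt_msg. The neighbouring `disable_inspect` is declared the same way, so the project presumably resets these in bulk, but making it explicit costs nothing: `bool trigger_finalize_event = false;`. A one-line comment naming who is expected to set it (nothing in this commit does) would also help, e.g. `// set by a subscriber that wants FINALIZE_PACKET_EVENT for this flow`. The Flow class definition begins and ends outside this hunk.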
@@ -295,7 +297,17 @@ void Analyzer::post_process_daq_pkt_msg(Packet* p)
     if (verdict == DAQ_VERDICT_RETRY)
         retry_queue->put(p->daq_msg);
     else if ( !p->active->is_packet_held() )
+    {
+        // Publish an event if something has indicated that it wants the
+        // finalize event on this flow.
+        if (p->flow and p->flow->trigger_finalize_event)
+        {
+            FinalizePacketEvent event(p, verdict);
+            DataBus::publish(FINALIZE_PACKET_EVENT, event);
+        }
+        p->daq_instance->finalize_message(p->daq_msg, verdict);
+    }
 }
 void Analyzer::process_daq_pkt_msg(DAQ_Msg_h msg, bool retry)
diff --git a/src/pub_sub/CMakeLists.txt b/src/pub_sub/CMakeLists.txt
index 0d32afee1..4fa0f2874 100644
--- a/src/pub_sub/CMakeLists.txt
+++ b/src/pub_sub/CMakeLists.txt
@@ -1,6 +1,7 @@
 set (PUB_SUB_INCLUDES
     appid_events.h
     expect_events.h
+    finalize_packet_event.h
     http_events.h
     sip_events.h
 )
diff --git a/src/pub_sub/finalize_packet_event.h b/src/pub_sub/finalize_packet_event.h
new file mode 100644
index 000000000..e59febaa3
--- /dev/null
+++ b/src/pub_sub/finalize_packet_event.h
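Review bot: Subscribers of FINALIZE_PACKET_EVENT receive a `const Packet*` whose `daq_msg` is handed back to the DAQ by the very next statement, yet nothing in the new block tells a handler that the pointer and any payload it references are dead once the callback returns. A comment at the publish site would make the contract explicit, e.g. `// Subscribers must not retain p or p->daq_msg: finalize_message() releases the message right after publish.`. Note also that packets on the RETRY branch and held packets bypass this block, so a subscriber that set trigger_finalize_event gets no event for them from here; if those messages are finalized elsewhere, that path presumably needs the same publish or the header should document the gap. The hunk header advertises 7 old lines but only 6 context lines are visible, so this rendering may have lost a line. The body of post_process_daq_pkt_msg, including the computation of `verdict`, begins before this hunk.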
@@ -0,0 +1,56 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2019-2019 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// finalize_packet_event.h author Steve Chew
+
+#ifndef FINALIZE_PACKET_EVENT_H
+#define FINALIZE_PACKET_EVENT_H
+
+// An event to indicate that the packet is about to be finalized (sent
+// back to the daq).
+
+#include 
+
+#include "framework/data_bus.h"
+
+#define FINALIZE_PACKET_EVENT "analyzer.finalize.packet"
+
+namespace snort
+{
+
+class SO_PUBLIC FinalizePacketEvent : public snort::DataEvent
+{
+public:
+    FinalizePacketEvent(const snort::Packet* p, const DAQ_Verdict v) :
+        pkt(p), verdict(v)
+    {
+    }
+
+    const snort::Packet* get_packet() override
+    { return pkt; }
+
+    DAQ_Verdict get_verdict()
+    { return verdict; }
+
+private:
+    const snort::Packet* pkt;
+    const DAQ_Verdict verdict;
+};
+
+}
+
+#endif
diff --git a/src/stream/stream_splitter.h b/src/stream/stream_splitter.h
index a6007e99d..776897689 100644
--- a/src/stream/stream_splitter.h
+++ b/src/stream/stream_splitter.h
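Review bot: `DAQ_Verdict get_verdict()` in the new FinalizePacketEvent class reads only a const member yet is not declared const, so a handler that is given a `const FinalizePacketEvent&` cannot read the verdict; `DAQ_Verdict get_verdict() const` is the fix (get_packet() presumably stays non-const only because it overrides the base signature). The file comment should also spell out the contract the analyzer's publish site implies: the verdict is a copy and cannot be altered by subscribers, and `pkt` is valid only for the duration of the callback because the DAQ message is released right after the event is published — e.g. `// Subscribers observe the verdict but cannot change it; pkt must not be retained past the callback.`. The bare `#include` on the line before framework/data_bus.h looks like a rendering artefact where an angle-bracket header was stripped, not a defect in the commit.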
@@ -121,7 +121,7 @@ private:
 //-------------------------------------------------------------------------
 // length of given segment splitter (pass-thru)
-class LogSplitter : public StreamSplitter
+class SO_PUBLIC LogSplitter : public StreamSplitter
 {
 public:
     LogSplitter(bool);
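Review bot: Exporting LogSplitter with SO_PUBLIC widens the library's plugin-visible ABI, yet the commit message speaks only of the finalize packet event and nothing in the hunk records who needs the symbol; a comment above the class, e.g. `// SO_PUBLIC: instantiated by external plugins`, or a sentence in the message would keep that decision traceable when the class changes later. A plugin consuming FINALIZE_PACKET_EVENT may well be the intended user of this pass-thru splitter, but that is inferred, not visible here. The class body continues past the end of the hunk.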