From: Masud Hasan (mashasan) Date: Tue, 2 Feb 2021 18:28:20 +0000 (+0000) Subject: Merge pull request #2718 in SNORT/snort3 from ~MASHASAN/snort3:tcp_dso to master X-Git-Tag: 3.1.2.0~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7473f9afb1c5fcda098cd907f110359f4be81415;p=thirdparty%2Fsnort3.git Merge pull request #2718 in SNORT/snort3 from ~MASHASAN/snort3:tcp_dso to master Squashed commit of the following: commit 4cc835adb34938ecb1e9c1b9c9e5bf914ed09558 Author: Masud Hasan Date: Sun Jan 17 20:34:34 2021 -0500 stream_tcp: Supporting data on SYN by default with or without Fast Open option --- diff --git a/src/network_inspectors/appid/appid_http_event_handler.cc b/src/network_inspectors/appid/appid_http_event_handler.cc index 874190e22..c238a5e77 100644 --- a/src/network_inspectors/appid/appid_http_event_handler.cc +++ b/src/network_inspectors/appid/appid_http_event_handler.cc 
@@ -37,25 +37,37 @@ #include "appid_http_session.h" #include "appid_inspector.h" #include "appid_session.h" -#include "utils/util.h" using namespace snort; void HttpEventHandler::handle(DataEvent& event, Flow* flow) { + if ( !pkt_thread_odp_ctxt ) + return; + assert(flow); AppIdSession* asd = appid_api.get_appid_session(*flow); - if (!asd) - return; - else + Packet* p = DetectionEngine::get_current_packet(); + assert(p); + auto direction = event_type == REQUEST_EVENT ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; + + if ( !asd ) { - // Skip detection for sessions using old odp context after odp reload - if (!pkt_thread_odp_ctxt or - (asd->get_odp_ctxt_version() != pkt_thread_odp_ctxt->get_version())) - return; + // The event is received before appid has seen any packet, e.g., data on SYN + auto inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME); + asd = AppIdSession::allocate_session( p, p->get_ip_proto_next(), direction, + inspector, *pkt_thread_odp_ctxt ); + if ( appidDebug->is_enabled() ) + { + appidDebug->activate(flow, asd, inspector->get_ctxt().config.log_all_sessions); + if ( appidDebug->is_active() ) + LogMessage("AppIdDbg %s New AppId session at HTTP event\n", + appidDebug->get_debug_session()); + } } + else if ( asd->get_odp_ctxt_version() != pkt_thread_odp_ctxt->get_version() ) + return; // Skip detection for sessions using old odp context after odp reload - AppidSessionDirection direction; const uint8_t* header_start; int32_t header_length; HttpEvent* http_event = (HttpEvent*)&event; @@ -70,7 +82,6 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow) appidDebug->get_debug_session(), http_event->get_http2_stream_id()); asd->set_session_flags(APPID_SESSION_HTTP_SESSION); - direction = event_type == REQUEST_EVENT ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; AppIdHttpSession* hsession; if (http_event->get_is_http2()) 
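Review bot: `inspector` returned by `InspectorManager::get_inspector(MOD_NAME)` is handed to `allocate_session` and dereferenced at `inspector->get_ctxt()` without any check, and `asd` is dereferenced unconditionally after the new block (`asd->set_session_flags(...)` in the next hunk) even though `allocate_session` may return nullptr, which is exactly what the unit-test stub added by this commit does. Matching the `assert(flow)` / `assert(p)` style already used in this function, add `assert(inspector);` after the lookup and `assert(asd);` after the `allocate_session` call, and prefer `static_cast<AppIdInspector*>(...)` over the C-style cast. Since this path now allocates AppId state on the strength of payload carried on a SYN, before any handshake has completed, it is worth confirming that the new session is bound to the flow's lifetime so half-open flows cannot accumulate sessions. HttpEventHandler::handle continues past the end of the hunk.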
@@ -195,8 +206,6 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow) else asd->set_application_ids_service(APP_ID_HTTP2, change_bits); - Packet* p = DetectionEngine::get_current_packet(); - assert(p); asd->publish_appid_event(change_bits, *p, http_event->get_is_http2(), asd->get_api().get_hsessions_size() - 1); } diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc index f0ad62ff7..1ef7d05f5 100644 --- a/src/network_inspectors/appid/test/appid_http_event_test.cc +++ b/src/network_inspectors/appid/test/appid_http_event_test.cc @@ -84,6 +84,11 @@ class FakeHttpMsgHeader }; FakeHttpMsgHeader* fake_msg_header = nullptr; +AppIdSession* AppIdSession::allocate_session(const Packet*, IpProtocol, AppidSessionDirection, + AppIdInspector*, OdpContext&) +{ + return nullptr; +} void AppIdSession::set_application_ids_service(AppId, AppidChangeBits&) {} void AppIdSession::set_ss_application_ids(AppId, AppId, AppId, AppId, AppId, AppidChangeBits&) {} AppIdHttpSession* AppIdSession::get_http_session(uint32_t stream_index) const diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc index 027bd335a..cb6d0278a 100644 --- a/src/stream/tcp/tcp_normalizer.cc +++ b/src/stream/tcp/tcp_normalizer.cc @@ -57,18 +57,19 @@ NormPegs TcpNormalizer::get_normalization_counts(unsigned& c) return tcp_norm_stats; } -void TcpNormalizer::trim_payload( +bool TcpNormalizer::trim_payload( TcpNormalizerState&, TcpSegmentDescriptor& tsd, uint32_t max, NormMode mode, TcpPegCounts peg) { + tcp_norm_stats[peg][mode]++; if (mode == NORM_MODE_ON) { uint16_t fat = tsd.get_len() - max; tsd.set_len(max); tsd.set_packet_flags(PKT_RESIZED); tsd.set_end_seq(tsd.get_end_seq() - fat); + return true; } - - tcp_norm_stats[peg][mode]++; + return false; } bool TcpNormalizer::strip_tcp_timestamp( 
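Review bot: The `AppIdSession::allocate_session` stub added to the test returns nullptr, so the new no-session branch in HttpEventHandler::handle would dereference a null `asd` as soon as it reaches `asd->set_session_flags(...)`; the stub lets the test link but cannot exercise the path this commit introduces. Add a case where `get_appid_session` yields no session and have the stub hand back a fake session object, so the allocation branch and its debug-logging block are covered.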
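Review bot: The new bool return of `trim_payload` is documented neither here nor on the declarations in tcp_normalizer.h, and its meaning is not "payload exceeded max" but "payload was actually cut": for any mode other than NORM_MODE_ON the peg is incremented and false is returned with the segment untouched. The caller in tcp_session.cc branches on false to mean "data was kept", so that contract should be stated above the definition, e.g. `// Returns true only when the payload was actually trimmed (NORM_MODE_ON); in other modes the peg is counted but the segment is left unchanged.` The same one-line comment belongs on the `trim_payload` and `trim_syn_payload` declarations in the two tcp_normalizer.h hunks.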
@@ -108,11 +109,12 @@ bool TcpNormalizer::packet_dropper( return false; } -void TcpNormalizer::trim_syn_payload( +bool TcpNormalizer::trim_syn_payload( TcpNormalizerState& tns, TcpSegmentDescriptor& tsd, uint32_t max) { if (tsd.get_len() > max) - trim_payload(tns, tsd, max, (NormMode)tns.trim_syn, PC_TCP_TRIM_SYN); + return trim_payload(tns, tsd, max, (NormMode)tns.trim_syn, PC_TCP_TRIM_SYN); + return false; } void TcpNormalizer::trim_rst_payload( diff --git a/src/stream/tcp/tcp_normalizer.h b/src/stream/tcp/tcp_normalizer.h index e3e26ca4e..0ad6b8d6b 100644 --- a/src/stream/tcp/tcp_normalizer.h +++ b/src/stream/tcp/tcp_normalizer.h @@ -79,7 +79,7 @@ public: virtual void init(State&) { } virtual bool packet_dropper(State&, TcpSegmentDescriptor&, NormFlags); - virtual void trim_syn_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0); + virtual bool trim_syn_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0); virtual void trim_rst_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0); virtual void trim_win_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0); virtual void trim_mss_payload(State&, TcpSegmentDescriptor&, uint32_t max = 0); @@ -98,7 +98,7 @@ public: protected: TcpNormalizer() = default; - virtual void trim_payload(State&, TcpSegmentDescriptor&, uint32_t, NormMode, TcpPegCounts); + virtual bool trim_payload(State&, TcpSegmentDescriptor&, uint32_t, NormMode, TcpPegCounts); virtual bool strip_tcp_timestamp( State&, TcpSegmentDescriptor&, const snort::tcp::TcpOption*, NormMode); virtual bool validate_rst_seq_geq(State&, TcpSegmentDescriptor&); diff --git a/src/stream/tcp/tcp_normalizers.h b/src/stream/tcp/tcp_normalizers.h index 97bac383b..666bb776d 100644 --- a/src/stream/tcp/tcp_normalizers.h +++ b/src/stream/tcp/tcp_normalizers.h 
@@ -53,8 +53,8 @@ public: bool packet_dropper(TcpSegmentDescriptor& tsd, NormFlags nflags) { return norm->packet_dropper(tns, tsd, nflags); } - void trim_syn_payload(TcpSegmentDescriptor& tsd, uint32_t max = 0) - { norm->trim_syn_payload(tns, tsd, max); } + bool trim_syn_payload(TcpSegmentDescriptor& tsd, uint32_t max = 0) + { return norm->trim_syn_payload(tns, tsd, max); } void trim_rst_payload(TcpSegmentDescriptor& tsd, uint32_t max = 0) { norm->trim_rst_payload(tns, tsd, max); } diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc index 692e9bd74..41d4583de 100644 --- a/src/stream/tcp/tcp_session.cc +++ b/src/stream/tcp/tcp_session.cc @@ -400,15 +400,7 @@ int TcpSession::process_tcp_data(TcpSegmentDescriptor& tsd) uint32_t seq = tsd.get_seq(); if ( tcph->is_syn() ) - { - if (listener->normalizer.get_os_policy() == StreamPolicy::OS_MACOS) - seq++; - else - { - listener->normalizer.trim_syn_payload(tsd); - return STREAM_UNALIGNED; - } - } + seq++; /* we're aligned, so that's nice anyway */ if (seq == listener->rcv_nxt) @@ -634,16 +626,11 @@ void TcpSession::update_ignored_session(TcpSegmentDescriptor& tsd) void TcpSession::handle_data_on_syn(TcpSegmentDescriptor& tsd) { TcpStreamTracker* listener = tsd.get_listener(); - TcpStreamTracker* talker = tsd.get_talker(); - /* MacOS accepts data on SYN, so don't alert if policy is MACOS */ - if ( talker->normalizer.get_os_policy() == StreamPolicy::OS_MACOS ) - handle_data_segment(tsd); - else + if ( !listener->normalizer.trim_syn_payload(tsd) ) { - listener->normalizer.trim_syn_payload(tsd); + handle_data_segment(tsd); tel.set_tcp_event(EVENT_DATA_ON_SYN); - set_pkt_action_flag(ACTION_BAD_PKT); } }
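Review bot: The OS-policy gate in process_tcp_data is removed outright, so a SYN payload is treated as in-sequence at `seq++` for every target stack rather than only OS_MACOS; whether the receiving endpoint keeps data on a SYN depends on its stack and on Fast Open negotiation, so bytes the receiver may discard can now be inspected as if delivered, which is the desynchronization the old check guarded against. If this is acceptable because handle_data_on_syn already trims the payload when trim_syn normalization is on, a comment at the changed line should say so, e.g. `seq++; // data on SYN is accepted by default; trim_syn normalization (handle_data_on_syn) decides whether it survives`. process_tcp_data begins and ends outside the hunk.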
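Review bot: In handle_data_on_syn, EVENT_DATA_ON_SYN is now raised only when `trim_syn_payload` returns false, so when normalization actually trims the payload the data-on-SYN condition produces no event, and the `ACTION_BAD_PKT` flag the old code set is gone as well; only the tcp_norm_stats peg still records it. If a trimmed segment should still alert, set the event before branching: `tel.set_tcp_event(EVENT_DATA_ON_SYN); if ( !listener->normalizer.trim_syn_payload(tsd) ) handle_data_segment(tsd);`. If the silence is intentional, a comment stating that normalized SYN data is accounted for only by the trim_syn peg would stop the next reader from treating it as a lost detection.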