From: Ron Dempster (rdempste)
Date: Fri, 18 Nov 2022 12:30:20 +0000 (+0000)
Subject: Pull request #3659: flow: added an event to allow post processing of new expected...
X-Git-Tag: 3.1.48.0~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=75cbc4e7b62435d07c544e5d3851ea13c57020ef;p=thirdparty%2Fsnort3.git

Pull request #3659: flow: added an event to allow post processing of new expected flows

Merge in SNORT/snort3 from ~RDEMPSTE/snort3:expected_flows to master

Squashed commit of the following:

commit 0e0addce6885fcd71a01c1a81e632542ac4ac128
Author: Ron Dempster (rdempste)
Date:   Thu Oct 13 10:50:22 2022 -0400

    flow: added an event to allow post processing of new expected flows
---

diff --git a/src/flow/expect_cache.cc b/src/flow/expect_cache.cc
index 831e1b56d..27f820535 100644
--- a/src/flow/expect_cache.cc
+++ b/src/flow/expect_cache.cc
@@ -86,6 +86,15 @@ void ExpectFlow::reset_expect_flows()
     packet_expect_flows->clear();
 }
 
+void ExpectFlow::handle_expected_flows(const Packet* p)
+{
+    if (p->flow && packet_expect_flows && !packet_expect_flows->empty())
+    {
+        ExpectedFlowsEvent event(*packet_expect_flows, *p);
+        DataBus::publish(EXPECT_EVENT_TYPE_HANDLE_FLOWS, event);
+    }
+}
+
 FlowData* ExpectFlow::get_flow_data(unsigned id)
 {
     for (FlowData* p = data; p; p = p->next)
diff --git a/src/flow/expect_cache.h b/src/flow/expect_cache.h
index 5a5fadee8..df125d9ab 100644
--- a/src/flow/expect_cache.h
+++ b/src/flow/expect_cache.h
@@ -83,6 +83,7 @@ struct SO_PUBLIC ExpectFlow
     snort::FlowData* get_flow_data(unsigned);
     static std::vector* get_expect_flows();
     static void reset_expect_flows();
+    static void handle_expected_flows(const snort::Packet*);
 };
 }
 
@@ -108,7 +109,7 @@ public:
     unsigned long get_realized() { return realized; }
     unsigned long get_prunes() { return prunes; }
     unsigned long get_overflows() { return overflows; }
-    void reset_stats()
+    void reset_stats()
     {
         expects = 0;
         realized = 0;
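Review bot: `ExpectFlow::handle_expected_flows` hands subscribers non-const references to the per-packet expected-flow list and to the packet, and nothing in the hunk or in the declaration added to expect_cache.h states how long either stays valid; the context lines show `reset_expect_flows()` clearing `packet_expect_flows`, so a pointer or reference a subscriber retains past the callback will dangle, and a subscriber can also erase or append entries that the cache later acts on. Since expected flows steer how subsequent sessions are inspected, whether subscribers are meant to modify the list should be made explicit in the header, e.g. `// Publish EXPECT_EVENT_TYPE_HANDLE_FLOWS for the expected flows created while processing p; the list and packet are valid only for the duration of the publish call.` The function dereferences `p` without a null check while testing `packet_expect_flows` for null, and the caller in inspector_manager.cc already tests `p->flow`, so the parameter could become `const Packet&` and one of the two `p->flow` checks dropped.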
diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc
index 7562041b4..4106a9ce0 100644
--- a/src/managers/inspector_manager.cc
+++ b/src/managers/inspector_manager.cc
@@ -31,6 +31,7 @@
 #include "detection/detect.h"
 #include "detection/detection_engine.h"
 #include "detection/fp_utils.h"
+#include "flow/expect_cache.h"
 #include "flow/flow.h"
 #include "flow/session.h"
 #include "log/messages.h"
@@ -2063,6 +2064,9 @@ void InspectorManager::execute(Packet* p)
         internal_execute(p);
     else
         internal_execute(p);
+
+    if ( p->flow && ( !p->is_cooked() or p->is_defrag() ) )
+        ExpectFlow::handle_expected_flows(p);
 }
 
 template
diff --git a/src/managers/test/get_inspector_stubs.h b/src/managers/test/get_inspector_stubs.h
index 5d81ab2fe..3be184ba1 100644
--- a/src/managers/test/get_inspector_stubs.h
+++ b/src/managers/test/get_inspector_stubs.h
@@ -18,6 +18,7 @@
 // stubs.h author Ron Dempster
 
 #include "detection/detection_engine.h"
+#include "flow/expect_cache.h"
 #include "main/policy.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
@@ -77,6 +78,7 @@ void Module::reset_stats() { }
 DataBus::DataBus() { }
 DataBus::~DataBus() { }
 Module* ModuleManager::get_module(const char*) { return nullptr; }
+void ExpectFlow::handle_expected_flows(const Packet*) { }
 NetworkPolicy* get_default_network_policy(const SnortConfig*) { return nullptr; }
 void set_network_policy(NetworkPolicy*) { }
diff --git a/src/pub_sub/expect_events.h b/src/pub_sub/expect_events.h
index 20520eee7..d24d4367e 100644
--- a/src/pub_sub/expect_events.h
+++ b/src/pub_sub/expect_events.h
@@ -24,6 +24,7 @@
 // by data bus subscribers
 
 #include
+#include
 
 #include "framework/data_bus.h"
 
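Review bot: The new condition in `InspectorManager::execute` does not say why cooked packets other than defragmented ones are excluded from expected-flow handling, and it re-tests `p->flow`, which `ExpectFlow::handle_expected_flows` checks again before publishing (expect_cache.cc hunk). A one-line comment above the call would spare the next reader a trip through the packet flags, e.g. `// act on expected flows only for wire packets and reassembled datagrams -- TODO(review): confirm other cooked packets never create them`. The body of `execute` begins outside the hunk, so whether `p` is already dereferenced above cannot be seen here; if it is, the guard as written is fine and the duplicate check inside the callee is the one to drop. The `or` keyword next to `&&` reads uniformly only if the surrounding file already uses the alternative tokens; otherwise `||` would match the rest of the expression.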
@@ -62,4 +63,24 @@ private:
     const snort::FlowData* flow_data;
 };
 
+#define EXPECT_EVENT_TYPE_HANDLE_FLOWS "expect.handle_flows"
+
+class ExpectedFlowsEvent : public snort::DataEvent
+{
+public:
+    ExpectedFlowsEvent(std::vector& expected_flows, const snort::Packet& p)
+        : expected_flows(expected_flows), pkt(p)
+    { }
+
+    std::vector& get_expected_flows()
+    { return expected_flows; }
+
+    const snort::Packet* get_packet() const override
+    { return &pkt; }
+
+private:
+    std::vector& expected_flows;
+    const snort::Packet& pkt;
+};
+
 #endif
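Review bot: `ExpectedFlowsEvent` stores `expected_flows` and `pkt` as references to objects owned by the publisher, and `get_expected_flows()` exposes the vector mutably, yet the class carries no comment on the lifetime of those references or on whether subscribers are allowed to edit the list. A comment above the class along the lines of `// Published once per packet after inspection with the expected flows created for it; both references are valid only for the duration of the publish call and must not be retained by subscribers` would make the contract explicit. If editing is not intended, the constructor parameter and the accessor should be `const` references (`const std::vector<...>&`, the element type being lost in this rendering); otherwise the comment should say that subscribers may add or remove expected flows, since those entries decide how later sessions are inspected.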