From: Pranav Bhalerao (prbhaler)
Date: Sat, 23 Jan 2021 07:34:13 +0000 (+0000)
Subject: Merge pull request #2681 in SNORT/snort3 from ~PRBHALER/snort3:fw_ha to master
X-Git-Tag: 3.1.1.0~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=774304f613dab9a73cc468d899412b39daa04405;p=thirdparty%2Fsnort3.git
Merge pull request #2681 in SNORT/snort3 from ~PRBHALER/snort3:fw_ha to master
Squashed commit of the following:
commit 8947b45af8169786b9b46a8f6139e3532abcde20
Author: Pranav Bhalerao
Date: Mon Jan 18 10:17:47 2021 -0500
flow: updating direction and interface info in HA flow.
---
diff --git a/src/flow/flow.cc b/src/flow/flow.cc
index 1cd14a7a3..2553a7acd 100644
--- a/src/flow/flow.cc
+++ b/src/flow/flow.cc
@@ -31,6 +31,7 @@
 #include "ips_options/ips_flowbits.h"
 #include "memory/memory_cap.h"
 #include "protocols/packet.h"
+#include "protocols/tcp.h"
 #include "sfip/sf_ip.h"
 #include "utils/stats.h"
 #include "utils/util.h"
@@ -377,6 +378,22 @@ void Flow::markup_packet_flags(Packet* p)
 }
 }
+void Flow::set_client_initiate(Packet* p)
+{
+ if (p->pkth->flags & DAQ_PKT_FLAG_REV_FLOW)
+ flags.client_initiated = p->is_from_server();
+ // If we are tracking on syn, client initiated follows from client
+ else if (p->context->conf->track_on_syn())
+ flags.client_initiated = p->is_from_client();
+ // If not tracking on SYN and the packet is a SYN-ACK, assume the SYN did not create a
+ // session and client initiated follows from server
+ else if (p->is_tcp() and p->ptrs.tcph->is_syn_ack())
+ flags.client_initiated = p->is_from_server();
+ // Otherwise, client initiated follows from client
+ else
+ flags.client_initiated = p->is_from_client();
+}
+
 void Flow::set_direction(Packet* p)
 {
 ip::IpApi* ip_api = &p->ptrs.ip_api;
diff --git a/src/flow/flow.h b/src/flow/flow.h
index e90ee0686..e12f18099 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
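Review bot: The new `Flow::set_client_initiate()` in src/flow/flow.cc lost the comment that explained its first branch. The code removed from flow_control.cc had `// If DAQ specifies reverse flow, client initiated follows from server` above the `DAQ_PKT_FLAG_REV_FLOW` test, and that line should be carried over with the rest. Every branch reads `p->is_from_client()` or `p->is_from_server()`, and the second one dereferences `p->context->conf`, so a header comment such as `// Caller must set packet direction first (see set_direction); p->context must be valid` would make the preconditions visible to the new HA caller. The SYN-ACK branch also switched from `&&` to `and`, which differs from the operator used in the code it replaces.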
@@ -186,6 +186,7 @@ public:
 void call_handlers(Packet* p, bool eof = false);
 void markup_packet_flags(Packet*);
+ void set_client_initiate(Packet*);
 void set_direction(Packet*);
 void set_expire(const Packet*, uint32_t timeout);
 bool expired(const Packet*);
diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc
index 53bd55315..07882b002 100644
--- a/src/flow/flow_control.cc
+++ b/src/flow/flow_control.cc
@@ -469,19 +469,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
 ++news;
 flow->flowstats.start_time = p->pkth->ts;
- // If DAQ specifies reverse flow, client initiated follows from server
- if (p->pkth->flags & DAQ_PKT_FLAG_REV_FLOW)
- flow->flags.client_initiated = p->is_from_server();
- // If we are tracking on syn, client initiated follows from client
- else if (p->context->conf->track_on_syn())
- flow->flags.client_initiated = p->is_from_client();
- // If not tracking on SYN and the packet is a SYN-ACK, assume the SYN did not create a
- // session and client initiated follows from server
- else if (p->is_tcp() && p->ptrs.tcph->is_syn_ack())
- flow->flags.client_initiated = p->is_from_server();
- // Otherwise, client initiated follows from client
- else
- flow->flags.client_initiated = p->is_from_client();
+ flow->set_client_initiate(p);
 }
 // This requires the packet direction to be set
diff --git a/src/flow/ha.cc b/src/flow/ha.cc
index ab0712b98..701360e2c 100644
--- a/src/flow/ha.cc
+++ b/src/flow/ha.cc
@@ -445,6 +445,23 @@ static Flow* consume_ha_update_message(HAMessage& msg, const FlowKey& key, Packe
 if( p && no_flow_found && flow && flow->session )
 {
 flow->session->setup(p);
+ flow->set_direction(p);
+ flow->set_client_initiate(p);
+
+ if (p->is_from_client())
+ {
+ flow->client_intf = p->pkth->ingress_index;
+ flow->server_intf = p->pkth->egress_index;
+ flow->client_group = p->pkth->ingress_group;
+ flow->server_group = p->pkth->egress_group;
+ }
+ else
+ {
+ flow->client_intf = p->pkth->egress_index;
+ flow->server_intf = p->pkth->ingress_index;
+ flow->client_group = p->pkth->egress_group;
+ flow->server_group = p->pkth->ingress_group;
+ }
 }
 return flow;
diff --git a/src/flow/test/flow_cache_test.cc b/src/flow/test/flow_cache_test.cc
index ce16061be..1fb570f99 100644
--- a/src/flow/test/flow_cache_test.cc
+++ b/src/flow/test/flow_cache_test.cc
@@ -79,6 +79,7 @@ void set_network_policy(const SnortConfig*, unsigned) { }
 void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) { }
 void DataBus::publish(const char*, Packet*, Flow*) { }
 const SnortConfig* SnortConfig::get_conf() { return nullptr; }
+void Flow::set_client_initiate(Packet*) { }
 void Flow::set_direction(Packet*) { }
 void set_inspection_policy(const SnortConfig*, unsigned) { }
 void set_ips_policy(const SnortConfig*, unsigned) { }
diff --git a/src/flow/test/flow_control_test.cc b/src/flow/test/flow_control_test.cc
index 5c4ac306f..b49bee6e0 100644
--- a/src/flow/test/flow_control_test.cc
+++ b/src/flow/test/flow_control_test.cc
@@ -85,6 +85,7 @@ void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) { }
 void DataBus::publish(const char*, Packet*, Flow*) { }
 const SnortConfig* SnortConfig::get_conf() { return nullptr; }
 void FlowCache::unlink_uni(Flow*) { }
+void Flow::set_client_initiate(Packet*) { }
 void Flow::set_direction(Packet*) { }
 void set_inspection_policy(const SnortConfig*, unsigned) { }
 void set_ips_policy(const SnortConfig*, unsigned) { }
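Review bot: In the `@@ -445,6 +445,23 @@` hunk of src/flow/ha.cc, `flow->set_client_initiate(p)` is applied to whichever packet first reaches a flow restored from an HA update, not to the packet that opened the session. Its final branch sets `client_initiated = p->is_from_client()`, so if that first packet is a server-to-client segment the flow would be recorded as server-initiated, unless the HA message restores the flag elsewhere (not visible here). The initiator direction presumably feeds policy and rule direction matching, so it seems safer to carry the flag in the HA state, or at least to document the approximation with `// HA pickup: initiator is inferred from the first packet seen after the update`. The ingress/egress swap that follows could also move into a small Flow helper if the same assignment exists on the normal flow-setup path. consume_ha_update_message starts above the hunk.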
diff --git a/src/flow/test/ha_test.cc b/src/flow/test/ha_test.cc index 470286724..6572303b3 100644 --- a/src/flow/test/ha_test.cc +++ b/src/flow/test/ha_test.cc @@ -222,6 +222,9 @@ Flow::~Flow() { delete key; delete ha_state; } FlowStash::~FlowStash() { } +void Flow::set_client_initiate(Packet*) { } +void Flow::set_direction(Packet*) { } + SideChannel* SideChannelManager::get_side_channel(SCPort) { return &s_side_channel; }