From: Michael Altizer (mialtize) Date: Thu, 7 Feb 2019 18:06:18 +0000 (-0500) Subject: Merge pull request #1496 in SNORT/snort3 from ~STECHEW/snort3:splitter_scan to master X-Git-Tag: 3.0.0-251~53 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a4dd7ac1294f7ac2bb52c9c0c2e832f936362bb;p=thirdparty%2Fsnort3.git Merge pull request #1496 in SNORT/snort3 from ~STECHEW/snort3:splitter_scan to master Squashed commit of the following: commit 891499867ff983216f15e6d96b972046aba69c92 Author: Steve Chew Date: Wed Jan 30 21:52:24 2019 +0530 stream: Pass Packet in flush_pdu_* -> paf_eval -> paf_callback chain. commit f1b109aff3032302542e33b3c3c4213d254a4f9e Author: Steve Chew Date: Tue Jan 29 02:13:40 2019 +0530 stream: Change StreamSplitter::scan to take a Packet instead of a Flow. --- diff --git a/src/piglet_plugins/pp_stream_splitter_iface.cc b/src/piglet_plugins/pp_stream_splitter_iface.cc index 041872b3e..f12078716 100644 --- a/src/piglet_plugins/pp_stream_splitter_iface.cc +++ b/src/piglet_plugins/pp_stream_splitter_iface.cc @@ -27,6 +27,7 @@ #include "stream/stream_splitter.h" #include "pp_flow_iface.h" +#include "pp_packet_iface.h" #include "pp_raw_buffer_iface.h" using namespace snort; @@ -44,13 +45,13 @@ static const luaL_Reg methods[] = Lua::Args args(L); auto& self = StreamSplitterIface.get(L, 1); - auto& flow = FlowIface.get(L, 2); + auto& pkt = PacketIface.get(L, 2); auto& rb = RawBufferIface.get(L, 3); uint32_t len = args[4].opt_size(rb.size(), rb.size()); uint32_t flags = args[5].opt_size(); uint32_t fp = 0; - auto status = self.scan(&flow, get_data(rb), len, flags, &fp); + auto status = self.scan(&pkt, get_data(rb), len, flags, &fp); stack_push(L, status); Lua::Stack::push(L, fp); diff --git a/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.cc b/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.cc index 49d3a1323..4e354954f 100644 --- a/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.cc +++ b/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.cc @@ -52,7 +52,7 @@ const StreamBuffer DceHttpProxySplitter::reassemble( } StreamSplitter::Status DceHttpProxySplitter::scan( - Flow*, const uint8_t* data, uint32_t len, + Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) { StreamSplitter::Status status; @@ -168,87 +168,75 @@ DceHttpProxySplitter::DceHttpProxySplitter(bool c2s) : StreamSplitter(c2s) TEST_CASE("DceHttpProxySplitter-scan - first_proxy_request", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(true); - Flow* flow = new Flow(); uint32_t fp; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"RPC", 3, PKT_FROM_CLIENT, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"RPC", 3, PKT_FROM_CLIENT, &fp) == StreamSplitter::SEARCH); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - first_proxy_request_no_direction", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(true); - Flow* flow = new Flow(); uint32_t fp; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"RPC", 3, 0, &fp) == StreamSplitter::ABORT); + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"RPC", 3, 0, &fp) == StreamSplitter::ABORT); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - bad_first_proxy_request", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(true); - Flow* flow = new Flow(); uint32_t fp; - REQUIRE(splitter->scan(flow, (const uint8_t*)"xxx", 1, PKT_FROM_CLIENT, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"xxx", 1, PKT_FROM_CLIENT, &fp) == StreamSplitter::ABORT); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - first_bad_second_proxy_request", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(true); - Flow* flow = new Flow(); uint32_t fp; - REQUIRE(splitter->scan(flow, (const uint8_t*)"RPC", 3, PKT_FROM_CLIENT, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"RPC", 3, PKT_FROM_CLIENT, &fp) == StreamSplitter::SEARCH); REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"R", 1, PKT_FROM_CLIENT, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"R", 1, PKT_FROM_CLIENT, &fp) == StreamSplitter::ABORT); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - first_good_second_proxy_request", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(true); - Flow* flow = new Flow(); uint32_t fp; - REQUIRE(splitter->scan(flow, (const uint8_t*)"RPC", 3, PKT_FROM_CLIENT, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"RPC", 3, PKT_FROM_CLIENT, &fp) == StreamSplitter::SEARCH); - REQUIRE(splitter->scan(flow, (const uint8_t*)"_CON", 4, PKT_FROM_CLIENT, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"_CON", 4, PKT_FROM_CLIENT, &fp) == StreamSplitter::SEARCH); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - full_proxy_request", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(true); - Flow* flow = new Flow(); uint32_t fp = 0; - REQUIRE(splitter->scan(flow, (const uint8_t*)HTTP_PROXY_REQUEST, + REQUIRE(splitter->scan(nullptr, (const uint8_t*)HTTP_PROXY_REQUEST, strlen(HTTP_PROXY_REQUEST), PKT_FROM_CLIENT, &fp) == StreamSplitter::FLUSH); REQUIRE(fp == strlen(HTTP_PROXY_REQUEST)); - REQUIRE(splitter->scan(flow, (const uint8_t*)"0", 1, PKT_FROM_CLIENT, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"0", 1, PKT_FROM_CLIENT, &fp) == StreamSplitter::FLUSH); REQUIRE(splitter->cutover_inspector() == true); - delete flow; delete splitter; } @@ -257,19 +245,17 @@ TEST_CASE("DceHttpProxySplitter-scan - extra_proxy_request", "[http_proxy_splitt DceHttpProxySplitter* splitter = new DceHttpProxySplitter(true); const char* extra = "ignore"; char* string = new char[strlen(HTTP_PROXY_REQUEST)+strlen(extra)+1]; - Flow* flow = new Flow(); uint32_t fp = 0; strncpy(string,(const char*)HTTP_PROXY_REQUEST,strlen(HTTP_PROXY_REQUEST)+1); strncpy(string+strlen(HTTP_PROXY_REQUEST),extra,strlen(extra)+1); - REQUIRE(splitter->scan(flow, (const uint8_t*)string, + REQUIRE(splitter->scan(nullptr, (const uint8_t*)string, (strlen(HTTP_PROXY_REQUEST)+strlen(extra)), PKT_FROM_CLIENT, &fp) == StreamSplitter::FLUSH); REQUIRE(fp == strlen(HTTP_PROXY_REQUEST)); - REQUIRE(splitter->scan(flow, (const uint8_t*)"0", 1, PKT_FROM_CLIENT, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"0", 1, PKT_FROM_CLIENT, &fp) == StreamSplitter::FLUSH); REQUIRE(splitter->cutover_inspector() == true); - delete flow; delete splitter; delete[] string; } @@ -277,100 +263,86 @@ TEST_CASE("DceHttpProxySplitter-scan - extra_proxy_request", "[http_proxy_splitt TEST_CASE("DceHttpProxySplitter-scan - first_proxy_response", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); - Flow* flow = new Flow(); uint32_t fp; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"xxx", 3, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"xxx", 3, PKT_FROM_SERVER, &fp) == StreamSplitter::ABORT); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - good_1_proxy_response", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); - Flow* flow = new Flow(); uint32_t fp = 0; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\n\n", 12, + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"HTTP/1.xxx\n\n", 12, PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH); REQUIRE((fp == 12)); REQUIRE(splitter->cutover_inspector() == true); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - good_2_proxy_response", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); - Flow* flow = new Flow(); uint32_t fp = 0; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\n", 15, + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"HTTP/1.xxx\nxx\n\n", 15, PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH); REQUIRE((fp == 15)); REQUIRE(splitter->cutover_inspector() == true); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - good_3_proxy_response", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); - Flow* flow = new Flow(); uint32_t fp = 0; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\nyyy", 18, + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"HTTP/1.xxx\nxx\n\nyyy", 18, PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH); REQUIRE((fp == 18)); REQUIRE(splitter->cutover_inspector() == true); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - bad_1_proxy_response", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); - Flow* flow = new Flow(); uint32_t fp; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nx\n", 13, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"HTTP/1.xxx\nx\n", 13, PKT_FROM_SERVER, &fp) == StreamSplitter::SEARCH); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - bad_2_proxy_response", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); - Flow* flow = new Flow(); uint32_t fp; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nx", 12, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"HTTP/1.xxx\nx", 12, PKT_FROM_SERVER, &fp) == StreamSplitter::SEARCH); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpProxySplitter-scan - bad_3_proxy_response", "[http_proxy_splitter]") { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); - Flow* flow = new Flow(); uint32_t fp; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.", 7, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"HTTP/1.", 7, PKT_FROM_SERVER, &fp) == StreamSplitter::SEARCH); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } diff --git a/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.h b/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.h index ebbc0da4b..9a6e08fd5 100644 --- a/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.h +++ b/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.h @@ -30,7 +30,7 @@ class DceHttpProxySplitter : public snort::StreamSplitter public: DceHttpProxySplitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; const snort::StreamBuffer reassemble(snort::Flow*, unsigned, unsigned, diff --git a/src/service_inspectors/dce_rpc/dce_http_server_splitter.cc b/src/service_inspectors/dce_rpc/dce_http_server_splitter.cc index 368826d01..1783b3349 100644 --- a/src/service_inspectors/dce_rpc/dce_http_server_splitter.cc +++ b/src/service_inspectors/dce_rpc/dce_http_server_splitter.cc @@ -37,7 +37,7 @@ using namespace snort; #define HTTP_SERVER_MARKER "ncacn_http/1.0" StreamSplitter::Status DceHttpServerSplitter::scan( - Flow*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) + Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) { if ( (flags & PKT_FROM_CLIENT) != 0 ) return StreamSplitter::ABORT; @@ -84,86 +84,74 @@ DceHttpServerSplitter::DceHttpServerSplitter(bool c2s) : StreamSplitter(c2s) TEST_CASE("DceHttpServerSplitter-scan - first_server", "[http_server_splitter]") { DceHttpServerSplitter* splitter = new DceHttpServerSplitter(false); - Flow* flow = new Flow(); uint32_t fp; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"n", 1, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"n", 1, PKT_FROM_SERVER, &fp) == StreamSplitter::SEARCH); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpServerSplitter-scan - first_server_wrong_direction", "[http_server_splitter]") { DceHttpServerSplitter* splitter = new DceHttpServerSplitter(false); - Flow* flow = new Flow(); uint32_t fp; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"n", 1, PKT_FROM_CLIENT, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"n", 1, PKT_FROM_CLIENT, &fp) == StreamSplitter::ABORT); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpServerSplitter-scan - bad_first_server", "[http_server_splitter]") { DceHttpServerSplitter* splitter = new DceHttpServerSplitter(false); - Flow* flow = new Flow(); uint32_t fp; - REQUIRE(splitter->scan(flow, (const uint8_t*)"x", 1, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"x", 1, PKT_FROM_SERVER, &fp) == StreamSplitter::ABORT); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpServerSplitter-scan - first_bad_second_server", "[http_server_splitter]") { DceHttpServerSplitter* splitter = new DceHttpServerSplitter(false); - Flow* flow = new Flow(); uint32_t fp; - REQUIRE(splitter->scan(flow, (const uint8_t*)"n", 1, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"n", 1, PKT_FROM_SERVER, &fp) == StreamSplitter::SEARCH); REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"n", 1, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"n", 1, PKT_FROM_SERVER, &fp) == StreamSplitter::ABORT); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpServerSplitter-scan - first_good_second_server", "[http_server_splitter]") { DceHttpServerSplitter* splitter = new DceHttpServerSplitter(false); - Flow* flow = new Flow(); uint32_t fp; - REQUIRE(splitter->scan(flow, (const uint8_t*)"n", 1, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"n", 1, PKT_FROM_SERVER, &fp) == StreamSplitter::SEARCH); - REQUIRE(splitter->scan(flow, (const uint8_t*)"c", 1, PKT_FROM_SERVER, &fp) == + REQUIRE(splitter->scan(nullptr, (const uint8_t*)"c", 1, PKT_FROM_SERVER, &fp) == StreamSplitter::SEARCH); REQUIRE(splitter->cutover_inspector() == false); - delete flow; delete splitter; } TEST_CASE("DceHttpServerSplitter-scan - full_server", "[http_server_splitter]") { DceHttpServerSplitter* splitter = new DceHttpServerSplitter(false); - Flow* flow = new Flow(); uint32_t fp; - REQUIRE(splitter->scan(flow, (const uint8_t*)HTTP_SERVER_MARKER, + REQUIRE(splitter->scan(nullptr, (const uint8_t*)HTTP_SERVER_MARKER, strlen(HTTP_SERVER_MARKER), PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH); REQUIRE(fp == strlen(HTTP_SERVER_MARKER)); REQUIRE(splitter->cutover_inspector() == true); - delete flow; delete splitter; } @@ -172,17 +160,15 @@ TEST_CASE("DceHttpServerSplitter-scan - extra_server", "[http_server_splitter]") DceHttpServerSplitter* splitter = new DceHttpServerSplitter(false); const char* extra = "ignore"; char* string = new char[strlen(HTTP_SERVER_MARKER)+strlen(extra)+1]; - Flow* flow = new Flow(); uint32_t fp; strncpy(string,(const char*)HTTP_SERVER_MARKER,strlen(HTTP_SERVER_MARKER)+1); strncpy(string+strlen(HTTP_SERVER_MARKER),extra,strlen(extra)+1); - REQUIRE(splitter->scan(flow, (const uint8_t*)string, + REQUIRE(splitter->scan(nullptr, (const uint8_t*)string, (strlen(HTTP_SERVER_MARKER)+strlen(extra)), PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH); REQUIRE(fp == strlen(HTTP_SERVER_MARKER)); REQUIRE(splitter->cutover_inspector() == true); - delete flow; delete splitter; delete[] string; } diff --git a/src/service_inspectors/dce_rpc/dce_http_server_splitter.h b/src/service_inspectors/dce_rpc/dce_http_server_splitter.h index c2d33572e..f6b691485 100644 --- a/src/service_inspectors/dce_rpc/dce_http_server_splitter.h +++ b/src/service_inspectors/dce_rpc/dce_http_server_splitter.h @@ -30,7 +30,7 @@ class DceHttpServerSplitter : public snort::StreamSplitter public: DceHttpServerSplitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; // FIXIT-M - Should be able to implement but framework does not permit /* const StreamBuffer* reassemble(Flow*, unsigned, unsigned, diff --git a/src/service_inspectors/dce_rpc/dce_smb_paf.cc b/src/service_inspectors/dce_rpc/dce_smb_paf.cc index d47d415c1..fa7b0f31d 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_paf.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_paf.cc @@ -156,10 +156,10 @@ Dce2SmbSplitter::Dce2SmbSplitter(bool c2s) : StreamSplitter(c2s) } StreamSplitter::Status Dce2SmbSplitter::scan( - Flow* flow, const uint8_t* data, uint32_t len, + Packet* pkt, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) { DCE2_PafSmbData* pfdata = &state; - return dce2_smb_paf(pfdata, flow, data, len, flags, fp); + return dce2_smb_paf(pfdata, pkt->flow, data, len, flags, fp); } diff --git a/src/service_inspectors/dce_rpc/dce_smb_paf.h b/src/service_inspectors/dce_rpc/dce_smb_paf.h index b64c74de6..04a2d400d 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_paf.h +++ b/src/service_inspectors/dce_rpc/dce_smb_paf.h @@ -52,7 +52,7 @@ class Dce2SmbSplitter : public snort::StreamSplitter public: Dce2SmbSplitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override diff --git a/src/service_inspectors/dce_rpc/dce_tcp_paf.cc b/src/service_inspectors/dce_rpc/dce_tcp_paf.cc index 0d6e6d8ec..ddb0b5e73 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp_paf.cc +++ b/src/service_inspectors/dce_rpc/dce_tcp_paf.cc @@ -149,10 +149,10 @@ Dce2TcpSplitter::Dce2TcpSplitter(bool c2s) : StreamSplitter(c2s) } StreamSplitter::Status Dce2TcpSplitter::scan( - Flow* flow, const uint8_t* data, uint32_t len, + Packet* pkt, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) { DCE2_PafTcpData* pfdata = &state; - return dce2_tcp_paf(pfdata, flow, data, len, flags, fp); + return dce2_tcp_paf(pfdata, pkt->flow, data, len, flags, fp); } diff --git a/src/service_inspectors/dce_rpc/dce_tcp_paf.h b/src/service_inspectors/dce_rpc/dce_tcp_paf.h index c993fa43b..4f2e91c46 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp_paf.h +++ b/src/service_inspectors/dce_rpc/dce_tcp_paf.h @@ -54,7 +54,7 @@ class Dce2TcpSplitter : public snort::StreamSplitter public: Dce2TcpSplitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override diff --git a/src/service_inspectors/dnp3/dnp3_paf.cc b/src/service_inspectors/dnp3/dnp3_paf.cc index 8b96364fd..05c6e9350 100644 --- a/src/service_inspectors/dnp3/dnp3_paf.cc +++ b/src/service_inspectors/dnp3/dnp3_paf.cc @@ -111,7 +111,7 @@ Dnp3Splitter::Dnp3Splitter(bool c2s) : StreamSplitter(c2s) } StreamSplitter::Status Dnp3Splitter::scan( - Flow*, const uint8_t* data, uint32_t len, + Packet*, const uint8_t* data, uint32_t len, uint32_t, uint32_t* fp) { dnp3_paf_data* pfdata = &state; diff --git a/src/service_inspectors/dnp3/dnp3_paf.h b/src/service_inspectors/dnp3/dnp3_paf.h index 55eb4041e..d1108627e 100644 --- a/src/service_inspectors/dnp3/dnp3_paf.h +++ b/src/service_inspectors/dnp3/dnp3_paf.h @@ -46,7 +46,7 @@ class Dnp3Splitter : public snort::StreamSplitter public: Dnp3Splitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override diff --git a/src/service_inspectors/ftp_telnet/ftp_splitter.cc b/src/service_inspectors/ftp_telnet/ftp_splitter.cc index d5795ef0c..3407ecd78 100644 --- a/src/service_inspectors/ftp_telnet/ftp_splitter.cc +++ b/src/service_inspectors/ftp_telnet/ftp_splitter.cc @@ -32,7 +32,7 @@ FtpSplitter::FtpSplitter(bool c2s) : StreamSplitter(c2s) { } // flush at last line feed in data // preproc will deal with any pipelined commands StreamSplitter::Status FtpSplitter::scan( - Flow*, const uint8_t* data, uint32_t len, + Packet*, const uint8_t* data, uint32_t len, uint32_t, uint32_t* fp) { #ifdef HAVE_MEMRCHR diff --git a/src/service_inspectors/ftp_telnet/ftp_splitter.h b/src/service_inspectors/ftp_telnet/ftp_splitter.h index 91e5b2dcc..18af44b1f 100644 --- a/src/service_inspectors/ftp_telnet/ftp_splitter.h +++ b/src/service_inspectors/ftp_telnet/ftp_splitter.h @@ -26,7 +26,7 @@ class FtpSplitter : public snort::StreamSplitter public: FtpSplitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override { return true; } diff --git a/src/service_inspectors/ftp_telnet/ftpdata_splitter.cc b/src/service_inspectors/ftp_telnet/ftpdata_splitter.cc index 4f23f9f46..8e7777e0b 100644 --- a/src/service_inspectors/ftp_telnet/ftpdata_splitter.cc +++ b/src/service_inspectors/ftp_telnet/ftpdata_splitter.cc @@ -44,9 +44,12 @@ static void set_ftp_flush_flag(Flow* flow) fdfd->session.packet_flags |= FTPDATA_FLG_FLUSH; } -StreamSplitter::Status FtpDataSplitter::scan(Flow* flow, const uint8_t*, uint32_t len, +StreamSplitter::Status FtpDataSplitter::scan(Packet* pkt, const uint8_t*, uint32_t len, uint32_t, uint32_t* fp) { + Flow* flow = pkt->flow; + assert(flow); + if ( len ) { if(expected_seg_size == 0) diff --git a/src/service_inspectors/ftp_telnet/ftpdata_splitter.h b/src/service_inspectors/ftp_telnet/ftpdata_splitter.h index 59c6981ce..d76bc2cc2 100644 --- a/src/service_inspectors/ftp_telnet/ftpdata_splitter.h +++ b/src/service_inspectors/ftp_telnet/ftpdata_splitter.h @@ -23,11 +23,6 @@ #include "stream/flush_bucket.h" #include "stream/stream_splitter.h" -namespace snort -{ -class Flow; -} - //--------------------------------------------------------------------------------- // FtpDataSplitter - flush when current seg size is different from previous segment //--------------------------------------------------------------------------------- @@ -42,7 +37,7 @@ public: } - Status scan(snort::Flow*, const uint8_t*, uint32_t len, uint32_t flags, uint32_t* fp ) override; + Status scan(snort::Packet*, const uint8_t*, uint32_t len, uint32_t flags, uint32_t* fp ) override; bool finish(snort::Flow*) override; private: diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc index 6c4134c6a..96460dddc 100644 --- a/src/service_inspectors/http2_inspect/http2_stream_splitter.cc +++ b/src/service_inspectors/http2_inspect/http2_stream_splitter.cc @@ -23,6 +23,8 @@ #include +#include "protocols/packet.h" + #include "http2_stream_splitter.h" #include "http2_module.h" @@ -30,17 +32,17 @@ using namespace snort; using namespace Http2Enums; // Mindless scan() that just flushes whatever it is given -StreamSplitter::Status Http2StreamSplitter::scan(Flow* flow, const uint8_t* data, uint32_t length, +StreamSplitter::Status Http2StreamSplitter::scan(Packet* pkt, const uint8_t* data, uint32_t length, uint32_t, uint32_t* flush_offset) { // This is the session state information we share with Http2Inspect and store with stream. A // session is defined by a TCP connection. Since scan() is the first to see a new TCP // connection the new flow data object is created here. - Http2FlowData* session_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); + Http2FlowData* session_data = (Http2FlowData*)pkt->flow->get_flow_data(Http2FlowData::inspector_id); if (session_data == nullptr) { - flow->set_flow_data(session_data = new Http2FlowData); + pkt->flow->set_flow_data(session_data = new Http2FlowData); Http2Module::increment_peg_counts(PEG_FLOW); } diff --git a/src/service_inspectors/http2_inspect/http2_stream_splitter.h b/src/service_inspectors/http2_inspect/http2_stream_splitter.h index 6ab6bcdf5..8bf2a72b2 100644 --- a/src/service_inspectors/http2_inspect/http2_stream_splitter.h +++ b/src/service_inspectors/http2_inspect/http2_stream_splitter.h @@ -32,7 +32,7 @@ class Http2StreamSplitter : public snort::StreamSplitter public: Http2StreamSplitter(bool is_client_to_server) : snort::StreamSplitter(is_client_to_server), source_id(is_client_to_server ? Http2Enums::SRC_CLIENT : Http2Enums::SRC_SERVER) { } - Status scan(snort::Flow* flow, const uint8_t* data, uint32_t length, uint32_t not_used, + Status scan(snort::Packet* pkt, const uint8_t* data, uint32_t length, uint32_t not_used, uint32_t* flush_offset) override; const snort::StreamBuffer reassemble(snort::Flow* flow, unsigned total, unsigned offset, const uint8_t* data, unsigned len, uint32_t flags, unsigned& copied) override; diff --git a/src/service_inspectors/http_inspect/http_stream_splitter.h b/src/service_inspectors/http_inspect/http_stream_splitter.h index 284aeccb3..653854b1b 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter.h +++ b/src/service_inspectors/http_inspect/http_stream_splitter.h @@ -36,7 +36,7 @@ public: snort::StreamSplitter(is_client_to_server), my_inspector(my_inspector_), source_id(is_client_to_server ? HttpEnums::SRC_CLIENT : HttpEnums::SRC_SERVER) {} - Status scan(snort::Flow* flow, const uint8_t* data, uint32_t length, uint32_t not_used, + Status scan(snort::Packet* pkt, const uint8_t* data, uint32_t length, uint32_t not_used, uint32_t* flush_offset) override; const snort::StreamBuffer reassemble(snort::Flow* flow, unsigned total, unsigned, const uint8_t* data, unsigned len, uint32_t flags, unsigned& copied) override; diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc index 25f760aee..13c59fe78 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc +++ b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc @@ -79,13 +79,15 @@ HttpCutter* HttpStreamSplitter::get_cutter(SectionType type, } } -StreamSplitter::Status HttpStreamSplitter::scan(Flow* flow, const uint8_t* data, uint32_t length, +StreamSplitter::Status HttpStreamSplitter::scan(Packet* pkt, const uint8_t* data, uint32_t length, uint32_t, uint32_t* flush_offset) { snort::Profile profile(HttpModule::get_profile_stats()); assert(length <= MAX_OCTETS); + Flow* flow = pkt->flow; + // This is the session state information we share with HttpInspect and store with stream. A // session is defined by a TCP connection. Since scan() is the first to see a new TCP // connection the new flow data object is created here. diff --git a/src/service_inspectors/imap/imap_paf.cc b/src/service_inspectors/imap/imap_paf.cc index e7292dab9..996d31d5c 100644 --- a/src/service_inspectors/imap/imap_paf.cc +++ b/src/service_inspectors/imap/imap_paf.cc @@ -497,7 +497,7 @@ ImapSplitter::ImapSplitter(bool c2s) : StreamSplitter(c2s) */ StreamSplitter::Status ImapSplitter::scan( - Flow* , const uint8_t* data, uint32_t len, + Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) { ImapPafData* pfdata = &state; diff --git a/src/service_inspectors/imap/imap_paf.h b/src/service_inspectors/imap/imap_paf.h index 9643c70c3..5bb3a453a 100644 --- a/src/service_inspectors/imap/imap_paf.h +++ b/src/service_inspectors/imap/imap_paf.h @@ -71,7 +71,7 @@ class ImapSplitter : public snort::StreamSplitter public: ImapSplitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override { return true; } diff --git a/src/service_inspectors/modbus/modbus_paf.cc b/src/service_inspectors/modbus/modbus_paf.cc index a9c0711c7..6ca525650 100644 --- a/src/service_inspectors/modbus/modbus_paf.cc +++ b/src/service_inspectors/modbus/modbus_paf.cc @@ -48,7 +48,7 @@ ModbusSplitter::ModbusSplitter(bool b) : StreamSplitter(b) // Reads up until the length octet is found, then sets a flush point. StreamSplitter::Status ModbusSplitter::scan( - Flow*, const uint8_t* data, uint32_t len, uint32_t /*flags*/, uint32_t* fp) + Packet*, const uint8_t* data, uint32_t len, uint32_t /*flags*/, uint32_t* fp) { uint32_t bytes_processed = 0; diff --git a/src/service_inspectors/modbus/modbus_paf.h b/src/service_inspectors/modbus/modbus_paf.h index d3a56f0dc..9fdd42a7d 100644 --- a/src/service_inspectors/modbus/modbus_paf.h +++ b/src/service_inspectors/modbus/modbus_paf.h @@ -42,7 +42,7 @@ class ModbusSplitter : public snort::StreamSplitter public: ModbusSplitter(bool); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, uint32_t flags, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override { return true; } diff --git a/src/service_inspectors/pop/pop_paf.cc b/src/service_inspectors/pop/pop_paf.cc index 746e1ef88..657054a10 100644 --- a/src/service_inspectors/pop/pop_paf.cc +++ b/src/service_inspectors/pop/pop_paf.cc @@ -390,7 +390,7 @@ PopSplitter::PopSplitter(bool c2s) : StreamSplitter(c2s) */ StreamSplitter::Status PopSplitter::scan( - Flow* ssn, const uint8_t* data, uint32_t len, + Packet* pkt, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) { PopPafData* pfdata = &state; @@ -398,7 +398,7 @@ StreamSplitter::Status PopSplitter::scan( if (flags & PKT_FROM_SERVER) return pop_paf_server(pfdata, data, len, fp); else - return pop_paf_client(ssn, pfdata, data, len, fp); + return pop_paf_client(pkt->flow, pfdata, data, len, fp); } bool pop_is_data_end(Flow* ssn) diff --git a/src/service_inspectors/pop/pop_paf.h b/src/service_inspectors/pop/pop_paf.h index 7b405e62a..96bc5da32 100644 --- a/src/service_inspectors/pop/pop_paf.h +++ b/src/service_inspectors/pop/pop_paf.h @@ -67,7 +67,7 @@ class PopSplitter : public snort::StreamSplitter public: PopSplitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override { return true; } diff --git a/src/service_inspectors/rpc_decode/rpc_decode.cc b/src/service_inspectors/rpc_decode/rpc_decode.cc index 82605f038..6dee1ca83 100644 --- a/src/service_inspectors/rpc_decode/rpc_decode.cc +++ b/src/service_inspectors/rpc_decode/rpc_decode.cc @@ -784,7 +784,7 @@ class RpcSplitter : public StreamSplitter public: RpcSplitter(bool c2s) : StreamSplitter(c2s) { } - Status scan(Flow*, const uint8_t*, uint32_t, + Status scan(Packet*, const uint8_t*, uint32_t, uint32_t, uint32_t*) override { return SEARCH; } diff --git a/src/service_inspectors/sip/sip_splitter.cc b/src/service_inspectors/sip/sip_splitter.cc index c0bb3c246..4d4144a01 100644 --- a/src/service_inspectors/sip/sip_splitter.cc +++ b/src/service_inspectors/sip/sip_splitter.cc @@ -167,7 +167,7 @@ void SipSplitter::process_command(const uint8_t ch) } StreamSplitter::Status SipSplitter::scan( - Flow *, const uint8_t* data, uint32_t len, + Packet*, const uint8_t* data, uint32_t len, uint32_t, uint32_t* fp) { for (uint32_t i = 0; i < len; i++) diff --git a/src/service_inspectors/sip/sip_splitter.h b/src/service_inspectors/sip/sip_splitter.h index 8229aa0b0..51568ca85 100644 --- a/src/service_inspectors/sip/sip_splitter.h +++ b/src/service_inspectors/sip/sip_splitter.h @@ -58,7 +58,7 @@ class SipSplitter : public snort::StreamSplitter public: SipSplitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override diff --git a/src/service_inspectors/sip/test/sip_splitter_test.h b/src/service_inspectors/sip/test/sip_splitter_test.h index a14cbae7e..904d4f251 100644 --- a/src/service_inspectors/sip/test/sip_splitter_test.h +++ b/src/service_inspectors/sip/test/sip_splitter_test.h @@ -119,10 +119,10 @@ public: ss.process_command(ch); } - snort::StreamSplitter::Status splitter_scan(snort::Flow *flow, const uint8_t* data, + snort::StreamSplitter::Status splitter_scan(snort::Packet* pkt, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) { - return ss.scan(flow, data, len, flags, fp); + return ss.scan(pkt, data, len, flags, fp); } bool is_init() diff --git a/src/service_inspectors/smtp/smtp_paf.cc b/src/service_inspectors/smtp/smtp_paf.cc index cf325890e..8c876426e 100644 --- a/src/service_inspectors/smtp/smtp_paf.cc +++ b/src/service_inspectors/smtp/smtp_paf.cc @@ -370,7 +370,7 @@ SmtpSplitter::SmtpSplitter(bool c2s, int len) : StreamSplitter(c2s) */ StreamSplitter::Status SmtpSplitter::scan( - Flow* , const uint8_t* data, uint32_t len, + Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) { SmtpPafData* pfdata = &state; diff --git a/src/service_inspectors/smtp/smtp_paf.h b/src/service_inspectors/smtp/smtp_paf.h index 4e7d6a316..46c82a59f 100644 --- a/src/service_inspectors/smtp/smtp_paf.h +++ b/src/service_inspectors/smtp/smtp_paf.h @@ -65,7 +65,7 @@ class SmtpSplitter : public snort::StreamSplitter public: SmtpSplitter(bool c2s, int max_auth_cmd_line_len); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override { return true; } diff --git a/src/service_inspectors/ssl/ssl_splitter.cc b/src/service_inspectors/ssl/ssl_splitter.cc index 63b9ef90b..60ef4d123 100644 --- a/src/service_inspectors/ssl/ssl_splitter.cc +++ b/src/service_inspectors/ssl/ssl_splitter.cc @@ -35,7 +35,7 @@ SslSplitter::SslSplitter(bool c2s) : StreamSplitter(c2s) } StreamSplitter::Status SslSplitter::scan( - Flow*, const uint8_t* data, uint32_t len, + Packet*, const uint8_t* data, uint32_t len, uint32_t, uint32_t* fp) { uint32_t n = 0; diff --git a/src/service_inspectors/ssl/ssl_splitter.h b/src/service_inspectors/ssl/ssl_splitter.h index 44fa4f312..b8006f72c 100644 --- a/src/service_inspectors/ssl/ssl_splitter.h +++ b/src/service_inspectors/ssl/ssl_splitter.h @@ -49,7 +49,7 @@ class SslSplitter : public snort::StreamSplitter public: SslSplitter(bool c2s); - Status scan(snort::Flow*, const uint8_t* data, uint32_t len, + Status scan(snort::Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override diff --git a/src/service_inspectors/wizard/wizard.cc b/src/service_inspectors/wizard/wizard.cc index 405372001..a19449510 100644 --- a/src/service_inspectors/wizard/wizard.cc +++ b/src/service_inspectors/wizard/wizard.cc @@ -85,7 +85,7 @@ public: MagicSplitter(bool, class Wizard*); ~MagicSplitter() override; - Status scan(Flow*, const uint8_t* data, uint32_t len, + Status scan(Packet*, const uint8_t* data, uint32_t len, uint32_t flags, uint32_t* fp) override; bool is_paf() override { return true; } @@ -166,14 +166,14 @@ MagicSplitter::~MagicSplitter() // FIXIT-M stop search on hit and failure (no possible match) StreamSplitter::Status MagicSplitter::scan( - Flow* f, const uint8_t* data, uint32_t len, + Packet* pkt, const uint8_t* data, uint32_t len, uint32_t, uint32_t*) { Profile profile(wizPerfStats); - count_scan(f); + count_scan(pkt->flow); - if ( wizard->cast_spell(wand, f, data, len) ) - count_hit(f); + if ( wizard->cast_spell(wand, pkt->flow, data, len) ) + count_hit(pkt->flow); else if ( wizard->finished(wand) ) return ABORT; diff --git a/src/stream/paf.cc b/src/stream/paf.cc index 9847742e1..bb2d129db 100644 --- a/src/stream/paf.cc +++ b/src/stream/paf.cc @@ -25,6 +25,7 @@ #include "paf.h" +#include "detection/detection_engine.h" #include "protocols/packet.h" using namespace snort; @@ -127,11 +128,12 @@ static uint32_t paf_flush (PAF_State* ps, PafAux& px, uint32_t* flags) //-------------------------------------------------------------------- static bool paf_callback ( - StreamSplitter* ss, PAF_State* ps, PafAux& px, Flow* ssn, + StreamSplitter* ss, PAF_State* ps, PafAux& px, Packet* pkt, const uint8_t* data, uint32_t len, uint32_t flags) { ps->fpt = 0; - ps->paf = ss->scan(ssn, data, len, flags, &ps->fpt); + + ps->paf = ss->scan(pkt, data, len, flags, &ps->fpt); if ( ps->paf == StreamSplitter::ABORT ) return false; @@ -153,7 +155,7 @@ static bool paf_callback ( //-------------------------------------------------------------------- static inline bool paf_eval ( - StreamSplitter* ss, PAF_State* ps, PafAux& px, Flow* ssn, + StreamSplitter* ss, PAF_State* ps, PafAux& px, Packet* pkt, uint32_t flags, const uint8_t* data, uint32_t len) { uint16_t fuzz = 0; // FIXIT-L PAF add a little zippedy-do-dah @@ -163,7 +165,7 @@ static inline bool paf_eval ( case StreamSplitter::SEARCH: if ( px.len > px.idx ) { - return paf_callback(ss, ps, px, ssn, data, len, flags); + return paf_callback(ss, ps, px, pkt, data, len, flags); } return false; @@ -174,7 +176,7 @@ static inline bool paf_eval ( ps->paf = StreamSplitter::SEARCH; return true; } - if ( px.len >= ss->max(ssn) + fuzz ) + if ( px.len >= ss->max(pkt->flow) + fuzz ) { px.ft = FT_MAX; return false; @@ -183,7 +185,7 @@ static inline bool paf_eval ( case StreamSplitter::LIMIT: // if we are within PAF_LIMIT_FUZZ character of paf_max ... - if ( px.len + PAF_LIMIT_FUZZ >= ss->max(ssn) + fuzz) + if ( px.len + PAF_LIMIT_FUZZ >= ss->max(pkt->flow) + fuzz) { px.ft = FT_LIMIT; ps->paf = StreamSplitter::LIMITED; @@ -204,7 +206,7 @@ static inline bool paf_eval ( len -= delta; } px.idx = ps->fpt; - return paf_callback(ss, ps, px, ssn, data, len, flags); + return paf_callback(ss, ps, px, pkt, data, len, flags); } return false; @@ -249,7 +251,7 @@ void paf_clear (PAF_State* ps) //-------------------------------------------------------------------- int32_t paf_check ( - StreamSplitter* ss, PAF_State* ps, Flow* ssn, + StreamSplitter* ss, PAF_State* ps, Packet* pkt, const uint8_t* data, uint32_t len, uint32_t total, uint32_t seq, uint32_t* flags) { @@ -301,7 +303,7 @@ int32_t paf_check ( // unflushed data. uint16_t fuzz = 0; // FIXIT-L PAF add a little zippedy-do-dah - if ( total >= MAX_PAF_MAX && total > ss->max(ssn) + fuzz ) + if ( total >= MAX_PAF_MAX && total > ss->max(pkt->flow) + fuzz ) { px.len = MAX_PAF_MAX + fuzz; len = len + px.len - total; @@ -316,7 +318,7 @@ int32_t paf_check ( px.ft = FT_NOP; uint32_t idx = px.idx; - bool cont = paf_eval(ss, ps, px, ssn, *flags, data, len); + bool cont = paf_eval(ss, ps, px, pkt, *flags, data, len); if ( px.ft != FT_NOP ) { @@ -341,7 +343,7 @@ int32_t paf_check ( if ( ps->paf == StreamSplitter::ABORT ) *flags = 0; - else if ( (ps->paf != StreamSplitter::FLUSH) && (px.len > ss->max(ssn)+fuzz) ) + else if ( (ps->paf != StreamSplitter::FLUSH) && (px.len > ss->max(pkt->flow)+fuzz) ) { px.ft = FT_MAX; uint32_t fp = paf_flush(ps, px, flags); diff --git a/src/stream/paf.h b/src/stream/paf.h index a8dce40bf..57e947ad3 100644 --- a/src/stream/paf.h +++ b/src/stream/paf.h @@ -29,7 +29,7 @@ namespace snort { -class Flow; +struct Packet; } void* paf_new(unsigned max); // create new paf config (per policy) @@ -72,7 +72,7 @@ inline void paf_jump(PAF_State* ps, uint32_t n) } // called on each in order segment -int32_t paf_check(snort::StreamSplitter* paf_config, PAF_State*, snort::Flow* ssn, +int32_t paf_check(snort::StreamSplitter* paf_config, PAF_State*, snort::Packet* p, const uint8_t* data, uint32_t len, uint32_t total, uint32_t seq, uint32_t* flags); #endif diff --git a/src/stream/stream_splitter.cc b/src/stream/stream_splitter.cc index 6eb2984d4..f61892b71 100644 --- a/src/stream/stream_splitter.cc +++ b/src/stream/stream_splitter.cc @@ -70,7 +70,7 @@ AtomSplitter::AtomSplitter(bool b, uint16_t sz) : StreamSplitter(b) } StreamSplitter::Status AtomSplitter::scan( - Flow*, const uint8_t*, uint32_t len, uint32_t, uint32_t* fp) + Packet*, const uint8_t*, uint32_t len, uint32_t, uint32_t* fp) { bytes += len; segs++; @@ -100,7 +100,7 @@ void AtomSplitter::update() LogSplitter::LogSplitter(bool b) : StreamSplitter(b) { } -StreamSplitter::Status LogSplitter::scan(Flow*, const uint8_t*, uint32_t len, uint32_t, +StreamSplitter::Status LogSplitter::scan(Packet*, const uint8_t*, uint32_t len, uint32_t, uint32_t* fp) { *fp = len; @@ -111,10 +111,11 @@ StreamSplitter::Status LogSplitter::scan(Flow*, const uint8_t*, uint32_t len, ui // stop-and-wait splitter //-------------------------------------------------------------------------- -StreamSplitter::Status StopAndWaitSplitter::scan(Flow* flow, const uint8_t*, uint32_t len, +StreamSplitter::Status StopAndWaitSplitter::scan(Packet* pkt, const uint8_t*, uint32_t len, uint32_t, uint32_t*) { - StopAndWaitSplitter* peer = (StopAndWaitSplitter*)Stream::get_splitter(flow, !to_server()); + assert(pkt); + StopAndWaitSplitter* peer = (StopAndWaitSplitter*)Stream::get_splitter(pkt->flow, !to_server()); if ( peer and peer->saw_data() ) { diff --git a/src/stream/stream_splitter.h b/src/stream/stream_splitter.h index 63d0bbd48..64d2e93fa 100644 --- a/src/stream/stream_splitter.h +++ b/src/stream/stream_splitter.h @@ -25,6 +25,7 @@ namespace snort { class Flow; +struct Packet; struct StreamBuffer { @@ -54,7 +55,7 @@ public: // (scan (reassemble)*)* finish (reassemble)* virtual Status scan( - Flow*, + Packet*, const uint8_t* data, // in order segment data as it arrives uint32_t len, // length of data uint32_t flags, // packet flags indicating direction of data @@ -103,7 +104,7 @@ class AtomSplitter : public StreamSplitter public: AtomSplitter(bool, uint16_t size = 0); - Status scan(Flow*, const uint8_t*, uint32_t, uint32_t, uint32_t*) override; + Status scan(Packet*, const uint8_t*, uint32_t, uint32_t, uint32_t*) override; void update() override; private: @@ -124,7 +125,7 @@ class LogSplitter : public StreamSplitter public: LogSplitter(bool); - Status scan(Flow*, const uint8_t*, uint32_t, uint32_t, uint32_t*) override; + Status scan(Packet*, const uint8_t*, uint32_t, uint32_t, uint32_t*) override; }; //------------------------------------------------------------------------- @@ -135,7 +136,7 @@ class StopAndWaitSplitter : public StreamSplitter public: StopAndWaitSplitter(bool b) : StreamSplitter(b) { } - Status scan(Flow*, const uint8_t*, uint32_t, uint32_t, uint32_t*) override; + Status scan(Packet*, const uint8_t*, uint32_t, uint32_t, uint32_t*) override; private: bool saw_data() diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc index 4ba25cc72..f9df889a4 100644 --- a/src/stream/tcp/tcp_reassembler.cc +++ b/src/stream/tcp/tcp_reassembler.cc @@ -878,7 +878,7 @@ uint32_t TcpReassembler::get_forward_packet_dir(TcpReassemblerState&, const Pack // see flush_pdu_ackd() for details // the key difference is that we operate on forward moving data // because we don't wait until it is acknowledged -int32_t TcpReassembler::flush_pdu_ips(TcpReassemblerState& trs, uint32_t* flags) +int32_t TcpReassembler::flush_pdu_ips(TcpReassemblerState& trs, uint32_t* flags, Packet* p) { DeepProfile profile(s5TcpPAFPerfStats); @@ -904,9 +904,11 @@ int32_t TcpReassembler::flush_pdu_ips(TcpReassemblerState& trs, uint32_t* flags) continue; } + assert(trs.sos.session->flow == p->flow); + flush_pt = paf_check( - trs.tracker->splitter, &trs.tracker->paf_state, trs.sos.session->flow, - tsn->payload(), size, total, tsn->c_seq, flags); + trs.tracker->splitter, &trs.tracker->paf_state, p, tsn->payload(), + size, total, tsn->c_seq, flags); if (flush_pt >= 0) { @@ -951,7 +953,7 @@ void TcpReassembler::fallback(TcpReassemblerState& trs) // - if we partially scan a segment we must save state so we // know where we left off and can resume scanning the remainder -int32_t TcpReassembler::flush_pdu_ackd(TcpReassemblerState& trs, uint32_t* flags) +int32_t TcpReassembler::flush_pdu_ackd(TcpReassemblerState& trs, uint32_t* flags, Packet* p) { DeepProfile profile(s5TcpPAFPerfStats); @@ -979,10 +981,12 @@ int32_t TcpReassembler::flush_pdu_ackd(TcpReassemblerState& trs, uint32_t* flags if ( SEQ_GT(end, trs.tracker->r_win_base)) size = trs.tracker->r_win_base - tsn->c_seq; + assert(trs.sos.session->flow == p->flow); + total += size; flush_pt = paf_check( - trs.tracker->splitter, &trs.tracker->paf_state, trs.sos.session->flow, - tsn->payload(), size, total, tsn->c_seq, flags); + trs.tracker->splitter, &trs.tracker->paf_state, p, tsn->payload(), + size, total, tsn->c_seq, flags); if ( flush_pt >= 0 ) { @@ -1028,7 +1032,7 @@ int TcpReassembler::flush_on_data_policy(TcpReassemblerState& trs, Packet* p) case STREAM_FLPOLICY_ON_DATA: { uint32_t flags = get_forward_packet_dir(trs, p); - int32_t flush_amt = flush_pdu_ips(trs, &flags); + int32_t flush_amt = flush_pdu_ips(trs, &flags, p); while ( flush_amt >= 0 ) { @@ -1041,7 +1045,7 @@ int TcpReassembler::flush_on_data_policy(TcpReassemblerState& trs, Packet* p) flushed += this_flush; flags = get_forward_packet_dir(trs, p); - flush_amt = flush_pdu_ips(trs, &flags); + flush_amt = flush_pdu_ips(trs, &flags, p); } if ( !flags && trs.tracker->splitter->is_paf() ) @@ -1069,7 +1073,7 @@ int TcpReassembler::flush_on_ack_policy(TcpReassemblerState& trs, Packet* p) case STREAM_FLPOLICY_ON_ACK: { uint32_t flags = get_reverse_packet_dir(trs, p); - int32_t flush_amt = flush_pdu_ackd(trs, &flags); + int32_t flush_amt = flush_pdu_ackd(trs, &flags, p); while (flush_amt >= 0) { @@ -1085,7 +1089,7 @@ int TcpReassembler::flush_on_ack_policy(TcpReassemblerState& trs, Packet* p) { purge_to_seq(trs, trs.sos.seglist_base_seq); flags = get_reverse_packet_dir(trs, p); - flush_amt = flush_pdu_ackd(trs, &flags); + flush_amt = flush_pdu_ackd(trs, &flags, p); } else break; // bail if nothing flushed diff --git a/src/stream/tcp/tcp_reassembler.h b/src/stream/tcp/tcp_reassembler.h index 68283de92..bbb221b75 100644 --- a/src/stream/tcp/tcp_reassembler.h +++ b/src/stream/tcp/tcp_reassembler.h @@ -80,9 +80,9 @@ protected: void final_flush(TcpReassemblerState&, snort::Packet*, uint32_t dir); uint32_t get_reverse_packet_dir(TcpReassemblerState&, const snort::Packet*); uint32_t get_forward_packet_dir(TcpReassemblerState&, const snort::Packet*); - int32_t flush_pdu_ips(TcpReassemblerState&, uint32_t*); + int32_t flush_pdu_ips(TcpReassemblerState&, uint32_t*, snort::Packet*); void fallback(TcpReassemblerState&); - int32_t flush_pdu_ackd(TcpReassemblerState&, uint32_t* flags); + int32_t flush_pdu_ackd(TcpReassemblerState&, uint32_t* flags, snort::Packet*); int purge_to_seq(TcpReassemblerState&, uint32_t flush_seq); bool next_no_gap(TcpSegmentNode&); diff --git a/src/stream/test/stream_splitter_test.cc b/src/stream/test/stream_splitter_test.cc index fe59e6519..2535a2c7f 100644 --- a/src/stream/test/stream_splitter_test.cc +++ b/src/stream/test/stream_splitter_test.cc @@ -44,6 +44,8 @@ SnortConfig* SnortConfig::get_conf() static StreamSplitter* next_splitter = nullptr; Flow::Flow() = default; +Packet::Packet(bool) { } +Packet::~Packet() { } struct Packet* DetectionEngine::get_current_packet() { return nullptr; } @@ -139,7 +141,7 @@ TEST(other_splitter, log) TEST(other_splitter, stop_and_wait) { - Flow flow; + Packet pkt(false); StopAndWaitSplitter cs(false); StopAndWaitSplitter ss(true); @@ -147,19 +149,19 @@ TEST(other_splitter, stop_and_wait) uint32_t fp = 0; next_splitter = &ss; - CHECK(cs.scan(nullptr, nullptr, 123, 0, &fp) == StreamSplitter::SEARCH); + CHECK(cs.scan(&pkt, nullptr, 123, 0, &fp) == StreamSplitter::SEARCH); CHECK(fp == 0); CHECK(flushed == 0); next_splitter = &cs; - CHECK(ss.scan(nullptr, nullptr, 456, 0, &fp) == StreamSplitter::SEARCH); + CHECK(ss.scan(&pkt, nullptr, 456, 0, &fp) == StreamSplitter::SEARCH); CHECK(fp == 0); CHECK(flushed == 1); next_splitter = &ss; - CHECK(cs.scan(nullptr, nullptr, 123, 0, &fp) == StreamSplitter::SEARCH); + CHECK(cs.scan(&pkt, nullptr, 123, 0, &fp) == StreamSplitter::SEARCH); CHECK(fp == 0); CHECK(flushed == 2); } diff --git a/src/stream/user/user_session.cc b/src/stream/user/user_session.cc index 6cad140c1..b64b3200a 100644 --- a/src/stream/user/user_session.cc +++ b/src/stream/user/user_session.cc @@ -182,7 +182,7 @@ int UserTracker::scan(Packet* p, uint32_t& flags) trace_logf(stream_user, "scan[%d]\n", len); int32_t flush_amt = paf_check( - splitter, &paf_state, p->flow, us->get_unused_data(), len, + splitter, &paf_state, p, us->get_unused_data(), len, total, paf_state.seq, &flags); if ( flush_amt >= 0 )