From: Russ Combs Date: Fri, 21 Oct 2016 20:54:59 +0000 (-0400) Subject: refactor, establish DetectionEngine class X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96347da1d13c9a014c2ccb2853d9b91419b9e97a;p=thirdparty%2Fsnort3.git refactor, establish DetectionEngine class --- diff --git a/extra/src/inspectors/http_server/hi_main.cc b/extra/src/inspectors/http_server/hi_main.cc index 57c0ffe64..c74315c3d 100644 --- a/extra/src/inspectors/http_server/hi_main.cc +++ b/extra/src/inspectors/http_server/hi_main.cc @@ -53,7 +53,8 @@ #include "hi_main.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" +#include "detection/detection_util.h" #include "file_api/file_flows.h" #include "log/messages.h" #include "log/unified2.h" @@ -611,7 +612,6 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) DisableDetect(); return 0; } - // see comments on call to snort_detect() below { ProfileExclude exclude(hiPerfStats); get_data_bus().publish(PACKET_EVENT, p); @@ -1107,7 +1107,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) */ { Profile exclude(hiPerfStats); - snort_detect(p); + DetectionEngine::process(p); } /* @@ -1120,7 +1120,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( iCallDetect == 0 ) { - /* snort_detect called at least once from above pkt processing loop. */ + // DetectionEngine::process called at least once from above pkt processing loop. // FIXIT-M this throws off nfp rules like this: // alert tcp any any -> any any ( sid:1; msg:"1"; flags:S; ) // (check shutdown counts) diff --git a/src/detection/CMakeLists.txt b/src/detection/CMakeLists.txt index 6ff9a8953..fffbc7202 100644 --- a/src/detection/CMakeLists.txt +++ b/src/detection/CMakeLists.txt @@ -2,6 +2,8 @@ set (DETECTION_INCLUDES detect.h detection_defines.h + detection_engine.h + detection_options.h detection_util.h ips_context.h rule_option_types.h 
@@ -15,6 +17,7 @@ add_library (detection STATIC context_switcher.cc context_switcher.h detect.cc + detection_engine.cc detection_options.cc detection_options.h detection_util.cc diff --git a/src/detection/Makefile.am b/src/detection/Makefile.am index 5ff947845..e8b51bb3a 100644 --- a/src/detection/Makefile.am +++ b/src/detection/Makefile.am @@ -6,6 +6,8 @@ x_includedir = $(pkgincludedir)/detection x_include_HEADERS = \ detect.h \ detection_defines.h \ +detection_engine.h \ +detection_options.h \ detection_util.h \ ips_context.h \ rule_option_types.h \ @@ -17,6 +19,7 @@ libdetection_a_SOURCES = \ context_switcher.cc \ context_switcher.h \ detect.cc \ +detection_engine.cc \ detection_options.cc \ detection_options.h \ detection_util.cc \ diff --git a/src/detection/detect.cc b/src/detection/detect.cc index d11b5189e..c4439ddb5 100644 --- a/src/detection/detect.cc +++ b/src/detection/detect.cc @@ -17,11 +17,11 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -/* Dan Roelker -** Marc Norton -** NOTES -** 5.7.02: Added interface for new detection engine. (Norton/Roelker) + +/* Dan Roelker +** Marc Norton ** +** 5.7.02: Added interface for new detection engine. (Norton/Roelker) */ #ifdef HAVE_CONFIG_H @@ -44,9 +44,9 @@ #include "utils/stats.h" #include "detection_defines.h" +#include "detection_engine.h" #include "fp_detect.h" #include "tag.h" -#include "treenodes.h" #define CHECK_SRC_IP 0x01 #define CHECK_DST_IP 0x02 @@ -108,7 +108,7 @@ void snort_inspect(Packet* p) Active::apply_delayed_action(p); if ( do_detect ) - snort_detect(p); + DetectionEngine::process(p); } check_tags_flag = 1; 
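Review bot: In the detect.cc `@@ -108` hunk, `snort_inspect` now calls `DetectionEngine::process(p)` unconditionally, while the `snort_detect` deleted later in this diff carried the guards that protected `fpEvalPacket`: the null / `ip_api.is_valid()` check, the `PKT_PASS_RULE` early return and the `PacketLatency::fastpath()` bail-out. `DetectionEngine::process` itself is not in this chunk, so it cannot be confirmed here that those checks moved with it; if the pass-rule check was dropped, a packet already matched by a pass rule would be re-evaluated against the rule set. A one-line comment at the call site naming where those guards now live, e.g. `// null / pass-rule / latency-fastpath guards are applied inside DetectionEngine::process`, would make the contract visible to the next reader. The `#include "treenodes.h"` removal in the `@@ -44` hunk is presumably only safe if nothing remaining in detect.cc relied on it transitively — worth a build of this TU alone to confirm.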
@@ -237,62 +237,6 @@ int CheckTagging(Packet* p) return 0; } -/**************************************************************************** - * - * Function: snort_detect(Packet *) - * - * Purpose: Apply the rules lists to the current packet - * - * Arguments: p => ptr to the decoded packet struct - * - * Returns: 1 == detection event - * 0 == no detection - * - ***************************************************************************/ -bool snort_detect(Packet* p) -{ - Profile profile(detectPerfStats); - - if ((p == NULL) || !p->ptrs.ip_api.is_valid()) - { - return false; - } - - if (p->packet_flags & PKT_PASS_RULE) - { - /* If we've already seen a pass rule on this, - * no need to continue do inspection. - */ - return false; - } - - // FIXIT-M restrict detect to current ip layer - // Curently, if a rule is found on any IP layer, we perform the detect routine - // on the entire packet. Instead, we should only perform detect on that layer!! - switch ( p->type() ) - { - case PktType::IP: - case PktType::TCP: - case PktType::UDP: - case PktType::ICMP: - case PktType::PDU: - case PktType::FILE: - { - if ( PacketLatency::fastpath() ) - return false; - - /* - ** This is where we short circuit so - ** that we can do IP checks. - */ - return fpEvalPacket(p); - } - - default: - return false; - } -} - static int CheckAddrPort( sfip_var_t* rule_addr, PortObject* po, diff --git a/src/detection/detect.h b/src/detection/detect.h index 1c1342ae2..1915d45c5 100644 --- a/src/detection/detect.h +++ b/src/detection/detect.h @@ -42,9 +42,6 @@ void snort_ignore(Packet*); void snort_inspect(Packet*); void snort_log(Packet*); -// detection only (no decode or inspection) -SO_PUBLIC bool snort_detect(Packet*); - // parsing int RuleListEnd(Packet*, RuleTreeNode*, RuleFpList*, int); int OptListEnd(void* option_data, class Cursor&, Packet*); diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index 121a529e8..7b8ba6302 100644 --- a/src/detection/fp_detect.cc 
+++ b/src/detection/fp_detect.cc @@ -1214,12 +1214,7 @@ static void fpEvalPacketUdp(Packet* p) } /* -** -** NAME -** fpEvalPacket:: -** ** DESCRIPTION -** This function is the interface to the snort_detect() routine. ** the IP protocol is processed. If it is TCP, UDP, or ICMP, we ** process the both that particular ruleset and the IP ruleset ** with in the fpEvalHeader for that protocol. If the protocol @@ -1236,7 +1231,6 @@ static void fpEvalPacketUdp(Packet* p) ** ** FORMAL OUTPUT ** int - 0 means that packet has been processed. -** */ int fpEvalPacket(Packet* p) { diff --git a/src/events/event_queue.cc b/src/events/event_queue.cc index be0eddb14..62d7fea46 100644 --- a/src/events/event_queue.cc +++ b/src/events/event_queue.cc @@ -58,6 +58,7 @@ #include "event_queue.h" +#include "detection/detection_engine.h" #include "detection/fp_detect.h" #include "filters/sfthreshold.h" #include "log/messages.h" @@ -109,7 +110,7 @@ int SnortEventqAdd(const OptTreeNode* otn) return 0; } - SF_EVENTQ* pq = Snort::get_event_queue(); + SF_EVENTQ* pq = DetectionEngine::get_event_queue(); EventNode* en = (EventNode*)sfeventq_event_alloc(pq); if ( !en ) @@ -134,7 +135,7 @@ int SnortEventqAdd(uint32_t gid, uint32_t sid, RuleType type) if ( !otn ) return 0; - SF_EVENTQ* pq = Snort::get_event_queue(); + SF_EVENTQ* pq = DetectionEngine::get_event_queue(); EventNode* en = (EventNode*)sfeventq_event_alloc(pq); if ( !en ) @@ -190,7 +191,7 @@ static int LogSnortEvents(void* event, void* user) */ int SnortEventqLog(Packet* p) { - SF_EVENTQ* pq = Snort::get_event_queue(); + SF_EVENTQ* pq = DetectionEngine::get_event_queue(); sfeventq_action(pq, LogSnortEvents, (void*)p); return 0; } @@ -208,7 +209,7 @@ void SnortEventqResetCounts() void SnortEventqReset() { - SF_EVENTQ* pq = Snort::get_event_queue(); + SF_EVENTQ* pq = DetectionEngine::get_event_queue(); sfeventq_reset(pq); reset_counts(); } diff --git a/src/events/event_wrapper.cc b/src/events/event_wrapper.cc index 88d8e9cd0..fc288b0db 100644 
--- a/src/events/event_wrapper.cc +++ b/src/events/event_wrapper.cc @@ -55,17 +55,14 @@ */ uint32_t GenerateSnortEvent(Packet* p, uint32_t gid, uint32_t sid) { - OptTreeNode* otn; - RuleTreeNode* rtn; + OptTreeNode* otn = GetOTN(gid, sid); - otn = GetOTN(gid, sid); - - if (otn == NULL) + if ( !otn ) return 0; - rtn = getRuntimeRtnFromOtn(otn); + RuleTreeNode* rtn = getRuntimeRtnFromOtn(otn); - if (rtn == NULL) + if ( !rtn ) return 0; fpLogEvent(rtn, otn, p); diff --git a/src/file_api/file_service.cc b/src/file_api/file_service.cc index ac62f0b84..d2b1c7a9b 100644 --- a/src/file_api/file_service.cc +++ b/src/file_api/file_service.cc @@ -42,6 +42,7 @@ bool FileService::file_type_id_enabled = false; bool FileService::file_signature_enabled = false; bool FileService::file_capture_enabled = false; bool FileService::file_processing_initiated = false; + FileEnforcer* FileService::file_enforcer = nullptr; FileCache* FileService::file_cache = nullptr; diff --git a/src/main/policy.cc b/src/main/policy.cc index cd336a9dc..3b0f61b38 100644 --- a/src/main/policy.cc +++ b/src/main/policy.cc @@ -23,7 +23,7 @@ #include "policy.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" #include "managers/inspector_manager.h" #include "parser/vars.h" #include "ports/port_var_table.h" @@ -62,7 +62,7 @@ public: AltPktHandler() { } void handle(DataEvent& e, Flow*) - { snort_detect((Packet*)e.get_packet()); } // FIXIT-L not const! + { DetectionEngine::process((Packet*)e.get_packet()); } // FIXIT-L not const! }; InspectionPolicy::InspectionPolicy() diff --git a/src/main/snort.cc b/src/main/snort.cc index 12c8e94f4..6dc3154fc 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc 
@@ -31,7 +31,7 @@ #include "connectors/connectors.h" #include "decompress/file_decomp.h" #include "detection/context_switcher.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" #include "detection/detection_util.h" #include "detection/fp_config.h" #include "detection/fp_detect.h" @@ -107,6 +107,9 @@ static THREAD_LOCAL uint8_t s_data[65536]; static THREAD_LOCAL Packet* s_packet = nullptr; static THREAD_LOCAL ContextSwitcher* s_switcher = nullptr; +ContextSwitcher* Snort::get_switcher() +{ return s_switcher; } + //------------------------------------------------------------------------- // perf stats // FIXIT-M move these to appropriate modules @@ -728,59 +731,7 @@ void Snort::thread_term() delete s_switcher; } -DetectionContext::DetectionContext() -{ - s_switcher->interrupt(); -} - -DetectionContext::~DetectionContext() -{ Snort::clear_detect_packet(); } - -Packet* DetectionContext::get_packet() -{ return Snort::get_detect_packet(); } - -SF_EVENTQ* Snort::get_event_queue() -{ - return s_switcher->get_context()->equeue; -} - -Packet* Snort::set_detect_packet() -{ - // we need to stay in the current context until rebuild is successful - // any events while rebuilding will be logged against the current packet - // FIXIT-H bypass the interrupt / complete - const IpsContext* c = s_switcher->interrupt(); - Packet* p = c->packet; - s_switcher->complete(); - - p->pkth = c->pkth; - p->data = c->buf; - p->reset(); - return p; -} - -Packet* Snort::get_detect_packet() -{ - Packet* p = s_switcher->get_context()->packet; - return p; -} - -void Snort::clear_detect_packet() -{ - Packet* p = get_detect_packet(); - SnortEventqLog(p); - SnortEventqReset(); - - if ( p->endianness ) - { - delete p->endianness; - p->endianness = nullptr; - } - - s_switcher->complete(); -} - -void Snort::detect_rebuilt_packet(Packet* p) +void Snort::inspect(Packet* p) { // Need to include this b/c call is outside the detect tree Profile detect_profile(detectPerfStats); 
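Review bot: `Snort::get_switcher()` in the `@@ -107` hunk hands out the `THREAD_LOCAL` raw `s_switcher` pointer with no statement of ownership or lifetime, and the `@@ -728` hunk shows `thread_term()` doing `delete s_switcher;` without resetting it, so a caller that reaches the accessor after thread teardown (or before `thread_init`) appears to get a dangling or null pointer. Since the accessor is new public surface (declared in the snort.h hunk further down), it should say so, e.g. `// non-owning; valid only between thread_init() and thread_term() on the calling thread`. Resetting the pointer after the delete, `delete s_switcher; s_switcher = nullptr;`, would at least turn a use-after-free into a null dereference — that line is context here, not part of this change.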
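Review bot: `Snort::inspect` in the `@@ -728` hunk replaces `detect_rebuilt_packet`, but the new name no longer says what the function is for and it carries no comment; its body continues past the hunk. The `clear_detect_packet` removed here was what flushed the event queue (`SnortEventqLog` / `SnortEventqReset`) and freed `p->endianness`; that work presumably now belongs to the `DetectionEngine` destructor, which is not in this chunk, so the `DetectionEngine de;` scope in the next hunk should be checked to cover both. Suggest a header comment above the definition: `// detection entry for rebuilt / pseudo packets (stream flush, user session); runs main_hook inside a DetectionEngine scope`.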
@@ -789,7 +740,7 @@ void Snort::detect_rebuilt_packet(Packet* p) auto save_do_detect = do_detect; auto save_do_detect_content = do_detect_content; - DetectionContext dc; + DetectionEngine de; main_hook(p); DetectReset(); // FIXIT-H context @@ -812,7 +763,6 @@ DAQ_Verdict Snort::process_packet( set_policy(p); // FIXIT-M should not need this here - /* just throw away the packet if we are configured to ignore this port */ if ( !(p->packet_flags & PKT_IGNORE) ) { DetectReset(); diff --git a/src/main/snort.h b/src/main/snort.h index fe7437245..bee0b9259 100644 --- a/src/main/snort.h +++ b/src/main/snort.h @@ -35,17 +35,7 @@ struct SnortConfig; typedef void (* MainHook_f)(Packet*); -// FIXIT-H this needs to move to detection -class SO_PUBLIC DetectionContext -{ -public: - DetectionContext(); - ~DetectionContext(); - - Packet* get_packet(); -}; - -class SO_PUBLIC Snort +class Snort { public: static SnortConfig* get_reload_config(const char* fname); @@ -66,20 +56,15 @@ public: static void capture_packet(); - // FIXIT-H these need to move to detection - static Packet* set_detect_packet(); - static Packet* get_detect_packet(); - static void clear_detect_packet(); - static void detect_rebuilt_packet(Packet*); - - static struct SF_EVENTQ* get_event_queue(); - static DAQ_Verdict process_packet( Packet*, const DAQ_PktHdr_t*, const uint8_t* pkt, bool is_frag=false); static DAQ_Verdict packet_callback(void*, const DAQ_PktHdr_t*, const uint8_t*); + static void inspect(Packet*); + static void set_main_hook(MainHook_f); + static class ContextSwitcher* get_switcher(); SO_PUBLIC static Packet* get_packet(); diff --git a/src/service_inspectors/dce_rpc/dce_co.cc b/src/service_inspectors/dce_rpc/dce_co.cc index d641d52ef..687f5c31a 100644 --- a/src/service_inspectors/dce_rpc/dce_co.cc +++ b/src/service_inspectors/dce_rpc/dce_co.cc 
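Review bot: Dropping `SO_PUBLIC` from `class Snort` in the snort.h `@@ -35` hunk un-exports every static member except `get_packet()`, which keeps its own `SO_PUBLIC`; in-tree callers such as tcp_reassembler.cc are fine, but any dynamically loaded plugin that still calls `Snort::process_packet` or the new `Snort::inspect` will fail to resolve the symbol at load time. The extra/ inspector in this diff was switched to `DetectionEngine::process`, which suggests this is intended; if so, a one-line comment on the class, `// not exported: plugins drive detection through DetectionEngine`, would record the decision, otherwise `inspect` needs the same `SO_PUBLIC` treatment as `get_packet`.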
@@ -25,8 +25,8 @@ #include "dce_co.h" +#include "detection/detection_engine.h" #include "main/snort_debug.h" -#include "main/snort.h" #include "utils/util.h" #include "dce_smb.h" @@ -1317,7 +1317,7 @@ static Packet* dce_co_reassemble(DCE2_SsnData* sd, DCE2_CoTracker* cot, ********************************************************************/ static void DCE2_CoReassemble(DCE2_SsnData* sd, DCE2_CoTracker* cot, DCE2_CoRpktType co_rtype) { - DetectionContext dc; + DetectionEngine de; DceRpcCoHdr* co_hdr = nullptr; Packet* rpkt = dce_co_reassemble(sd,cot,co_rtype,&co_hdr); @@ -2165,7 +2165,7 @@ static Packet* DCE2_CoGetSegRpkt(DCE2_SsnData* sd, ********************************************************************/ static void DCE2_CoSegDecode(DCE2_SsnData* sd, DCE2_CoTracker* cot, DCE2_CoSeg* seg) { - DetectionContext dc; + DetectionEngine de; const uint8_t* frag_ptr = nullptr; uint16_t frag_len = 0; diff --git a/src/service_inspectors/dce_rpc/dce_common.cc b/src/service_inspectors/dce_rpc/dce_common.cc index 60dd424c9..283d0ad60 100644 --- a/src/service_inspectors/dce_rpc/dce_common.cc +++ b/src/service_inspectors/dce_rpc/dce_common.cc @@ -24,10 +24,10 @@ #include "dce_common.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" #include "ips_options/extract.h" #include "log/messages.h" -#include "main/snort.h" +#include "main/snort_debug.h" #include "utils/safec.h" #include "dce_smb_utils.h" @@ -194,7 +194,7 @@ static void dce2_protocol_detect(DCE2_SsnData* sd, Packet* pkt) // FIXIT-M add HTTP case when these are ported // Same for all other instances of profiling - snort_detect(pkt); + DetectionEngine::process(pkt); dce2_detected = 1; } 
@@ -204,11 +204,11 @@ void DCE2_Detect(DCE2_SsnData* sd) if ( using_rpkt ) { using_rpkt = false; - DetectionContext dc; + DetectionEngine de; DCE2_Detect(sd); return; } - Packet* top_pkt = Snort::get_detect_packet(); + Packet* top_pkt = DetectionEngine::get_current_packet(); DCE2_PrintRoptions(&sd->ropts); DebugMessage(DEBUG_DCE_COMMON, "Payload:\n"); @@ -365,7 +365,7 @@ static void dce2_fill_rpkt_info(Packet* rpkt, Packet* p) Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, const uint8_t* data, uint32_t data_len) { - Packet* rpkt = Snort::set_detect_packet(); + Packet* rpkt = DetectionEngine::set_packet(); dce2_fill_rpkt_info(rpkt, p); uint16_t data_overhead = 0; diff --git a/src/service_inspectors/dce_rpc/dce_smb_utils.cc b/src/service_inspectors/dce_rpc/dce_smb_utils.cc index e446c65cf..a38501f00 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_utils.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_utils.cc @@ -25,7 +25,7 @@ #include "dce_smb_utils.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" #include "detection/detection_util.h" #include "main/snort.h" #include "packet_io/active.h" @@ -1982,15 +1982,15 @@ void DCE2_SmbProcessFileData(DCE2_SmbSsnData* ssd, void DCE2_FileDetect() { - Packet* top_pkt = Snort::set_detect_packet(); - DetectionContext dc; + Packet* top_pkt = DetectionEngine::set_packet(); + DetectionEngine de; DebugMessage(DEBUG_DCE_SMB, "Payload:\n"); DCE2_PrintPktData(top_pkt->data, top_pkt->dsize); Profile profile(dce2_smb_pstat_smb_file_detect); - snort_detect(top_pkt); + DetectionEngine::process(top_pkt); // Reset file data pointer after detecting set_file_data(nullptr, 0); diff --git a/src/service_inspectors/dce_rpc/dce_udp_processing.cc b/src/service_inspectors/dce_rpc/dce_udp_processing.cc index 4a8dc7034..ec7e4a0f2 100644 --- a/src/service_inspectors/dce_rpc/dce_udp_processing.cc +++ b/src/service_inspectors/dce_rpc/dce_udp_processing.cc 
@@ -32,9 +32,9 @@ #include "dce_udp.h" +#include "detection/detection_engine.h" #include "flow/session.h" #include "main/snort_debug.h" -#include "main/snort.h" #include "utils/safec.h" #include "utils/util.h" @@ -558,7 +558,7 @@ static int DCE2_ClFragCompare(const void* a, const void* b) static void DCE2_ClFragReassemble( DCE2_SsnData* sd, DCE2_ClActTracker* at, const DceRpcClHdr* cl_hdr) { - DetectionContext dc; + DetectionEngine de; uint8_t dce2_cl_rbuf[IP_MAXPACKET]; DCE2_ClFragTracker* ft = &at->frag_tracker; diff --git a/src/service_inspectors/dnp3/dnp3_reassembly.cc b/src/service_inspectors/dnp3/dnp3_reassembly.cc index 917a9968d..a613492e7 100644 --- a/src/service_inspectors/dnp3/dnp3_reassembly.cc +++ b/src/service_inspectors/dnp3/dnp3_reassembly.cc @@ -26,7 +26,7 @@ #include "dnp3_reassembly.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "protocols/packet.h" @@ -411,7 +411,7 @@ bool dnp3_full_reassembly(dnp3ProtoConf& config, dnp3_session_data_t* session, P { { ProfileExclude profile_exclude(dnp3_perf_stats); - snort_detect(packet); + DetectionEngine::process(packet); } /* Since detection was done, reset reassembly state to avoid double alerts diff --git a/src/service_inspectors/ftp_telnet/ftp.cc b/src/service_inspectors/ftp_telnet/ftp.cc index 816ee13e1..ffa3aebd3 100644 --- a/src/service_inspectors/ftp_telnet/ftp.cc +++ b/src/service_inspectors/ftp_telnet/ftp.cc 
@@ -113,12 +113,11 @@ static int SnortFTP( if ( ret == FTPP_SUCCESS ) { ProfileExclude exclude(ftpPerfStats); - // Ideally, snort_detect(), called from do_detection, will look at - // the cmd & param buffers, or the rsp & msg buffers. Current - // architecture does not support this... - // So, we call do_detection() here. Otherwise, we'd call it - // from inside check_ftp -- each time we process a pipelined - // FTP command. + + // FIXIT-L ideally do_detection will look at the cmd & param buffers + // or the rsp & msg buffers. We should call it from inside check_ftp + // each time we process a pipelined FTP command. + do_detection(p); } diff --git a/src/stream/stream.cc b/src/stream/stream.cc index 31cc698da..fe4f1b41e 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -25,6 +25,7 @@ #include +#include "detection/detection_engine.h" #include "flow/flow_control.h" #include "flow/flow_key.h" #include "flow/ha.h" @@ -352,10 +353,10 @@ void Stream::purge_flows() // FIXIT-H stream tcp needs to do this and prep pkt to handle // shutdown alerts while rebuilding (during flush before a // rebuilt packet is available) - Snort::set_detect_packet(); - DetectionContext dc; + DetectionEngine::set_packet(); + DetectionEngine de; // this is a hack to work around the above issue - DAQ_PktHdr_t* ph = (DAQ_PktHdr_t*)dc.get_packet()->pkth; + DAQ_PktHdr_t* ph = (DAQ_PktHdr_t*)de.get_packet()->pkth; memset(ph, 0, sizeof(*ph)); flow_con->purge_flows(PktType::IP); diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc index f9ae6bb24..0bd078496 100644 --- a/src/stream/tcp/tcp_reassembler.cc +++ b/src/stream/tcp/tcp_reassembler.cc @@ -28,6 +28,7 @@ #include "log/log.h" #include "main/snort.h" #include "profiler/profiler.h" +#include "detection/detection_engine.h" #include "protocols/packet_manager.h" #include "tcp_module.h" 
@@ -596,6 +597,8 @@ int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags) Profile profile(s5TcpFlushPerfStats); s5_pkt = Snort::set_detect_packet(); + s5_pkt = DetectionEngine::set_packet(); + DAQ_PktHdr_t pkth; session->GetPacketHeaderFoo(&pkth, pkt_flags); @@ -664,7 +667,7 @@ int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags) tcpStats.rebuilt_bytes += flushed_bytes; ProfileExclude profile_exclude(s5TcpFlushPerfStats); - Snort::detect_rebuilt_packet(s5_pkt); + Snort::inspect(s5_pkt); } else { diff --git a/src/stream/user/user_session.cc b/src/stream/user/user_session.cc index 362ad1c3b..df7513e82 100644 --- a/src/stream/user/user_session.cc +++ b/src/stream/user/user_session.cc @@ -149,7 +149,7 @@ void UserTracker::detect(const Packet* p, const StreamBuffer* sb, uint32_t flags up.packet_flags |= (p->packet_flags & (PKT_STREAM_EST|PKT_STREAM_UNEST_UNI)); trace_logf(stream_user, "detect[%d]\n", up.dsize); - Snort::detect_rebuilt_packet(&up); + Snort::inspect(&up); } int UserTracker::scan(Packet* p, uint32_t& flags)
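Review bot: In the tcp_reassembler.cc `@@ -596` hunk the old `s5_pkt = Snort::set_detect_packet();` is kept as a context line (the counts, 6 → 8 with no `-` line, show it was not removed) and the new `s5_pkt = DetectionEngine::set_packet();` is added directly after it, so `_flush_to_seq` now calls both. `Snort::set_detect_packet` is deleted from snort.h and snort.cc in this same commit, so this file should not compile as patched; and even if it did, the rebuilt packet would be set up twice. The old line should be removed so only `s5_pkt = DetectionEngine::set_packet();` remains. `_flush_to_seq` begins and ends outside the hunk.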