From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 25 Aug 2020 19:58:49 +0000 (+0000) Subject: Merge pull request #2419 in SNORT/snort3 from ~EBURMAI/snort3:sip_future_session... X-Git-Tag: 3.0.2-6~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fe0b27cf004596f7ec20d28a6108cfe4e634efa;p=thirdparty%2Fsnort3.git Merge pull request #2419 in SNORT/snort3 from ~EBURMAI/snort3:sip_future_session to master Squashed commit of the following: commit a8138a99828ef883106248ea028750845c71e888 Author: Eduard Burmai Date: Tue Aug 25 08:14:58 2020 -0400 appid: Pass snort protocol id instead of appid while creating future flow --- diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc index 3ede28b9b..c37ccb120 100644 --- a/src/network_inspectors/appid/appid_api.cc +++ b/src/network_inspectors/appid/appid_api.cc @@ -348,7 +348,8 @@ bool AppIdApi::is_inspection_needed(const Inspector& inspector) const true); if (appid_inspector and - (inspector.get_service() == appid_inspector->get_ctxt().config.snortId_for_http2)) + (inspector.get_service() == + appid_inspector->get_ctxt().config.snort_proto_ids[PROTO_INDEX_HTTP2])) return true; return false; diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc index 844d27d79..6167801ca 100644 --- a/src/network_inspectors/appid/appid_config.cc +++ b/src/network_inspectors/appid/appid_config.cc 
@@ -52,16 +52,16 @@ OdpContext* AppIdContext::odp_ctxt = nullptr; static void map_app_names_to_snort_ids(SnortConfig* sc, AppIdConfig& config) { - config.snortId_for_unsynchronized = sc->proto_ref->add("unsynchronized"); - config.snortId_for_ftp_data = sc->proto_ref->add("ftp-data"); - config.snortId_for_http2 = sc->proto_ref->add("http2"); - // Have to create SnortProtocolIds during configuration initialization. - sc->proto_ref->add("rexec"); - sc->proto_ref->add("rsh-error"); - sc->proto_ref->add("snmp"); - sc->proto_ref->add("sunrpc"); - sc->proto_ref->add("tftp"); + config.snort_proto_ids[PROTO_INDEX_UNSYNCHRONIZED] = sc->proto_ref->add("unsynchronized"); + config.snort_proto_ids[PROTO_INDEX_FTP_DATA] = sc->proto_ref->add("ftp-data"); + config.snort_proto_ids[PROTO_INDEX_HTTP2] = sc->proto_ref->add("http2"); + config.snort_proto_ids[PROTO_INDEX_REXEC] = sc->proto_ref->add("rexec"); + config.snort_proto_ids[PROTO_INDEX_RSH_ERROR] = sc->proto_ref->add("rsh-error"); + config.snort_proto_ids[PROTO_INDEX_SNMP] = sc->proto_ref->add("snmp"); + config.snort_proto_ids[PROTO_INDEX_SUNRPC] = sc->proto_ref->add("sunrpc"); + config.snort_proto_ids[PROTO_INDEX_TFTP] = sc->proto_ref->add("tftp"); + config.snort_proto_ids[PROTO_INDEX_SIP] = sc->proto_ref->add("sip"); } AppIdConfig::~AppIdConfig() diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h index 08edfe6ab..dadeb0437 100644 --- a/src/network_inspectors/appid/appid_config.h +++ b/src/network_inspectors/appid/appid_config.h @@ -48,6 +48,21 @@ #define MIN_MAX_PKTS_BEFORE_SERVICE_FAIL 5 #define MIN_MAX_PKT_BEFORE_SERVICE_FAIL_IGNORE_BYTES 15 +enum SnortProtoIdIndex +{ + PROTO_INDEX_UNSYNCHRONIZED = 0, + PROTO_INDEX_FTP_DATA, + PROTO_INDEX_HTTP2, + PROTO_INDEX_REXEC, + PROTO_INDEX_RSH_ERROR, + PROTO_INDEX_SNMP, + PROTO_INDEX_SUNRPC, + PROTO_INDEX_TFTP, + PROTO_INDEX_SIP, + + PROTO_INDEX_MAX +}; + class PatternClientDetector; class PatternServiceDetector; 
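Review bot: map_app_names_to_snort_ids now assigns one `snort_proto_ids` slot per `SnortProtoIdIndex` value by hand, and nothing fails the build if an index is later added to the enum without a matching `add()` call here. A detector would then read that slot without it ever having been set. Driving the assignments from a name table whose size is checked against `PROTO_INDEX_MAX` keeps the enum and the registration in step. The table order must follow the enum order declared in appid_config.h.
```cpp
static void map_app_names_to_snort_ids(SnortConfig* sc, AppIdConfig& config)
{
    // Order must match SnortProtoIdIndex.
    static const char* const proto_names[] =
    {
        "unsynchronized", "ftp-data", "http2", "rexec", "rsh-error",
        "snmp", "sunrpc", "tftp", "sip"
    };
    static_assert(sizeof(proto_names) / sizeof(proto_names[0]) == PROTO_INDEX_MAX,
        "every SnortProtoIdIndex needs a protocol name");

    // SnortProtocolIds have to be created during configuration initialization.
    for ( unsigned i = 0; i < PROTO_INDEX_MAX; ++i )
        config.snort_proto_ids[i] = sc->proto_ref->add(proto_names[i]);
}
```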
@@ -75,9 +90,7 @@ public: size_t memcap = 0; bool list_odp_detectors = false; bool log_all_sessions = false; - SnortProtocolId snortId_for_unsynchronized; - SnortProtocolId snortId_for_ftp_data; - SnortProtocolId snortId_for_http2; + SnortProtocolId snort_proto_ids[PROTO_INDEX_MAX]; void show() const; }; diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 82fb40d9a..582169af7 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -88,7 +88,7 @@ AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, AppIdSession* asd = new AppIdSession(proto, ip, port, *inspector, odp_context); asd->flow = p->flow; asd->stats.first_packet_second = p->pkth->ts.tv_sec; - asd->snort_protocol_id = asd->config.snortId_for_unsynchronized; + asd->snort_protocol_id = asd->config.snort_proto_ids[PROTO_INDEX_UNSYNCHRONIZED]; p->flow->set_flow_data(asd); return asd; } diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.cc b/src/network_inspectors/appid/detector_plugins/detector_sip.cc index 24f7b2f03..3b8daad8b 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.cc @@ -177,14 +177,11 @@ struct ServiceSIPData }; void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, const SfIp* cliIp, - uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol, int16_t app_id) + uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol) { - // FIXIT-E: Passing app_id instead of SnortProtocolId to - // create_future_session is incorrect. We need to look up - // snort_protocol_id. - AppIdSession* fp = AppIdSession::create_future_session( - pkt, cliIp, cliPort, srvIp, srvPort, protocol, app_id); + pkt, cliIp, cliPort, srvIp, srvPort, protocol, + asd.config.snort_proto_ids[PROTO_INDEX_SIP]); if ( fp ) { 
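Review bot: `SnortProtocolId snort_proto_ids[PROTO_INDEX_MAX];` has no initializer, while the neighbouring members (`memcap`, `list_odp_detectors`, `log_all_sessions`) all have in-class defaults. Any slot read before map_app_names_to_snort_ids has run therefore holds an indeterminate id, as in the unit test in this commit, which sets only `PROTO_INDEX_HTTP2`. Such a value could compare equal to a real flow's protocol id by accident. I would at least write `SnortProtocolId snort_proto_ids[PROTO_INDEX_MAX] = {};`, or fill the array with `UNKNOWN_PROTOCOL_ID` in the constructor if zero is not the intended "unset" value. The class body starts outside this hunk.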
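Review bot: createRtpFlow now tags the future media flow with `asd.config.snort_proto_ids[PROTO_INDEX_SIP]`, and with the FIXIT comment removed nothing on the new side explains why an RTP flow is registered under the SIP protocol id rather than an RTP one. A short comment above the call would record the decision, for example `// future RTP/RTCP flows are registered under the SIP SnortProtocolId, not an RTP one`. The same applies to the RTCP call in the following hunk. The function body continues outside this hunk.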
@@ -203,7 +200,8 @@ void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, con // create an RTCP flow as well AppIdSession* fp2 = AppIdSession::create_future_session( - pkt, cliIp, cliPort + 1, srvIp, srvPort + 1, protocol, app_id); + pkt, cliIp, cliPort + 1, srvIp, srvPort + 1, protocol, + asd.config.snort_proto_ids[PROTO_INDEX_SIP]); if ( fp2 ) { @@ -238,9 +236,9 @@ void SipServiceDetector::addFutureRtpFlows(SipEvent& event, AppIdSession& asd) while ( media_a && media_b ) { createRtpFlow(asd, event.get_packet(), media_a->get_address(), media_a->get_port(), - media_b->get_address(), media_b->get_port(), IpProtocol::UDP, APP_ID_RTP); + media_b->get_address(), media_b->get_port(), IpProtocol::UDP); createRtpFlow(asd, event.get_packet(), media_b->get_address(), media_b->get_port(), - media_a->get_address(), media_b->get_port(), IpProtocol::UDP, APP_ID_RTP); + media_a->get_address(), media_b->get_port(), IpProtocol::UDP); media_a = session_a->next_media_data(); media_b = session_b->next_media_data(); diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.h b/src/network_inspectors/appid/detector_plugins/detector_sip.h index d4c081f67..9dddfef6b 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.h +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.h @@ -63,7 +63,7 @@ public: private: void createRtpFlow(AppIdSession&, const snort::Packet*, const snort::SfIp* cliIp, - uint16_t cliPort, const snort::SfIp* srvIp, uint16_t srvPort, IpProtocol, int16_t app_id); + uint16_t cliPort, const snort::SfIp* srvIp, uint16_t srvPort, IpProtocol); }; class SipEventHandler : public snort::DataHandler diff --git a/src/network_inspectors/appid/service_plugins/service_ftp.cc b/src/network_inspectors/appid/service_plugins/service_ftp.cc index a8a497345..f5da9064b 100644 --- a/src/network_inspectors/appid/service_plugins/service_ftp.cc +++ b/src/network_inspectors/appid/service_plugins/service_ftp.cc 
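Review bot: `cliPort + 1` and `srvPort + 1` in the RTCP call are derived from `uint16_t` ports that addFutureRtpFlows takes from the SIP media data, so they are peer-controlled. A port of 65535 gives 65536, which would narrow to 0 if create_future_session takes a 16-bit port; its signature is not shown in this diff. Other detectors in this commit pass a literal 0 as the client port, which suggests 0 is not treated as an ordinary port there. I would skip the RTCP expectation in that case by wrapping the block in `if ( cliPort < UINT16_MAX and srvPort < UINT16_MAX )`. The function begins in the previous hunk and continues past this one.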
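Review bot: The second createRtpFlow call in addFutureRtpFlows pairs `media_a->get_address()` with `media_b->get_port()` as the server endpoint, which looks like a copy-paste slip carried over unchanged from the old line. Whenever the two sides advertise different media ports, the reverse-direction future flow is registered on the wrong port and the real stream will not match it. The likely intent is `media_a->get_address(), media_a->get_port(), IpProtocol::UDP);`. The loop body continues outside this hunk.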
@@ -884,15 +884,10 @@ static inline void WatchForCommandResult(ServiceFTPData* fd, AppIdSession& asd, void FtpServiceDetector::create_expected_session(AppIdSession& asd, const Packet* pkt, const SfIp* cliIp, uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol, AppidSessionDirection dir) { - // FIXIT-M - Avoid thread locals - static THREAD_LOCAL SnortProtocolId ftp_data_snort_protocol_id = UNKNOWN_PROTOCOL_ID; - if(ftp_data_snort_protocol_id == UNKNOWN_PROTOCOL_ID) - ftp_data_snort_protocol_id = pkt->context->conf->proto_ref->find("ftp-data"); - bool swap_flow_app_direction = (dir == APP_ID_FROM_RESPONDER) ? true : false; AppIdSession* fp = AppIdSession::create_future_session(pkt, cliIp, cliPort, srvIp, srvPort, - protocol, ftp_data_snort_protocol_id, swap_flow_app_direction); + protocol, asd.config.snort_proto_ids[PROTO_INDEX_FTP_DATA], swap_flow_app_direction); if (fp) // initialize data session { diff --git a/src/network_inspectors/appid/service_plugins/service_rexec.cc b/src/network_inspectors/appid/service_plugins/service_rexec.cc index c3ed30e01..20a2bbdaa 100644 --- a/src/network_inspectors/appid/service_plugins/service_rexec.cc +++ b/src/network_inspectors/appid/service_plugins/service_rexec.cc @@ -123,8 +123,6 @@ int RexecServiceDetector::validate(AppIdDiscoveryArgs& args) uint32_t port = 0; const uint8_t* data = args.data; uint16_t size = args.size; - // FIXIT-M - Avoid thread locals - static THREAD_LOCAL SnortProtocolId rexec_snort_protocol_id = UNKNOWN_PROTOCOL_ID; ServiceREXECData* rd = (ServiceREXECData*)data_get(args.asd); if (!rd) @@ -141,9 +139,6 @@ int RexecServiceDetector::validate(AppIdDiscoveryArgs& args) switch (rd->state) { case REXEC_STATE_PORT: - if(rexec_snort_protocol_id == UNKNOWN_PROTOCOL_ID) - rexec_snort_protocol_id = args.pkt->context->conf->proto_ref->find("rexec"); - if (args.dir != APP_ID_FROM_INITIATOR) goto bail; if (size > REXEC_MAX_PORT_PACKET) 
@@ -167,8 +162,10 @@ int RexecServiceDetector::validate(AppIdDiscoveryArgs& args) dip = args.pkt->ptrs.ip_api.get_dst(); sip = args.pkt->ptrs.ip_api.get_src(); - AppIdSession* pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip, (uint16_t)port, - IpProtocol::TCP, rexec_snort_protocol_id); + AppIdSession* pf = AppIdSession::create_future_session(args.pkt, + dip, 0, sip,(uint16_t)port, IpProtocol::TCP, + args.asd.config.snort_proto_ids[PROTO_INDEX_REXEC]); + if (pf) { ServiceREXECData* tmp_rd = (ServiceREXECData*)snort_calloc( diff --git a/src/network_inspectors/appid/service_plugins/service_rpc.cc b/src/network_inspectors/appid/service_plugins/service_rpc.cc index 2107c3144..31cd6bc07 100644 --- a/src/network_inspectors/appid/service_plugins/service_rpc.cc +++ b/src/network_inspectors/appid/service_plugins/service_rpc.cc @@ -402,19 +402,15 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi pmr = (const ServiceRPCPortmapReply*)data; if (pmr->port) { - // FIXIT-M - Avoid thread locals - static THREAD_LOCAL SnortProtocolId sunrpc_snort_protocol_id = UNKNOWN_PROTOCOL_ID; - - if(sunrpc_snort_protocol_id == UNKNOWN_PROTOCOL_ID) - sunrpc_snort_protocol_id = pkt->context->conf->proto_ref->find("sunrpc"); - const SfIp* dip = pkt->ptrs.ip_api.get_dst(); const SfIp* sip = pkt->ptrs.ip_api.get_src(); tmp = ntohl(pmr->port); AppIdSession* pf = AppIdSession::create_future_session( pkt, dip, 0, sip, (uint16_t)tmp, - (IpProtocol)ntohl((uint32_t)rd->proto), sunrpc_snort_protocol_id); + (IpProtocol)ntohl((uint32_t)rd->proto), + asd.config.snort_proto_ids[PROTO_INDEX_SUNRPC]); + if (pf) { pf->add_flow_data_id((uint16_t)tmp, this); diff --git a/src/network_inspectors/appid/service_plugins/service_rshell.cc b/src/network_inspectors/appid/service_plugins/service_rshell.cc index 0f14d8798..6d375cdba 100644 --- a/src/network_inspectors/appid/service_plugins/service_rshell.cc +++ b/src/network_inspectors/appid/service_plugins/service_rshell.cc 
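Review bot: In the portmap-reply branch of RpcServiceDetector::validate_packet, `tmp = ntohl(pmr->port)` is passed on as `(uint16_t)tmp` with no range check visible between the two. A reply carrying a port above 65535 is silently truncated, and a future session is created for a port the reply never named. Guarding the call with `if (tmp <= UINT16_MAX)` would drop such replies instead. The protocol argument `(IpProtocol)ntohl((uint32_t)rd->proto)` is likewise a wire value cast straight to the enum, and accepting only `IpProtocol::TCP` and `IpProtocol::UDP` would be safer. The rexec hunk above and the rshell hunk below use the same `(uint16_t)port` cast, but their port parsing lies outside the hunks, so any bound there cannot be confirmed from this diff.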
@@ -118,8 +118,6 @@ int RshellServiceDetector::validate(AppIdDiscoveryArgs& args) uint32_t port = 0; const uint8_t* data = args.data; uint16_t size = args.size; - //FIXIT-M - Avoid thread locals - static THREAD_LOCAL SnortProtocolId rsh_error_snort_protocol_id = UNKNOWN_PROTOCOL_ID; ServiceRSHELLData* rd = (ServiceRSHELLData*)data_get(args.asd); if (!rd) @@ -155,13 +153,12 @@ int RshellServiceDetector::validate(AppIdDiscoveryArgs& args) goto bail; if (port) { - if(rsh_error_snort_protocol_id == UNKNOWN_PROTOCOL_ID) - rsh_error_snort_protocol_id = args.pkt->context->conf->proto_ref->find("rsh-error"); - const SfIp* dip = args.pkt->ptrs.ip_api.get_dst(); const SfIp* sip = args.pkt->ptrs.ip_api.get_src(); - AppIdSession* pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip, - (uint16_t)port, IpProtocol::TCP, rsh_error_snort_protocol_id); + AppIdSession* pf = AppIdSession::create_future_session(args.pkt, + dip, 0, sip, (uint16_t)port, IpProtocol::TCP, + args.asd.config.snort_proto_ids[PROTO_INDEX_RSH_ERROR]); + if (pf) { ServiceRSHELLData* tmp_rd = (ServiceRSHELLData*)snort_calloc( diff --git a/src/network_inspectors/appid/service_plugins/service_snmp.cc b/src/network_inspectors/appid/service_plugins/service_snmp.cc index c4778bbfa..8cfd50937 100644 --- a/src/network_inspectors/appid/service_plugins/service_snmp.cc +++ b/src/network_inspectors/appid/service_plugins/service_snmp.cc @@ -395,8 +395,6 @@ int SnmpServiceDetector::validate(AppIdDiscoveryArgs& args) const char* version_str = nullptr; const uint8_t* data = args.data; uint16_t size = args.size; - //FIXIT-M - Avoid thread locals - static THREAD_LOCAL SnortProtocolId snmp_snort_protocol_id = UNKNOWN_PROTOCOL_ID; if (!size) goto inprocess; 
@@ -465,13 +463,12 @@ int SnmpServiceDetector::validate(AppIdDiscoveryArgs& args) sd->state = SNMP_STATE_RESPONSE; /*adding expected connection in case the server doesn't send from 161*/ - if(snmp_snort_protocol_id == UNKNOWN_PROTOCOL_ID) - snmp_snort_protocol_id = args.pkt->context->conf->proto_ref->find("snmp"); - const SfIp* dip = args.pkt->ptrs.ip_api.get_dst(); const SfIp* sip = args.pkt->ptrs.ip_api.get_src(); - AppIdSession* pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip, - args.pkt->ptrs.sp, args.asd.protocol, snmp_snort_protocol_id); + AppIdSession* pf = AppIdSession::create_future_session(args.pkt, + dip, 0, sip, args.pkt->ptrs.sp, args.asd.protocol, + args.asd.config.snort_proto_ids[PROTO_INDEX_SNMP]); + if (pf) { tmp_sd = (ServiceSNMPData*)snort_calloc(sizeof(ServiceSNMPData)); diff --git a/src/network_inspectors/appid/service_plugins/service_tftp.cc b/src/network_inspectors/appid/service_plugins/service_tftp.cc index a88699912..d6193014a 100644 --- a/src/network_inspectors/appid/service_plugins/service_tftp.cc +++ b/src/network_inspectors/appid/service_plugins/service_tftp.cc @@ -133,8 +133,6 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args) AppIdSession* pf = nullptr; const uint8_t* data = args.data; uint16_t size = args.size; - //FIXIT-M - Avoid thread locals - static THREAD_LOCAL SnortProtocolId tftp_snort_protocol_id = UNKNOWN_PROTOCOL_ID; if (!size) goto inprocess; 
@@ -184,15 +182,15 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args) if (strcasecmp((const char*)data, "netascii") && strcasecmp((const char*)data, "octet")) goto bail; - if(tftp_snort_protocol_id == UNKNOWN_PROTOCOL_ID) - tftp_snort_protocol_id = args.pkt->context->conf->proto_ref->find("tftp"); tmp_td = (ServiceTFTPData*)snort_calloc(sizeof(ServiceTFTPData)); tmp_td->state = TFTP_STATE_TRANSFER; dip = args.pkt->ptrs.ip_api.get_dst(); sip = args.pkt->ptrs.ip_api.get_src(); - pf = AppIdSession::create_future_session(args.pkt, dip, 0, sip, - args.pkt->ptrs.sp, args.asd.protocol, tftp_snort_protocol_id); + pf = AppIdSession::create_future_session(args.pkt, + dip, 0, sip, args.pkt->ptrs.sp, args.asd.protocol, + args.asd.config.snort_proto_ids[PROTO_INDEX_TFTP]); + if (pf) { data_add(*pf, tmp_td, &snort_free); diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc index 780eafc19..d10053ed3 100644 --- a/src/network_inspectors/appid/test/appid_api_test.cc +++ b/src/network_inspectors/appid/test/appid_api_test.cc @@ -352,7 +352,9 @@ TEST(appid_api, is_inspection_needed) { DummyInspector inspector; inspector.set_service(dummy_http2_protocol_id); - dummy_appid_inspector.get_ctxt().config.snortId_for_http2 = dummy_http2_protocol_id; + dummy_appid_inspector.get_ctxt().config.snort_proto_ids[PROTO_INDEX_HTTP2] = + dummy_http2_protocol_id; + CHECK_TRUE(appid_api.is_inspection_needed(inspector)); inspector.set_service(dummy_http2_protocol_id + 1); diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index 0056cd2d0..e803b8208 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc 
@@ -716,7 +716,8 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I } if (tp_app_id == APP_ID_SSL && - (Stream::get_snort_protocol_id(p->flow) == asd.config.snortId_for_ftp_data)) + (Stream::get_snort_protocol_id(p->flow) == + asd.config.snort_proto_ids[PROTO_INDEX_FTP_DATA])) { // If we see SSL on an FTP data channel set tpAppId back // to APP_ID_NONE so the FTP preprocessor picks up the flow.