From: Ron Dempster (rdempste) Date: Fri, 30 Oct 2020 20:57:47 +0000 (+0000) Subject: Merge pull request #2591 in SNORT/snort3 from ~RDEMPSTE/snort3:client_initiated to... X-Git-Tag: 3.0.3-5~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9adadbec05957581eddd4f1053e966d65732c99;p=thirdparty%2Fsnort3.git Merge pull request #2591 in SNORT/snort3 from ~RDEMPSTE/snort3:client_initiated to master Squashed commit of the following: commit b7963787f1eef302a1641d66054620152e73bf67 Author: Ron Dempster (rdempste) Date: Fri Oct 30 11:20:16 2020 -0400 flow: Set client initiated flag based on DAQ reverse flow flag, track on syn config, and syn-ack packet
---
diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc
index 9157b03f4..7bd3545d2 100644
--- a/src/flow/flow_control.cc
+++ b/src/flow/flow_control.cc
@@ -467,10 +467,19 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
 ++news;
 flow->flowstats.start_time = p->pkth->ts;
- // Set the flag if the flow direction matches the DAQ direction
- flow->flags.client_initiated =
- (p->is_from_server() ==
- (DAQ_PKT_FLAG_REV_FLOW == (p->packet_flags & DAQ_PKT_FLAG_REV_FLOW)));
+ // If DAQ specifies reverse flow, client initiated follows from server
+ if (p->pkth->flags & DAQ_PKT_FLAG_REV_FLOW)
+ flow->flags.client_initiated = p->is_from_server();
+ // If we are tracking on syn, client initiated follows from client
+ else if (p->context->conf->track_on_syn())
+ flow->flags.client_initiated = p->is_from_client();
+ // If not tracking on SYN and the packet is a SYN-ACK, assume the SYN did not create a
+ // session and client initiated follows from server
+ else if (p->is_tcp() && p->ptrs.tcph->is_syn_ack())
+ flow->flags.client_initiated = p->is_from_server();
+ // Otherwise, client initiated follows from client
+ else
+ flow->flags.client_initiated = p->is_from_client();
 }
 // This requires the packet direction to be set
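Review bot: The SYN-ACK branch derives client_initiated from a single packet that no tracked SYN preceded: when track_on_syn() is off, a SYN-ACK seen on a new flow (asymmetric routing, mid-stream pickup, or an unsolicited SYN-ACK such as backscatter) sets the flag from is_from_server(), so anything that keys policy or detection on client_initiated should treat it as a best-effort heuristic in that configuration, and the comment should say so: `// Heuristic: a SYN-ACK on a new flow is assumed to answer a SYN we did not see; an unsolicited SYN-ACK is still recorded as client-initiated from the responder's side.` The dereference `p->ptrs.tcph->is_syn_ack()` relies on is_tcp() implying ptrs.tcph is non-null, which appears to be the convention in this code base but is not visible in the hunk; a short comment on that line would make the invariant explicit. The four branches also reduce to one assignment, `const bool from_server = (p->pkth->flags & DAQ_PKT_FLAG_REV_FLOW) || (!p->context->conf->track_on_syn() && p->is_tcp() && p->ptrs.tcph->is_syn_ack()); flow->flags.client_initiated = from_server ? p->is_from_server() : p->is_from_client();`, which keeps the same evaluation order and makes the decision easier to audit. FlowControl::process starts and ends outside the hunk.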