From: Victor Julien Date: Fri, 26 Jan 2024 14:11:30 +0000 (+0100) Subject: detect/frames: inspect frames only in correct direction X-Git-Tag: suricata-8.0.0-beta1~1201 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9dd1572d48efaaabb5f72fa066dc19cef4a07c2;p=thirdparty%2Fsuricata.git detect/frames: inspect frames only in correct direction Inspect frames in the correct direction after they have been created.
---
diff --git a/src/flow-worker.c b/src/flow-worker.c
index 1f219c83ad..9af47ac7c8 100644
--- a/src/flow-worker.c
+++ b/src/flow-worker.c
@@ -524,19 +524,23 @@ static void PacketAppUpdate2FlowFlags(Packet *p)
 case UPDATE_DIR_BOTH:
 if (PKT_IS_TOSERVER(p)) {
 p->flow->flags |= FLOW_TS_APP_UPDATED | FLOW_TC_APP_UPDATE_NEXT;
- SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TS_APP_UPDATED set", p->pcap_cnt);
+ SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TS_APP_UPDATED|FLOW_TC_APP_UPDATE_NEXT set",
+ p->pcap_cnt);
 } else {
 p->flow->flags |= FLOW_TC_APP_UPDATED | FLOW_TS_APP_UPDATE_NEXT;
- SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TC_APP_UPDATED set", p->pcap_cnt);
+ SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TC_APP_UPDATED|FLOW_TS_APP_UPDATE_NEXT set",
+ p->pcap_cnt);
 }
 /* fall through */
 case UPDATE_DIR_OPPOSING:
 if (PKT_IS_TOSERVER(p)) {
 p->flow->flags |= FLOW_TC_APP_UPDATED | FLOW_TS_APP_UPDATE_NEXT;
- SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TC_APP_UPDATED set", p->pcap_cnt);
+ SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TC_APP_UPDATED|FLOW_TS_APP_UPDATE_NEXT set",
+ p->pcap_cnt);
 } else {
 p->flow->flags |= FLOW_TS_APP_UPDATED | FLOW_TC_APP_UPDATE_NEXT;
- SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TS_APP_UPDATED set", p->pcap_cnt);
+ SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TS_APP_UPDATED|FLOW_TC_APP_UPDATE_NEXT set",
+ p->pcap_cnt);
 }
 break;
 }
@@ -583,12 +587,15 @@ static TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data)
 
 /* handle TCP and app layer */
 if (p->flow) {
+ /* see if need to consider flags set by prev packets */
 if (PKT_IS_TOSERVER(p) && (p->flow->flags & FLOW_TS_APP_UPDATE_NEXT)) {
 p->flow->flags |= FLOW_TS_APP_UPDATED;
 p->flow->flags &= ~FLOW_TS_APP_UPDATE_NEXT;
+ SCLogDebug("FLOW_TS_APP_UPDATED");
 } else if (PKT_IS_TOCLIENT(p) && (p->flow->flags & FLOW_TC_APP_UPDATE_NEXT)) {
 p->flow->flags |= FLOW_TC_APP_UPDATED;
 p->flow->flags &= ~FLOW_TC_APP_UPDATE_NEXT;
+ SCLogDebug("FLOW_TC_APP_UPDATED");
 }
 
 if (PacketIsTCP(p)) {
@@ -640,7 +647,11 @@ static TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data)
 StreamTcpSessionCleanup(p->flow->protoctx);
 }
 } else if (p->proto == IPPROTO_TCP && p->flow->protoctx && p->flags & PKT_STREAM_EST) {
- FramesPrune(p->flow, p);
+ if ((p->flow->flags & FLOW_TS_APP_UPDATED) && PKT_IS_TOSERVER(p)) {
+ FramesPrune(p->flow, p);
+ } else if ((p->flow->flags & FLOW_TC_APP_UPDATED) && PKT_IS_TOCLIENT(p)) {
+ FramesPrune(p->flow, p);
+ }
 FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_TCPPRUNE);
 StreamTcpPruneSession(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? STREAM_TOSERVER : STREAM_TOCLIENT);
diff --git a/src/output-json-frame.c b/src/output-json-frame.c
index 4e0ec5b2b2..4f761e7ca1 100644
--- a/src/output-json-frame.c
+++ b/src/output-json-frame.c
@@ -409,6 +409,16 @@ static bool JsonFrameLogCondition(ThreadVars *tv, void *thread_data, const Packe
 return false;
 
 if ((p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) && p->flow->alparser != NULL) {
+ if (p->proto == IPPROTO_TCP) {
+ if ((p->flow->flags & FLOW_TS_APP_UPDATED) && PKT_IS_TOSERVER(p)) {
+ // fallthrough
+ } else if ((p->flow->flags & FLOW_TC_APP_UPDATED) && PKT_IS_TOCLIENT(p)) {
+ // fallthrough
+ } else {
+ return false;
+ }
+ }
+
 FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
 if (frames_container == NULL)
 return false;
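Review bot: The two new branches around `FramesPrune(p->flow, p)` in the `@@ -640` hunk make the same call and can be a single condition, e.g. `if (p->flow->flags & (PKT_IS_TOSERVER(p) ? FLOW_TS_APP_UPDATED : FLOW_TC_APP_UPDATED)) {` followed by `FramesPrune(p->flow, p);` and `}`. More importantly, `StreamTcpPruneSession` on the following lines still runs on every established-TCP packet, while `FramesPrune` now runs only when the app layer was updated in the packet's direction, so on a packet without such an update the stream can be pruned while that direction's frames are not. Whether a frame can then refer to stream data that has already been released depends on how stream pruning is bounded, which is not visible here; a one-line comment stating the invariant that makes the gating safe (for example, that stream pruning never discards data a live frame still covers) would let the next reader verify it instead of re-deriving it. FlowWorker's body starts and ends outside the hunk.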
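Review bot: The `// fallthrough` comments in the new block in JsonFrameLogCondition are misleading, since this is an if/else chain rather than a switch, and the two empty branches force the reader to derive the real condition by elimination; a single negated test reads directly: `if (p->proto == IPPROTO_TCP && !(((p->flow->flags & FLOW_TS_APP_UPDATED) && PKT_IS_TOSERVER(p)) || ((p->flow->flags & FLOW_TC_APP_UPDATED) && PKT_IS_TOCLIENT(p))))` then `return false;`. The same direction test now appears in flow-worker.c around `FramesPrune`, so a small shared inline helper taking the flow and the packet would keep the two call sites in step if the flag semantics change. UDP frames are still logged without the direction check; if that is intentional, a short comment saying why would save the next reader the question. JsonFrameLogCondition starts before the hunk and continues after it.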