From: Steven Baigal (sbaigal)
Date: Thu, 10 Nov 2022 16:57:28 +0000 (+0000)
Subject: Pull request #3657: netflow: implement deferred trust, cleanup
X-Git-Tag: 3.1.47.0~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9fbf999c4a378cccb4b14f907b666de0f240f95;p=thirdparty%2Fsnort3.git
Pull request #3657: netflow: implement deferred trust, cleanup
Merge in SNORT/snort3 from ~MMATIRKO/snort3:nf_trust to master
Squashed commit of the following:
commit 8d15aa644c9a00f98c627dfde8815c2d8c5677f1
Author: Michael Matirko
Date: Mon Oct 31 15:48:26 2022 -0400
netflow: implement deferred trust, cleanup
---
diff --git a/src/service_inspectors/netflow/CMakeLists.txt b/src/service_inspectors/netflow/CMakeLists.txt
index 850a4a6d3..97a9cb26f 100644
--- a/src/service_inspectors/netflow/CMakeLists.txt
+++ b/src/service_inspectors/netflow/CMakeLists.txt
@@ -4,6 +4,7 @@ set ( NETFLOW_INCLUDES
 netflow_headers.h
 netflow_module.h
 netflow_record.h
+ netflow.h
 )
 set ( FILE_LIST
 ${NETFLOW_INCLUDES}
diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc
index 1268aaa1a..6722e40f1 100644
--- a/src/service_inspectors/netflow/netflow.cc
+++ b/src/service_inspectors/netflow/netflow.cc
@@ -23,6 +23,8 @@
 #include "config.h"
 #endif
 
+#include "netflow.h"
+
 #include
 #include
 #include
@@ -32,8 +34,6 @@
 #include "log/messages.h"
 #include "managers/module_manager.h"
 #include "main/reload_tuner.h"
-#include "profiler/profiler.h"
-#include "protocols/packet.h"
 #include "pub_sub/netflow_event.h"
 #include "src/utils/endian.h"
 #include "time/packet_time.h"
@@ -44,41 +44,6 @@
 
 using namespace snort;
 
-THREAD_LOCAL NetFlowStats netflow_stats;
-THREAD_LOCAL ProfileStats netflow_perf_stats;
-
-// Used to ensure we fully populate the record; can't rely on the actual values being zero
-struct RecordStatus
-{
- bool src = false;
- bool dst = false;
- bool first = false;
- bool last = false;
- bool src_tos = false;
- bool dst_tos = false;
- bool bytes_sent = false;
- bool packets_sent = false;
-};
-
-// -----------------------------------------------------------------------------
-// static variables
-// -----------------------------------------------------------------------------
-
-// temporary cache required to dump the output
-typedef std::pair IpRecord;
-typedef std::vector DumpCache;
-static DumpCache* dump_cache = nullptr;
-
-// compare struct to use with ip sort
-struct IpCompare
-{
- bool operator()(const IpRecord& a, const IpRecord& b)
- { return a.first.less_than(b.first); }
-};
-
-static std::unordered_map* udp_srv_map = nullptr;
-static std::unordered_map* tcp_srv_map = nullptr;
-
 // -----------------------------------------------------------------------------
 // static functions
 // -----------------------------------------------------------------------------
@@ -423,6 +388,9 @@ static bool version_9_record_update(const unsigned char* data, uint32_t unix_sec
 static bool decode_netflow_v9(const unsigned char* data, uint16_t size,
 const Packet* p, const NetFlowRules* p_rules)
 {
+ // Ensure this flow isn't implicitly trusted
+ p->flow->set_deferred_trust(NetFlowModule::module_id, true);
+
 NetFlow9Hdr header;
 const NetFlow9Hdr *pheader;
 const NetFlow9FlowSet *flowset;
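Review bot: `p->flow` is dereferenced unconditionally as the first statement of decode_netflow_v9, and the identical line is added at the top of decode_netflow_v5 in the next hunk; if eval can reach these decoders for a packet that has no flow, this is a null dereference driven by unsolicited UDP input, so either guard it, `if (p->flow) p->flow->set_deferred_trust(NetFlowModule::module_id, true);`, or confirm that the inspector only runs with a flow and say so in the comment. Since both decoders need the same call, making it once in the caller that dispatches on the netflow version (if there is a single one) would avoid the duplication and keep any future version decoder from missing it. Setting deferred trust before the header is validated is the right order: a malformed or non-netflow packet on this port still leaves the flow inspected rather than trusted. The body of decode_netflow_v9 continues outside the hunk.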
@@ -643,6 +611,9 @@ static bool decode_netflow_v9(const unsigned char* data, uint16_t size,
 static bool decode_netflow_v5(const unsigned char* data, uint16_t size,
 const Packet* p, const NetFlowRules* p_rules)
 {
+ // Ensure this flow isn't implicitly trusted
+ p->flow->set_deferred_trust(NetFlowModule::module_id, true);
+
 NetFlow5Hdr header;
 const NetFlow5Hdr *pheader;
 const NetFlow5RecordHdr *precord;
@@ -799,6 +770,9 @@ public:
 void show(const snort::SnortConfig*) const override;
 void install_reload_handler(snort::SnortConfig*) override;
 
+ bool is_control_channel() const override
+ { return true; }
+
 private:
 const NetFlowConfig *config;
 
@@ -1091,6 +1065,11 @@ static Inspector* netflow_ctor(Module* m)
 static void netflow_dtor(Inspector* p)
 { delete p; }
 
+static void netflow_inspector_pinit()
+{
+ NetFlowModule::init();
+}
+
 static const InspectApi netflow_api =
 {
 {
@@ -1109,7 +1088,7 @@ static const InspectApi netflow_api =
 PROTO_BIT__UDP,
 nullptr, // buffers
 "netflow", // service
- nullptr,
+ netflow_inspector_pinit,
 nullptr, //pterm
 nullptr, // pre-config tinit
 nullptr, // pre-config tterm
diff --git a/src/service_inspectors/netflow/netflow.h b/src/service_inspectors/netflow/netflow.h
new file mode 100644
index 000000000..ba93dda8e
--- /dev/null
+++ b/src/service_inspectors/netflow/netflow.h
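Review bot: The new `is_control_channel()` override in the inspector class carries no comment, so a reader has to infer from the commit title why netflow sessions are reported as a control channel and what that buys. Suggest a one-line why-comment above it, e.g. `// NetFlow exporter sessions describe other traffic; report them as a control channel so they are not treated like ordinary payload flows` — the precise consequence depends on how Inspector::is_control_channel is consumed by the framework, so confirm the wording against the base class before committing it. The class definition starts and ends outside the hunk.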
@@ -0,0 +1,65 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// netflow.h author Michael Matirko
+
+#ifndef NETFLOW_H
+#define NETFLOW_H
+
+#include
+#include
+
+#include "flow/flow_data.h"
+#include "profiler/profiler.h"
+#include "protocols/packet.h"
+#include "utils/util.h"
+
+#include "netflow_cache.cc"
+#include "netflow_record.h"
+
+THREAD_LOCAL NetFlowStats netflow_stats;
+THREAD_LOCAL snort::ProfileStats netflow_perf_stats;
+
+// Used to ensure we fully populate the record; can't rely on the actual values being zero
+struct RecordStatus
+{
+ bool src = false;
+ bool dst = false;
+ bool first = false;
+ bool last = false;
+ bool src_tos = false;
+ bool dst_tos = false;
+ bool bytes_sent = false;
+ bool packets_sent = false;
+};
+
+// temporary cache required to dump the output
+typedef std::pair IpRecord;
+typedef std::vector DumpCache;
+static DumpCache* dump_cache = nullptr;
+
+struct IpCompare
+{
+ bool operator()(const IpRecord& a, const IpRecord& b)
+ { return a.first.less_than(b.first); }
+};
+static std::unordered_map* udp_srv_map = nullptr;
+static std::unordered_map* tcp_srv_map = nullptr;
+
+#endif
diff --git a/src/service_inspectors/netflow/netflow_module.cc b/src/service_inspectors/netflow/netflow_module.cc
index a73583cfe..785b5d148 100644
--- a/src/service_inspectors/netflow/netflow_module.cc
+++ b/src/service_inspectors/netflow/netflow_module.cc
@@ -97,6 +97,8 @@ static const PegInfo netflow_pegs[] =
 { CountType::END, nullptr, nullptr},
 };
 
+unsigned NetFlowModule::module_id = 0;
+
 //-------------------------------------------------------------------------
 // netflow module
 //-------------------------------------------------------------------------
diff --git a/src/service_inspectors/netflow/netflow_module.h b/src/service_inspectors/netflow/netflow_module.h
index 2d90e3693..3cadfc0f0 100644
--- a/src/service_inspectors/netflow/netflow_module.h
+++ b/src/service_inspectors/netflow/netflow_module.h
@@ -24,6 +24,7 @@
 
 #include
 
+#include "flow/flow_data.h"
 #include "framework/module.h"
 #include "hash/lru_cache_local.h"
 #include "sfip/sf_cidr.h"
@@ -167,6 +168,10 @@ public:
 bool is_bindable() const override
 { return true; }
 
+ static unsigned module_id;
+ static void init()
+ { module_id = snort::FlowData::create_flow_data_id(); }
+
 private:
 NetFlowConfig* conf = nullptr;
 NetFlowRule rule_cfg = {};
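Review bot: The new netflow.h defines, rather than declares, `THREAD_LOCAL NetFlowStats netflow_stats;` and `THREAD_LOCAL snort::ProfileStats netflow_perf_stats;`, and it also houses the file-scope `static` pointers `dump_cache`, `udp_srv_map` and `tcp_srv_map` that were moved out of netflow.cc; this only works while netflow.cc is the sole includer. A second translation unit that includes the header would fail to link on the two THREAD_LOCAL definitions and, more subtly, would get its own private copies of the three `static` pointers, so state set through one copy is invisible to the other. Prefer `extern THREAD_LOCAL NetFlowStats netflow_stats;` and `extern THREAD_LOCAL snort::ProfileStats netflow_perf_stats;` in the header with the definitions left in netflow.cc, and keep the `static` pointers in the .cc (or make them `extern` as well). `#include "netflow_cache.cc"` from a header carries the same single-includer assumption and deserves a comment saying so.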