From: Tom Peters (thopeter) Date: Thu, 10 Jan 2019 16:13:56 +0000 (-0500) Subject: Merge pull request #1480 in SNORT/snort3 from ~MDAGON/snort3:reload_stream_inspectors... X-Git-Tag: 3.0.0-251~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=abac1e2326fd0f48e2e00ccaa37b5d86cfcb49af;p=thirdparty%2Fsnort3.git Merge pull request #1480 in SNORT/snort3 from ~MDAGON/snort3:reload_stream_inspectors to master Squashed commit of the following: commit cf95a4564e84c4da975a2e9643271678efb91afa Author: Maya Dagon Date: Mon Dec 10 19:17:00 2018 -0500 reload: fail reload if stream is in the original config and stream_* is added/removed --- diff --git a/src/file_api/file_service.cc b/src/file_api/file_service.cc index 0c96c203a..ade3ac59f 100644 --- a/src/file_api/file_service.cc +++ b/src/file_api/file_service.cc @@ -87,14 +87,14 @@ void FileService::verify_reload(SnortConfig* sc) return; if (max_files_cached != conf->max_files_cached) - ParseError("Changing max_files_cached requires a restart\n"); + ParseError("Changing file_id:max_files_cached requires a restart\n"); if (file_capture_enabled) { if (capture_memcap != conf->capture_memcap) - ParseError("Changing capture_memcap requires a restart\n"); + ParseError("Changing file_id:capture_memcap requires a restart\n"); if (capture_block_size != conf->capture_block_size) - ParseError("Changing capture_block_size requires a restart\n"); + ParseError("Changing file_id:capture_block_size requires a restart\n"); } } diff --git a/src/main/snort_config.cc b/src/main/snort_config.cc index 8f48625fa..74065aa15 100644 --- a/src/main/snort_config.cc +++ b/src/main/snort_config.cc @@ -194,7 +194,7 @@ void SnortConfig::init(const SnortConfig* const other_conf, ProtocolReference* p InspectorManager::new_config(this); num_slots = ThreadConfig::get_instance_max(); - state = new std::vector[num_slots]; + state = new std::vector[num_slots]; profiler = new ProfilerConfig; latency = new LatencyConfig(); 
@@ -290,7 +290,7 @@ SnortConfig::~SnortConfig() MpseManager::stop_search_engine(fast_pattern_config->get_search_api()); } delete fast_pattern_config; - + flowbits_gterm(this); delete policy_map; @@ -398,7 +398,7 @@ void SnortConfig::merge(SnortConfig* cmd_line) int cl_chk = cmd_line->policy_map->get_network_policy()->checksum_eval; int cl_drop = cmd_line->policy_map->get_network_policy()->checksum_drop; - + NetworkPolicy* nw_policy = nullptr; for ( unsigned idx = 0; idx < policy_map->network_policy_count(); ++idx ) @@ -493,7 +493,50 @@ void SnortConfig::merge(SnortConfig* cmd_line) delete[] state; num_slots = ThreadConfig::get_instance_max(); - state = new std::vector[num_slots]; + state = new std::vector[num_slots]; +} + +// FIXIT-L this is a work around till snort supports adding/removing +// stream cache during reload +bool SnortConfig::verify_stream_inspectors() +{ + const std::vector inspector_names + { "stream_file", "stream_icmp", "stream_ip", "stream_tcp", "stream_udp", "stream_user" }; + static std::map orig_inspectors; + + // If wasn't initialized before try to initialize from current config + if (orig_inspectors.empty()) + { + const Inspector* const ptr = InspectorManager::get_inspector("stream", true); + if (ptr != nullptr) + { + for (auto name: inspector_names) + { + const bool in_orig = InspectorManager::inspector_exists_in_any_policy(name, get_conf()); + orig_inspectors[name] = in_orig; + } + } + } + + // If now available - compare + if (!orig_inspectors.empty()) + { + const Inspector* const ptr = InspectorManager::get_inspector("stream", true, this); + if (ptr != nullptr) + { + for (auto name: inspector_names) + { + const bool in_new = InspectorManager::inspector_exists_in_any_policy(name, this); + if (orig_inspectors[name] != in_new) + { + ErrorMessage("Snort Reload: Adding/removing %s requires a restart.\n", name); + return false; + } + } + } + } + + return true; } bool SnortConfig::verify() 
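Review bot: In verify_stream_inspectors the `orig_inspectors` snapshot is a function-local static that is filled once, from `get_conf()`, the first time a "stream" inspector is found, and is never cleared or refreshed, so if stream is absent from the original config the snapshot is taken from whichever config is current on a later reload; a comment making that explicit would help, e.g. `// Snapshot is taken once, from the first config that has stream, and intentionally never reset (a restart is required to change it)`. The comparison is also skipped entirely when the new config has no "stream" inspector (the second `get_inspector` returns nullptr), so a reload that removes stream together with stream_* passes this check — if that case is rejected elsewhere, the comment should say so. The template arguments are not visible in this rendering; if `orig_inspectors` is keyed by `const char*`, the lookups rely on pointer identity of the string literals rather than their contents, and a `std::string` key would be more robust. Minor: `inspector_names` is rebuilt on every call and could be a `static const` array.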
@@ -609,7 +652,7 @@ bool SnortConfig::verify() return false; } - return true; + return verify_stream_inspectors(); } void SnortConfig::set_alert_before_pass(bool enabled) @@ -741,7 +784,7 @@ void SnortConfig::set_no_logging_timestamps(bool enabled) void SnortConfig::set_obfuscation_mask(const char* mask) { - if (!mask) + if (!mask) return; output_flags |= OUTPUT_FLAG__OBFUSCATE; @@ -775,7 +818,7 @@ void SnortConfig::set_gid(const char* args) return; } else - gr = getgrgid((gid_t) target_gid); // main thread only + gr = getgrgid((gid_t)target_gid); // main thread only if (!gr) { @@ -785,7 +828,7 @@ void SnortConfig::set_gid(const char* args) /* If we're already running as the desired group ID, don't bother to try changing it later. */ if (gr->gr_gid != getgid()) - group_id = (int) gr->gr_gid; + group_id = (int)gr->gr_gid; } void SnortConfig::set_uid(const char* args) @@ -806,7 +849,7 @@ void SnortConfig::set_uid(const char* args) return; } else - pw = getpwuid((uid_t) target_uid); // main thread only + pw = getpwuid((uid_t)target_uid); // main thread only if (!pw) { @@ -818,11 +861,10 @@ void SnortConfig::set_uid(const char* args) If we're already running as the desired user and/or group ID, don't bother to try changing it later. */ if (pw->pw_uid != getuid()) - user_id = (int) pw->pw_uid; + user_id = (int)pw->pw_uid; if (group_id == -1 && pw->pw_gid != getgid()) - group_id = (int) pw->pw_gid; - + group_id = (int)pw->pw_gid; } void SnortConfig::set_show_year(bool enabled) @@ -999,7 +1041,7 @@ void SnortConfig::set_log_mode(const char* val) void SnortConfig::enable_syslog() { - static bool syslog_configured = false; + static bool syslog_configured = false; if (syslog_configured) return; diff --git a/src/main/snort_config.h b/src/main/snort_config.h index b3de65322..b0413f78e 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h 
@@ -154,6 +154,7 @@ struct SnortConfig { private: void init(const SnortConfig* const, ProtocolReference*); + bool verify_stream_inspectors(); public: SnortConfig(const SnortConfig* const other_conf = nullptr); diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc index 497020e7a..c587456bb 100644 --- a/src/managers/inspector_manager.cc +++ b/src/managers/inspector_manager.cc @@ -507,6 +507,29 @@ Binder* InspectorManager::get_binder() return (Binder*)pi->framework_policy->binder; } +bool InspectorManager::inspector_exists_in_any_policy(const char* key, SnortConfig* sc) +{ + PolicyMap* pm = sc->policy_map; + + if (pm == nullptr) + return false; + + for (unsigned i=0; iinspection_policy_count(); i++) + { + const InspectionPolicy* const pi = pm->get_inspection_policy(i); + + if ( !pi || !pi->framework_policy ) + continue; + + const PHInstance* const p = get_instance(pi->framework_policy, key); + + if ( p ) + return true; + } + + return false; +} + // FIXIT-P cache get_inspector() returns or provide indexed lookup Inspector* InspectorManager::get_inspector(const char* key, bool dflt_only, SnortConfig* sc) { diff --git a/src/managers/inspector_manager.h b/src/managers/inspector_manager.h index 831e4e46c..9051edacf 100644 --- a/src/managers/inspector_manager.h +++ b/src/managers/inspector_manager.h @@ -83,6 +83,7 @@ public: static void clear(Packet*); static void empty_trash(); + static bool inspector_exists_in_any_policy(const char* key, SnortConfig* sc); #ifdef PIGLET static Inspector* instantiate(const char*, Module*, SnortConfig*);
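Review bot: `inspector_exists_in_any_policy` dereferences `sc` on its first line without a null check, while `pm` is checked on the next; its caller in snort_config.cc passes `get_conf()`, which I cannot confirm is always non-null when `verify()` runs, so either guard it, `if (sc == nullptr) return false;`, or document the precondition on the header declaration with `// sc must be non-null`. The function only reads through `sc` and `pi`, so a `const SnortConfig*` parameter would document that, provided `PolicyMap::get_inspection_policy` is const-callable (not visible here). Minor style: `i++` on the unsigned loop counter can be `++i`, and the `const PHInstance* const p` lookup plus `if ( p ) return true;` could be folded into one `if` with an initializer.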