From: Steven Baigal (sbaigal) Date: Tue, 28 May 2024 18:13:02 +0000 (+0000) Subject: Pull request #4276: packet_capture: make sure packet_capture executed before detection X-Git-Tag: 3.2.2.0~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aec2a08ccf3fff9bacbe322b4e9bacddd6164d0b;p=thirdparty%2Fsnort3.git Pull request #4276: packet_capture: make sure packet_capture executed before detection Merge in SNORT/snort3 from ~SBAIGAL/snort3:capture_first to master Squashed commit of the following: commit 641e67652632a504ea81c3b7828dd5486df81251 Author: Steven Baigal Date: Fri Apr 5 11:26:37 2024 -0400 packet_capture: make sure packet_capture executed before detection --- diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc index 163c8e41a..def14a234 100644 --- a/src/detection/detection_engine.cc +++ b/src/detection/detection_engine.cc @@ -627,6 +627,7 @@ bool DetectionEngine::inspect(Packet* p) { PacketLatency::Context pkt_latency_ctx { p }; + InspectorManager::probe_first(p); if ( p->ptrs.decode_flags & DECODE_ERR_FLAGS ) { if ( p->context->conf->ips_inline_mode() and diff --git a/src/framework/inspector.cc b/src/framework/inspector.cc index f3eed8427..6807dc3b8 100644 --- a/src/framework/inspector.cc +++ b/src/framework/inspector.cc @@ -164,6 +164,7 @@ static const char* InspectorTypeNames[IT_MAX] = "control", "probe", "file", + "probe_first", }; const char* InspectApi::get_type(InspectorType type) diff --git a/src/framework/inspector.h b/src/framework/inspector.h index b446a2498..81eae929f 100644 --- a/src/framework/inspector.h +++ b/src/framework/inspector.h @@ -244,6 +244,7 @@ enum InspectorType IT_CONTROL, // process all packets before detection (eg appid) IT_PROBE, // process all packets after detection (eg perf_monitor, port_scan) IT_FILE, // file identification inspector + IT_PROBE_FIRST, // process all packets before detection (eg packet_capture) IT_MAX }; 
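Review bot: The new `InspectorManager::probe_first(p);` line has no comment saying why it sits at the very top of inspect(), ahead of the DECODE_ERR_FLAGS handling, and a later cleanup could easily move it down beside the other inspector stages. Since the purpose of the commit is that packet_capture sees every packet before detection, suggest `// probe_first inspectors (eg packet_capture) must see every packet as received, so run them before the decode-error handling below`. Whether the decode-error branch returns early is not visible here; inspect()'s body continues outside the hunk.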
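Review bot: The new comment on IT_PROBE_FIRST, `// process all packets before detection (eg packet_capture)`, is the same description already given for IT_CONTROL, so the enum no longer tells a reader how the two stages differ. The detection_engine.cc hunk in this commit calls probe_first at the top of DetectionEngine::inspect(), so something like `// process all packets before anything else in DetectionEngine::inspect (eg packet_capture)` would state the actual ordering; if control inspectors are meant to run after it, say so explicitly. Appending the value directly before IT_MAX keeps existing enumerator values stable, and the matching "probe_first" entry appended to InspectorTypeNames in inspector.cc keeps that table index-aligned; a `// keep in sync with InspectorTypeNames in inspector.cc` reminder here would help, since that array is declared with [IT_MAX] and a missing initializer silently becomes a null entry rather than a compile error.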
diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc index e07d19a28..be4dbc601 100644 --- a/src/managers/inspector_manager.cc +++ b/src/managers/inspector_manager.cc @@ -631,6 +631,7 @@ struct GlobalInspectorPolicy : public InspectorList { PHVector passive; PHVector probe; + PHVector probe_first; PHVector control; void vectorize(SnortConfig*) override; @@ -641,6 +642,7 @@ void GlobalInspectorPolicy::vectorize(SnortConfig*) { passive.alloc(ilist.size()); probe.alloc(ilist.size()); + probe_first.alloc(ilist.size()); control.alloc(ilist.size()); for ( auto* p : ilist ) { @@ -654,6 +656,10 @@ void GlobalInspectorPolicy::vectorize(SnortConfig*) probe.add(p); break; + case IT_PROBE_FIRST: + probe_first.add(p); + break; + case IT_CONTROL: control.add_control(p); break; @@ -677,6 +683,9 @@ PHInstance* GlobalInspectorPolicy::get_instance_by_type(const char* key, Inspect case IT_PROBE: return get_instance_from_vector(key, probe.vec, probe.total_num); + case IT_PROBE_FIRST: + return get_instance_from_vector(key, probe_first.vec, probe_first.total_num); + case IT_CONTROL: return get_instance_from_vector(key, control.vec, control.total_num); @@ -2102,6 +2111,16 @@ void InspectorManager::probe(Packet* p) } } +void InspectorManager::probe_first(Packet* p) +{ + GlobalInspectorPolicy* pp = p->context->conf->policy_map->get_global_inspector_policy(); + assert(pp); + if ( !trace_enabled(snort_trace, TRACE_INSPECTOR_MANAGER, DEFAULT_TRACE_LOG_LEVEL, p) ) + ::execute(p, pp->probe_first.vec, pp->probe_first.num, true); + else + ::execute(p, pp->probe_first.vec, pp->probe_first.num, true); +} + void InspectorManager::clear(Packet* p) { if ( !p->context->clear_inspectors ) diff --git a/src/managers/inspector_manager.h b/src/managers/inspector_manager.h index 032a6179e..150587e8a 100644 --- a/src/managers/inspector_manager.h +++ b/src/managers/inspector_manager.h 
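Review bot: Both branches of the `if ( !trace_enabled(...) ) ... else ...` in the new InspectorManager::probe_first() call exactly the same `::execute(p, pp->probe_first.vec, pp->probe_first.num, true);`, so the trace check has no effect. This looks like a copy of probe(), where the two paths presumably differ; either pass on the trace-enabled path whatever probe() passes there, or collapse the body to the single call `::execute(p, pp->probe_first.vec, pp->probe_first.num, true);`. Note also that `assert(pp)` is compiled out in release builds, so it documents the invariant rather than guarding the dereference on the next line, which is fine only if it matches what probe() does. The other hunks in this file (the PHVector member, its alloc, the vectorize case and the get_instance_by_type case) are consistent with the existing probe plumbing.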
@@ -93,6 +93,7 @@ public: static void execute(Packet*); static void probe(Packet*); + static void probe_first(Packet*); static void clear(Packet*); static void empty_trash(); diff --git a/src/network_inspectors/packet_capture/packet_capture.cc b/src/network_inspectors/packet_capture/packet_capture.cc index b546bef4b..ca9197e70 100644 --- a/src/network_inspectors/packet_capture/packet_capture.cc +++ b/src/network_inspectors/packet_capture/packet_capture.cc @@ -84,10 +84,25 @@ static int get_dlt() return dlt; } +static int _pcap_compile_nopcap(int snaplen_arg, int linktype_arg, + struct bpf_program *program, + const char *buf, int optimize, bpf_u_int32 mask) +{ + pcap_t *p; + int ret; + + p = pcap_open_dead(linktype_arg, snaplen_arg); + if (p == NULL) + return (PCAP_ERROR); + ret = pcap_compile(p, program, buf, optimize, mask); + pcap_close(p); + return (ret); +} + static bool bpf_compile_and_validate() { // FIXIT-M This BPF compilation is not thread-safe and should be handled by the main thread - if ( pcap_compile_nopcap(SNAP_LEN, get_dlt(), &bpf, + if ( _pcap_compile_nopcap(SNAP_LEN, get_dlt(), &bpf, config.filter.c_str(), 1, 0) >= 0 ) { if (bpf_validate(bpf.bf_insns, bpf.bf_len)) @@ -301,7 +316,7 @@ static const InspectApi pc_api = mod_ctor, mod_dtor }, - IT_PROBE, + IT_PROBE_FIRST, PROTO_BIT__ANY_IP | PROTO_BIT__ETH, nullptr, // buffers nullptr, // service @@ -333,7 +348,7 @@ const BaseApi* nin_packet_capture[] = static bool bpf_compile_and_validate_test() { - if (pcap_compile_nopcap(SNAP_LEN, DLT_EN10MB, &bpf, + if (_pcap_compile_nopcap(SNAP_LEN, DLT_EN10MB, &bpf, config.filter.c_str(), 1, 0) >= 0) { if (bpf_validate(bpf.bf_insns, bpf.bf_len))
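Review bot: The new `static void probe_first(Packet*);` declaration sits beside probe() with nothing saying when each runs, and this header is where inspector authors will look first. Suggest `// run IT_PROBE_FIRST inspectors; called at the start of DetectionEngine::inspect(), before detection and before probe()` above it, which is what the detection_engine.cc hunk of this commit establishes.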
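Review bot: `_pcap_compile_nopcap` is a namespace-scope identifier beginning with an underscore, which C++ reserves to the implementation, so the new helper should be renamed — e.g. `static int compile_bpf_nopcap(int snaplen_arg, int linktype_arg,` — at its definition and at both call sites (the bpf_compile_and_validate() change in this hunk and the bpf_compile_and_validate_test() hunk later in the file). The helper also has no comment saying why it replaces pcap_compile_nopcap(); if the motivation is libpcap deprecating that function in favour of pcap_open_dead()/pcap_compile()/pcap_close(), state that in a one-line comment above it so nobody swaps the direct call back in. Minor style for new code: `nullptr` rather than `NULL`, `return PCAP_ERROR;` rather than `return (PCAP_ERROR);`, and declare at first use, e.g. `pcap_t* p = pcap_open_dead(linktype_arg, snaplen_arg); if ( !p ) return PCAP_ERROR;`. The FIXIT-M about thread safety is rightly kept, since the wrapper only changes which libpcap entry point is used, not where or when the compile happens.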
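Review bot: Nothing in this commit tells users that the capture now contains pre-detection traffic: with pc_api switched from IT_PROBE to IT_PROBE_FIRST, packets are written before detection runs, so traffic that detection presumably goes on to block, and packets carrying decode errors (the detection_engine.cc hunk runs probe_first ahead of the DECODE_ERR_FLAGS handling), will now appear in the pcap. The packet_capture module help text and user documentation should state that the capture reflects packets as received rather than post-verdict, because operators using the pcap for incident review need to know which of the two they are looking at. If the previous post-detection behaviour is something users relied on, this also warrants a changelog entry.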