From: Masud Hasan (mashasan)
Date: Fri, 18 Mar 2022 22:49:57 +0000 (+0000)
Subject: Pull request #3307: analyzer: avoid distilling sticky verdicts
X-Git-Tag: 3.1.26.0~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0078262f780c60edc0ffa580b98f55ae3a1274e;p=thirdparty%2Fsnort3.git
Pull request #3307: analyzer: avoid distilling sticky verdicts
Merge in SNORT/snort3 from ~MASHASAN/snort3:sticky_verdict to master
Squashed commit of the following:
commit 3bac1487b51334c6ed6caf9549d3efb991f03f68
Author: Masud Hasan
Date: Fri Mar 11 12:53:49 2022 -0500
analyzer: avoid distilling sticky verdicts
---
diff --git a/src/flow/flow.h b/src/flow/flow.h
index 356d188bb..bce283bb3 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -27,6 +27,7 @@
 // state. Inspector state is stored in FlowData, and Flow manages a list
 // of FlowData items.
+#include
 #include
 #include "detection/ips_context_chain.h"
@@ -496,6 +497,8 @@ public:
 // FIXIT-M privatize if possible
 FilteringState filtering_state;
+ DAQ_Verdict last_verdict = MAX_DAQ_VERDICT;
+
 private:
 void clean();
 };
diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc
index 05d390286..3feca6d4a 100644
--- a/src/main/analyzer.cc
+++ b/src/main/analyzer.cc
@@ -209,9 +209,18 @@ static bool process_packet(Packet* p)
 return true;
 }
+static inline bool is_sticky_verdict(const DAQ_Verdict verdict)
+{
+ return verdict == DAQ_VERDICT_WHITELIST or verdict == DAQ_VERDICT_BLACKLIST
+ or verdict == DAQ_VERDICT_IGNORE;
+}
+
 // Finalize DAQ message verdict
 static DAQ_Verdict distill_verdict(Packet* p)
 {
+ if ( p->flow and is_sticky_verdict(p->flow->last_verdict) )
+ return p->flow->last_verdict;
+
 DAQ_Verdict verdict = DAQ_VERDICT_PASS;
 Active* act = p->active;
@@ -281,6 +290,10 @@ static DAQ_Verdict distill_verdict(Packet* p)
 daq_stats.internal_whitelist++;
 }
 }
+
+ if ( p->flow )
+ p->flow->last_verdict = verdict;
+
 return verdict;
 }
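Review bot: The new public field `last_verdict` in flow.h is never reset by this commit, and its `MAX_DAQ_VERDICT` sentinel is undocumented; if Flow objects are recycled for new connections (flow.cc is not in the diff, so this is inferred), a stale DAQ_VERDICT_WHITELIST or DAQ_VERDICT_BLACKLIST would be handed back by distill_verdict's early return for the first packets of an unrelated flow, which silently bypasses inspection for that connection. The field should be cleared wherever the flow's other per-connection state is, e.g. `last_verdict = MAX_DAQ_VERDICT;` next to the `filtering_state` reset, and carry a comment such as `// verdict given to the last packet of this flow; MAX_DAQ_VERDICT until one has been issued`. Since only whitelist, blacklist and ignore are ever read back, the comment should also say those are the only values that matter. The class body starts and ends outside the hunk.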
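Review bot: The early return added at the top of distill_verdict bypasses the `Active` checks and the `daq_stats` accounting for every later packet on a flow once a whitelist, blacklist or ignore verdict has been recorded, so a later block decision on that flow (for a packet the DAQ still delivered) can no longer change the returned verdict and is not counted. If that is the intended meaning of "sticky", state the assumption at the guard, e.g. `// once a flow has a sticky verdict the DAQ is expected to stop delivering it; keep that verdict rather than re-deriving it`; if not, the guard should at least yield to an explicit drop from `p->active`. `is_sticky_verdict` also deserves a one-line comment naming the three verdicts it treats as sticky, and the `const` on its by-value parameter adds nothing. distill_verdict's body continues past this hunk.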