From: Michael Altizer (mialtize) Date: Sat, 10 Oct 2020 04:02:57 +0000 (+0000) Subject: Merge pull request #2281 in SNORT/snort3 from ~SUNIMUKH/snort3:vrf to master X-Git-Tag: 3.0.3-3~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b1f2cbafb4a0bdf1b17b90f2133e6c169e8753c6;p=thirdparty%2Fsnort3.git Merge pull request #2281 in SNORT/snort3 from ~SUNIMUKH/snort3:vrf to master Squashed commit of the following: commit 63ed78206af167a874dbfd549c438758a7745e33 Author: Sunirmal Mukherjee Date: Tue Sep 15 08:22:50 2020 -0400 packet_tracer: Added groups in logging based on inter_group_flow flag commit 3efd70273253ac1321493bdce224093ddcd46f8c Author: Sunirmal Mukherjee Date: Mon Sep 7 16:29:56 2020 -0400 build: Updates for libdaq changes introduced inter_group_flow in flow stats commit 43d306ac769ff4f5eb798e70f7afc4f754a3c16d Author: Sunirmal Mukherjee Date: Mon May 4 13:56:38 2020 -0400 flow: Added source/dest group id in flow key to identify a session uniquely --- diff --git a/daqs/daq_hext.c b/daqs/daq_hext.c index 507ebf896..978998267 100644 --- a/daqs/daq_hext.c +++ b/daqs/daq_hext.c @@ -262,8 +262,9 @@ static bool parse_flowstats(DAQ_MsgType type, const char* line, HextMsgDesc *des "%" SCNu32 " " /* eof_timestamp.tv_sec */ \ "%" SCNu16 " " /* vlan_tag */ \ "%" SCNu16 " " /* address_space_id */ \ - "%" SCNu8 /* protocol */ -#define FLOWSTATS_ITEMS 21 + "%" SCNu8 " " /* protocol */ \ + "%" SCNu8 /* flags */ +#define FLOWSTATS_ITEMS 22 Flow_Stats_t* f = &desc->flowstats; char srcaddr[INET6_ADDRSTRLEN], dstaddr[INET6_ADDRSTRLEN]; uint32_t sof_sec, eof_sec; @@ -272,7 +273,7 @@ static bool parse_flowstats(DAQ_MsgType type, const char* line, HextMsgDesc *des &f->initiatorPkts, &f->responderPkts, &f->initiatorPktsDropped, &f->responderPktsDropped, &f->initiatorBytesDropped, &f->responderBytesDropped, &f->isQoSAppliedOnSrcIntf, &sof_sec, &eof_sec, &f->vlan_tag, &f->address_space_id, - &f->protocol); + &f->protocol, &f->flags); if (rval != FLOWSTATS_ITEMS) return false; diff --git a/src/flow/expect_cache.cc b/src/flow/expect_cache.cc index f8a5ff544..ea301b849 100644 --- a/src/flow/expect_cache.cc +++ b/src/flow/expect_cache.cc @@ -146,12 +146,11 @@ ExpectNode* ExpectCache::find_node_by_packet(Packet* p, FlowKey &key) const SfIp* dstIP = p->ptrs.ip_api.get_dst(); uint16_t vlanId = (p->proto_bits & PROTO_BIT__VLAN) ? layer::get_vlan_layer(p)->vid() : 0; uint32_t mplsId = (p->proto_bits & PROTO_BIT__MPLS) ? p->ptrs.mplsHdr.label : 0; - uint16_t addressSpaceId = p->pkth->address_space_id; PktType type = p->type(); IpProtocol ip_proto = p->get_ip_proto_next(); bool reversed_key = key.init(p->context->conf, type, ip_proto, dstIP, p->ptrs.dp, - srcIP, p->ptrs.sp, vlanId, mplsId, addressSpaceId); + srcIP, p->ptrs.sp, vlanId, mplsId, *p->pkth); /* Lookup order: @@ -323,11 +322,10 @@ int ExpectCache::add_flow(const Packet *ctrlPkt, PktType type, IpProtocol ip_pro control packet until we have a use case for not doing so. */ uint16_t vlanId = (ctrlPkt->proto_bits & PROTO_BIT__VLAN) ? layer::get_vlan_layer(ctrlPkt)->vid() : 0; uint32_t mplsId = (ctrlPkt->proto_bits & PROTO_BIT__MPLS) ? ctrlPkt->ptrs.mplsHdr.label : 0; - uint16_t addressSpaceId = ctrlPkt->pkth->address_space_id; - FlowKey key; + bool reversed_key = key.init(ctrlPkt->context->conf, type, ip_proto, cliIP, cliPort, - srvIP, srvPort, vlanId, mplsId, addressSpaceId); + srvIP, srvPort, vlanId, mplsId, *ctrlPkt->pkth); bool new_node = false; ExpectNode* node = static_cast ( hash_table->get_user_data(&key) ); diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index dd573692b..5d25aa03d 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc @@ -158,7 +158,6 @@ void FlowControl::set_key(FlowKey* key, Packet* p) const ip::IpApi& ip_api = p->ptrs.ip_api; uint32_t mplsId; uint16_t vlanId; - uint16_t addressSpaceId; PktType type = p->type(); IpProtocol ip_proto = p->get_ip_proto_next(); @@ -172,22 +171,20 @@ void FlowControl::set_key(FlowKey* key, Packet* p) else mplsId = 0; - addressSpaceId = p->pkth->address_space_id; - if ( (p->ptrs.decode_flags & DECODE_FRAG) ) { key->init(p->context->conf, type, ip_proto, ip_api.get_src(), - ip_api.get_dst(), ip_api.id(), vlanId, mplsId, addressSpaceId); + ip_api.get_dst(), ip_api.id(), vlanId, mplsId, *p->pkth); } else if ( type == PktType::ICMP ) { key->init(p->context->conf, type, ip_proto, ip_api.get_src(), p->ptrs.icmph->type, - ip_api.get_dst(), 0, vlanId, mplsId, addressSpaceId); + ip_api.get_dst(), 0, vlanId, mplsId, *p->pkth); } else { key->init(p->context->conf, type, ip_proto, ip_api.get_src(), p->ptrs.sp, - ip_api.get_dst(), p->ptrs.dp, vlanId, mplsId, addressSpaceId); + ip_api.get_dst(), p->ptrs.dp, vlanId, mplsId, *p->pkth); } } diff --git a/src/flow/flow_key.cc b/src/flow/flow_key.cc index 9fe4ee2d4..3251a7392 100644 --- a/src/flow/flow_key.cc +++ b/src/flow/flow_key.cc @@ -217,6 +217,25 @@ void FlowKey::init_address_space(const SnortConfig* sc, uint16_t addrSpaceId) addressSpaceId = 0; } +void FlowKey::init_groups(int16_t ingress_group, int16_t egress_group, bool rev) +{ + if (flags.group_used) + { + if (rev) + { + group_l = egress_group; + group_h = ingress_group; + } + else + { + group_l = ingress_group; + group_h = egress_group; + } + } + else + group_l = group_h = DAQ_PKTHDR_UNKNOWN; +} + void FlowKey::init_mpls(const SnortConfig* sc, uint32_t mplsId) { if (sc->mpls_overlapping_ip()) @@ -230,7 +249,9 @@ bool FlowKey::init( PktType type, IpProtocol ip_proto, const SfIp *srcIP, uint16_t srcPort, const SfIp *dstIP, uint16_t dstPort, - uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId) + uint16_t vlanId, uint32_t mplsId, + uint16_t addrSpaceId, int16_t ingress_group, + int16_t egress_group) { bool reversed; @@ -256,7 +277,55 @@ bool FlowKey::init( init_vlan(sc, vlanId); init_address_space(sc, addrSpaceId); - padding = 0; + + if (ingress_group == DAQ_PKTHDR_UNKNOWN or egress_group == DAQ_PKTHDR_UNKNOWN) + flags.group_used = 0; + else + flags.group_used = 1; + + init_groups(ingress_group, egress_group, reversed); + + flags.ubits = 0; + return reversed; +} + +bool FlowKey::init( + const SnortConfig* sc, + PktType type, IpProtocol ip_proto, + const SfIp *srcIP, uint16_t srcPort, + const SfIp *dstIP, uint16_t dstPort, + uint16_t vlanId, uint32_t mplsId, + const DAQ_PktHdr_t& pkt_hdr) +{ + bool reversed; + + /* Because the key is going to be used for hash lookups, + * the key fields will be normalized such that the lower + * of the IP addresses is stored in ip_l and the port for + * that IP is stored in port_l. + */ + + if (srcIP->is_ip4() && dstIP->is_ip4()) + { + version = 4; + reversed = init4(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId); + } + else + { + version = 6; + reversed = init6(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId); + } + + pkt_type = type; + ip_protocol = (uint8_t)ip_proto; + + init_vlan(sc, vlanId); + init_address_space(sc, pkt_hdr.address_space_id); + + flags.group_used = ((pkt_hdr.flags & DAQ_PKT_FLAG_SIGNIFICANT_GROUPS) != 0); + init_groups(pkt_hdr.ingress_group, pkt_hdr.egress_group, reversed); + + flags.ubits = 0; return reversed; } @@ -266,23 +335,26 @@ bool FlowKey::init( PktType type, IpProtocol ip_proto, const SfIp *srcIP, const SfIp *dstIP, uint32_t id, uint16_t vlanId, - uint32_t mplsId, uint16_t addrSpaceId) + uint32_t mplsId, uint16_t addrSpaceId, + int16_t ingress_group, int16_t egress_group) { // to avoid confusing 2 different datagrams or confusing a datagram // with a session, we don't order the addresses and we set version + uint16_t srcPort = id & 0xFFFF; uint16_t dstPort = id >> 16; + bool reversed; if (srcIP->is_ip4() && dstIP->is_ip4()) { version = 4; - init4(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false); + reversed = init4(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false); ip_protocol = (uint8_t)ip_proto; } else { version = 6; - init6(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false); + reversed = init6(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false); ip_protocol = 0; } @@ -290,11 +362,60 @@ bool FlowKey::init( init_vlan(sc, vlanId); init_address_space(sc, addrSpaceId); - padding = 0; + + if (ingress_group == DAQ_PKTHDR_UNKNOWN or egress_group == DAQ_PKTHDR_UNKNOWN) + flags.group_used = 0; + else + flags.group_used = 1; + + init_groups(ingress_group, egress_group, reversed); + + flags.ubits = 0; + + return false; +} + +bool FlowKey::init( + const SnortConfig* sc, + PktType type, IpProtocol ip_proto, + const SfIp *srcIP, const SfIp *dstIP, + uint32_t id, uint16_t vlanId, + uint32_t mplsId, const DAQ_PktHdr_t& pkt_hdr) +{ + // to avoid confusing 2 different datagrams or confusing a datagram + // with a session, we don't order the addresses and we set version + + uint16_t srcPort = id & 0xFFFF; + uint16_t dstPort = id >> 16; + bool reversed; + + if (srcIP->is_ip4() && dstIP->is_ip4()) + { + version = 4; + reversed = init4(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false); + ip_protocol = (uint8_t)ip_proto; + } + else + { + version = 6; + reversed = init6(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false); + ip_protocol = 0; + } + + pkt_type = type; + + init_vlan(sc, vlanId); + init_address_space(sc, pkt_hdr.address_space_id); + + flags.group_used = ((pkt_hdr.flags & DAQ_PKT_FLAG_SIGNIFICANT_GROUPS) != 0); + init_groups(pkt_hdr.ingress_group, pkt_hdr.egress_group, reversed); + + flags.ubits = 0; return false; } +//------------------------------------------------------------------------- //------------------------------------------------------------------------- // hash foo //------------------------------------------------------------------------- @@ -303,6 +424,9 @@ bool FlowKey::is_equal(const void* s1, const void* s2, size_t) { const uint64_t* a = (const uint64_t*)s1; const uint64_t* b = (const uint64_t*)s2; + const uint32_t* c; + const uint32_t* d; + if (*a - *b) return false; /* Compares IPv4 lo/hi Compares IPv6 low[0,1] */ @@ -331,7 +455,12 @@ bool FlowKey::is_equal(const void* s1, const void* s2, size_t) a++; b++; if (*a - *b) - return false; /* Compares vlan,AddressSpace ID,ip_proto,type,version,8 bit pad */ + return false; /* Compares group lo/hi, addressSpaceId, vlan */ + + c = (const uint32_t*)(++a); + d = (const uint32_t*)(++b); + if (*c - *d) + return false; /* ip_proto, type, version, 8 bit pad */ return true; } @@ -362,8 +491,12 @@ unsigned FlowHashKeyOps::do_hash(const unsigned char* k, int) mix(a, b, c); a += d[9]; // port lo & port hi - b += d[10]; // vlan tag, address space id - c += d[11]; // ip_proto, pkt_type, version, and 8 bits of zeroed pad + b += d[10]; // group lo & group hi + c += d[11]; // addressSpaceId, vlan + + mix(a, b, c); + + a += d[12]; // ip_proto, pkt_type, version, 8 bits of zeroed pad finalize(a, b, c); diff --git a/src/flow/flow_key.h b/src/flow/flow_key.h index 1333d174c..1db84829e 100644 --- a/src/flow/flow_key.h +++ b/src/flow/flow_key.h @@ -25,6 +25,8 @@ #include +#include + #include "framework/decode_data.h" #include "hash/hash_key_operations.h" #include "utils/cpp_macros.h" @@ -56,12 +58,17 @@ struct SO_PUBLIC FlowKey uint32_t mplsLabel; uint16_t port_l; /* Low Port - 0 if ICMP */ uint16_t port_h; /* High Port - 0 if ICMP */ - uint16_t vlan_tag; + int16_t group_l; + int16_t group_h; uint16_t addressSpaceId; + uint16_t vlan_tag; uint8_t ip_protocol; PktType pkt_type; uint8_t version; - uint8_t padding; + struct { + uint8_t group_used:1; // Is group being used to build key. + uint8_t ubits:7; + } flags; /* The init() functions return true if the key IP/port fields were actively normalized, reversing the source and destination addresses internally. @@ -71,17 +78,31 @@ struct SO_PUBLIC FlowKey const SnortConfig*, PktType, IpProtocol, const snort::SfIp *srcIP, uint16_t srcPort, const snort::SfIp *dstIP, uint16_t dstPort, - uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId); - + uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, + int16_t group_h = DAQ_PKTHDR_UNKNOWN, int16_t group_l = DAQ_PKTHDR_UNKNOWN); + bool init( const SnortConfig*, PktType, IpProtocol, const snort::SfIp *srcIP, const snort::SfIp *dstIP, uint32_t id, uint16_t vlanId, - uint32_t mplsId, uint16_t addrSpaceId); + uint32_t mplsId, uint16_t addrSpaceId, + int16_t group_h = DAQ_PKTHDR_UNKNOWN, int16_t group_l = DAQ_PKTHDR_UNKNOWN); + + bool init( + const SnortConfig*, PktType, IpProtocol, + const snort::SfIp *srcIP, uint16_t srcPort, + const snort::SfIp *dstIP, uint16_t dstPort, + uint16_t vlanId, uint32_t mplsId, const DAQ_PktHdr_t&); + + bool init( + const SnortConfig*, PktType, IpProtocol, + const snort::SfIp *srcIP, const snort::SfIp *dstIP, + uint32_t id, uint16_t vlanId, uint32_t mplsId, const DAQ_PktHdr_t&); void init_mpls(const SnortConfig*, uint32_t); void init_vlan(const SnortConfig*, uint16_t); void init_address_space(const SnortConfig*, uint16_t); + void init_groups(int16_t, int16_t, bool); // If this data structure changes size, compare must be updated! static bool is_equal(const void* k1, const void* k2, size_t); diff --git a/src/flow/test/flow_control_test.cc b/src/flow/test/flow_control_test.cc index 16366de55..0fcd8eff2 100644 --- a/src/flow/test/flow_control_test.cc +++ b/src/flow/test/flow_control_test.cc @@ -121,17 +121,39 @@ bool FlowKey::init( PktType, IpProtocol, const SfIp*, uint16_t, const SfIp*, uint16_t, - uint16_t, uint32_t, uint16_t) + uint16_t, uint32_t, + uint16_t, int16_t, int16_t) { return true; } +bool FlowKey::init( + const SnortConfig*, + PktType, IpProtocol, + const SfIp*, uint16_t, + const SfIp*, uint16_t, + uint16_t, uint32_t, const DAQ_PktHdr_t&) +{ + return true; +} + +bool FlowKey::init( + const SnortConfig*, + PktType, IpProtocol, + const SfIp*, const SfIp*, + uint32_t, uint16_t, + uint32_t, uint16_t, int16_t, + int16_t) +{ + return true; +} + bool FlowKey::init( const SnortConfig*, PktType, IpProtocol, const SfIp*, const SfIp*, uint32_t, uint16_t, - uint32_t, uint16_t) + uint32_t, const DAQ_PktHdr_t&) { return true; } diff --git a/src/flow/test/ha_test.cc b/src/flow/test/ha_test.cc index da76fc1bd..8fd5de850 100644 --- a/src/flow/test/ha_test.cc +++ b/src/flow/test/ha_test.cc @@ -42,12 +42,14 @@ static const FlowKey s_test_key = 9, 10, 11, + 0, + 0, + 0, 12, - 13, 14, PktType::TCP, 14, - 0, + 0 }; static struct __attribute__((__packed__)) TestDeleteMessage { @@ -58,7 +60,7 @@ static struct __attribute__((__packed__)) TestDeleteMessage { { HA_DELETE_EVENT, HA_MESSAGE_VERSION, - 0x35, + 0x39, KEY_TYPE_IP6 }, s_test_key @@ -74,7 +76,7 @@ static struct __attribute__((__packed__)) TestUpdateMessage { { HA_UPDATE_EVENT, HA_MESSAGE_VERSION, - 0x41, + 0x45, KEY_TYPE_IP6 }, s_test_key, diff --git a/src/network_inspectors/packet_tracer/packet_tracer.cc b/src/network_inspectors/packet_tracer/packet_tracer.cc index 983e68d8b..9e0f46f9e 100644 --- a/src/network_inspectors/packet_tracer/packet_tracer.cc +++ b/src/network_inspectors/packet_tracer/packet_tracer.cc @@ -278,19 +278,24 @@ void PacketTracer::add_ip_header_info(const Packet& p) actual_sip->ntop(sipstr, sizeof(sipstr)); actual_dip->ntop(dipstr, sizeof(dipstr)); + char gr_buf[32] = {0}; + if (p.is_inter_group_flow()) + snprintf(gr_buf, sizeof(gr_buf), " GR=%hd-%hd", p.pkth->ingress_group, + p.pkth->egress_group); + if (shell_enabled) { PacketTracer::log("\n"); - snprintf(debug_session, sizeof(debug_session), "%s %hu -> %s %hu %hhu AS=%hu ID=%u ", + snprintf(debug_session, sizeof(debug_session), "%s %hu -> %s %hu %hhu AS=%hu ID=%u%s ", sipstr, sport, dipstr, dport, static_cast(proto), - p.pkth->address_space_id, get_instance_id()); + p.pkth->address_space_id, get_instance_id(), gr_buf); } else { add_eth_header_info(p); - PacketTracer::log("%s:%hu -> %s:%hu proto %u AS=%hu ID=%u\n", + PacketTracer::log("%s:%hu -> %s:%hu proto %u AS=%hu ID=%u%s\n", sipstr, sport, dipstr, dport, static_cast(proto), - p.pkth->address_space_id, get_instance_id()); + p.pkth->address_space_id, get_instance_id(), gr_buf); } add_packet_type_info(p); } diff --git a/src/network_inspectors/packet_tracer/packet_tracer.h b/src/network_inspectors/packet_tracer/packet_tracer.h index 8aae7a041..1477e798d 100644 --- a/src/network_inspectors/packet_tracer/packet_tracer.h +++ b/src/network_inspectors/packet_tracer/packet_tracer.h @@ -33,9 +33,9 @@ #include "protocols/protocol_ids.h" #include "sfip/sf_ip.h" -// %s %u -> %s %u %u AS=%u ID=%u -// IPv6 Port -> IPv6 Port Proto AS=ASNum ID=InstanceNum -#define PT_DEBUG_SESSION_ID_SIZE ((39+1+5+1+2+1+39+1+5+1+3+1+2+1+10+1+2+1+10)+1) +// %s %u -> %s %u %u AS=%u ID=%u GR=%hd-%hd +// IPv6 Port -> IPv6 Port Proto AS=ASNum ID=InstanceNum GR=SrcGroupNum-DstGroupNum +#define PT_DEBUG_SESSION_ID_SIZE ((39+1+5+1+2+1+39+1+5+1+3+1+2+1+10+1+2+1+10+32)+1) namespace snort { diff --git a/src/protocols/packet.h b/src/protocols/packet.h index 60eb4ab9a..2ce539704 100644 --- a/src/protocols/packet.h +++ b/src/protocols/packet.h @@ -315,6 +315,9 @@ struct SO_PUBLIC Packet bool is_detection_enabled(bool to_server); + bool is_inter_group_flow() const + { return (pkth->flags & DAQ_PKT_FLAG_SIGNIFICANT_GROUPS) != 0; } + bool test_session_flags(uint32_t); SnortProtocolId get_snort_protocol_id(); diff --git a/src/service_inspectors/http_inspect/test/http_transaction_test.cc b/src/service_inspectors/http_inspect/test/http_transaction_test.cc index 89eda0bcb..85ae1e600 100644 --- a/src/service_inspectors/http_inspect/test/http_transaction_test.cc +++ b/src/service_inspectors/http_inspect/test/http_transaction_test.cc @@ -45,7 +45,7 @@ FlowData::FlowData(unsigned, Inspector*) {} FlowData::~FlowData() = default; int DetectionEngine::queue_event(unsigned int, unsigned int, Actions::Type) { return 0; } fd_status_t File_Decomp_StopFree(fd_session_t*) { return File_Decomp_OK; } -size_t str_to_hash(unsigned char const*, size_t) { return 0; } +uint32_t str_to_hash(const uint8_t *, size_t) { return 0; } } THREAD_LOCAL PegCount HttpModule::peg_counts[PEG_COUNT_MAX] = { }; diff --git a/src/service_inspectors/sip/sip_dialog.cc b/src/service_inspectors/sip/sip_dialog.cc index d8ab5d0a8..5a49c14ed 100644 --- a/src/service_inspectors/sip/sip_dialog.cc +++ b/src/service_inspectors/sip/sip_dialog.cc @@ -401,7 +401,7 @@ static int SIP_ignoreChannels(SIP_DialogData* dialog, Packet* p, SIP_PROTO_CONF* mdataA->mport, &mdataB->maddress, mdataB->mport, (p->proto_bits & PROTO_BIT__VLAN) ? layer::get_vlan_layer(p)->vid() : 0, (p->proto_bits & PROTO_BIT__MPLS) ? p->ptrs.mplsHdr.label : 0, - p->pkth->address_space_id); + *p->pkth); if (ssn) { ssn->set_ignore_direction(SSN_DIR_BOTH); diff --git a/src/stream/icmp/icmp_session.cc b/src/stream/icmp/icmp_session.cc index 2221afe8b..bf231546e 100644 --- a/src/stream/icmp/icmp_session.cc +++ b/src/stream/icmp/icmp_session.cc @@ -71,6 +71,7 @@ static int ProcessIcmpUnreach(Packet* p) const SfIp* src; const SfIp* dst; ip::IpApi iph; + bool reversed = false; /* Set the Ip API to the embedded IP Header. */ if (!layer::set_api_ip_embed_icmp(p, iph)) @@ -85,7 +86,6 @@ static int ProcessIcmpUnreach(Packet* p) skey.pkt_type = p->type(); skey.version = src->is_ip4() ? 4 : 6; skey.ip_protocol = (uint8_t)p->get_ip_proto_next(); - skey.padding = 0; if (p->proto_bits & PROTO_BIT__TCP_EMBED_ICMP) { @@ -126,6 +126,7 @@ static int ProcessIcmpUnreach(Packet* p) { skey.port_l = dport; skey.port_h = sport; + reversed = true; } } else @@ -134,6 +135,7 @@ static int ProcessIcmpUnreach(Packet* p) COPY4(skey.ip_h, src->get_ip6_ptr()); skey.port_l = dport; skey.port_h = sport; + reversed = true; } uint16_t vlan = (p->proto_bits & PROTO_BIT__VLAN) ? @@ -145,6 +147,8 @@ static int ProcessIcmpUnreach(Packet* p) skey.init_vlan(sc, vlan); skey.init_address_space(sc, 0); skey.init_mpls(sc, 0); + skey.flags.group_used = p->is_inter_group_flow(); + skey.init_groups(p->pkth->ingress_group, p->pkth->egress_group, reversed); switch (p->type()) { diff --git a/src/stream/stream.cc b/src/stream/stream.cc index eb58070db..a8db60d72 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -89,11 +89,28 @@ Flow* Stream::get_flow( PktType type, IpProtocol proto, const SfIp* srcIP, uint16_t srcPort, const SfIp* dstIP, uint16_t dstPort, - uint16_t vlan, uint32_t mplsId, uint16_t addressSpaceId) + uint16_t vlan, uint32_t mplsId, uint16_t addressSpaceId, + int16_t ingress_group, int16_t egress_group) { FlowKey key; const SnortConfig* sc = SnortConfig::get_conf(); - key.init(sc, type, proto, srcIP, srcPort, dstIP, dstPort, vlan, mplsId, addressSpaceId); + + key.init(sc, type, proto, srcIP, srcPort, dstIP, dstPort, vlan, mplsId, + addressSpaceId, ingress_group, egress_group); + return get_flow(&key); +} + +Flow* Stream::get_flow( + PktType type, IpProtocol proto, + const SfIp* srcIP, uint16_t srcPort, + const SfIp* dstIP, uint16_t dstPort, + uint16_t vlan, uint32_t mplsId, const DAQ_PktHdr_t& pkth) +{ + FlowKey key; + const SnortConfig* sc = SnortConfig::get_conf(); + + key.init(sc, type, proto, srcIP, srcPort, dstIP, dstPort, vlan, mplsId, + pkth); return get_flow(&key); } @@ -110,7 +127,7 @@ void Stream::populate_flow_key(Packet* p, FlowKey* key) // if the vlan protocol bit is defined, vlan layer guaranteed to exist (p->proto_bits & PROTO_BIT__VLAN) ? layer::get_vlan_layer(p)->vid() : 0, (p->proto_bits & PROTO_BIT__MPLS) ? p->ptrs.mplsHdr.label : 0, - p->pkth->address_space_id); + *p->pkth); } FlowKey* Stream::get_flow_key(Packet* p) @@ -138,12 +155,13 @@ FlowData* Stream::get_flow_data( const SfIp* srcIP, uint16_t srcPort, const SfIp* dstIP, uint16_t dstPort, uint16_t vlan, uint32_t mplsId, - uint16_t addressSpaceID, unsigned flowdata_id) + uint16_t addressSpaceID, unsigned flowdata_id, + int16_t ingress_group, int16_t egress_group) { Flow* flow = get_flow( - type, proto, - srcIP, srcPort, dstIP, dstPort, - vlan, mplsId, addressSpaceID); + type, proto, srcIP, srcPort, dstIP, dstPort, + vlan, mplsId, addressSpaceID, ingress_group, + egress_group); if (!flow) return nullptr; @@ -151,6 +169,24 @@ FlowData* Stream::get_flow_data( return flow->get_flow_data(flowdata_id); } +FlowData* Stream::get_flow_data( + PktType type, IpProtocol proto, + const SfIp* srcIP, uint16_t srcPort, + const SfIp* dstIP, uint16_t dstPort, + uint16_t vlan, uint32_t mplsId, + unsigned flowdata_id, const DAQ_PktHdr_t& pkth) +{ + Flow* flow = get_flow( + type, proto, srcIP, srcPort, dstIP, dstPort, + vlan, mplsId, pkth); + + if (!flow) + return nullptr; + + return flow->get_flow_data(flowdata_id); +} + +//------------------------------------------------------------------------- //------------------------------------------------------------------------- // session status //------------------------------------------------------------------------- diff --git a/src/stream/stream.h b/src/stream/stream.h index bf0562bf6..749fda2c5 100644 --- a/src/stream/stream.h +++ b/src/stream/stream.h @@ -26,6 +26,8 @@ #include +#include + #include "flow/flow.h" class HostAttributesDescriptor; @@ -185,7 +187,13 @@ public: static FlowData* get_flow_data( PktType type, IpProtocol proto, const snort::SfIp* a1, uint16_t p1, const snort::SfIp* a2, uint16_t p2, - uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, unsigned flowdata_id); + uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, unsigned flowdata_id, + int16_t ingress_group = DAQ_PKTHDR_UNKNOWN, int16_t egress_group = DAQ_PKTHDR_UNKNOWN); + + static FlowData* get_flow_data( + PktType type, IpProtocol proto, + const snort::SfIp* a1, uint16_t p1, const snort::SfIp* a2, uint16_t p2, + uint16_t vlanId, uint32_t mplsId, unsigned flowdata_id, const DAQ_PktHdr_t&); // Get pointer to application data for a flow using the FlowKey as the lookup criteria static FlowData* get_flow_data(const FlowKey*, unsigned flowdata_id); @@ -195,7 +203,13 @@ public: static Flow* get_flow( PktType type, IpProtocol proto, const snort::SfIp* a1, uint16_t p1, const snort::SfIp* a2, uint16_t p2, - uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId); + uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId, + int16_t ingress_group = DAQ_PKTHDR_UNKNOWN, int16_t egress_group = DAQ_PKTHDR_UNKNOWN); + + static Flow* get_flow( + PktType type, IpProtocol proto, + const snort::SfIp* a1, uint16_t p1, const snort::SfIp* a2, uint16_t p2, + uint16_t vlanId, uint32_t mplsId, const DAQ_PktHdr_t&); // Delete the session if it is in the closed session state. // Handle session block pending state