From: Russ Combs (rucombs) Date: Thu, 18 Apr 2019 00:12:37 +0000 (-0400) Subject: Merge pull request #1579 in SNORT/snort3 from ~MIALTIZE/snort3:misc_fixes to master X-Git-Tag: 3.0.0-254~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3096be3173a455a3386fc268ce20d5293931e96;p=thirdparty%2Fsnort3.git Merge pull request #1579 in SNORT/snort3 from ~MIALTIZE/snort3:misc_fixes to master Squashed commit of the following: commit d7a95b1ffbc9d5624eec6487b4190aca2eb870ab Author: Michael Altizer Date: Wed Apr 17 16:17:41 2019 -0400 build: Remove perpetually stale reference to lua_plugffi.h commit 57d3b9bbec7694a892616c81221f4733e6592114 Author: Michael Altizer Date: Tue Oct 16 01:35:50 2018 -0400 log_pcap, packet_capture: Don't try to use a DAQ pkthdr as a PCAP pkthdr This is not forward-compatible and generally bad practice. Build the PCAP pkthdr manually instead. commit bae93a9ced6e132a0c4bbd8eb078ef39d7dc40cf Author: Michael Altizer Date: Tue Apr 16 18:31:03 2019 -0400 analyzer: Print pause indicator from analyzer threads commit a82a42d59d9058be8202f1b567e2174073e9ef6e Author: Michael Altizer Date: Tue Apr 9 14:56:27 2019 -0400 stream_tcp: Try to work with a cleaner Packet when purging at shutdown
---
diff --git a/src/loggers/log_pcap.cc b/src/loggers/log_pcap.cc
index ec4d3c8bd..9ad6f8075 100644
--- a/src/loggers/log_pcap.cc
+++ b/src/loggers/log_pcap.cc
@@ -132,7 +132,11 @@ static void LogTcpdumpSingle(
 if ( data->limit && (context.size + dumpSize > data->limit) )
 TcpdumpRollLogFile(data);
- pcap_dump((uint8_t*)context.dumpd, reinterpret_cast(p->pkth), p->pkt);
+ struct pcap_pkthdr pcaphdr;
+ pcaphdr.ts = p->pkth->ts;
+ pcaphdr.caplen = p->pkth->caplen;
+ pcaphdr.len = p->pkth->pktlen;
+ pcap_dump((uint8_t*)context.dumpd, &pcaphdr, p->pkt);
 context.size += dumpSize;
 if (!SnortConfig::line_buffered_logging()) // FIXIT-L misnomer
diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc
index 0c6826179..ebda8a2d1 100644
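Review bot: The four new lines that build `pcaphdr` from `p->pkth` (ts, caplen, and len from pktlen) are repeated verbatim in PacketCapture::write_packet in packet_capture.cc; both loggers translate the same DAQ header into a libpcap one, so the conversion belongs in one shared inline helper so the two copies cannot drift apart the next time the DAQ header layout changes, which is exactly what this commit is working around. It is also worth confirming that caplen can never exceed the snaplen the dumper was opened with, since pcap_dump does not clamp it and most readers reject a record whose caplen is larger than the file's snaplen. LogTcpdumpSingle's body starts and ends outside the hunk.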
--- a/src/main/analyzer.cc
+++ b/src/main/analyzer.cc
@@ -208,7 +208,10 @@ void Analyzer::stop()
 void Analyzer::pause()
 {
 if (state == State::RUNNING)
+ {
 set_state(State::PAUSED);
+ LogMessage("== [%u] paused\n", id);
+ }
 else
 ErrorMessage("Analyzer: Received PAUSE command while in state %s\n", get_state_string());
diff --git a/src/managers/CMakeLists.txt b/src/managers/CMakeLists.txt
index 4a208dec1..b52dae63b 100644
--- a/src/managers/CMakeLists.txt
+++ b/src/managers/CMakeLists.txt
@@ -7,7 +7,6 @@ set (LUA_INCLUDES
 )
 set (CPP_INCLUDES
- ${CMAKE_CURRENT_BINARY_DIR}/lua_plugffi.h
 ${CMAKE_CURRENT_BINARY_DIR}/lua_bootstrap.h
 ${CMAKE_CURRENT_BINARY_DIR}/lua_coreinit.h
 )
@@ -18,6 +17,7 @@ set( MANAGERS_INCLUDES
 )
 add_library( managers OBJECT
+ ${LUA_INCLUDES}
 ${MANAGERS_INCLUDES}
 ${CPP_INCLUDES}
 action_manager.h
@@ -44,7 +44,7 @@ add_library( managers OBJECT
 )
 add_custom_command (
- OUTPUT lua_plugffi.h snort_plugin.lua
+ OUTPUT plugffi.lua snort_plugin.lua
 COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/ffi_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR}/lua_plugin_defs.h > plugffi.lua
 COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/plugffi.lua ${CMAKE_CURRENT_BINARY_DIR}/snort_plugin.lua
 )
diff --git a/src/network_inspectors/packet_capture/packet_capture.cc b/src/network_inspectors/packet_capture/packet_capture.cc
index 8737318fa..68248a54d 100644
--- a/src/network_inspectors/packet_capture/packet_capture.cc
+++ b/src/network_inspectors/packet_capture/packet_capture.cc
@@ -219,8 +219,11 @@ void PacketCapture::eval(Packet* p)
 void PacketCapture::write_packet(Packet* p)
 {
- //DAQ_PktHdr_t is compatible with pcap_pkthdr
- pcap_dump((unsigned char*)dumper, (const pcap_pkthdr*)p->pkth, p->pkt);
+ struct pcap_pkthdr pcaphdr;
+ pcaphdr.ts = p->pkth->ts;
+ pcaphdr.caplen = p->pkth->caplen;
+ pcaphdr.len = p->pkth->pktlen;
+ pcap_dump((unsigned char*)dumper, &pcaphdr, p->pkt);
 pcap_dump_flush(dumper);
 }
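Review bot: `LogMessage("== [%u] paused\n", id);` pairs a `%u` conversion with `id`, whose declared type is not visible in the hunk; if `id` is anything other than `unsigned` the call is undefined behaviour, so the declaration in analyzer.h should be checked or the argument made explicit, `LogMessage("== [%u] paused\n", (unsigned)id);`. The commit message says this indicator is printed from analyzer threads, so LogMessage is presumably already safe to call concurrently from them. If the resume path has no matching message, a `== [%u] resumed` line there would keep the two state transitions symmetric in the log.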
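Review bot: The `add_custom_command` that produces `plugffi.lua` and `snort_plugin.lua` closes at the end of the third hunk with no `DEPENDS` clause, so the generated FFI wrapper is not regenerated when `lua_plugin_defs.h` or `ffi_wrap.sh` changes and can silently go stale against the header it describes, unless that dependency is declared somewhere outside the hunk. Adding `DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/lua_plugin_defs.h ${CMAKE_CURRENT_SOURCE_DIR}/ffi_wrap.sh` before the closing paren would make the rebuild automatic. The `${LUA_INCLUDES}` entry added to the `managers` sources in the second hunk is presumably what now ties these outputs into the build after `lua_plugffi.h` was dropped from CPP_INCLUDES; LUA_INCLUDES itself is defined above the first hunk and not visible here.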
diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index 7cf2510ac..63f557605 100644
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
@@ -524,9 +524,10 @@ Packet* TcpReassembler::initialize_pdu(
 trs.sos.session->GetPacketHeaderFoo(&pkth, pkt_flags);
 PacketManager::format_tcp(enc_flags, p, pdu, PSEUDO_PKT_TCP, &pkth, pkth.opaque);
 prep_pdu(trs, trs.sos.session->flow, p, pkt_flags, pdu);
- (const_cast(pdu->pkth))->ts = tv;
+ assert(pdu->pkth == pdu->context->pkth);
+ pdu->context->pkth->ts = tv;
 // FIXIT-M: This hack will go away with daqng
- (const_cast(pdu->pkth))->priv_ptr = p->pkth->priv_ptr;
+ pdu->context->pkth->priv_ptr = p->pkth->priv_ptr;
 pdu->dsize = 0;
 pdu->data = nullptr;
 return pdu;
@@ -811,13 +812,21 @@ void TcpReassembler::final_flush(TcpReassemblerState& trs, Packet* p, uint32_t d
 static Packet* set_packet(Flow* flow, uint32_t flags, bool c2s)
 {
+ // FIXIT-M this implicitly relies on a fresh packet/context being pushed by Flow::reset()
+ // calling DetectionEngine::set_next_packet() while passing a null Packet through the
+ // cleanup routines, which is super hinky, but also why we don't need to call p->reset().
+ // The end result is a skeleton of a TCP PDU packet with no data and the IPs/ports/flow set.
+ // We should probably be clearing more Packet fields.
 Packet* p = DetectionEngine::get_current_packet();
- p->reset();
- DAQ_PktHdr_t* ph = const_cast(p->pkth);
+ assert(p->pkth == p->context->pkth);
+ DAQ_PktHdr_t* ph = p->context->pkth;
 memset(ph, 0, sizeof(*ph));
 packet_gettimeofday(&ph->ts);
+ p->data = nullptr;
+ p->dsize = 0;
+ p->ptrs.set_pkt_type(PktType::PDU);
 p->proto_bits |= PROTO_BIT__TCP;
 p->flow = flow;
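Review bot: The new `pdu->context->pkth->ts = tv;` and `priv_ptr` writes depend on `pdu->pkth` aliasing `pdu->context->pkth`, but that invariant is checked only by `assert`, which disappears under NDEBUG; if PacketManager::format_tcp (called three lines above) can ever leave `pdu->pkth` pointing elsewhere, a release build would silently stamp a header the PDU does not carry, which is harder to diagnose than the const_cast it replaces. A one-line comment making the relationship explicit would help the next reader, e.g. `// pdu->pkth must alias the context header here; writing through the context avoids the const_cast`. The same assert-guarded pattern is introduced in set_packet in the following hunk. initialize_pdu's body starts outside the hunk.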