From: Masud Hasan (mashasan)
Date: Fri, 2 Apr 2021 19:35:34 +0000 (+0000)
Subject: Merge pull request #2822 in SNORT/snort3 from ~MASHASAN/snort3:iprep_reload to master
X-Git-Tag: 3.1.4.0~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd229e5c07e3e33fba1888293fc5c5ba1a228f0a;p=thirdparty%2Fsnort3.git
Merge pull request #2822 in SNORT/snort3 from ~MASHASAN/snort3:iprep_reload to master
Squashed commit of the following:
commit 7f1303b3e1e50a8986acd72989e37bb0d8f9461e
Author: Masud Hasan
Date: Tue Mar 30 20:35:41 2021 -0400
reputation: Registering inspector to the IT_FIRST type
commit df1ace6dae83f3959acd3a226de38e54f8940957
Author: Masud Hasan
Date: Tue Mar 30 20:11:08 2021 -0400
framework: Adding IT_FIRST inspector type to analyze the first packet of a flow
commit 4be59cff4ad586e556306aa5dba3914d0ccab076
Author: Masud Hasan
Date: Tue Mar 30 15:45:45 2021 -0400
main: Adding reload id to track config/module/policy reloads
---
diff --git a/src/flow/flow.h b/src/flow/flow.h
index a34540392..6005154d5 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -439,7 +439,7 @@ public: // FIXIT-M privatize if possible
 unsigned inspection_policy_id;
 unsigned ips_policy_id;
 unsigned network_policy_id;
- unsigned reputation_id;
+ unsigned reload_id;
 uint32_t default_session_timeout;
diff --git a/src/framework/inspector.cc b/src/framework/inspector.cc
index 34d58cc13..3e232707e 100644
--- a/src/framework/inspector.cc
+++ b/src/framework/inspector.cc
@@ -128,6 +128,7 @@ static const char* InspectorTypeNames[IT_MAX] =
 "wizard",
 "packet",
 "stream",
+ "first",
 "network",
 "service",
 "control",
diff --git a/src/framework/inspector.h b/src/framework/inspector.h
index ef85cfb74..86091ab46 100644
--- a/src/framework/inspector.h
+++ b/src/framework/inspector.h
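Review bot: `unsigned reload_id;` in the flow.h hunk carries no initializer (neither did the `reputation_id` it replaces), so the `p->flow->reload_id != sc->reload_id` test that inspector_manager.cc gains in this diff only works if a freshly created flow starts at a value no live config ever has; that presumably comes from whatever zeroes the Flow on allocation or reset, which is outside this diff. A short comment on the field would tie the two sides together, e.g. `unsigned reload_id; // SnortConfig::reload_id last seen by the IT_FIRST inspectors on this flow; 0 = never run`. The enclosing Flow class begins and ends outside the hunk.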
@@ -189,7 +189,8 @@ enum InspectorType
 IT_WIZARD, // guesses service inspector
 IT_PACKET, // processes raw packets only (eg normalize, capture)
 IT_STREAM, // flow tracking and reassembly (eg ip, tcp, udp)
- IT_NETWORK, // process packets w/o service (eg arp, bo, rep)
+ IT_FIRST, // analyze 1st pkt of new flow and 1st pkt after reload of ongoing flow (eg rep)
+ IT_NETWORK, // process packets w/o service (eg arp, bo)
 IT_SERVICE, // extract and analyze service PDUs (eg dce, http, ssl)
 IT_CONTROL, // process all packets before detection (eg appid)
 IT_PROBE, // process all packets after detection (eg perf_monitor, port_scan)
diff --git a/src/main.cc b/src/main.cc
index f63f652a5..3c26a0a1d 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -393,6 +393,7 @@ int main_reload_config(lua_State* L)
 }
 PluginManager::reload_so_plugins_cleanup(sc);
+ sc->update_reload_id();
 SnortConfig::set_conf(sc);
 TraceApi::thread_reinit(sc->trace_config);
 proc_stats.conf_reloads++;
@@ -435,6 +436,7 @@ int main_reload_policy(lua_State* L)
 current_request->respond("== reload failed\n");
 return 0;
 }
+ sc->update_reload_id();
 SnortConfig::set_conf(sc);
 proc_stats.policy_reloads++;
@@ -476,6 +478,7 @@ int main_reload_module(lua_State* L)
 current_request->respond("== reload failed\n");
 return 0;
 }
+ sc->update_reload_id();
 SnortConfig::set_conf(sc);
 proc_stats.policy_reloads++;
diff --git a/src/main/snort.cc b/src/main/snort.cc
index 6e8048ebb..713a98252 100644
--- a/src/main/snort.cc
+++ b/src/main/snort.cc
@@ -213,6 +213,7 @@ void Snort::init(int argc, char** argv)
 IpsManager::global_init(sc);
 sc->post_setup();
+ sc->update_reload_id();
 const MpseApi* search_api = sc->fast_pattern_config->get_search_api();
 const MpseApi* offload_search_api = sc->fast_pattern_config->get_offload_search_api();
diff --git a/src/main/snort_config.cc b/src/main/snort_config.cc
index 615127e8e..2f6298a93 100644
--- a/src/main/snort_config.cc
+++ b/src/main/snort_config.cc
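Review bot: `IT_FIRST` is inserted between `IT_STREAM` and `IT_NETWORK` instead of being appended, which renumbers every later `InspectorType` value; the in-tree `InspectorTypeNames` table in inspector.cc is updated in step, but an inspector plugin built against the previous header would now register with the wrong type, since the reputation hunk in this diff shows the type is stored as the raw enum in `InspectApi`. If the inspector API version macro (`INSAPI_VERSION` in this header, outside the hunk) is not bumped in the same release, that seems worth doing so stale plugins are rejected at load rather than mis-dispatched. The new comment line is also the only statement of the "run again after a reload" contract that inspector_manager.cc now implements; a pointer back to it at the `reload_id` check there would help.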
@@ -984,6 +984,12 @@ void SnortConfig::clear_reload_resource_tuner_list() reload_tuners.clear(); } +void SnortConfig::update_reload_id() +{ + static unsigned reload_id_tracker = 0; + reload_id = ++reload_id_tracker; +} + void SnortConfig::cleanup_fatal_error() { // FIXIT-L need a generic way to manage type other threads diff --git a/src/main/snort_config.h b/src/main/snort_config.h index 8070ab104..6569c66f4 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -425,6 +425,7 @@ public: bool cloned = false; Plugins* plugins = nullptr; SoRules* so_rules = nullptr; + unsigned reload_id = 0; DumpConfigType dump_config_type = DUMP_CONFIG_NONE; private: @@ -664,6 +665,8 @@ public: void clear_reload_resource_tuner_list(); + void update_reload_id(); + bool get_default_rule_state() const; ConfigOutput* create_config_output() const; diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc index 62f3eae46..0736cf176 100644 --- a/src/managers/inspector_manager.cc +++ b/src/managers/inspector_manager.cc @@ -222,6 +222,7 @@ struct FrameworkPolicy PHVector passive; PHVector packet; + PHVector first; PHVector network; PHVector session; PHVector service; @@ -279,6 +280,7 @@ void FrameworkPolicy::vectorize(SnortConfig* sc) { passive.alloc(ilist.size()); packet.alloc(ilist.size()); + first.alloc(ilist.size()); network.alloc(ilist.size()); session.alloc(ilist.size()); service.alloc(ilist.size()); @@ -300,6 +302,10 @@ void FrameworkPolicy::vectorize(SnortConfig* sc) packet.add(p); break; + case IT_FIRST: + first.add(p); + break; + case IT_NETWORK: network.add(p); break; @@ -1251,6 +1257,13 @@ void InspectorManager::internal_execute(Packet* p) if ( !p->flow ) { + if ( fp_dft != fp ) + ::execute(p, fp_dft->first.vec, fp_dft->first.num); + ::execute(p, fp->first.vec, fp->first.num); + + if ( p->disable_inspect ) + return; + if (fp_dft != fp) ::execute(p, fp_dft->network.vec, fp_dft->network.num); ::execute(p, fp->network.vec, fp->network.num); 
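Review bot: `update_reload_id()` drops the zero-skip that the `create_reputation_id()` removed elsewhere in this diff had, so if `reload_id_tracker` ever wraps the live config id becomes 0, which is also the value a zero-filled `Flow::reload_id` presumably starts at; the `p->flow->reload_id != sc->reload_id` check in inspector_manager.cc would then skip the IT_FIRST inspectors for every new flow until the next reload. Two-to-the-32 reloads is not a realistic scenario, but the guard is one line and the old code paid for it: `if ( ++reload_id_tracker == 0 ) ++reload_id_tracker;` followed by `reload_id = reload_id_tracker;`. The function-local static is updated without synchronization; that is fine if every caller runs on the main thread, which looks true for `Snort::init` and the three `main_reload_*` handlers in this diff but deserves a comment such as `// main thread only: ids are monotonic and never 0, so a flow stamped 0 has not yet seen the IT_FIRST inspectors`. Each caller also bumps the id before `SnortConfig::set_conf(sc)`, so packet threads never observe a new config with a stale id, which is the right order.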
@@ -1265,6 +1278,17 @@ void InspectorManager::internal_execute(Packet* p)
 if ( !p->has_paf_payload() and p->flow->flow_state == Flow::FlowState::INSPECT )
 p->flow->session->process(p);
+ if ( p->flow->reload_id != sc->reload_id )
+ {
+ if ( fp_dft != fp )
+ ::execute(p, fp_dft->first.vec, fp_dft->first.num);
+ ::execute(p, fp->first.vec, fp->first.num);
+
+ p->flow->reload_id = sc->reload_id;
+ if ( p->disable_inspect )
+ return;
+ }
+
 if ( !p->flow->service )
 {
 if (fp_dft != fp)
diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc
index df994d7ac..5a9214c4b 100644
--- a/src/network_inspectors/reputation/reputation_inspect.cc
+++ b/src/network_inspectors/reputation/reputation_inspect.cc
@@ -312,14 +312,6 @@ static void snort_reputation(ReputationConfig* config, Packet* p)
 }
 }
-static unsigned create_reputation_id()
-{
- static unsigned reputation_id_tracker = 0;
- if (++reputation_id_tracker == 0)
- ++reputation_id_tracker;
- return reputation_id_tracker;
-}
-
 static const char* to_string(NestedIP nip)
 {
 switch (nip)
@@ -385,7 +377,6 @@ static const char* to_string(IPdecision ipd)
 Reputation::Reputation(ReputationConfig* pc)
 {
- reputation_id = create_reputation_id();
 config = *pc;
 ReputationConfig* conf = &config;
 if (!config.list_dir.empty())
@@ -426,14 +417,6 @@ void Reputation::eval(Packet* p)
 if (p->is_rebuilt())
 return;
- if (p->flow)
- {
- if (p->flow->reputation_id == reputation_id) // reputation previously checked
- return;
- else
- p->flow->reputation_id = reputation_id; // disable future reputation checking
- }
-
 snort_reputation(&config, p);
 ++reputationstats.packets;
 }
@@ -475,7 +458,7 @@ const InspectApi reputation_api =
 mod_ctor,
 mod_dtor
 },
- IT_NETWORK,
+ IT_FIRST,
 PROTO_BIT__ANY_IP,
 nullptr, // buffers
 nullptr, // service
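Review bot: The reload block stamps `p->flow->reload_id = sc->reload_id` before testing `p->disable_inspect`, which is right (a flow dropped after a reload must not be re-evaluated on every later packet), but nothing in this diff stamps `Flow::reload_id` when a flow is created, so a flow born on a packet that already went through the `!p->flow` path of the previous hunk will, on its next packet, fail the `!= sc->reload_id` test and run the IT_FIRST inspectors a second time. The removed reputation code in this same file section appears to have behaved the same way (its `if (p->flow)` gate was only armed once a flow existed), so if the double pass is intended a comment here saying so would keep the next reader from "fixing" it; otherwise stamping the id where the flow is created would avoid the extra lookup. Stylistically, the `if ( fp_dft != fp ) ::execute(...dft...); ::execute(...fp...);` pair now appears four times in `internal_execute`; a small static helper taking `Packet*` and the two `PHVector`s would shorten both new blocks. `internal_execute` begins and ends outside the hunk.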
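Review bot: With the per-flow gate deleted, `Reputation::eval` now evaluates every packet handed to it and relies entirely on the IT_FIRST dispatch in inspector_manager.cc for the once-per-flow and once-after-reload behaviour, a contract that is invisible from this file. A comment above `snort_reputation(&config, p);` such as `// IT_FIRST: the framework calls eval() once per new flow and once more after a reload; no per-flow gate is needed here` would preserve the intent the removed lines used to document. `Reputation::eval` starts outside the hunk.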
diff --git a/src/network_inspectors/reputation/reputation_inspect.h b/src/network_inspectors/reputation/reputation_inspect.h
index b82fc52bf..52ef957f3 100644
--- a/src/network_inspectors/reputation/reputation_inspect.h
+++ b/src/network_inspectors/reputation/reputation_inspect.h
@@ -33,7 +33,6 @@ public:
 private:
 ReputationConfig config;
- unsigned reputation_id;
 };
 #endif