From: Michael Altizer (mialtize)
Date: Fri, 14 Sep 2018 17:38:09 +0000 (-0400)
Subject: Merge pull request #1344 in SNORT/snort3 from offload_active to master
X-Git-Tag: 3.0.0-248~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d24f41e490c566167ff4944d1459c5e33e254592;p=thirdparty%2Fsnort3.git

Merge pull request #1344 in SNORT/snort3 from offload_active to master

Squashed commit of the following:

commit 9f8c35fd54dcd56b3212f025b6b8bf31b5359654
Author: Carter Waxman
Date: Mon Aug 27 13:37:58 2018 -0400

    DetectionEngine: run active actions at onload
---
diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index 10606d65d..53fae34df 100644
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -76,13 +76,10 @@ DetectionEngine::DetectionEngine()
 DetectionEngine::~DetectionEngine()
 {
- ContextSwitcher* sw = Snort::get_switcher();
-
- if ( context == sw->get_context() )
+ if ( context == Snort::get_switcher()->get_context() )
 {
+ // finish_packet is called here so that we clear wire packets at the right time
 finish_packet(context->packet);
- sw->complete();
- context->post_detection();
 }
 }
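Review bot: The comment added above `finish_packet(context->packet)` explains only the wire-packet timing, but the destructor now also depends on finish_packet() calling post_detection() and the switcher's complete() — the two calls this hunk removes — and nothing in the destructor says so. Suggest `// finish_packet clears wire packets at the right time; it also runs post_detection() and completes the context`. The guard still compares `context` with the switcher's current context, which is what makes finish_packet's unconditional complete() act on the context this object owns; if that is the guard's purpose, stating it in the same comment will stop a later cleanup from relaxing the check.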
@@ -132,6 +129,36 @@ Packet* DetectionEngine::set_next_packet(Packet* parent)
 return p;
 }
+void DetectionEngine::finish_inspect_with_latency(Packet* p)
+{
+ DetectionEngine::set_check_tags();
+
+ // By checking tagging here, we make sure that we log the
+ // tagged packet whether it generates an alert or not.
+
+ if ( p->has_ip() )
+ check_tags(p);
+
+ InspectorManager::probe(p);
+}
+
+void DetectionEngine::finish_inspect(Packet* p, bool inspected)
+{
+ log_events(p);
+
+ Active::apply_delayed_action(p);
+
+ // clear closed sessions here after inspection since non-stream
+ // inspectors may depend on flow information
+ // this also handles block pending state
+ Stream::check_flow_closed(p);
+
+ if ( inspected )
+ InspectorManager::clear(p);
+
+ clear_events(p);
+}
+
 void DetectionEngine::finish_packet(Packet* p)
 {
 log_events(p);
@@ -141,6 +168,9 @@ void DetectionEngine::finish_packet(Packet* p)
 // clean up any failed rebuilds
 const IpsContext* c = Snort::get_switcher()->get_next();
 c->packet->release_helpers();
+
+ p->context->post_detection();
+ Snort::get_switcher()->complete();
 }
 uint8_t* DetectionEngine::get_buffer(unsigned& max)
@@ -304,11 +334,9 @@ void DetectionEngine::onload()
 sw->resume(id);
 fp_onload(p);
+ finish_inspect_with_latency(p); // FIXIT-L should latency be evaluated here?
+ finish_inspect(p, true);
 finish_packet(p);
-
- InspectorManager::clear(p);
- sw->complete();
- c->post_detection();
 }
 bool DetectionEngine::offload(Packet* p)
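Review bot: The name `finish_inspect_with_latency` promises latency handling, but its body (`set_check_tags`, `check_tags`, `probe`) does none; the FIXIT-L at its onload() call site in the `@@ -304,11` hunk suggests the suffix describes where inspect() calls it (presumably inside a latency-scoped block whose opening brace lies outside the `@@ -411,29` hunk) rather than what it does. Either rename it for what it does (e.g. `finish_inspect_probe`) or add above the definition `// post-inspection tag check and probe; inspect() calls this inside its latency scope, onload() outside it`. finish_inspect() likewise has no header comment although its `Active::apply_delayed_action(p)` is the effect the commit title refers to — delayed block/drop verdicts now being applied on the onload path too — so a one-line comment naming that, plus what `inspected` controls, would let a reader of the declaration pick the right helper without reading both bodies.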
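Review bot: `p->context->post_detection()` now runs before `Snort::get_switcher()->complete()`, the reverse of the order at both call sites the commit removes (`sw->complete(); context->post_detection();` in the destructor hunk and `sw->complete(); c->post_detection();` in the `@@ -304,11` hunk), and the commit message does not mention the reordering. If it is intentional it deserves a comment, e.g. `// post_detection() before complete(): p->context must still be the switcher's current context here`; if complete() leaves the context usable and the order is immaterial, say that instead. finish_packet() also now completes the switcher's current context unconditionally, so every caller must have made `p->context` current first (onload() does so with `sw->resume(id)` before calling it) — a precondition comment on finish_packet would make that contract visible. finish_packet's body begins outside this hunk.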
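Review bot: With `c->post_detection()` removed, the local `c` in onload() may now be unused in this function; its declaration is outside the hunk, so confirm and drop it if nothing else reads it. `finish_inspect(p, true)` hard-codes `inspected`, whereas inspect() passes a computed value in the `@@ -411,29` hunk; if the onload path is reachable only for packets that were inspected before offload(), a comment such as `// offloaded packets were inspected before offload(), so inspector state is cleared here` would justify the literal. Since this is now the path that applies `Active::apply_delayed_action(p)` for offloaded packets, the call order here — probe, then delayed action and flow-close check, then finish_packet() — is worth keeping documented next to the FIXIT-L rather than left implicit.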
@@ -411,29 +439,9 @@ void DetectionEngine::inspect(Packet* p)
 return; // don't finish out offloaded packets
 }
 }
- DetectionEngine::set_check_tags();
-
- // By checking tagging here, we make sure that we log the
- // tagged packet whether it generates an alert or not.
-
- if ( p->has_ip() )
- check_tags(p);
-
- InspectorManager::probe(p);
+ finish_inspect_with_latency(p);
 }
-
- log_events(p);
- Active::apply_delayed_action(p);
-
- // clear closed sessions here after inspection since non-stream
- // inspectors may depend on flow information
- // this also handles block pending state
- Stream::check_flow_closed(p);
-
- if ( inspected )
- InspectorManager::clear(p);
-
- clear_events(p);
+ finish_inspect(p, inspected);
 }
 //--------------------------------------------------------------------------
diff --git a/src/detection/detection_engine.h b/src/detection/detection_engine.h
index e6015ab41..4f5af57cf 100644
--- a/src/detection/detection_engine.h
+++ b/src/detection/detection_engine.h
@@ -107,6 +107,8 @@ private:
 static int log_events(Packet*);
 static void clear_events(Packet*);
+ static void finish_inspect_with_latency(Packet*);
+ static void finish_inspect(Packet*, bool inspected);
 static void finish_packet(Packet*);
 private:
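Review bot: The early `return; // don't finish out offloaded packets` now skips both new helpers, so for an offloaded packet the delayed Active action, `Stream::check_flow_closed()` and `clear_events()` happen only when onload() later calls `finish_inspect(p, true)` in the `@@ -304,11` hunk. That hand-off is the point of the commit but is invisible from inspect(); extending the comment to `// don't finish out offloaded packets; onload() runs finish_inspect()/finish_packet() for them` would record it where the next reader looks. inspect()'s body begins outside the hunk, and the block that `finish_inspect_with_latency(p)` closes was opened outside it as well.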
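Review bot: The new declaration `static void finish_inspect(Packet*, bool inspected);` names only its bool parameter while the neighbouring declarations (`log_events(Packet*)`, `finish_packet(Packet*)`) and the new line just above it name none; pick one convention for the pair, e.g. `static void finish_inspect(Packet* p, bool inspected);`. Neither new helper carries a comment, and nothing in the header distinguishes them from finish_packet(), so a one-line comment on each saying which stage of inspect()/onload() it serves would help readers of the header who never open the .cc.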