From: Russ Combs Date: Fri, 21 Oct 2016 23:33:54 +0000 (-0400) Subject: continue refactoring to build out DetectionEngine X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d88d3ad057519f9197b3deeeabc297d55982edc0;p=thirdparty%2Fsnort3.git continue refactoring to build out DetectionEngine --- diff --git a/extra/src/inspectors/http_server/hi_main.cc b/extra/src/inspectors/http_server/hi_main.cc index c74315c3d..bdf50aab5 100644 --- a/extra/src/inspectors/http_server/hi_main.cc +++ b/extra/src/inspectors/http_server/hi_main.cc @@ -609,7 +609,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( p->alt_dsize == 0 ) { - DisableDetect(); + DetectionEngine::disable_content(); return 0; } { @@ -898,7 +898,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( !GetHttpBufferMask() && (p->alt_dsize == 0) ) { - DisableDetect(); + DetectionEngine::disable_content(); return 0; } } @@ -915,7 +915,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( !(session->server_conf->inspect_response) && IsLimitedDetect(p) && !p->alt_dsize ) { - DisableDetect(); + DetectionEngine::disable_content(); return 0; } ClearHttpBuffers(); @@ -1089,7 +1089,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( IsLimitedDetect(p) && !GetHttpBufferMask() && (p->alt_dsize == 0) ) { - DisableDetect(); + DetectionEngine::disable_content(); return 0; } } @@ -1107,7 +1107,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) */ { Profile exclude(hiPerfStats); - DetectionEngine::process(p); + DetectionEngine::detect(p); } /* 
@@ -1120,11 +1120,8 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p) if ( iCallDetect == 0 ) { - // DetectionEngine::process called at least once from above pkt processing loop. - // FIXIT-M this throws off nfp rules like this: - // alert tcp any any -> any any ( sid:1; msg:"1"; flags:S; ) - // (check shutdown counts) - DisableInspection(); + // DetectionEngine::detect called at least once from above pkt processing loop. + DetectionEngine::disable_content(); } return 0; diff --git a/src/detection/detect.cc b/src/detection/detect.cc index c4439ddb5..a56fcf751 100644 --- a/src/detection/detect.cc +++ b/src/detection/detect.cc 
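Review bot: Replacing `DisableInspection()` with `DetectionEngine::disable_content()` in the `iCallDetect == 0` branch changes behaviour, not just the API: non-content rules are now still evaluated for this packet in the main detection pass, whereas before all rule evaluation was suppressed. That is presumably intended, since it addresses the deleted FIXIT about nfp rules like `flags:S` never firing, but the "continue refactoring" commit message does not say so, and because `DetectionEngine::detect` already ran at least once in the loop above, the same non-content rules may now be evaluated twice on this packet. Either keep the semantically equivalent `DetectionEngine::disable_all()` here, or keep the new call and document the decision: `// content detection is done; leave non-content rules enabled so nfp rules (e.g. flags:S) still fire in the main pass - check for duplicate nfp alerts`. HttpInspectMain begins well before this hunk.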
@@ -58,87 +58,13 @@ THREAD_LOCAL ProfileStats detectPerfStats; THREAD_LOCAL ProfileStats eventqPerfStats; THREAD_LOCAL ProfileStats rebuiltPacketPerfStats; -THREAD_LOCAL bool do_detect; -THREAD_LOCAL bool do_detect_content; +static THREAD_LOCAL bool check_tags_flag = false; -SO_PUBLIC void DisableDetect() -{ do_detect_content = false; } - -SO_PUBLIC void DisableInspection() -{ do_detect = do_detect_content = false; } - -static THREAD_LOCAL char check_tags_flag; - -static int CheckTagging(Packet*); +void enable_tags() +{ check_tags_flag = true; } void snort_ignore(Packet*) { } -void snort_inspect(Packet* p) -{ - bool inspected = false; - { - PacketLatency::Context pkt_latency_ctx { p }; - - // If the packet has errors, we won't analyze it. - if ( p->ptrs.decode_flags & DECODE_ERR_FLAGS ) - { - DebugFormat(DEBUG_DETECT, - "Packet errors = 0x%x, ignoring traffic!\n", - (p->ptrs.decode_flags & DECODE_ERR_FLAGS)); - - if ( SnortConfig::inline_mode() and - SnortConfig::checksum_drop(p->ptrs.decode_flags & DECODE_ERR_CKSUM_ALL) ) - { - DebugMessage(DEBUG_DECODE, "Dropping bad packet\n"); - Active::drop_packet(p); - } - } - else - { - do_detect = do_detect_content = true; - - /* - ** Reset the appropriate application-layer protocol fields - */ - p->alt_dsize = 0; - - InspectorManager::execute(p); - inspected = true; - - Active::apply_delayed_action(p); - - if ( do_detect ) - DetectionEngine::process(p); - } - - check_tags_flag = 1; - - /* - ** By checking tagging here, we make sure that we log the - ** tagged packet whether it generates an alert or not. - */ - if ( p->has_ip() ) - CheckTagging(p); - - // clear closed sessions here after inspection since non-stream - // inspectors may depend on flow information - // FIXIT-H but this result in double clearing? should normal - // clear_session() calls be deleted from stream? 
this is a - // performance hit on short-lived flows - Stream::check_flow_closed(p); - } - - Profile profile(eventqPerfStats); - SnortEventqLog(p); - SnortEventqReset(); - - if ( inspected ) - InspectorManager::clear(p); - - // Handle block pending state - Stream::check_flow_block_pending(p); -} - void snort_log(Packet* p) { pc.log_pkts++; @@ -149,7 +75,7 @@ void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg) { event->event_id = event_id | SnortConfig::get_event_log_id(); - check_tags_flag = 0; + check_tags_flag = false; pc.log_pkts++; OutputSet* idx = head ? head->LogList : NULL; @@ -166,7 +92,7 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) event.event_id = event_id | SnortConfig::get_event_log_id(); event.event_reference = event.event_id; - check_tags_flag = 0; + check_tags_flag = false; pc.log_pkts++; OutputSet* idx = head ? head->LogList : NULL; @@ -199,10 +125,6 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) } /* -** NAME -** CheckTagging:: -*/ -/** ** This is where we check to see if we tag the packet. We only do ** this if we've alerted on a non-pass rule and the packet is not ** rebuilt. @@ -210,14 +132,12 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) ** We don't log rebuilt packets because the output plugins log the ** individual packets of a rebuilt stream, so we don't want to dup ** tagged packets for rebuilt streams. -** -** @return integer */ -int CheckTagging(Packet* p) +void check_tags(Packet* p) { Event event; - if (check_tags_flag == 1 && !(p->packet_flags & PKT_REBUILT_STREAM)) + if ( check_tags_flag and !(p->packet_flags & PKT_REBUILT_STREAM) ) { void* listhead = NULL; DebugMessage(DEBUG_FLOW, "calling CheckTagList\n"); @@ -233,8 +153,6 @@ int CheckTagging(Packet* p) CallLogFuncs(p, (ListHead*)listhead, &event, "Tagged Packet"); } } - - return 0; } static int CheckAddrPort( 
diff --git a/src/detection/detect.h b/src/detection/detect.h index 1915d45c5..4fe11ad64 100644 --- a/src/detection/detect.h +++ b/src/detection/detect.h @@ -30,16 +30,12 @@ struct ProfileStats; struct RuleFpList; struct RuleTreeNode; -extern THREAD_LOCAL bool do_detect; -extern THREAD_LOCAL bool do_detect_content; - extern THREAD_LOCAL ProfileStats eventqPerfStats; extern THREAD_LOCAL ProfileStats detectPerfStats; extern THREAD_LOCAL ProfileStats rebuiltPacketPerfStats; // main loop hooks void snort_ignore(Packet*); -void snort_inspect(Packet*); void snort_log(Packet*); // parsing @@ -60,13 +56,8 @@ void CallLogFuncs(Packet*, ListHead*, Event*, const char*); void CallLogFuncs(Packet*, const OptTreeNode*, ListHead*); void CallAlertFuncs(Packet*, const OptTreeNode*, ListHead*); -// don't eval content rules -// non-content rules are still evaluated -SO_PUBLIC void DisableDetect(); - -// don't want to do any detection with rules -// (no content and no non-content) -SO_PUBLIC void DisableInspection(); +void enable_tags(); +void check_tags(Packet*); #endif diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index 7b8ba6302..d4abf7677 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc @@ -985,7 +985,7 @@ static inline int fpEvalHeaderSW(PortGroup* port_group, Packet* p, p->packet_flags &= ~PKT_IP_RULE; } - if ( do_detect_content ) + if ( DetectionEngine::content_enabled() ) { if ( fp->get_stream_insert() || !(p->packet_flags & PKT_STREAM_INSERT) ) if ( fp_search(port_group, p, check_ports, type, omd) ) @@ -1198,9 +1198,10 @@ static void fpEvalPacketUdp(Packet* p) if (tmp_api.pay_len() > udp::UDP_HEADER_LEN) p->dsize = tmp_api.pay_len() - udp::UDP_HEADER_LEN; - auto save_do_detect_content = do_detect_content; + auto save_detect = DetectionEngine::get_detects(); + if ( p->dsize ) - do_detect_content = true; + DetectionEngine::enable_content(); fpEvalHeaderUdp(p, omd); 
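Review bot: The two comments that documented the difference between the disable levels (`don't eval content rules / non-content rules are still evaluated` versus `no content and no non-content`) are dropped with `DisableDetect`/`DisableInspection`, and the replacements `enable_tags()` and `check_tags(Packet*)` are declared without any comment. The header that now declares `DetectionEngine::disable_content()`/`disable_all()` is not in the visible part of this diff, so please check that the distinction is documented there; callers in this commit choose between the two in security-relevant places (blocked flows, reputation verdicts, dropped fragments), and a wrong pick silently widens what a packet is allowed to skip. For the new declarations I would add `// tag-list checking for the current packet: enable_tags() arms it, check_tags() runs CheckTagList and logs the packet, CallLogFuncs disarms it`.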
@@ -1209,8 +1210,8 @@ static void fpEvalPacketUdp(Packet* p) p->ptrs.udph = tmp_udph; p->data = tmp_data; p->dsize = tmp_dsize; - - do_detect_content = save_do_detect_content; + + DetectionEngine::set_detects(save_detect); } /* diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index 8fe73fe68..c563fc006 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc @@ -448,7 +448,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p) if ( news ) Stream::stop_inspection(flow, p, SSN_DIR_BOTH, -1, 0); else - DisableInspection(); + DetectionEngine::disable_all(); p->ptrs.decode_flags |= DECODE_PKT_TRUST; break; @@ -459,7 +459,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p) else Active::block_again(); - DisableInspection(); + DetectionEngine::disable_all(); break; case Flow::FlowState::RESET: @@ -469,7 +469,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p) Active::reset_again(); Stream::blocked_flow(flow, p); - DisableInspection(); + DetectionEngine::disable_all(); break; } @@ -765,7 +765,7 @@ bool FlowControl::expected_flow(Flow* flow, Packet* p) (p->packet_flags & PKT_FROM_CLIENT) ? "sender" : "responder"); flow->ssn_state.ignore_direction = ignore; - DisableInspection(); + DetectionEngine::disable_all(); } return ignore; diff --git a/src/main/policy.cc b/src/main/policy.cc index 3b0f61b38..41ee87967 100644 --- a/src/main/policy.cc +++ b/src/main/policy.cc @@ -62,7 +62,7 @@ public: AltPktHandler() { } void handle(DataEvent& e, Flow*) - { DetectionEngine::process((Packet*)e.get_packet()); } // FIXIT-L not const! + { DetectionEngine::detect((Packet*)e.get_packet()); } // FIXIT-L not const! }; InspectionPolicy::InspectionPolicy() diff --git a/src/main/snort.cc b/src/main/snort.cc index 6dc3154fc..e4971c93d 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc 
@@ -737,16 +737,14 @@ void Snort::inspect(Packet* p) Profile detect_profile(detectPerfStats); Profile rebuilt_profile(rebuiltPacketPerfStats); - auto save_do_detect = do_detect; - auto save_do_detect_content = do_detect_content; + auto save_detect = DetectionEngine::get_detects(); DetectionEngine de; main_hook(p); DetectReset(); // FIXIT-H context - do_detect = save_do_detect; - do_detect_content = save_do_detect_content; + DetectionEngine::set_detects(save_detect); } DAQ_Verdict Snort::process_packet( diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc index 29ff6745e..10019ec00 100644 --- a/src/managers/inspector_manager.cc +++ b/src/managers/inspector_manager.cc @@ -29,6 +29,7 @@ #include "binder/bind_module.h" #include "binder/binder.h" #include "detection/detect.h" +#include "detection/detection_engine.h" #include "flow/flow.h" #include "flow/session.h" #include "log/messages.h" @@ -781,7 +782,7 @@ bool InspectorManager::full_inspection(FrameworkPolicy* fp, Packet* p) return false; else if ( !p->dsize ) - DisableDetect(); + DetectionEngine::disable_content(); else if ( flow->gadget && flow->gadget->likes(p) ) { diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc index 930323be7..914df8276 100644 --- a/src/network_inspectors/reputation/reputation_inspect.cc +++ b/src/network_inspectors/reputation/reputation_inspect.cc @@ -26,6 +26,7 @@ #include "reputation_inspect.h" #include "detection/detect.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "log/messages.h" #include "packet_io/active.h" @@ -299,7 +300,7 @@ static void snort_reputation(ReputationConfig* config, Packet* p) SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_BLACKLIST); Active::drop_packet(p, true); // disable all preproc analysis and detection for this packet - DisableInspection(); + DetectionEngine::disable_all(); p->disable_inspect = true; if (p->flow) { 
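Review bot: The save/restore of the detection flags around `main_hook(p)` is still done by hand (`get_detects()` before, `set_detects(save_detect)` after `DetectReset()`), even though a `DetectionEngine de;` RAII object is now constructed right between those two lines. This function nests for rebuilt packets, and the ip_defrag and fpEvalPacketUdp hunks repeat the same save/enable/restore dance, so the natural home for the save is the `DetectionEngine` constructor and for the restore its destructor; that removes the duplicated pattern and keeps the flags consistent on any future early return. I cannot see the class definition in this diff, so if the ctor/dtor already own other per-packet state this is a two-line move: save in the ctor, `set_detects(saved)` in the dtor. Snort::inspect begins before this hunk.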
@@ -318,7 +319,7 @@ static void snort_reputation(ReputationConfig* config, Packet* p) { SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_WHITELIST); p->packet_flags |= PKT_IGNORE; - DisableInspection(); + DetectionEngine::disable_all(); p->disable_inspect = true; if (p->flow) { diff --git a/src/parser/config_file.cc b/src/parser/config_file.cc index 03d060565..63c825b69 100644 --- a/src/parser/config_file.cc +++ b/src/parser/config_file.cc @@ -28,6 +28,7 @@ #include #include "detection/detect.h" +#include "detection/detection_engine.h" #include "log/messages.h" #include "main/snort.h" #include "main/snort_config.h" @@ -546,7 +547,7 @@ void config_alert_mode(SnortConfig* sc, const char* val) sc->output = val; sc->output_flags |= OUTPUT_FLAG__ALERTS; - Snort::set_main_hook(snort_inspect); + Snort::set_main_hook(DetectionEngine::inspect); } void config_log_mode(SnortConfig* sc, const char* val) @@ -569,7 +570,7 @@ void config_conf(SnortConfig*, const char* val) { lua_conf = val; SetSnortConfDir(lua_conf.c_str()); - Snort::set_main_hook(snort_inspect); + Snort::set_main_hook(DetectionEngine::inspect); } void SetSnortConfDir(const char* file) diff --git a/src/service_inspectors/dce_rpc/dce_common.cc b/src/service_inspectors/dce_rpc/dce_common.cc index 283d0ad60..bca4cd253 100644 --- a/src/service_inspectors/dce_rpc/dce_common.cc +++ b/src/service_inspectors/dce_rpc/dce_common.cc @@ -194,7 +194,7 @@ static void dce2_protocol_detect(DCE2_SsnData* sd, Packet* pkt) // FIXIT-M add HTTP case when these are ported // Same for all other instances of profiling - DetectionEngine::process(pkt); + DetectionEngine::detect(pkt); dce2_detected = 1; } diff --git a/src/service_inspectors/dce_rpc/dce_smb.cc b/src/service_inspectors/dce_rpc/dce_smb.cc index a2232d4b5..573a5e967 100644 --- a/src/service_inspectors/dce_rpc/dce_smb.cc +++ b/src/service_inspectors/dce_rpc/dce_smb.cc 
@@ -24,7 +24,7 @@ #include "dce_smb.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" #include "file_api/file_service.h" #include "protocols/packet.h" #include "utils/util.h" diff --git a/src/service_inspectors/dce_rpc/dce_smb_utils.cc b/src/service_inspectors/dce_rpc/dce_smb_utils.cc index a38501f00..df5fa9468 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_utils.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_utils.cc @@ -1990,7 +1990,7 @@ void DCE2_FileDetect() Profile profile(dce2_smb_pstat_smb_file_detect); - DetectionEngine::process(top_pkt); + DetectionEngine::detect(top_pkt); // Reset file data pointer after detecting set_file_data(nullptr, 0); diff --git a/src/service_inspectors/dce_rpc/dce_tcp.cc b/src/service_inspectors/dce_rpc/dce_tcp.cc index 1c0cd646d..f2eff3735 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp.cc +++ b/src/service_inspectors/dce_rpc/dce_tcp.cc @@ -25,7 +25,7 @@ #include "dce_tcp.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" #include "utils/util.h" #include "dce_tcp_module.h" diff --git a/src/service_inspectors/dce_rpc/dce_udp.cc b/src/service_inspectors/dce_rpc/dce_udp.cc index 5271c7640..6d1f89754 100644 --- a/src/service_inspectors/dce_rpc/dce_udp.cc +++ b/src/service_inspectors/dce_rpc/dce_udp.cc @@ -25,7 +25,7 @@ #include "dce_udp.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" #include "utils/util.h" #include "dce_udp_module.h" diff --git a/src/service_inspectors/dnp3/dnp3_reassembly.cc b/src/service_inspectors/dnp3/dnp3_reassembly.cc index a613492e7..d8dc520c5 100644 --- a/src/service_inspectors/dnp3/dnp3_reassembly.cc +++ b/src/service_inspectors/dnp3/dnp3_reassembly.cc 
@@ -411,7 +411,7 @@ bool dnp3_full_reassembly(dnp3ProtoConf& config, dnp3_session_data_t* session, P { { ProfileExclude profile_exclude(dnp3_perf_stats); - DetectionEngine::process(packet); + DetectionEngine::detect(packet); } /* Since detection was done, reset reassembly state to avoid double alerts diff --git a/src/service_inspectors/ftp_telnet/ft_main.cc b/src/service_inspectors/ftp_telnet/ft_main.cc index 732ae7d99..53cb597a3 100644 --- a/src/service_inspectors/ftp_telnet/ft_main.cc +++ b/src/service_inspectors/ftp_telnet/ft_main.cc @@ -44,7 +44,7 @@ #include "ft_main.h" -#include "detection/detect.h" +#include "detection/detection_engine.h" #include "framework/data_bus.h" #include "log/messages.h" #include "utils/util.h" @@ -193,17 +193,7 @@ int FTPCheckConfigs(SnortConfig* sc, void* pData) void do_detection(Packet* p) { - // If we get here we either had a client or server request/response. - // We do the detection here, because we're starting a new paradigm - // about protocol decoders. - // - // Protocol decoders are now their own detection engine, since we are - // going to be moving protocol field detection from the generic - // detection engine into the protocol module. This idea scales much - // better than having all these Packet struct field checks in the - // main detection engine for each protocol field. get_data_bus().publish(PACKET_EVENT, p); - - DisableInspection(); + DetectionEngine::disable_all(); } diff --git a/src/service_inspectors/ssl/ssl_inspector.cc b/src/service_inspectors/ssl/ssl_inspector.cc index d72842401..6e91429a9 100644 --- a/src/service_inspectors/ssl/ssl_inspector.cc +++ b/src/service_inspectors/ssl/ssl_inspector.cc @@ -26,6 +26,7 @@ #include "ssl_inspector.h" #include "detection/detect.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "log/messages.h" #include "main/snort_debug.h" 
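Review bot: `do_detection` in ft_main.cc loses its explanatory comment entirely, leaving two unrelated-looking calls — a `PACKET_EVENT` publish followed by `DetectionEngine::disable_all()` — with nothing saying why detection is switched off right after the packet is handed out. The connection is only visible in policy.cc, where `AltPktHandler::handle` runs `DetectionEngine::detect` on the event's packet, which presumably is the PACKET_EVENT subscriber, so a reader of this file alone cannot tell that the rules have already been evaluated by the time `disable_all()` runs. I would keep a short version of the removed text: `// Publish the packet so the PACKET_EVENT handler evaluates the rules on it now, then disable the main-loop pass so the same packet is not evaluated twice.`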
@@ -178,7 +179,7 @@ static inline uint32_t SSLPP_process_alert( !(new_flags & SSL_HEARTBEAT_SEEN)) { DebugMessage(DEBUG_SSL, "Disabling detect\n"); - DisableDetect(); + DetectionEngine::disable_content(); } /* Need to negate the application flags from the opposing side. */ @@ -229,7 +230,7 @@ static inline uint32_t SSLPP_process_app(SSL_PROTO_CONF* config, uint32_t ssn_fl } else if (!(new_flags & SSL_HEARTBEAT_SEEN)) { - DisableDetect(); + DetectionEngine::disable_content(); } } @@ -256,7 +257,7 @@ static inline void SSLPP_process_other(SSL_PROTO_CONF* config, SSLData* sd, uint } else if (!(new_flags & SSL_HEARTBEAT_SEEN)) { - DisableDetect(); + DetectionEngine::disable_content(); } } else @@ -337,7 +338,7 @@ static void snort_ssl(SSL_PROTO_CONF* config, Packet* p) if (!(new_flags & SSL_HEARTBEAT_SEEN)) { - DisableDetect(); + DetectionEngine::disable_content(); } sd->ssn_flags |= new_flags; diff --git a/src/stream/ip/ip_defrag.cc b/src/stream/ip/ip_defrag.cc index 56b8259a7..a1c54fc5f 100644 --- a/src/stream/ip/ip_defrag.cc +++ b/src/stream/ip/ip_defrag.cc @@ -71,6 +71,7 @@ #include "ip_defrag.h" #include "detection/detect.h" +#include "detection/detection_engine.h" #include "log/messages.h" #include "main/snort.h" #include "main/snort_config.h" @@ -80,6 +81,7 @@ #include "protocols/ipv4_options.h" #include "time/timersub.h" #include "utils/safec.h" +#include "utils/stats.h" #include "utils/util.h" #include "ip_session.h" @@ -1120,7 +1122,7 @@ void Defrag::process(Packet* p, FragTracker* ft) if ((frag_offset != 0)) /* || ((p->get_ip_proto_next() != IpProtocol::UDP) && (p->ptrs.decode_flags & DECODE_MF))) */ { - DisableDetect(); + DetectionEngine::disable_content(); } /* @@ -1179,7 +1181,7 @@ void Defrag::process(Packet* p, FragTracker* ft) //dont forward fragments to engine if some previous fragment was dropped if ( ft->frag_flags & FRAG_DROP_FRAGMENTS ) { - DisableDetect(); + DetectionEngine::disable_content(); Active::daq_drop_packet(p); ip_stats.drops++; } 
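Review bot: The four `if (!(new_flags & SSL_HEARTBEAT_SEEN)) DetectionEngine::disable_content();` sites in SSLPP_process_alert, SSLPP_process_app, SSLPP_process_other and snort_ssl carry no comment explaining why content detection stays enabled exactly when a heartbeat record has been seen, and only the first of them logs `Disabling detect`. This is a security-relevant decision — it is the one case where payload of an encrypted session still reaches content rules, presumably so heartbeat-related rules keep working — and it deserves either a one-line comment at each site or a single helper, e.g. `static inline void disable_content_unless_heartbeat(uint32_t flags) { if (!(flags & SSL_HEARTBEAT_SEEN)) DetectionEngine::disable_content(); }`, so the rationale and the debug message live in one place. Each of the enclosing functions starts outside its hunk.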
@@ -1263,7 +1265,7 @@ void Defrag::process(Packet* p, FragTracker* ft) { // Need to reset some things here because the rebuilt packet // will have reset the do_detect flag when it hits Inspect. - do_detect_content = do_detect = false; + DetectionEngine::disable_all(); } } diff --git a/src/stream/libtcp/tcp_stream_session.h b/src/stream/libtcp/tcp_stream_session.h index dd8d810a3..48d5f79cc 100644 --- a/src/stream/libtcp/tcp_stream_session.h +++ b/src/stream/libtcp/tcp_stream_session.h @@ -22,7 +22,11 @@ #ifndef TCP_STREAM_SESSION_H_ #define TCP_STREAM_SESSION_H_ -#include "detection/detect.h" +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "detection/detection_engine.h" #include "flow/session.h" #include "stream/libtcp/tcp_stream_tracker.h" #include "stream/tcp/tcp_stream_config.h" @@ -75,7 +79,7 @@ public: virtual void retransmit_process() { // Data has already been analyzed so don't bother looking at it again. - DisableDetect(); + DetectionEngine::disable_content(); } virtual void retransmit_handle(Packet* p) diff --git a/src/stream/stream.cc b/src/stream/stream.cc index fe4f1b41e..db5f4a210 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -244,7 +244,7 @@ void Stream::stop_inspection( /* FIXIT-M handle bytes/response parameters */ - DisableInspection(); + DetectionEngine::disable_all(); flow->set_state(Flow::FlowState::ALLOW); } @@ -630,7 +630,7 @@ bool Stream::blocked_flow(Flow* flow, Packet* p) "Blocking %s packet as session was blocked\n", p->is_from_server() ? "server" : "client"); - DisableDetect(); + DetectionEngine::disable_content(); Active::drop_packet(p); active_response(p, flow); return true; @@ -649,7 +649,7 @@ bool Stream::ignored_flow(Flow* flow, Packet* p) "Stream Ignoring packet from %s. Session marked as ignore\n", p->is_from_client() ? "sender" : "responder"); - DisableInspection(); + DetectionEngine::disable_all(); return true; } 
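Review bot: The comment kept above `DetectionEngine::disable_all()` still says the rebuilt packet `will have reset the do_detect flag when it hits Inspect`, but `do_detect` is removed by this very commit, so the comment now names state that no longer exists. With Snort::inspect saving and restoring the detection flags around `main_hook`, it is also not obvious from the visible code that the nested inspection of the rebuilt packet leaves them re-enabled; if the call is still required, say why in current terms, e.g. `// the nested inspect of the rebuilt packet re-enables detection; disable it again so the original fragment is not run through the rules - confirm still needed now that DetectionEngine saves/restores the flags`. Defrag::process begins outside this hunk.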
diff --git a/src/stream/tcp/ips_stream_reassemble.cc b/src/stream/tcp/ips_stream_reassemble.cc index 03ebe3cc7..7b86e0737 100644 --- a/src/stream/tcp/ips_stream_reassemble.cc +++ b/src/stream/tcp/ips_stream_reassemble.cc @@ -22,6 +22,7 @@ #endif #include "detection/detection_defines.h" +#include "detection/detection_engine.h" #include "framework/ips_option.h" #include "framework/module.h" #include "hash/sfhashfcn.h" @@ -151,7 +152,7 @@ int ReassembleOption::eval(Cursor&, Packet* pkt) { /* Turn off inspection */ lwssn->ssn_state.ignore_direction |= srod.direction; - DisableInspection(); + DetectionEngine::disable_all(); /* TBD: Set TF_FORCE_FLUSH ? */ } diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc index 0bd078496..95c90e902 100644 --- a/src/stream/tcp/tcp_reassembler.cc +++ b/src/stream/tcp/tcp_reassembler.cc @@ -25,6 +25,7 @@ #include "tcp_reassembler.h" +#include "detection/detection_engine.h" #include "log/log.h" #include "main/snort.h" #include "profiler/profiler.h" diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc index 6541e3ae6..cc2b03f66 100644 --- a/src/stream/tcp/tcp_session.cc +++ b/src/stream/tcp/tcp_session.cc @@ -48,6 +48,7 @@ #include "tcp_session.h" +#include "detection/detection_engine.h" #include "log/log.h" #include "perf_monitor/flow_ip_tracker.h" #include "profiler/profiler.h" @@ -984,7 +985,7 @@ void TcpSession::do_packet_analysis_post_checks(Packet* p) if (pkt_action_mask & ACTION_DISABLE_INSPECTION) { - DisableInspection(); + DetectionEngine::disable_all(); DebugFormat(DEBUG_STREAM_STATE, "Stream Ignoring packet from %s. Session marked as ignore\n",