From: Russ Combs (rucombs) Date: Wed, 8 May 2024 21:55:15 +0000 (+0000) Subject: Pull request #4263: Public enemy 1 X-Git-Tag: 3.2.1.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0917e4b44917825bc2fd3c98da607cfe200b318;p=thirdparty%2Fsnort3.git Pull request #4263: Public enemy 1 Merge in SNORT/snort3 from ~RUCOMBS/snort3:public_enemy_1 to master Squashed commit of the following: commit 7f8f2135c33fd2de3495a8edcfd22b5f60de89fd Author: Russ Combs Date: Wed May 8 14:22:49 2024 -0400 build: fix coverity warnings commit 2c700829076b77e7d2773d102a2a62d4d3b531b1 Author: Russ Combs Date: Wed May 8 13:42:06 2024 -0400 build: fix bogus cppcheck warnings commit eb7b28eea14ea6e8c5152945c6204cc37bad8196 Author: Russ Combs Date: Fri Apr 12 10:06:47 2024 -0400 framework: bump api version to 20 commit c9a5baeeb2e3a7954b492179faac32b2696876ab Author: Russ Combs Date: Mon Apr 8 13:37:48 2024 -0400 snort: remove deprecated features: Config: string binder[].when.zones: deprecated alias for groups string binder[].when.src_zone: deprecated alias for src_groups string binder[].when.dst_zone: deprecated alias for dst_groups enum dce_smb.smb_file_inspection: deprecated (not used): file inspection controlled by smb_file_depth { 'off' | 'on' | 'only' } int sip.max_requestName_len = 20: deprecated - use max_request_name_len instead { 0:65535 } Builtins: 129:5 (stream_tcp) bad segment, adjusted size <= 0 (deprecated) commit 641cad2638d6eb1bd0a57982d1354b829ee08147 Author: Russ Combs Date: Thu Apr 4 10:11:54 2024 -0400 pig_pen: use Module::usage directly commit 0a6d7eccebac6e1d0d2b478094f31f296103371e Author: Russ Combs Date: Tue Mar 19 10:21:58 2024 -0400 mpse: add modules for pegs and perf profiling; remove _search commit 818d4709d70430595e73ee6301f35a376f5e8d78 Author: Russ Combs Date: Thu Mar 14 11:20:49 2024 -0400 framework: improve exported header comments commit a53c0249b7047c26328a5bbd14e0bc706df88214 Author: Russ Combs Date: Mon Mar 11 08:39:57 2024 -0400 plugins: add missing error messages when an so fails to load commit 1c7fd7e717d06231565cff00a73e4a5937749638 Author: Russ Combs Date: Wed Mar 6 10:44:29 2024 -0500 flow: move StreamFlowIntf to stream_flow.h commit b4f969f4072a45b12acd3a36808746414af707c0 Author: Russ Combs Date: Wed Mar 6 09:03:10 2024 -0500 framework: generate preprocessor output for validation commit 14e9886e9018a11a8f98ec95d88c127aed2e6f6e Author: Russ Combs Date: Mon Mar 4 09:56:53 2024 -0500 doc: add versioning information to the developer guide commit f1074aaa9c79b9e1a91616f9e0da533e872c8f2b Author: Russ Combs Date: Wed Feb 28 08:46:20 2024 -0500 host_cache: do not install private header commit c8d50a4ba02f527efe6ca89e5ad07991c9bd18c9 Author: Russ Combs Date: Mon Feb 26 09:26:31 2024 -0500 api: refactor base API commit 1c9fe59accaf77c84ba6a627be66072d02f0d87f Author: Russ Combs Date: Thu Feb 15 12:08:06 2024 -0500 inspector: eval override is optional for passive inspectors commit 48859035f007a5bcdc17b2e9be05da11742338d6 Author: Russ Combs Date: Tue Feb 13 16:22:08 2024 -0500 plugins: add warning for invalid plugin types commit ef2b94f2ba3a46efdd3455359bfeba51a4fcd87f Author: Russ Combs Date: Wed Jan 24 04:26:46 2024 -0500 plugins: bump base API and all plugin API version numbers commit 4636922ef31cdf8544ee5a62bba313f9577bfd19 Author: Russ Combs Date: Thu Nov 30 09:47:40 2023 -0500 detection: refactor headers commit b70ee339aa490d7562bab85418a4e2ab89ec6129 Author: Russ Combs Date: Tue Dec 12 12:37:39 2023 -0500 ips: tweak check for offload enable commit 047ec75da346b7d1199ef9122147ad89921468da Author: Russ Combs Date: Mon Nov 27 14:56:29 2023 -0500 build: fix LTO ODR issues with anonymous namespaces commit eb975151c97018a8ede37115df312aa4ac29d66d Author: Russ Combs Date: Mon Nov 13 12:04:34 2023 -0500 inspector: use thread local slot for best perf on Linux commit 0565783cbf6e2ffd65aeb0934040ec57464ce60a Author: Russ Combs Date: Wed Nov 8 14:29:34 2023 -0500 extract: move extract methods to detection/ commit eaae3dc988df37c0312a218259ccdbb1d86a165d Author: Russ Combs Date: Tue Nov 7 11:36:20 2023 -0500 stats: change shutdown Mbits/sec from mebibits to megabits commit ade482affc30c629dac43626d21d92b0488cd4dc Author: Russ Combs Date: Mon Oct 9 11:12:14 2023 -0400 appid: remove cruft left behind by f49fbbef commit 1d36b3fe208ffdee2dd997746f9b6b3c251d3305 Author: Russ Combs Date: Wed Oct 4 10:00:28 2023 -0400 tag: tweak enable toggle commit eebe7edb5f6947b81fc89604c1bf0261a0e070d1 Author: Russ Combs Date: Tue Sep 26 14:09:23 2023 -0400 packet_tracer: eliminate SO_PUBLIC THREAD_LOCALs commit 9ffcfdbebae661f6fc2c8c655996a9f37634cc26 Author: Russ Combs Date: Tue Sep 5 11:43:26 2023 -0400 profiler: eliminate SO_PUBLIC THREAD_LOCALs for _WIN64 This degrades performance so it is done only for Windows where SO_PUBLIC THREAD_LOCALs are not supported. commit eac23069203da078d6deab67e13bad052c8f6731 Author: Russ Combs Date: Tue Aug 8 09:31:33 2023 -0400 style: remove trailing spaces commit 2d6882a33443d50c5f66495a1b62bb75bf4b6bb6 Author: Russ Combs Date: Wed Sep 20 14:45:16 2023 -0400 ssl: support dynamic build of inspector and ips options commit e3dcb79941b03815867bd439885850270f754616 Author: Russ Combs Date: Tue Sep 19 16:16:24 2023 -0400 ips_options: fix dynamic build of some options commit 6991df8ab3e4c8d0d07b23436fa06695c244ca17 Author: Russ Combs Date: Fri Sep 15 12:50:57 2023 -0400 profiler: move implementation class to profiler_impl.h commit c67e74c070809c9eb9571c73637b40b71572ea62 Author: Russ Combs Date: Fri Sep 15 12:50:16 2023 -0400 numa: do not install implementation (private) header commit ec030aa7b77ad940ea1056078555dee9499e2098 Author: Russ Combs Date: Fri Sep 15 12:47:05 2023 -0400 reputation: move private defines out of installed header commit e3c5f4653fae5882d333dcbf12b796e3fc6f191c Author: Russ Combs Date: Thu Sep 14 09:55:34 2023 -0400 thread: move THREAD_LOCAL definition to snort_types.h commit 2759519051f3972de590540f75c84b5ac1b5b3de Author: Russ Combs Date: Wed Sep 13 10:01:15 2023 -0400 utils: refactor out non-public code commit c3145c20f7ea175d046a0f676fa42533f679a469 Author: Russ Combs Date: Tue Sep 12 14:29:14 2023 -0400 stats: stats.h is for internal use only, do not install commit 92dbe63fb04b96264cf67feab80bd100370f99a2 Author: Russ Combs Date: Tue Sep 12 11:47:08 2023 -0400 flow: split ExpectFlow into a separate header commit 1366ef1571ae0cb9729ec75c3c8b81144f53c4eb Author: Russ Combs Date: Mon Sep 11 15:36:59 2023 -0400 src/: relocate packet_tracer, packet_constraints, and file_policy. commit 7e3263c4db9f1b8dabf3c11014d124eff0a43ae9 Author: Russ Combs Date: Mon Sep 11 12:44:57 2023 -0400 rna: refactor headers for better encapsulation commit 39a74682069842d8777720a42be6592d0361aa53 Author: Russ Combs Date: Fri Sep 8 13:47:01 2023 -0400 file: do not install internal headers commit 7c532a3410df1a631fa3494360f06b4d3db008bf Author: Russ Combs Date: Fri Sep 8 10:50:01 2023 -0400 log: refactor out app implementation stuff into log_errors.h commit 274d08bb2b2e6a8701d213d089d670345eb5d15f Author: Russ Combs Date: Thu Sep 7 15:07:56 2023 -0400 active, host_tracker, profiler, stats, stream: refactor installed headers to exclude implementation like counts and perf stats commit 52915f8e0fc136fe52ce42570458e523beba36e9 Author: Russ Combs Date: Wed Sep 6 14:44:07 2023 -0400 detection: refactor detection_util.* Split detection_util.{h,cc} into detection_buf.h and event_trace.{h,cc}. commit 76797daae3fcb788c7aa7e2c53a25456916c0522 Author: Russ Combs Date: Wed Sep 6 11:38:36 2023 -0400 helpers/, utils/: reorganize to meet original intent helpers/: C++ utility classes utils/: C-style functions and defines commit d648be932b8d4c10cc144c5a597c3c9aab157e96 Author: Russ Combs Date: Wed Aug 30 11:59:53 2023 -0400 codecs: PacketManager::max_layers is not THREAD_LOCAL commit 4826653a3bce0fc4043ab0cd4d2e933eae718b06 Author: Russ Combs Date: Wed Aug 30 11:30:31 2023 -0400 inspectors: remove redundant slot variable commit a08cc0edab6893917e3c6d1b2629d5a775ce4086 Author: Russ Combs Date: Tue Aug 29 15:39:50 2023 -0400 build: eliminate SO_PUBLIC THREAD_LOCALs commit 4dd23f34df05dfbd40f23016fbd57185079256ed Author: Russ Combs Date: Mon Aug 28 13:57:31 2023 -0400 event_filter, suppress: keep antiquated dynamic array support private (use std::vector instead) commit 8f65203a02be32128af0be21590b7d69b979889e Author: Russ Combs Date: Mon Aug 28 12:15:21 2023 -0400 stream: delete obsolete / unused methods commit bd5770d0faa26e785180278879105ea05bdee44b Author: Russ Combs Date: Fri Aug 25 15:07:15 2023 -0400 tcp: move SEQ_* macros to tcp header commit 511797508566d0d7c5da7c13afbedda531cdd49b Author: Russ Combs Date: Fri Aug 25 13:22:13 2023 -0400 style: miscellaneous cleanup ... and 18 more commits --- diff --git a/doc/devel/CMakeLists.txt b/doc/devel/CMakeLists.txt index a00ba6e59..23a52d046 100644 --- a/doc/devel/CMakeLists.txt +++ b/doc/devel/CMakeLists.txt @@ -4,6 +4,7 @@ set ( snort_devel.txt extending.txt style.txt + versions.txt ) foreach ( file_name ${UNBUILT_SOURCES} ) diff --git a/doc/devel/snort_devel.txt b/doc/devel/snort_devel.txt index b6d39e802..4ab841100 100644 --- a/doc/devel/snort_devel.txt +++ b/doc/devel/snort_devel.txt @@ -10,6 +10,10 @@ include::version.txt[] toc::[] +== Versions + +include::versions.txt[] + == Extending Snort include::extending.txt[] diff --git a/doc/devel/versions.txt b/doc/devel/versions.txt new file mode 100644 index 000000000..72e38fc9a --- /dev/null +++ b/doc/devel/versions.txt @@ -0,0 +1,67 @@ + +=== Versions + +Snort 3 does not follow semantic versioning (major.minor.patch) because +. + +The Snort 3 version is of the form 3.A.R.B where: + +* 3 is fixed for now. + +* A is bumped when the API changes as defined in framework/snort_api.h. + +* R is bumped for each regular release (nominally every 2 weeks). + +* B is the build number supplied at the time of build and is always zero + for github releases. + +Some background on plugin versions is required to fully explain the +significance of A. + +There are several Snort 3 plugin types defined in these headers: + +* framework/codec.h +* framework/connector.h +* framework/inspector.h +* framework/ips_action.h +* framework/ips_option.h +* framework/logger.h +* framework/mpse.h +* framework/policy_selector.h +* framework/so_rule.h + +Each of the above has its own version number that pertains specifically to the file +in which it is defined. In addition, these plugins have a common part defined in: + +* framework/base_api.h. + +The above file specifies a version number for the common part shared by all plugins +which includes all the other files found in framework/snort_api.h. + +These API version numbers are not included in the Snort 3 version but, if any +of them changes, indicating a change to the plugin API, then A is bumped to +indicate that a new version of the API exists. So A will be bumped for any of +the following: + +* base API version change +* plugin API version change +* DAQ version change + +There are many other exported features apart from those included directly in +framework/snort_api.h and if you use them, you must rebuild your plugins with +each new release. If you just use the snort_api.h includes, you will only need +to rebuild your plugins if A changes. + +For the best security efficacy and stability, there is no requirement to +maintain backward compatibility, so you may need to tweak code when you +rebuild your plugin. Developers will not change the APIs without good reason, +but existing code will be changed as needed and these changes may break your +plugin. + +That said, if you want to reduce the number of times you release plugins, you +can study the change set to see if it affects you. Due to the complexity of +Snort and the API, this is possible but cannot be recommended. + +As of this writing the version is 3.1.85 and this will be merged with the 3.2.0 +release. The significance of the A component prior to 3.2.0 is not well defined. + diff --git a/doc/user/concepts.txt b/doc/user/concepts.txt index e44488786..63d350c24 100644 --- a/doc/user/concepts.txt +++ b/doc/user/concepts.txt @@ -60,8 +60,8 @@ objectives, including: * IpsOption - for detection in Snort rules * IpsAction - for custom actions * Logger - for handling events -* Mpse - for fast pattern matching -* So - for dynamic rules +* MPSE - for fast pattern matching +* SO - for dynamic rules The power of plugins is that they have a very focused purpose and can be created with relative ease. For example, you can extend the rule language diff --git a/doc/user/perf_monitor.txt b/doc/user/perf_monitor.txt index 9b520241d..3501c5adb 100644 --- a/doc/user/perf_monitor.txt +++ b/doc/user/perf_monitor.txt @@ -14,7 +14,7 @@ perf_monitor supports several trackers for monitoring such data: The base tracker is used to gather running statistics about Snort and its running modules. All Snort modules gather, at the very least, counters for the number of packets reaching it. Most supplement these counts with those for -domain specific functions, such as http_inspect’s number of GET requests seen. +domain specific functions, such as the number of GET requests seen by http_inspect. Statistics are gathered live and can be reported at regular intervals. The stats reported correspond only to the interval in question and are reset at the diff --git a/src/actions/CMakeLists.txt b/src/actions/CMakeLists.txt index 7dde1c9f4..ce97ca611 100644 --- a/src/actions/CMakeLists.txt +++ b/src/actions/CMakeLists.txt @@ -1,26 +1,21 @@ -set ( ACTIONS_INCLUDES - actions.h -) - set (IPS_ACTION_SOURCES - actions.cc actions_module.cc actions_module.h ips_actions.cc ips_actions.h +) + +set( PLUGIN_LIST act_alert.cc act_block.cc act_drop.cc act_file_id.cc act_log.cc act_pass.cc + act_react.cc act_reject.cc act_replace.cc -) - -set( PLUGIN_LIST - act_react.cc ) if (STATIC_IPS_ACTIONS) @@ -35,11 +30,15 @@ else (STATIC_IPS_ACTIONS) ${IPS_ACTION_SOURCES} ) + add_dynamic_module(act_alert ips_actions act_alert.cc actions_module.cc) + add_dynamic_module(act_block ips_actions act_block.cc actions_module.cc) + add_dynamic_module(act_drop ips_actions act_drop.cc actions_module.cc) + add_dynamic_module(act_file_id ips_actions act_file_id.cc actions_module.cc) + add_dynamic_module(act_log ips_actions act_log.cc actions_module.cc) + add_dynamic_module(act_pass ips_actions act_pass.cc actions_module.cc) add_dynamic_module(act_react ips_actions act_react.cc actions_module.cc) + add_dynamic_module(act_reject ips_actions act_reject.cc actions_module.cc) + add_dynamic_module(act_replace ips_actions act_replace.cc actions_module.cc) endif (STATIC_IPS_ACTIONS) -install (FILES ${ACTIONS_INCLUDES} - DESTINATION "${INCLUDE_INSTALL_PATH}/actions" -) - diff --git a/src/actions/act_alert.cc b/src/actions/act_alert.cc index d46302d85..90af5eecb 100644 --- a/src/actions/act_alert.cc +++ b/src/actions/act_alert.cc @@ -21,12 +21,11 @@ #include "config.h" #endif -#include "actions/actions_module.h" #include "framework/ips_action.h" #include "framework/module.h" #include "protocols/packet.h" -#include "actions.h" +#include "actions_module.h" using namespace snort; @@ -55,12 +54,12 @@ class AlertAction : public IpsAction public: AlertAction() : IpsAction(action_name, nullptr) { } - void exec(Packet*, const OptTreeNode* otn) override; + void exec(Packet*, const ActInfo&) override; }; -void AlertAction::exec(Packet* p, const OptTreeNode* otn) +void AlertAction::exec(Packet* p, const ActInfo& ai) { - Actions::alert(p, otn); + alert(p, ai); ++alert_stats.alert; } @@ -120,7 +119,11 @@ static ActionApi alert_api alert_dtor }; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else const BaseApi* act_alert[] = +#endif { &alert_api.base, nullptr diff --git a/src/actions/act_block.cc b/src/actions/act_block.cc index 7e9e0d5df..e341831dc 100644 --- a/src/actions/act_block.cc +++ b/src/actions/act_block.cc @@ -21,13 +21,12 @@ #include "config.h" #endif -#include "actions/actions_module.h" #include "framework/ips_action.h" #include "framework/module.h" #include "packet_io/active.h" #include "protocols/packet.h" -#include "actions.h" +#include "actions_module.h" using namespace snort; @@ -56,16 +55,16 @@ class BlockAction : public IpsAction public: BlockAction() : IpsAction(action_name, nullptr) { } - void exec(Packet*, const OptTreeNode* otn) override; + void exec(Packet*, const ActInfo&) override; bool drops_traffic() override { return true; } }; -void BlockAction::exec(Packet* p, const OptTreeNode* otn) +void BlockAction::exec(Packet* p, const ActInfo& ai) { p->active->block_session(p); p->active->set_drop_reason("ips"); - Actions::alert(p, otn); + alert(p, ai); ++block_stats.block; } @@ -125,7 +124,11 @@ static ActionApi block_api block_dtor }; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else const BaseApi* act_block[] = +#endif { &block_api.base, nullptr diff --git a/src/actions/act_drop.cc b/src/actions/act_drop.cc index ae69f6e3e..6ab2c2200 100644 --- a/src/actions/act_drop.cc +++ b/src/actions/act_drop.cc @@ -21,13 +21,12 @@ #include "config.h" #endif -#include "actions/actions_module.h" #include "framework/ips_action.h" #include "framework/module.h" #include "packet_io/active.h" #include "protocols/packet.h" -#include "actions.h" +#include "actions_module.h" using namespace snort; @@ -56,16 +55,16 @@ class DropAction : public IpsAction public: DropAction() : IpsAction(action_name, nullptr) { } - void exec(Packet*, const OptTreeNode* otn) override; + void exec(Packet*, const ActInfo&) override; bool drops_traffic() override { return true; } }; -void DropAction::exec(Packet* p, const OptTreeNode* otn) +void DropAction::exec(Packet* p, const ActInfo& ai) { p->active->drop_packet(p); p->active->set_drop_reason("ips"); - Actions::alert(p, otn); + alert(p, ai); ++drop_stats.drop; } @@ -126,7 +125,11 @@ static ActionApi drop_api drop_dtor }; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else const BaseApi* act_drop[] = +#endif { &drop_api.base, nullptr diff --git a/src/actions/act_file_id.cc b/src/actions/act_file_id.cc index 70386fbee..061332d21 100644 --- a/src/actions/act_file_id.cc +++ b/src/actions/act_file_id.cc @@ -21,14 +21,13 @@ #include "config.h" #endif -#include "actions.h" -#include "actions/actions_module.h" -#include "detection/detect.h" #include "file_api/file_flows.h" -#include "file_api/file_identifier.h" +#include "file_api/file_lib.h" +#include "framework/ips_action.h" #include "managers/action_manager.h" #include "parser/parser.h" -#include "utils/stats.h" + +#include "actions_module.h" using namespace snort; @@ -59,21 +58,25 @@ class File_IdAction : public IpsAction { public: File_IdAction() : IpsAction(action_name, nullptr) { } - void exec(Packet*, const OptTreeNode* otn) override; + void exec(Packet*, const ActInfo&) override; }; -void File_IdAction::exec(Packet* p, const OptTreeNode* otn) +void File_IdAction::exec(Packet* p, const ActInfo& ai) { if (!p->flow) return; + FileFlows* files = FileFlows::get_file_flows(p->flow, false); + if (!files) return; + FileContext* file = files->get_current_file_context(); + if (!file) return; - file->set_file_type(otn->sigInfo.file_id); + file->set_file_type(get_file_id(ai)); ++file_id_stats.file_id; } @@ -134,7 +137,11 @@ static ActionApi file_id_api file_id_dtor }; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else const BaseApi* act_file_id[] = +#endif { &file_id_api.base, nullptr diff --git a/src/actions/act_log.cc b/src/actions/act_log.cc index 8b6689c75..dc2a20db3 100644 --- a/src/actions/act_log.cc +++ b/src/actions/act_log.cc @@ -21,12 +21,13 @@ #include "config.h" #endif -#include "actions/actions_module.h" +#include + #include "framework/ips_action.h" #include "framework/module.h" #include "protocols/packet.h" -#include "actions.h" +#include "actions_module.h" using namespace snort; @@ -55,14 +56,14 @@ class LogAction : public IpsAction public: LogAction() : IpsAction(action_name, nullptr) { } - void exec(Packet*, const OptTreeNode* otn) override; + void exec(Packet*, const ActInfo&) override; }; -void LogAction::exec(Packet* p, const OptTreeNode* otn) +void LogAction::exec(Packet* p, const ActInfo& ai) { - if ( otn ) + if ( log_it(ai) ) { - Actions::log(p, otn); + log(p, ai); ++log_stats.log; } } @@ -124,7 +125,11 @@ static ActionApi log_api log_dtor }; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else const BaseApi* act_log[] = +#endif { &log_api.base, nullptr diff --git a/src/actions/act_pass.cc b/src/actions/act_pass.cc index 15987dbce..94facf401 100644 --- a/src/actions/act_pass.cc +++ b/src/actions/act_pass.cc @@ -21,12 +21,13 @@ #include "config.h" #endif -#include "actions/actions_module.h" +#include + #include "framework/ips_action.h" #include "framework/module.h" #include "protocols/packet.h" -#include "actions.h" +#include "actions_module.h" using namespace snort; @@ -55,14 +56,14 @@ class PassAction : public IpsAction public: PassAction() : IpsAction(action_name, nullptr) { } - void exec(Packet*, const OptTreeNode*) override; + void exec(Packet*, const ActInfo&) override; }; -void PassAction::exec(Packet* p, const OptTreeNode* otn) +void PassAction::exec(Packet* p, const ActInfo& ai) { - if ( otn ) + if ( log_it(ai) ) { - Actions::pass(); + pass(); p->packet_flags |= PKT_PASS_RULE; ++pass_stats.pass; } @@ -125,7 +126,11 @@ static ActionApi pass_api pass_dtor }; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else const BaseApi* act_pass[] = +#endif { &pass_api.base, nullptr diff --git a/src/actions/act_react.cc b/src/actions/act_react.cc index 14ed536ce..73f4576b9 100644 --- a/src/actions/act_react.cc +++ b/src/actions/act_react.cc @@ -62,8 +62,6 @@ #include "utils/util.h" #include "utils/util_cstring.h" -#include "actions.h" - using namespace snort; using namespace HttpCommon; using namespace Http2Enums; @@ -214,7 +212,7 @@ public: ~ReactAction() override { delete config; } - void exec(Packet*, const OptTreeNode* otn) override; + void exec(Packet*, const ActInfo&) override; bool drops_traffic() override { return true; } private: @@ -222,12 +220,12 @@ private: ReactActiveAction react_act_action; }; -void ReactAction::exec(Packet* p, const OptTreeNode* otn) +void ReactAction::exec(Packet* p, const ActInfo& ai) { p->active->drop_packet(p); p->active->set_drop_reason("ips"); - Actions::alert(p, otn); + alert(p, ai); ++react_stats.react; } diff --git a/src/actions/act_reject.cc b/src/actions/act_reject.cc index 28bc7d805..df830aec6 100644 --- a/src/actions/act_reject.cc +++ b/src/actions/act_reject.cc @@ -55,8 +55,6 @@ #include "packet_io/active.h" #include "profiler/profiler.h" -#include "actions.h" - using namespace snort; #define action_name "reject" @@ -170,7 +168,7 @@ class RejectAction : public IpsAction public: RejectAction(uint32_t f = REJ_RST_BOTH); - void exec(Packet*, const OptTreeNode* otn) override; + void exec(Packet*, const ActInfo&) override; private: RejectActiveAction rej_act_action; @@ -183,14 +181,14 @@ private: RejectAction::RejectAction(uint32_t f) : IpsAction(action_name, &rej_act_action) , rej_act_action(f) { } -void RejectAction::exec(Packet* p, const OptTreeNode* otn) +void RejectAction::exec(Packet* p, const ActInfo& ai) { p->active->set_delayed_action(Active::ACT_RESET, get_active_action()); p->active->set_drop_reason("ips"); p->active->reset_again(); p->active->update_status(p); - Actions::alert(p, otn); + alert(p, ai); ++reject_stats.reject; } @@ -341,7 +339,11 @@ static const ActionApi rej_api = rej_dtor }; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else const BaseApi* act_reject[] = +#endif { &rej_api.base, nullptr diff --git a/src/actions/act_replace.cc b/src/actions/act_replace.cc index 14c24fa4d..f49905963 100644 --- a/src/actions/act_replace.cc +++ b/src/actions/act_replace.cc @@ -28,8 +28,6 @@ #include "packet_io/active.h" #include "protocols/packet.h" -#include "actions.h" - using namespace snort; #define action_name "rewrite" @@ -113,17 +111,17 @@ class ReplaceAction : public IpsAction public: ReplaceAction() : IpsAction(action_name, &rep_act_action) { } - void exec(Packet*, const OptTreeNode* otn) override; + void exec(Packet*, const ActInfo&) override; private: ReplaceActiveAction rep_act_action; }; -void ReplaceAction::exec(Packet* p, const OptTreeNode* otn) +void ReplaceAction::exec(Packet* p, const ActInfo& ai) { p->active->rewrite_packet(p); - Actions::alert(p, otn); + alert(p, ai); ++replace_stats.replace; } @@ -184,7 +182,11 @@ static ActionApi rep_api rep_dtor }; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else const BaseApi* act_replace[] = +#endif { &rep_api.base, nullptr diff --git a/src/actions/actions.cc b/src/actions/actions.cc deleted file mode 100644 index 801150abe..000000000 --- a/src/actions/actions.cc +++ /dev/null @@ -1,92 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include "actions.h" - -#include "detection/detect.h" -#include "managers/action_manager.h" -#include "parser/parser.h" -#include "utils/stats.h" - -using namespace snort; - -void Actions::pass() -{ - pc.pass_pkts++; -} - -void Actions::log(Packet* p, const OptTreeNode* otn) -{ - RuleTreeNode* rtn = getRtnFromOtn(otn); - if (!rtn) - return; - - CallLogFuncs(p, otn, rtn->listhead); -} - -void Actions::alert(Packet* p, const OptTreeNode* otn) -{ - if (!otn) - return; - - RuleTreeNode* rtn = getRtnFromOtn(otn); - if (!rtn) - return; - - /* Call OptTreeNode specific output functions */ - if (otn->outputFuncs) - { - ListHead lh = {}; // FIXIT-L use of ListHead for CallLogFuncs() is a little unwieldy here - lh.LogList = otn->outputFuncs; - CallLogFuncs(p, otn, &lh); - } - CallAlertFuncs(p, otn, rtn->listhead); - CallLogFuncs(p, otn, rtn->listhead); -} - -std::string Actions::get_string(Actions::Type action) -{ - return ActionManager::get_action_string(action); -} - -Actions::Type Actions::get_type(const char* s) -{ - return ActionManager::get_action_type(s); -} - -Actions::Type Actions::get_max_types() -{ - return ActionManager::get_max_action_types(); -} - -bool Actions::is_valid_action(Actions::Type action) -{ - if ( action < get_max_types() ) - return true; - - return false; -} - -std::string Actions::get_default_priorities(bool alert_before_pass) -{ - return ActionManager::get_action_priorities(alert_before_pass); -} diff --git a/src/actions/actions_module.cc b/src/actions/actions_module.cc index ddeb0e4e9..07d1a9898 100644 --- a/src/actions/actions_module.cc +++ b/src/actions/actions_module.cc @@ -22,11 +22,11 @@ #include "config.h" #endif +#include "actions_module.h" + #include #include -#include "actions_module.h" -#include "actions/actions.h" #include "log/messages.h" #include "managers/action_manager.h" #include "managers/module_manager.h" diff --git a/src/actions/ips_actions.cc b/src/actions/ips_actions.cc index c5a955add..d530b25d7 100644 --- a/src/actions/ips_actions.cc +++ b/src/actions/ips_actions.cc @@ -28,29 +28,29 @@ using namespace snort; #ifdef STATIC_IPS_ACTIONS -extern const BaseApi* act_react[]; -#endif extern const BaseApi* act_alert[]; extern const BaseApi* act_block[]; extern const BaseApi* act_drop[]; extern const BaseApi* act_file_id[]; extern const BaseApi* act_log[]; extern const BaseApi* act_pass[]; +extern const BaseApi* act_react[]; extern const BaseApi* act_reject[]; extern const BaseApi* act_replace[]; +#endif void load_actions() { #ifdef STATIC_IPS_ACTIONS - PluginManager::load_plugins(act_react); -#endif PluginManager::load_plugins(act_alert); PluginManager::load_plugins(act_block); PluginManager::load_plugins(act_drop); PluginManager::load_plugins(act_file_id); PluginManager::load_plugins(act_log); PluginManager::load_plugins(act_pass); + PluginManager::load_plugins(act_react); PluginManager::load_plugins(act_reject); PluginManager::load_plugins(act_replace); +#endif } diff --git a/src/codecs/ip/cd_tcp.cc b/src/codecs/ip/cd_tcp.cc index 66adba207..0412e6948 100644 --- a/src/codecs/ip/cd_tcp.cc +++ b/src/codecs/ip/cd_tcp.cc @@ -26,7 +26,6 @@ #include "codecs/codec_module.h" #include "framework/codec.h" -#include "log/log.h" #include "log/log_text.h" #include "main/snort_config.h" #include "parser/parse_ip.h" @@ -573,7 +572,7 @@ void TcpCodec::log(TextLog* const text_log, const uint8_t* raw_pkt, const tcp::TCPHdr* const tcph = reinterpret_cast(raw_pkt); /* print TCP flags */ - CreateTCPFlagString(tcph, tcpFlags); + tcph->stringify_flags(tcpFlags); TextLog_Puts(text_log, tcpFlags); /* We don't care about the null */ /* print other TCP info */ diff --git a/src/codecs/misc/cd_default.cc b/src/codecs/misc/cd_default.cc index f0f1530ee..dde34c5eb 100644 --- a/src/codecs/misc/cd_default.cc +++ b/src/codecs/misc/cd_default.cc @@ -75,9 +75,5 @@ static const CodecApi default_api = dtor, // dtor }; -const CodecApi* default_codec[] = -{ - &default_api, - nullptr -}; +const CodecApi* default_codec = &default_api; diff --git a/src/codecs/misc/test/geneve_codec_test.cc b/src/codecs/misc/test/geneve_codec_test.cc index 7082dfe73..7e1c1e628 100644 --- a/src/codecs/misc/test/geneve_codec_test.cc +++ b/src/codecs/misc/test/geneve_codec_test.cc @@ -27,7 +27,7 @@ #include void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } namespace snort { diff --git a/src/connectors/file_connector/test/file_connector_module_test.cc b/src/connectors/file_connector/test/file_connector_module_test.cc index 63c3de64b..7bcf432dc 100644 --- a/src/connectors/file_connector/test/file_connector_module_test.cc +++ b/src/connectors/file_connector/test/file_connector_module_test.cc @@ -37,7 +37,7 @@ THREAD_LOCAL SimpleStats file_connector_stats; THREAD_LOCAL ProfileStats file_connector_perfstats; void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } namespace snort { diff --git a/src/connectors/file_connector/test/file_connector_test.cc b/src/connectors/file_connector/test/file_connector_test.cc index 5c4a3ce5e..f950401f4 100644 --- a/src/connectors/file_connector/test/file_connector_test.cc +++ b/src/connectors/file_connector/test/file_connector_test.cc @@ -51,7 +51,7 @@ Connector* connector_tb; Connector* connector_rb; void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } namespace snort { diff --git a/src/connectors/tcp_connector/tcp_connector.cc b/src/connectors/tcp_connector/tcp_connector.cc index b3836d3b2..aaaaf1929 100644 --- a/src/connectors/tcp_connector/tcp_connector.cc +++ b/src/connectors/tcp_connector/tcp_connector.cc @@ -30,7 +30,6 @@ #include #include "log/messages.h" -#include "main/thread.h" #include "profiler/profiler_defs.h" #include "tcp_connector_module.h" diff --git a/src/connectors/tcp_connector/test/tcp_connector_module_test.cc b/src/connectors/tcp_connector/test/tcp_connector_module_test.cc index e944cbd47..16342d952 100644 --- a/src/connectors/tcp_connector/test/tcp_connector_module_test.cc +++ b/src/connectors/tcp_connector/test/tcp_connector_module_test.cc @@ -37,7 +37,7 @@ THREAD_LOCAL SimpleStats tcp_connector_stats; THREAD_LOCAL ProfileStats tcp_connector_perfstats; void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } namespace snort { diff --git a/src/connectors/tcp_connector/test/tcp_connector_test.cc b/src/connectors/tcp_connector/test/tcp_connector_test.cc index 0a1798e9d..76297a268 100644 --- a/src/connectors/tcp_connector/test/tcp_connector_test.cc +++ b/src/connectors/tcp_connector/test/tcp_connector_test.cc @@ -68,7 +68,7 @@ ConnectorCommon* connector_common; Connector* connector; void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } namespace snort { diff --git a/src/control/control.h b/src/control/control.h index 25ef1e5cc..b0814105e 100644 --- a/src/control/control.h +++ b/src/control/control.h @@ -90,7 +90,10 @@ private: static unsigned pending_cmds_count; //counter to serialize commands across control connections }; -#define LogRespond(cn, ...) do { if (cn) cn->respond(__VA_ARGS__); else LogMessage(__VA_ARGS__); } while(0) -#define LogfRespond(cn, fh, ...) do { if (cn) cn->respond(__VA_ARGS__); else LogMessage(fh, __VA_ARGS__); } while(0) +#define LogRespond(cn, ...) \ + do { if (cn) cn->respond(__VA_ARGS__); else snort::LogMessage(__VA_ARGS__); } while(0) + +#define LogfRespond(cn, fh, ...) \ + do { if (cn) cn->respond(__VA_ARGS__); else snort::LogMessage(fh, __VA_ARGS__); } while(0) #endif diff --git a/src/control/control_mgmt.cc b/src/control/control_mgmt.cc index e4051693f..70e6e01d0 100644 --- a/src/control/control_mgmt.cc +++ b/src/control/control_mgmt.cc @@ -36,6 +36,7 @@ #include "log/messages.h" #include "main/shell.h" #include "main/snort_config.h" +#include "main/thread.h" #include "utils/stats.h" #include "utils/util.h" #include "utils/util_cstring.h" diff --git a/src/decompress/file_decomp.cc b/src/decompress/file_decomp.cc index 4609a0080..6dd941f1c 100644 --- a/src/decompress/file_decomp.cc +++ b/src/decompress/file_decomp.cc @@ -26,7 +26,6 @@ #include -#include "detection/detection_util.h" #include "utils/util.h" #include "file_decomp_pdf.h" diff --git a/src/decompress/file_decomp_pdf.cc b/src/decompress/file_decomp_pdf.cc index 6c04d08c6..99244e225 100644 --- a/src/decompress/file_decomp_pdf.cc +++ b/src/decompress/file_decomp_pdf.cc @@ -26,7 +26,6 @@ #include -#include "main/thread.h" #include "utils/util.h" #ifdef UNIT_TEST diff --git a/src/decompress/file_olefile.h b/src/decompress/file_olefile.h index 16b984596..c35cea503 100644 --- a/src/decompress/file_olefile.h +++ b/src/decompress/file_olefile.h @@ -28,10 +28,10 @@ #include "detection/detection_engine.h" #include "helpers/literal_search.h" +#include "helpers/utf.h" #include "ips_options/ips_vba_data.h" #include "trace/trace_api.h" #include "utils/util.h" -#include "utils/util_utf.h" #define OLE_MAX_FILENAME_LEN_UTF16 64 #define OLE_MAX_FILENAME_ASCII 32 diff --git a/src/decompress/test/file_olefile_test.cc b/src/decompress/test/file_olefile_test.cc index 5f2464586..0abb17434 100644 --- a/src/decompress/test/file_olefile_test.cc +++ b/src/decompress/test/file_olefile_test.cc @@ -27,7 +27,7 @@ #include "detection/detection_engine.h" #include "helpers/literal_search.h" -#include "utils/util_utf.h" +#include "helpers/utf.h" #include #include diff --git a/src/detection/CMakeLists.txt b/src/detection/CMakeLists.txt index 757c0260f..9c48fb2fc 100644 --- a/src/detection/CMakeLists.txt +++ b/src/detection/CMakeLists.txt @@ -1,19 +1,13 @@ set (DETECTION_INCLUDES - detect.h + detection_buf.h detection_engine.h - detection_options.h - detection_util.h - detect_trace.h + extract.h ips_context.h ips_context_chain.h ips_context_data.h - regex_offload.h - rule_option_types.h - rules.h - signature.h - treenodes.h pattern_match_data.h + rule_option_types.h ) add_library (detection OBJECT @@ -21,13 +15,18 @@ add_library (detection OBJECT context_switcher.cc context_switcher.h detect.cc + detect.h + detection_continuation.h detection_engine.cc detection_module.cc detection_module.h detection_options.cc detection_options.h - detection_util.cc detect_trace.cc + detect_trace.h + event_trace.cc + event_trace.h + extract.cc fp_config.cc fp_config.h fp_create.cc @@ -42,15 +41,19 @@ add_library (detection OBJECT pcrm.cc pcrm.h regex_offload.cc + regex_offload.h rtn_checks.cc rtn_checks.h rules.cc + rules.h service_map.cc service_map.h sfrim.cc sfrim.h signature.cc + signature.h treenodes.cc + treenodes.h tag.cc tag.h ) diff --git a/src/detection/context_switcher.cc b/src/detection/context_switcher.cc index 41346c0be..a2caf6e1a 100644 --- a/src/detection/context_switcher.cc +++ b/src/detection/context_switcher.cc @@ -74,7 +74,7 @@ void ContextSwitcher::start() debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr, "(wire) %" PRIu64 " cs::start %" PRIu64 " (i=%zu, b=%zu)\n", - get_packet_number(), c->context_num, idle.size(), busy.size()); + pc.analyzed_pkts, c->context_num, idle.size(), busy.size()); idle.pop_back(); @@ -98,7 +98,7 @@ void ContextSwitcher::stop() debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr, "(wire) %" PRIu64 " cs::stop %" PRIu64 " (i=%zu, b=%zu)\n", - get_packet_number(), c->context_num, idle.size(), busy.size()); + pc.analyzed_pkts, c->context_num, idle.size(), busy.size()); c->clear(); @@ -114,7 +114,7 @@ void ContextSwitcher::abort() { debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr, "(wire) %" PRIu64 " cs::abort (i=%zu, b=%zu)\n", - get_packet_number(), idle.size(), busy.size()); + pc.analyzed_pkts, idle.size(), busy.size()); busy.clear(); @@ -157,7 +157,7 @@ IpsContext* ContextSwitcher::interrupt() c->context_num = ++global_context_num; debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr, "%" PRIu64 " cs::interrupt %" PRIu64 " (i=%zu, b=%zu)\n", - busy.empty() ? get_packet_number() : busy.back()->packet_number, + busy.empty() ? pc.analyzed_pkts : busy.back()->packet_number, busy.empty() ? 0 : busy.back()->context_num, idle.size(), busy.size()); idle.pop_back(); diff --git a/src/detection/context_switcher.h b/src/detection/context_switcher.h index aaeecd7d2..cf63c563c 100644 --- a/src/detection/context_switcher.h +++ b/src/detection/context_switcher.h @@ -42,7 +42,7 @@ #include #include "detection/ips_context_chain.h" -#include "utils/primed_allocator.h" +#include "helpers/primed_allocator.h" namespace snort { diff --git a/src/detection/detect.cc b/src/detection/detect.cc index b043b855e..395a19997 100644 --- a/src/detection/detect.cc +++ b/src/detection/detect.cc @@ -34,7 +34,6 @@ #include "latency/packet_latency.h" #include "main/snort_config.h" #include "managers/event_manager.h" -#include "managers/inspector_manager.h" #include "packet_io/active.h" #include "ports/port_object.h" #include "profiler/profiler_defs.h" @@ -65,9 +64,7 @@ bool snort_log(Packet* p) void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg) { - event->update_event_id(p->context->conf->get_event_log_id()); - - DetectionEngine::set_check_tags(false); + DetectionEngine::set_check_tags(p, false); pc.log_pkts++; OutputSet* idx = head ? head->LogList : nullptr; @@ -76,17 +73,10 @@ void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg) void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) { - Event event; - - // FIXIT-L this and the same below should be refactored to not need const_cast - event.sig_info = const_cast(&otn->sigInfo); - event.ref_time.tv_sec = p->pkth->ts.tv_sec; - event.ref_time.tv_usec = p->pkth->ts.tv_usec; - event.update_event_id_and_ref(p->context->conf->get_event_log_id()); - if (head and head->ruleListNode) - event.action_string = head->ruleListNode->name; + const char* act = (head and head->ruleListNode) ? head->ruleListNode->name : ""; + Event event(p->pkth->ts.tv_sec, p->pkth->ts.tv_usec, otn->sigInfo, otn->buffer_setters, act); - DetectionEngine::set_check_tags(false); + DetectionEngine::set_check_tags(p, false); pc.log_pkts++; const uint8_t* data = nullptr; @@ -118,15 +108,8 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) { - Event event; - - event.sig_info = const_cast(&otn->sigInfo); - event.buffs_to_dump = otn->buffer_setters; - event.ref_time.tv_sec = p->pkth->ts.tv_sec; - event.ref_time.tv_usec = p->pkth->ts.tv_usec; - event.update_event_id_and_ref(p->context->conf->get_event_log_id()); - if (head and head->ruleListNode) - event.action_string = head->ruleListNode->name; + const char* act = (head and head->ruleListNode) ? head->ruleListNode->name : ""; + Event event(p->pkth->ts.tv_sec, p->pkth->ts.tv_usec, otn->sigInfo, otn->buffer_setters, act); pc.total_alert_pkts++; @@ -151,19 +134,18 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) */ void check_tags(Packet* p) { - SigInfo info; - Event event(info); - - if ( DetectionEngine::get_check_tags() and !(p->packet_flags & PKT_REBUILT_STREAM) ) + if ( DetectionEngine::get_check_tags(p) and !(p->packet_flags & PKT_REBUILT_STREAM) ) { - void* listhead = nullptr; + SigInfo info; + ListHead* listhead = nullptr; + struct timeval tv; + uint32_t id; + const char* act; - if (CheckTagList(p, event, &listhead)) + if (CheckTagList(p, info, listhead, tv, id, act)) { - /* if we find a match, we want to send the packet to the - * logging mechanism - */ - CallLogFuncs(p, (ListHead*)listhead, &event, "Tagged Packet"); + Event event(tv.tv_sec, tv.tv_usec, info, nullptr, act, id); + CallLogFuncs(p, listhead, &event, "Tagged Packet"); } } } diff --git a/src/detection/detect.h b/src/detection/detect.h index df7db7db9..87d4e2501 100644 --- a/src/detection/detect.h +++ b/src/detection/detect.h @@ -21,9 +21,7 @@ #ifndef DETECT_H #define DETECT_H -#include "detection/rules.h" #include "main/snort_types.h" -#include "main/thread.h" namespace snort { @@ -31,6 +29,9 @@ struct Packet; struct ProfileStats; } +struct ListHead; +struct OptTreeNode; + extern THREAD_LOCAL snort::ProfileStats eventqPerfStats; // main loop hooks @@ -38,7 +39,7 @@ bool snort_ignore(snort::Packet*); bool snort_log(snort::Packet*); // alerts -void CallLogFuncs(snort::Packet*, ListHead*, struct Event*, const char*); +void CallLogFuncs(snort::Packet*, ListHead*, class Event*, const char*); void CallLogFuncs(snort::Packet*, const OptTreeNode*, ListHead*); void CallAlertFuncs(snort::Packet*, const OptTreeNode*, ListHead*); diff --git a/src/detection/detect_trace.cc b/src/detection/detect_trace.cc index c82349cfc..559d535af 100644 --- a/src/detection/detect_trace.cc +++ b/src/detection/detect_trace.cc @@ -25,7 +25,6 @@ #include "detect_trace.h" #include "log/log.h" -#include "main/thread.h" #include "protocols/packet.h" #include "utils/stats.h" #include "utils/util.h" diff --git a/src/detection/detect_trace.h b/src/detection/detect_trace.h index 8ce0df2ae..63bd81054 100644 --- a/src/detection/detect_trace.h +++ b/src/detection/detect_trace.h @@ -25,7 +25,6 @@ #include "framework/cursor.h" #include "main/snort_types.h" -#include "main/thread.h" namespace snort { diff --git a/src/detection/detection_util.h b/src/detection/detection_buf.h similarity index 72% rename from src/detection/detection_util.h rename to src/detection/detection_buf.h index 7c44adef2..38370db1a 100644 --- a/src/detection/detection_util.h +++ b/src/detection/detection_buf.h @@ -1,7 +1,5 @@ //-------------------------------------------------------------------------- -// Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2002-2013 Sourcefire, Inc. -// Copyright (C) 1998-2002 Martin Roesch +// Copyright (C) 2024-2023 Cisco and/or its affiliates. All rights reserved. // // This program is free software; you can redistribute it and/or modify it // under the terms of the GNU General Public License Version 2 as published @@ -18,16 +16,13 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -#ifndef DETECTION_UTIL_H -#define DETECTION_UTIL_H +#ifndef DETECTION_BUF_H +#define DETECTION_BUF_H -// this is a legacy junk-drawer file that needs to be refactored -// it provides file and alt data and event trace foo. +// buffers used by DetectionEngine and IpsContext #include - -#include "actions/actions.h" -#include "main/snort_config.h" +#include #define DECODE_BLEN 65535 @@ -71,16 +66,5 @@ struct MatchedBuffer unsigned size = 0; }; -// FIXIT-RC event trace should be placed in its own files -void EventTrace_Init(); -void EventTrace_Term(); - -void EventTrace_Log(const snort::Packet*, const OptTreeNode*, Actions::Type action); - -inline int EventTrace_IsEnabled(const snort::SnortConfig* sc) -{ - return ( sc->event_trace_max > 0 ); -} - #endif diff --git a/src/detection/detection_continuation.h b/src/detection/detection_continuation.h index 743a1fb7a..6aa0f549e 100644 --- a/src/detection/detection_continuation.h +++ b/src/detection/detection_continuation.h @@ -23,18 +23,18 @@ #include "framework/cursor.h" #include "framework/ips_option.h" -#include "ips_options/extract.h" +#include "helpers/grouped_list.h" #include "latency/rule_latency.h" #include "latency/rule_latency_state.h" #include "main/snort_config.h" #include "main/thread_config.h" #include "protocols/packet.h" #include "trace/trace_api.h" -#include "utils/grouped_list.h" #include "utils/stats.h" #include "detection_options.h" #include "detect_trace.h" +#include "extract.h" #include "ips_context.h" #include "rule_option_types.h" #include "treenodes.h" diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc index 6945abce6..163c8e41a 100644 --- a/src/detection/detection_engine.cc +++ b/src/detection/detection_engine.cc @@ -24,18 +24,19 @@ #include "detection_engine.h" +#include "events/event_queue.h" #include "events/sfeventq.h" #include "filters/sfthreshold.h" #include "framework/endianness.h" +#include "framework/ips_action.h" #include "helpers/ring.h" #include "latency/packet_latency.h" #include "main/analyzer.h" #include "main/snort_config.h" -#include "main/thread.h" #include "managers/inspector_manager.h" #include "managers/mpse_manager.h" #include "packet_io/active.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "parser/parser.h" #include "profiler/profiler_defs.h" #include "protocols/packet.h" @@ -45,8 +46,8 @@ #include "utils/stats.h" #include "context_switcher.h" +#include "detection_buf.h" #include "detection_module.h" -#include "detection_util.h" #include "detect.h" #include "detect_trace.h" #include "fp_config.h" @@ -55,10 +56,11 @@ #include "ips_context_data.h" #include "regex_offload.h" -static THREAD_LOCAL RegexOffload* offloader = nullptr; - using namespace snort; +static THREAD_LOCAL RegexOffload* offloader = nullptr; +bool DetectionEngine::offload_enabled = false; + //-------------------------------------------------------------------------- // basic de //-------------------------------------------------------------------------- @@ -124,6 +126,9 @@ DetectionEngine::~DetectionEngine() } } +void DetectionEngine::enable_offload() +{ offload_enabled = true; } + void DetectionEngine::reset() { IpsContext* c = Analyzer::get_switcher()->get_context(); @@ -180,7 +185,7 @@ Packet* DetectionEngine::set_next_packet(const Packet* parent, Flow* flow) { if ( flow ) p->context->snapshot_flow(flow); - c->packet_number = get_packet_number(); + c->packet_number = pc.analyzed_pkts; c->wire_packet = nullptr; } @@ -221,7 +226,7 @@ Packet* DetectionEngine::set_next_packet(const Packet* parent, Flow* flow) void DetectionEngine::finish_inspect_with_latency(Packet* p) { - DetectionEngine::set_check_tags(); + DetectionEngine::set_check_tags(p); // By checking tagging here, we make sure that we log the // tagged packet whether it generates an alert or not. @@ -285,12 +290,6 @@ void DetectionEngine::finish_packet(Packet* p, bool flow_deletion) sw->complete(); } -uint8_t* DetectionEngine::get_buffer(unsigned& max) -{ - max = IpsContext::buf_size; - return Analyzer::get_switcher()->get_context()->buf; -} - uint8_t* DetectionEngine::get_next_buffer(unsigned& max) { max = IpsContext::buf_size; @@ -404,11 +403,11 @@ IpsContext::ActiveRules DetectionEngine::get_detects(Packet* p) void DetectionEngine::set_detects(Packet* p, IpsContext::ActiveRules ar) { p->context->active_rules = ar; } -void DetectionEngine::set_check_tags(bool enable) -{ Analyzer::get_switcher()->get_context()->check_tags = enable; } +void DetectionEngine::set_check_tags(Packet* p, bool enable) +{ p->context->check_tags = enable; } -bool DetectionEngine::get_check_tags() -{ return Analyzer::get_switcher()->get_context()->check_tags; } +bool DetectionEngine::get_check_tags(Packet* p) +{ return p->context->check_tags; } //-------------------------------------------------------------------------- // offload / onload @@ -475,12 +474,12 @@ void DetectionEngine::idle() while ( offloader->count() ) { debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr, - "(wire) %" PRIu64 " de::sleep\n", get_packet_number()); + "(wire) %" PRIu64 " de::sleep\n", pc.analyzed_pkts); onload(); } debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr, - "(wire) %" PRIu64 " de::idle (r=%d)\n", get_packet_number(), + "(wire) %" PRIu64 " de::idle (r=%d)\n", pc.analyzed_pkts, offloader->count()); offloader->stop(); @@ -495,7 +494,7 @@ void DetectionEngine::onload(Flow* flow) while ( flow->is_suspended() ) { debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr, - "(wire) %" PRIu64 " de::sleep\n", get_packet_number()); + "(wire) %" PRIu64 " de::sleep\n", pc.analyzed_pkts); resume_ready_suspends(flow->context_chain); // FIXIT-M makes onload reentrant-safe onload(); @@ -647,9 +646,9 @@ bool DetectionEngine::inspect(Packet* p) if ( !all_disabled(p) ) { if ( PacketTracer::is_daq_activated() ) - PacketTracer::pt_timer_start(); + PacketTracer::restart_timer(); - if ( detect(p, true) ) + if ( detect(p, offload_enabled) ) return false; // don't finish out offloaded packets } } diff --git a/src/detection/detection_engine.h b/src/detection/detection_engine.h index e86fc7c8b..4c0a0460c 100644 --- a/src/detection/detection_engine.h +++ b/src/detection/detection_engine.h @@ -25,11 +25,11 @@ // packet (PDU), first call set_next_packet(). If rebuild is successful, // then instantiate a new DetectionEngine to detect that packet. -#include "detection/detection_util.h" +#include "detection/detection_buf.h" #include "detection/ips_context.h" #include "main/snort_types.h" -struct DataPointer; +struct OptTreeNode; struct Replacement; namespace snort @@ -59,6 +59,7 @@ public: static Packet* set_next_packet(const Packet* parent = nullptr, Flow* flow = nullptr); static uint8_t* get_next_buffer(unsigned& max); + static void enable_offload(); static bool offload(Packet*); static void onload(Flow*); @@ -76,7 +77,7 @@ public: static uint8_t* get_buffer(unsigned& max); static inline DataPointer get_alt_buffer(const Packet*); static inline DataBuffer& acquire_alt_buffer(const Packet*); - static inline void reset_alt_buffer(Packet*); + static void inline reset_alt_buffer(Packet*); static void set_data(unsigned id, IpsContextData*); static IpsContextData* get_data(unsigned id); @@ -89,7 +90,7 @@ public: static bool detect(Packet*, bool offload_ok = false); static bool inspect(Packet*); - static int queue_event(const struct OptTreeNode*); + static int queue_event(const OptTreeNode*); static int queue_event(unsigned gid, unsigned sid); static void disable_all(Packet*); @@ -102,8 +103,8 @@ public: static IpsContext::ActiveRules get_detects(Packet*); static void set_detects(Packet*, IpsContext::ActiveRules); - static void set_check_tags(bool enable = true); - static bool get_check_tags(); + static void set_check_tags(Packet*, bool enable = true); + static bool get_check_tags(Packet*); static void wait_for_context(); @@ -122,6 +123,7 @@ private: static void finish_packet(Packet*, bool flow_deletion = false); private: + static bool offload_enabled; IpsContext* context; }; diff --git a/src/detection/detection_module.cc b/src/detection/detection_module.cc index cad5d9159..fc8e303f0 100644 --- a/src/detection/detection_module.cc +++ b/src/detection/detection_module.cc @@ -33,6 +33,7 @@ #include "trace/trace.h" #include "detect_trace.h" +#include "detection_engine.h" using namespace snort; @@ -196,6 +197,9 @@ bool DetectionModule::end(const char* fqn, int idx, SnortConfig* sc) if ( sc->offload_threads and ThreadConfig::get_instance_max() != 1 ) ParseError("You can not enable experimental offload with more than one packet thread."); + if ( sc->offload_limit < 99999 ) + DetectionEngine::enable_offload(); + return true; } diff --git a/src/detection/detection_module.h b/src/detection/detection_module.h index b972b2934..98a8892bc 100644 --- a/src/detection/detection_module.h +++ b/src/detection/detection_module.h @@ -23,6 +23,7 @@ #define DETECTION_MODULE_H #include "framework/module.h" +#include "utils/stats.h" namespace snort { @@ -55,4 +56,5 @@ private: }; } -#endif // DETECTION_MODULE_H +#endif + diff --git a/src/detection/detection_options.cc b/src/detection/detection_options.cc index 88f56aa5d..a5e9d7b68 100644 --- a/src/detection/detection_options.cc +++ b/src/detection/detection_options.cc @@ -40,7 +40,6 @@ #include "hash/hash_defs.h" #include "hash/hash_key_operations.h" #include "hash/xhash.h" -#include "ips_options/extract.h" #include "ips_options/ips_flowbits.h" #include "latency/packet_latency.h" #include "latency/rule_latency_state.h" @@ -55,8 +54,8 @@ #include "detection_continuation.h" #include "detection_engine.h" #include "detection_module.h" -#include "detection_util.h" #include "detect_trace.h" +#include "extract.h" #include "fp_create.h" #include "fp_detect.h" #include "ips_context.h" @@ -697,7 +696,7 @@ int detection_option_node_evaluate( if ( continue_loop && rval == (int)IpsOption::MATCH && node->relative_children ) { IpsOption* opt = (IpsOption*)node->option_data; - continue_loop = opt->retry(cursor, orig_cursor); + continue_loop = opt->retry(cursor); } else continue_loop = false; diff --git a/src/detection/detection_util.cc b/src/detection/event_trace.cc similarity index 92% rename from src/detection/detection_util.cc rename to src/detection/event_trace.cc index e3e57857c..3df02c683 100644 --- a/src/detection/detection_util.cc +++ b/src/detection/event_trace.cc @@ -22,10 +22,10 @@ #include "config.h" #endif -#include "detection_util.h" +#include "event_trace.h" -#include "actions/actions.h" #include "events/event.h" +#include "framework/ips_action.h" #include "log/text_log.h" #include "protocols/packet.h" #include "utils/stats.h" @@ -75,16 +75,16 @@ static void LogBuffer(const char* s, const uint8_t* p, unsigned n) } } -void EventTrace_Log(const Packet* p, const OptTreeNode* otn, Actions::Type action) +void EventTrace_Log(const Packet* p, const OptTreeNode* otn, IpsAction::Type action) { - std::string acts = Actions::get_string(action); + std::string acts = IpsAction::get_string(action); if ( !tlog ) return; TextLog_Print(tlog, "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n", - get_event_id(), otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str()); + Event::get_curr_seq_num(), otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str()); TextLog_Print(tlog, "Pkt=" STDu64 ", Sec=%lu.%6lu, Len=%u, Cap=%u\n", diff --git a/src/detection/event_trace.h b/src/detection/event_trace.h new file mode 100644 index 000000000..f81171f34 --- /dev/null +++ b/src/detection/event_trace.h @@ -0,0 +1,42 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. +// Copyright (C) 2002-2013 Sourcefire, Inc. +// Copyright (C) 1998-2002 Martin Roesch +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +#ifndef EVENT_TRACE_H +#define EVENT_TRACE_H + +// facility for logging IPS events and packets regardless of filtering + +#include + +#include "framework/ips_action.h" +#include "main/snort_config.h" + +void EventTrace_Init(); +void EventTrace_Term(); + +void EventTrace_Log(const snort::Packet*, const struct OptTreeNode*, snort::IpsAction::Type action); + +inline int EventTrace_IsEnabled(const snort::SnortConfig* sc) +{ + return ( sc->event_trace_max > 0 ); +} + +#endif + diff --git a/src/ips_options/extract.cc b/src/detection/extract.cc similarity index 100% rename from src/ips_options/extract.cc rename to src/detection/extract.cc diff --git a/src/ips_options/extract.h b/src/detection/extract.h similarity index 92% rename from src/ips_options/extract.h rename to src/detection/extract.h index bcc4610e6..8cffd80d8 100644 --- a/src/ips_options/extract.h +++ b/src/detection/extract.h @@ -23,7 +23,6 @@ #include "framework/cursor.h" #include "framework/endianness.h" #include "main/snort_types.h" -#include "main/thread.h" #include "protocols/packet.h" #define ENDIAN_BIG 0x1 @@ -59,14 +58,14 @@ SO_PUBLIC int byte_extract( int endianness, int bytes_to_grab, const uint8_t* ptr, const uint8_t* start, const uint8_t* end, uint32_t* value); -void set_cursor_bounds(const ByteData& settings, const Cursor& c, +SO_PUBLIC void set_cursor_bounds(const ByteData& settings, const Cursor& c, const uint8_t*& start, const uint8_t*& ptr, const uint8_t*& end); -int32_t data_extraction(const ByteData& settings, Packet* p, +SO_PUBLIC int32_t data_extraction(const ByteData& settings, Packet* p, uint32_t& result_var, const uint8_t* start, const uint8_t* ptr, const uint8_t* end); -int32_t extract_data(const ByteData& settings, const Cursor& c, Packet* p, +SO_PUBLIC int32_t extract_data(const ByteData& settings, const Cursor& c, Packet* p, uint32_t& result_var); SO_PUBLIC void set_byte_order(uint8_t& order, uint8_t flag, const char* opt); diff --git a/src/detection/fp_create.cc b/src/detection/fp_create.cc index b6b76c7b1..46d81eb28 100644 --- a/src/detection/fp_create.cc +++ b/src/detection/fp_create.cc @@ -39,6 +39,7 @@ #include "hash/ghash.h" #include "hash/hash_defs.h" #include "hash/xhash.h" +#include "log/log_stats.h" #include "log/messages.h" #include "main/snort.h" #include "main/snort_config.h" diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index b909af47f..28cd6fe75 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc @@ -41,11 +41,13 @@ #include -#include "actions/actions.h" #include "events/event.h" +#include "events/event_queue.h" #include "filters/rate_filter.h" #include "filters/sfthreshold.h" +#include "framework/act_info.h" #include "framework/cursor.h" +#include "framework/ips_action.h" #include "framework/mpse.h" #include "latency/packet_latency.h" #include "latency/rule_latency.h" @@ -54,7 +56,7 @@ #include "main/snort_config.h" #include "managers/action_manager.h" #include "packet_io/active.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "parser/parser.h" #include "profiler/profiler_defs.h" #include "protocols/icmp4.h" @@ -67,13 +69,13 @@ #include "utils/util.h" #include "context_switcher.h" -#include "detect.h" #include "detect_trace.h" +#include "detection_buf.h" #include "detection_continuation.h" #include "detection_engine.h" #include "detection_module.h" #include "detection_options.h" -#include "detection_util.h" +#include "event_trace.h" #include "fp_config.h" #include "fp_create.h" #include "fp_utils.h" @@ -108,9 +110,7 @@ void populate_trace_data() if ( tr_len > 0 ) { tr_context[tr_len-1] = ' '; - PacketTracer::daq_log("IPS+%" PRId64"++%s$", - TO_NSECS(pt_timer->get()), - tr_context); + PacketTracer::daq_log("IPS+%" PRId64"++%s$", PacketTracer::get_time(), tr_context); tr_len = 0; tr_context[0] = '\0'; @@ -128,14 +128,14 @@ static inline void init_match_info(const IpsContext* c) // called by fpLogEvent(), which does the filtering etc. // this handles the non-rule-actions (responses). static inline void fpLogOther( - Packet* p, const RuleTreeNode* rtn, const OptTreeNode* otn, Actions::Type action) + Packet* p, const RuleTreeNode* rtn, const OptTreeNode* otn, IpsAction::Type action) { if ( EventTrace_IsEnabled(p->context->conf) ) EventTrace_Log(p, otn, action); if ( PacketTracer::is_active() ) { - std::string act = Actions::get_string(action); + std::string act = IpsAction::get_string(action); PacketTracer::log("Event: %u:%u:%u, Action %s\n", otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, act.c_str()); @@ -143,7 +143,7 @@ static inline void fpLogOther( if ( PacketTracer::is_daq_activated() ) { - std::string act = Actions::get_string(action); + std::string act = IpsAction::get_string(action); tr_len += snprintf(tr_context+tr_len, sizeof(tr_context) - tr_len, "gid:%u, sid:%u, rev:%u, action:%s, msg:%s\n", otn->sigInfo.gid, otn->sigInfo.sid, @@ -186,9 +186,9 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p) // perform rate filtering tests - impacts action taken rateAction = RateFilter_Test(otn, p); - override = ( rateAction >= Actions::get_max_types() ); + override = ( rateAction >= IpsAction::get_max_types() ); if ( override ) - rateAction -= Actions::get_max_types(); + rateAction -= IpsAction::get_max_types(); // internal events are no-ops if ( (rateAction < 0) && EventIsInternal(otn->sigInfo.gid) ) @@ -223,10 +223,10 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p) ** that are drop rules. We just don't want to see the alert. */ IpsAction * act = get_ips_policy()->action[action]; - act->exec(p); + ActInfo ai(otn, false); + act->exec(p, ai); - if ( p->active && p->flow && - (p->active->get_action() >= Active::ACT_DROP) ) + if ( p->active && p->flow && (p->active->get_action() >= Active::ACT_DROP) ) { if ( p->active->can_partial_block_session() ) p->flow->flags.ips_pblock_event_suppressed = true; @@ -247,20 +247,19 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p) const SnortConfig* sc = p->context->conf; if ( (p->packet_flags & PKT_PASS_RULE) && - (sc->get_eval_index(rtn->action) > sc->get_eval_index(Actions::get_type("pass"))) ) + (sc->get_eval_index(rtn->action) > sc->get_eval_index(IpsAction::get_type("pass"))) ) { fpLogOther(p, rtn, otn, rtn->action); return 1; } otn->state[get_instance_id()].alerts++; + uint16_t eseq = Event::get_next_seq_num(); + IpsAction* act = get_ips_policy()->action[action]; + ActInfo ai(otn); - incr_event_id(); - - IpsAction * act = get_ips_policy()->action[action]; - act->exec(p, otn); - SetTags(p, otn, get_event_id()); - + act->exec(p, ai); + SetTags(p, otn, eseq); fpLogOther(p, rtn, otn, action); return 0; @@ -642,7 +641,7 @@ static inline int fpFinalSelectEvent(OtnxMatchData* omd, Packet* p) { /* bail if were not dumping events in all the action groups, * and we've already got some events */ - if (!p->context->conf->process_all_events() && (tcnt > 0)) + if (!p->context->conf->event_queue_config->process_all_events && (tcnt > 0)) return 1; if ( omd->matchInfo[i].iMatchCount ) @@ -1398,7 +1397,8 @@ static inline int fp_do_actions(OtnxMatchData* omd, Packet* p) const OptTreeNode* otn = omd->matchInfo[i].MatchArray[0]; RuleTreeNode* rtn = getRtnFromOtn(otn); IpsAction* act = get_ips_policy()->action[rtn->action]; - act->exec(p, otn); + ActInfo ai(otn); + act->exec(p, ai); } } diff --git a/src/detection/fp_detect.h b/src/detection/fp_detect.h index fbcc77694..15cad2f45 100644 --- a/src/detection/fp_detect.h +++ b/src/detection/fp_detect.h @@ -29,7 +29,6 @@ // rule groups are selected based on traffic and any fast pattern // matches trigger rule tree evaluation. -#include "main/thread.h" #include "profiler/profiler_defs.h" #include "target_based/snort_protocols.h" diff --git a/src/detection/fp_utils.cc b/src/detection/fp_utils.cc index 022aa63c0..4cfa1683f 100644 --- a/src/detection/fp_utils.cc +++ b/src/detection/fp_utils.cc @@ -39,6 +39,7 @@ #include "ips_options/ips_flowbits.h" #include "log/messages.h" #include "main/snort_config.h" +#include "main/thread.h" #include "parser/parse_conf.h" #include "pattern_match_data.h" #include "ports/port_group.h" diff --git a/src/detection/ips_context.h b/src/detection/ips_context.h index c86908612..bffb6182e 100644 --- a/src/detection/ips_context.h +++ b/src/detection/ips_context.h @@ -27,7 +27,7 @@ #include -#include "detection/detection_util.h" +#include "detection/detection_buf.h" #include "framework/codec.h" #include "framework/mpse.h" #include "framework/mpse_batch.h" diff --git a/src/detection/regex_offload.cc b/src/detection/regex_offload.cc index 9ec335928..9acb6bc1b 100644 --- a/src/detection/regex_offload.cc +++ b/src/detection/regex_offload.cc @@ -38,7 +38,6 @@ #include "latency/packet_latency.h" #include "latency/rule_latency.h" #include "main/snort_config.h" -#include "main/thread.h" #include "main/thread_config.h" #include "managers/module_manager.h" #include "utils/stats.h" diff --git a/src/detection/rules.h b/src/detection/rules.h index 8fec29f8f..651fb22b7 100644 --- a/src/detection/rules.h +++ b/src/detection/rules.h @@ -27,7 +27,7 @@ #include #include -#include "actions/actions.h" +#include "framework/ips_action.h" #include "main/policy.h" #define GID_DEFAULT 1 @@ -61,7 +61,7 @@ struct ListHead struct RuleListNode { ListHead* RuleList; /* The rule list associated with this node */ - Actions::Type mode; /* the rule mode */ + snort::IpsAction::Type mode; /* the rule mode */ unsigned evalIndex; /* eval index for this rule set */ char* name; /* name of this rule list */ RuleListNode* next; /* the next RuleListNode */ @@ -94,7 +94,7 @@ public: private: RuleTreeNode* dup_rtn(RuleTreeNode*, IpsPolicy*); void update_rtn(snort::SnortConfig*, RuleTreeNode*, const RuleState&); - void apply(snort::SnortConfig*, OptTreeNode*, unsigned ips_num, const RuleState&); + void apply(snort::SnortConfig*, struct OptTreeNode*, unsigned ips_num, const RuleState&); private: std::map map; diff --git a/src/detection/signature.cc b/src/detection/signature.cc index f7c4f4ff2..025d007be 100644 --- a/src/detection/signature.cc +++ b/src/detection/signature.cc @@ -28,9 +28,9 @@ #include "signature.h" -#include "actions/actions.h" #include "framework/decode_data.h" #include "filters/sfthd.h" +#include "framework/ips_action.h" #include "hash/hash_defs.h" #include "hash/ghash.h" #include "helpers/json_stream.h" @@ -462,7 +462,7 @@ void dump_rule_state(const SnortConfig* sc) auto pid = snort::get_ips_policy(sc, i)->user_policy_id; json.put("policy", pid); - std::string action = Actions::get_string(rtn->action); + std::string action = IpsAction::get_string(rtn->action); json.put("action", action.c_str()); const char* s = rtn->enabled() ? "yes" : "no"; diff --git a/src/detection/tag.cc b/src/detection/tag.cc index 8799e8426..fee071abe 100644 --- a/src/detection/tag.cc +++ b/src/detection/tag.cc @@ -98,7 +98,7 @@ struct TagNode uint16_t event_id; struct timeval event_time; - void* log_list; // retain custom logging if any from triggering alert + struct ListHead* log_list; // retain custom logging if any from triggering alert }; /* G L O B A L S **************************************************/ @@ -114,16 +114,9 @@ static THREAD_LOCAL unsigned s_sessions = 0; // (consecutive) sessions to be captured. static const unsigned s_max_sessions = 1; - /* P R O T O T Y P E S ********************************************/ -static TagNode* TagAlloc(XHash*); static void TagFree(XHash*, TagNode*); static int PruneTagCache(uint32_t, int); -static int PruneTime(XHash* tree, uint32_t thetime); -static void TagSession(const Packet*, TagData*, uint32_t, uint16_t, void*); -static void TagHost(const Packet*, TagData*, uint32_t, uint16_t, void*); -static void AddTagNode(const Packet*, TagData*, int, uint32_t, uint16_t, void*); -static inline void SwapTag(TagNode*); class TagSessionCache : public XHash { @@ -241,16 +234,7 @@ static TagNode* TagAlloc( return tag_node; } -/**Frees allocated TagNode. - * - * @param hash - pointer to XHash that should point to either ssn_tag_cache_ptr - * or host_tag_cache_ptr. - * @param node - pointer to node to be freed - */ -static void TagFree( - XHash* hash, - TagNode* node - ) +static void TagFree(XHash* hash, TagNode* node) { if (node == nullptr) return; @@ -262,11 +246,6 @@ static void TagFree( tag_memory_usage -= memory_per_node(hash); } -/** - * swap the sips and dips, dp's and sp's - * - * @param np TagNode ptr - */ static inline void SwapTag(TagNode* np) { SfIp tip; @@ -295,33 +274,8 @@ void CleanupTag() delete host_tag_cache; } -static void TagSession(const Packet* p, TagData* tag, uint32_t time, uint16_t event_id, void* log_list) -{ - AddTagNode(p, tag, TAG_SESSION, time, event_id, log_list); -} - -static void TagHost(const Packet* p, TagData* tag, uint32_t time, uint16_t event_id, void* log_list) -{ - int mode; - - switch (tag->tag_direction) - { - case TAG_HOST_DST: - mode = TAG_HOST_DST; - break; - case TAG_HOST_SRC: - mode = TAG_HOST_SRC; - break; - default: - mode = TAG_HOST_SRC; - break; - } - - AddTagNode(p, tag, mode, time, event_id, log_list); -} - static void AddTagNode(const Packet* p, TagData* tag, int mode, uint32_t now, - uint16_t event_id, void* log_list) + uint16_t event_id, ListHead* log_list) { TagNode* idx; /* index pointer */ TagNode* returned; @@ -427,7 +381,33 @@ static void AddTagNode(const Packet* p, TagData* tag, int mode, uint32_t now, } } -int CheckTagList(Packet* p, Event& event, void** log_list) +static void TagSession(const Packet* p, TagData* tag, uint32_t time, uint16_t event_id, ListHead* log_list) +{ + AddTagNode(p, tag, TAG_SESSION, time, event_id, log_list); +} + +static void TagHost(const Packet* p, TagData* tag, uint32_t time, uint16_t event_id, ListHead* log_list) +{ + int mode; + + switch (tag->tag_direction) + { + case TAG_HOST_DST: + mode = TAG_HOST_DST; + break; + case TAG_HOST_SRC: + mode = TAG_HOST_SRC; + break; + default: + mode = TAG_HOST_SRC; + break; + } + + AddTagNode(p, tag, mode, time, event_id, log_list); +} + +int CheckTagList( + Packet* p, SigInfo& info, ListHead*& ret_list, struct timeval& ret_time, uint32_t& ret_id, const char*& ret_act) { TagNode idx; TagNode* returned = nullptr; @@ -540,10 +520,16 @@ int CheckTagList(Packet* p, Event& event, void** log_list) if ( create_event ) { - event.set_event(GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id, - p->context->conf->get_event_log_id(), returned->event_time); - - *log_list = returned->log_list; + info.gid = GID_TAG; + info.sid = TAG_LOG_PKT; + info.rev = 1; + info.class_id = 1; + info.priority = 1; + + ret_time = returned->event_time; + ret_id = returned->event_id; + ret_list = returned->log_list; + ret_act = (ret_list and ret_list->ruleListNode) ? ret_list->ruleListNode->name : ""; } if ( !returned->metric ) @@ -567,6 +553,30 @@ int CheckTagList(Packet* p, Event& event, void** log_list) return 0; } +static int PruneTime(XHash* tree, uint32_t thetime) +{ + int pruned = 0; + TagNode* lru_node = nullptr; + + while ((lru_node = (TagNode*)tree->get_lru_user_data()) != nullptr) + { + if ((lru_node->last_access + TAG_PRUNE_QUANTUM) < thetime) + { + if (tree->release_node(&lru_node->key) != HASH_OK) + { + LogMessage("WARNING: failed to remove tagNode from hash.\n"); + } + pruned++; + } + else + { + break; + } + } + + return pruned; +} + static int PruneTagCache(uint32_t thetime, int mustdie) { int pruned = 0; @@ -599,30 +609,6 @@ static int PruneTagCache(uint32_t thetime, int mustdie) return pruned; } -static int PruneTime(XHash* tree, uint32_t thetime) -{ - int pruned = 0; - TagNode* lru_node = nullptr; - - while ((lru_node = (TagNode*)tree->get_lru_user_data()) != nullptr) - { - if ((lru_node->last_access + TAG_PRUNE_QUANTUM) < thetime) - { - if (tree->release_node(&lru_node->key) != HASH_OK) - { - LogMessage("WARNING: failed to remove tagNode from hash.\n"); - } - pruned++; - } - else - { - break; - } - } - - return pruned; -} - void SetTags(const Packet* p, const OptTreeNode* otn, uint16_t event_id) { if (otn != nullptr && otn->tag != nullptr) @@ -630,7 +616,7 @@ void SetTags(const Packet* p, const OptTreeNode* otn, uint16_t event_id) if (otn->tag->tag_type != 0) { RuleTreeNode* rtn = getRtnFromOtn(otn); - void* log_list = rtn ? rtn->listhead : nullptr; + ListHead* log_list = rtn ? rtn->listhead : nullptr; switch (otn->tag->tag_type) { diff --git a/src/detection/tag.h b/src/detection/tag.h index af661f798..c4f816856 100644 --- a/src/detection/tag.h +++ b/src/detection/tag.h @@ -34,8 +34,10 @@ namespace snort struct Packet; } +class Event; +struct ListHead; struct OptTreeNode; -struct Event; +struct SigInfo; #define GID_TAG 2 #define TAG_LOG_PKT 1 @@ -64,7 +66,7 @@ struct TagData void InitTag(); void CleanupTag(); -int CheckTagList(snort::Packet*, Event&, void**); +int CheckTagList(snort::Packet*, SigInfo&, ListHead*&, struct timeval&, uint32_t& id, const char*& action); void SetTags(const snort::Packet*, const OptTreeNode*, uint16_t); #endif diff --git a/src/detection/treenodes.h b/src/detection/treenodes.h index baaadbcf9..e6ac4986e 100644 --- a/src/detection/treenodes.h +++ b/src/detection/treenodes.h @@ -24,9 +24,9 @@ #include -#include "actions/actions.h" #include "detection/signature.h" #include "detection/rule_option_types.h" +#include "framework/ips_action.h" #include "framework/pdu_section.h" #include "main/policy.h" #include "main/snort_types.h" @@ -136,7 +136,7 @@ struct RuleTreeNode // Multiple OTNs can reference this RTN with the same policy. unsigned int otnRefCount = 0; // FIXIT-L shared_ptr? - Actions::Type action = 0; + snort::IpsAction::Type action = 0; uint8_t flags = 0; diff --git a/src/events/CMakeLists.txt b/src/events/CMakeLists.txt index c690af09f..ed56c8be8 100644 --- a/src/events/CMakeLists.txt +++ b/src/events/CMakeLists.txt @@ -1,12 +1,12 @@ set (INCLUDES event.h - event_queue.h ) add_library (events OBJECT event.cc event_queue.cc + event_queue.h sfeventq.cc sfeventq.h ${INCLUDES} diff --git a/src/events/event.cc b/src/events/event.cc index f2375bebf..30c4d0860 100644 --- a/src/events/event.cc +++ b/src/events/event.cc @@ -25,69 +25,134 @@ #include "detection/signature.h" #include "main/snort_config.h" +#include "main/thread.h" using namespace snort; static THREAD_LOCAL uint16_t g_event_id; +static SigInfo s_dummy; -uint16_t get_event_id() -{ - return g_event_id; -} - -void incr_event_id() -{ - g_event_id++; -} - -static uint32_t calc_event_id(uint16_t id, uint16_t log_id) +static uint32_t calc_event_id(uint16_t id) { // Use instance ID to make log_id unique per packet thread. Even if // it overflows, value will still be unique if there are less than // 65k threads. + uint16_t log_id = SnortConfig::get_conf()->get_event_log_id(); log_id += snort::get_instance_id(); return (id | (log_id << 16)); } -void Event::update_event_id(uint16_t log_id) +uint16_t Event::get_curr_seq_num() +{ return g_event_id; } + +uint16_t Event::get_next_seq_num() +{ return ++g_event_id; } + +uint32_t Event::get_next_event_id() { - event_id = calc_event_id(g_event_id, log_id); + uint16_t eseq = get_next_seq_num(); + return calc_event_id(eseq); } -void Event::update_event_id_and_ref(uint16_t log_id) +Event::Event() : sig_info(s_dummy) { } + +Event::Event(uint32_t sec, uint32_t usec, const SigInfo& si, const char** bufs, const char* act) : + sig_info(si) { - event_id = calc_event_id(g_event_id, log_id); + ts_sec = sec; + ts_usec = usec; + + buffs_to_dump = bufs; + action = act; + + event_id = calc_event_id(g_event_id); event_reference = event_id; } -uint32_t Event::update_and_get_event_id(void) +Event::Event(uint32_t sec, uint32_t usec, const SigInfo& si, const char** bufs, const char* act, uint32_t ref) : + sig_info(si) { - /* return event id based on g_event_id. */ - incr_event_id(); + ts_sec = sec; + ts_usec = usec; + + buffs_to_dump = bufs; + action = act; - return calc_event_id(g_event_id, - SnortConfig::get_conf()->get_event_log_id()); + event_id = get_next_event_id(); + event_reference = calc_event_id(ref); } -void Event::set_event(uint32_t gid, uint32_t sid, uint32_t rev, - uint32_t classification, uint32_t priority, uint16_t event_ref, - uint16_t log_id, const struct timeval& tv, const std::string& act) +uint32_t Event::get_seconds() const +{ return ts_sec; } + +void Event::get_timestamp(uint32_t& sec, uint32_t& usec) const +{ sec = ts_sec; usec = ts_usec; } + +uint32_t Event::get_event_id() const +{ return event_id; } + +uint32_t Event::get_event_reference() const +{ return event_reference; } + +uint32_t Event::get_gid() const +{ return sig_info.gid; } + +uint32_t Event::get_sid() const +{ return sig_info.sid; } + +uint32_t Event::get_rev() const +{ return sig_info.rev; } + +void Event::get_sig_ids(uint32_t& gid, uint32_t& sid, uint32_t& rev) const { - sig_info->gid = gid; - sig_info->sid = sid; - sig_info->rev = rev; - sig_info->class_id = classification; - sig_info->priority = priority; - - event_id = update_and_get_event_id(); - - if (event_ref) - event_reference = calc_event_id(event_ref, log_id); - else - event_reference = event_id; - - ref_time.tv_sec = tv.tv_sec; - ref_time.tv_usec = tv.tv_usec; - action_string = act; + gid = sig_info.gid; + sid = sig_info.sid; + rev = sig_info.rev; +} + +const char* Event::get_msg() const +{ + if ( sig_info.message.empty() ) + return nullptr; + + return sig_info.message.c_str(); +} + +const char* Event::get_class_type() const +{ + if ( !sig_info.class_type or sig_info.class_type->text.empty() ) + return nullptr; + + return sig_info.class_type->text.c_str(); } +const char** Event::get_buffers() const +{ return buffs_to_dump; } + +const char* Event::get_action() const +{ return action; } + +uint32_t Event::get_class_id() const +{ return sig_info.class_id; } + +uint32_t Event::get_priority() const +{ return sig_info.priority; } + +bool Event::get_target(bool& src) const +{ + if ( sig_info.target == TARGET_SRC ) + { + src = true; + return true; + } + else if ( sig_info.target == TARGET_DST ) + { + src = false; + return true; + } + return false; +} + +const SigInfo& Event::get_sig_info() const +{ return sig_info; } + diff --git a/src/events/event.h b/src/events/event.h index 5290de902..2bf8a5855 100644 --- a/src/events/event.h +++ b/src/events/event.h @@ -1,7 +1,5 @@ //-------------------------------------------------------------------------- // Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2002-2013 Sourcefire, Inc. -// Copyright (C) 1998-2002 Martin Roesch // // This program is free software; you can redistribute it and/or modify it // under the terms of the GNU General Public License Version 2 as published @@ -21,54 +19,59 @@ #ifndef EVENT_H #define EVENT_H -#include "main/thread.h" +#include "main/snort_types.h" struct SigInfo; -/* we must use fixed size of 32 bits, because on-disk - * format of savefiles uses 32-bit tv_sec (and tv_usec) - */ -struct sf_timeval32 +class SO_PUBLIC Event { - uint32_t tv_sec; /* seconds */ - uint32_t tv_usec; /* microseconds */ -}; +public: + Event(); + Event(uint32_t sec, uint32_t usec, const SigInfo&, const char** buffers, const char* action); + Event(uint32_t sec, uint32_t usec, const SigInfo&, const char** buffers, const char* action, uint32_t ref); -struct Event -{ - SigInfo* sig_info = nullptr; - struct sf_timeval32 ref_time = { 0, 0 }; /* reference time for the event reference */ - const char* alt_msg = nullptr; - std::string action_string; - const char** buffs_to_dump = nullptr; + static uint16_t get_curr_seq_num(); + static uint16_t get_next_seq_num(); + static uint32_t get_next_event_id(); + + const SigInfo& get_sig_info() const; + + uint32_t get_seconds() const; + void get_timestamp(uint32_t& sec, uint32_t& usec) const; - Event() = default; - Event(SigInfo& si) - { sig_info = &si; } + uint32_t get_event_id() const; + uint32_t get_event_reference() const; - uint32_t get_event_id() const { return event_id; } - void set_event_id(uint32_t id) { event_id = id; } + const char** get_buffers() const; + const char* get_action() const; - uint32_t get_event_reference() const { return event_reference; } - void set_event_reference(uint32_t ref) { event_reference = ref; } + uint32_t get_gid() const; + uint32_t get_sid() const; + uint32_t get_rev() const; - void update_event_id(uint16_t log_id); - void update_event_id_and_ref(uint16_t log_id); - SO_PUBLIC static uint32_t update_and_get_event_id(); + void get_sig_ids(uint32_t& gid, uint32_t& sid, uint32_t& rev) const; - void set_event(uint32_t gid, uint32_t sid, uint32_t rev, - uint32_t classification, uint32_t priority, uint16_t event_ref, - uint16_t log_id, const struct timeval& tv, const std::string& act = ""); + const char* get_msg() const; + const char* get_class_type() const; + uint32_t get_class_id() const; + uint32_t get_priority() const; + + // returns false if not specified; otherwise src indicates target is source or dest + bool get_target(bool& src) const; private: + const SigInfo& sig_info; + const char* action = nullptr; + const char** buffs_to_dump = nullptr; + + uint32_t ts_sec = 0; + uint32_t ts_usec = 0; + uint32_t event_id = 0; uint32_t event_reference = 0; // reference to other events that have gone off, // such as in the case of tagged packets... }; -uint16_t get_event_id(); -void incr_event_id(); - #endif diff --git a/src/file_api/CMakeLists.txt b/src/file_api/CMakeLists.txt index 32fa5969d..9336330bd 100644 --- a/src/file_api/CMakeLists.txt +++ b/src/file_api/CMakeLists.txt @@ -2,12 +2,8 @@ set( FILE_API_INCLUDES file_api.h file_capture.h - file_config.h file_flows.h - file_identifier.h file_lib.h - file_module.h - file_segment.h file_service.h ) @@ -20,14 +16,22 @@ add_library ( file_api OBJECT file_cache.cc file_cache.h file_config.cc + file_config.h file_flows.cc file_identifier.cc + file_identifier.h + file_inspect.cc + file_inspect.h file_lib.cc file_log.cc file_mempool.cc file_mempool.h file_module.cc + file_module.h + file_policy.cc + file_policy.h file_segment.cc + file_segment.h file_service.cc file_stats.cc file_stats.h diff --git a/src/file_api/file_cache.cc b/src/file_api/file_cache.cc index 0256594d3..e47859090 100644 --- a/src/file_api/file_cache.cc +++ b/src/file_api/file_cache.cc @@ -30,10 +30,11 @@ #include "main/snort_config.h" #include "main/thread_config.h" #include "packet_io/active.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "time/packet_time.h" #include "file_flows.h" +#include "file_module.h" #include "file_service.h" #include "file_stats.h" diff --git a/src/file_api/file_capture.cc b/src/file_api/file_capture.cc index c3f1a49ec..8beee355f 100644 --- a/src/file_api/file_capture.cc +++ b/src/file_api/file_capture.cc @@ -34,7 +34,9 @@ #include +#include "log/log_stats.h" #include "log/messages.h" +#include "main/thread.h" #include "utils/stats.h" #include "utils/util.h" diff --git a/src/file_api/file_config.cc b/src/file_api/file_config.cc index 459adabb1..0390f5e9c 100644 --- a/src/file_api/file_config.cc +++ b/src/file_api/file_config.cc @@ -29,11 +29,12 @@ #include "file_config.h" -#include "main/snort_config.h" #include "managers/inspector_manager.h" +#include "main/snort_config.h" #include "parser/parse_utils.h" #include "file_flows.h" +#include "file_inspect.h" using namespace snort; diff --git a/src/file_api/file_flows.cc b/src/file_api/file_flows.cc index c37e0e08f..0f47c2b54 100644 --- a/src/file_api/file_flows.cc +++ b/src/file_api/file_flows.cc @@ -32,8 +32,9 @@ #include "detection/detection_engine.h" #include "log/messages.h" #include "main/snort_config.h" +#include "main/thread.h" #include "managers/inspector_manager.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "protocols/packet.h" #include "trace/trace_api.h" @@ -78,7 +79,7 @@ static void populate_trace_data(FileContext* context) PacketTracer::daq_log("file+%" PRId64"+Matched policy id %u, identification %s, signature %s, capture %s+" "File with ID %lu, name %s, type %s, size %lu, SHA %s detected. Verdict %s.$", - TO_NSECS(pt_timer->get()), + PacketTracer::get_time(), context->get_policy_id(), ((context->is_file_type_enabled() || context->get_file_type() || context->get_file_sig_sha256()) ? "" : ""), ((context->is_file_signature_enabled() || context->get_file_sig_sha256()) ? "" : ""), @@ -368,7 +369,7 @@ bool FileFlows::file_process(Packet* p, uint64_t file_id, const uint8_t* file_da } if (PacketTracer::is_daq_activated()) - PacketTracer::pt_timer_start(); + PacketTracer::restart_timer(); if (!cacheable) context->set_not_cacheable(); @@ -460,7 +461,7 @@ bool FileFlows::file_process(Packet* p, const uint8_t* file_data, int data_size, } if (PacketTracer::is_daq_activated()) - PacketTracer::pt_timer_start(); + PacketTracer::restart_timer(); context = find_main_file_context(position, direction, file_index); @@ -518,120 +519,3 @@ void FileFlows::add_pending_file(uint64_t file_id) current_file_id = pending_file_id = file_id; } -FileInspect::FileInspect(FileIdModule* fm) -{ - fm->load_config(config); -} - -FileInspect:: ~FileInspect() -{ - if (config) - delete config; -} - -bool FileInspect::configure(SnortConfig*) -{ - if (!config) - return true; - - FileCache* file_cache = FileService::get_file_cache(); - if (file_cache) - { - file_cache->set_block_timeout(config->file_block_timeout); - file_cache->set_lookup_timeout(config->file_lookup_timeout); - file_cache->set_max_files(config->max_files_cached); - } - - return true; -} - -static void file_config_show(const FileConfig* fc) -{ - if ( ConfigLogger::log_flag("enable_type", FileService::is_file_type_id_enabled()) ) - ConfigLogger::log_value("type_depth", fc->file_type_depth); - - if ( ConfigLogger::log_flag("enable_signature", FileService::is_file_signature_enabled()) ) - ConfigLogger::log_value("signature_depth", fc->file_signature_depth); - - if ( ConfigLogger::log_flag("block_timeout_lookup", fc->block_timeout_lookup) ) - ConfigLogger::log_value("block_timeout", fc->file_block_timeout); - - if ( ConfigLogger::log_flag("enable_capture", FileService::is_file_capture_enabled()) ) - { - ConfigLogger::log_value("capture_memcap", fc->capture_memcap); - ConfigLogger::log_value("capture_max_size", fc->capture_max_size); - ConfigLogger::log_value("capture_min_size", fc->capture_min_size); - ConfigLogger::log_value("capture_block_size", fc->capture_block_size); - } - - ConfigLogger::log_value("lookup_timeout", fc->file_lookup_timeout); - ConfigLogger::log_value("max_files_cached", fc->max_files_cached); - ConfigLogger::log_value("max_files_per_flow", fc->max_files_per_flow); - ConfigLogger::log_value("show_data_depth", fc->show_data_depth); - - ConfigLogger::log_flag("trace_type", fc->trace_type); - ConfigLogger::log_flag("trace_signature", fc->trace_signature); - ConfigLogger::log_flag("trace_stream", fc->trace_stream); -} - -void FileInspect::show(const SnortConfig*) const -{ - if ( config ) - file_config_show(config); -} - -static Module* mod_ctor() -{ return new FileIdModule; } - -static void mod_dtor(Module* m) -{ delete m; } - -static void file_init() -{ - FileFlows::init(); -} - -static void file_term() -{ -} - -static Inspector* file_ctor(Module* m) -{ - FileIdModule* mod = (FileIdModule*)m; - return new FileInspect(mod); -} - -static void file_dtor(Inspector* p) -{ - delete p; -} - -static const InspectApi file_inspect_api = -{ - { - PT_INSPECTOR, - sizeof(InspectApi), - INSAPI_VERSION, - 0, - API_RESERVED, - API_OPTIONS, - FILE_ID_NAME, - FILE_ID_HELP, - mod_ctor, - mod_dtor - }, - IT_FILE, - PROTO_BIT__NONE, - nullptr, - "file", - file_init, - file_term, - nullptr, // tinit - nullptr, // tterm - file_ctor, - file_dtor, - nullptr, // ssn - nullptr // reset -}; - -const BaseApi* sin_file_flow = &file_inspect_api.base; diff --git a/src/file_api/file_flows.h b/src/file_api/file_flows.h index abd6ad13a..6cd9e3a2c 100644 --- a/src/file_api/file_flows.h +++ b/src/file_api/file_flows.h @@ -24,37 +24,36 @@ // This provides a wrapper to manage several file contexts #include "flow/flow.h" +#include "helpers/event_gen.h" #include "main/snort_types.h" -#include "utils/event_gen.h" #include "file_api.h" -#include "file_module.h" #include +static const uint32_t FILE_ID_GID = 150; + +enum FileSid +{ + EVENT__NONE = -1, + EVENT_FILE_DROPPED_OVER_LIMIT = 1, + EVENT__MAX_VALUE +}; + using FileEventGen = EventGen; +class FileInspect; + namespace snort { class FileContext; class Flow; -class FileInspect : public Inspector -{ -public: - FileInspect(FileIdModule*); - ~FileInspect() override; - void eval(Packet*) override { } - bool configure(SnortConfig*) override; - void show(const SnortConfig*) const override; - FileConfig* config; -}; - class SO_PUBLIC FileFlows : public FlowData { public: - FileFlows(Flow* f, FileInspect* inspect) : FlowData(file_flow_data_id, inspect), flow(f) { } + FileFlows(Flow* f, FileInspect* fi) : FlowData(file_flow_data_id, (Inspector*)fi), flow(f) { } ~FileFlows() override; std::mutex file_flow_context_mutex; static void init() diff --git a/src/file_api/file_inspect.cc b/src/file_api/file_inspect.cc new file mode 100644 index 000000000..02d488abd --- /dev/null +++ b/src/file_api/file_inspect.cc @@ -0,0 +1,155 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved. +// Copyright (C) 2012-2013 Sourcefire, Inc. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +/* + ** Author(s): Hui Cao + ** + ** NOTES + ** 8.15.15 - Initial Source Code. Hui Cao + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "file_inspect.h" + +#include "log/messages.h" + +#include "file_cache.h" +#include "file_config.h" +#include "file_flows.h" +#include "file_module.h" +#include "file_service.h" + +using namespace snort; + +FileInspect::FileInspect(FileIdModule* fm) +{ + fm->load_config(config); +} + +FileInspect:: ~FileInspect() +{ + if (config) + delete config; +} + +bool FileInspect::configure(SnortConfig*) +{ + if (!config) + return true; + + FileCache* file_cache = FileService::get_file_cache(); + if (file_cache) + { + file_cache->set_block_timeout(config->file_block_timeout); + file_cache->set_lookup_timeout(config->file_lookup_timeout); + file_cache->set_max_files(config->max_files_cached); + } + + return true; +} + +static void file_config_show(const FileConfig* fc) +{ + if ( ConfigLogger::log_flag("enable_type", FileService::is_file_type_id_enabled()) ) + ConfigLogger::log_value("type_depth", fc->file_type_depth); + + if ( ConfigLogger::log_flag("enable_signature", FileService::is_file_signature_enabled()) ) + ConfigLogger::log_value("signature_depth", fc->file_signature_depth); + + if ( ConfigLogger::log_flag("block_timeout_lookup", fc->block_timeout_lookup) ) + ConfigLogger::log_value("block_timeout", fc->file_block_timeout); + + if ( ConfigLogger::log_flag("enable_capture", FileService::is_file_capture_enabled()) ) + { + ConfigLogger::log_value("capture_memcap", fc->capture_memcap); + ConfigLogger::log_value("capture_max_size", fc->capture_max_size); + ConfigLogger::log_value("capture_min_size", fc->capture_min_size); + ConfigLogger::log_value("capture_block_size", fc->capture_block_size); + } + + ConfigLogger::log_value("lookup_timeout", fc->file_lookup_timeout); + ConfigLogger::log_value("max_files_cached", fc->max_files_cached); + ConfigLogger::log_value("max_files_per_flow", fc->max_files_per_flow); + ConfigLogger::log_value("show_data_depth", fc->show_data_depth); + + ConfigLogger::log_flag("trace_type", fc->trace_type); + ConfigLogger::log_flag("trace_signature", fc->trace_signature); + ConfigLogger::log_flag("trace_stream", fc->trace_stream); +} + +void FileInspect::show(const SnortConfig*) const +{ + if ( config ) + file_config_show(config); +} + +static Module* mod_ctor() +{ return new FileIdModule; } + +static void mod_dtor(Module* m) +{ delete m; } + +static void file_init() +{ + FileFlows::init(); +} + +static Inspector* file_ctor(Module* m) +{ + FileIdModule* mod = (FileIdModule*)m; + return new FileInspect(mod); +} + +static void file_dtor(Inspector* p) +{ + delete p; +} + +static const InspectApi file_inspect_api = +{ + { + PT_INSPECTOR, + sizeof(InspectApi), + INSAPI_VERSION, + 0, + API_RESERVED, + API_OPTIONS, + FILE_ID_NAME, + FILE_ID_HELP, + mod_ctor, + mod_dtor + }, + IT_FILE, + PROTO_BIT__NONE, + nullptr, + "file", + file_init, + nullptr, + nullptr, // tinit + nullptr, // tterm + file_ctor, + file_dtor, + nullptr, // ssn + nullptr // reset +}; + +const BaseApi* sin_file_flow = &file_inspect_api.base; + diff --git a/src/file_api/file_inspect.h b/src/file_api/file_inspect.h new file mode 100644 index 000000000..fa67abf0b --- /dev/null +++ b/src/file_api/file_inspect.h @@ -0,0 +1,40 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2015-2023 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// author Hui Cao + +#ifndef FILE_INSPECT_H +#define FILE_INSPECT_H + +// file processing configuration +// +#include "framework/inspector.h" + +class FileInspect : public snort::Inspector +{ +public: + FileInspect(class FileIdModule*); + ~FileInspect() override; + void eval(snort::Packet*) override { } + bool configure(snort::SnortConfig*) override; + void show(const snort::SnortConfig*) const override; + class FileConfig* config; +}; + +#endif + diff --git a/src/file_api/file_lib.cc b/src/file_api/file_lib.cc index aca3b17c7..6891b346a 100644 --- a/src/file_api/file_lib.cc +++ b/src/file_api/file_lib.cc @@ -34,27 +34,28 @@ #include #include -#include "hash/hashes.h" +#include "detection/fp_detect.h" #include "framework/data_bus.h" -#include "main/snort_config.h" #include "managers/inspector_manager.h" -#include "packet_tracer/packet_tracer.h" +#include "hash/hashes.h" +#include "helpers/utf.h" +#include "main/snort_config.h" +#include "packet_io/packet_tracer.h" #include "profiler/profiler.h" #include "protocols/packet.h" #include "pub_sub/intrinsic_event_ids.h" #include "utils/util.h" -#include "utils/util_utf.h" #include "file_api.h" +#include "file_cache.h" #include "file_capture.h" #include "file_config.h" -#include "file_cache.h" #include "file_flows.h" -#include "file_service.h" +#include "file_inspect.h" +#include "file_module.h" #include "file_segment.h" +#include "file_service.h" #include "file_stats.h" -#include "file_module.h" -#include "detection/fp_detect.h" using namespace snort; @@ -336,10 +337,11 @@ FileContext::~FileContext () { if (file_signature_context) snort_free(file_signature_context); + if (file_capture) stop_file_capture(); - if (file_segments) - delete file_segments; + + delete file_segments; InspectorManager::release(inspector); } diff --git a/src/file_api/file_lib.h b/src/file_api/file_lib.h index 7f7faed17..bd0776b7c 100644 --- a/src/file_api/file_lib.h +++ b/src/file_api/file_lib.h @@ -38,12 +38,12 @@ const std::string VerdictName[] = {"Unknown", "Log", "Stop", "Block", "Reset", "Pending", "Stop Capture", "INVALID"}; class FileConfig; +class FileInspect; class FileSegments; namespace snort { class FileCapture; -class FileInspect; class Flow; class SO_PUBLIC FileInfo diff --git a/src/file_api/file_log.cc b/src/file_api/file_log.cc index c2f499bd8..7e748432e 100644 --- a/src/file_api/file_log.cc +++ b/src/file_api/file_log.cc @@ -206,7 +206,6 @@ public: { } void show(const SnortConfig*) const override; - void eval(Packet*) override { } bool configure(SnortConfig*) override { diff --git a/src/file_api/file_module.h b/src/file_api/file_module.h index 04e6f16c7..4f38db385 100644 --- a/src/file_api/file_module.h +++ b/src/file_api/file_module.h @@ -27,15 +27,15 @@ #include "framework/module.h" #include "file_config.h" +#include "file_flows.h" #include "file_identifier.h" #include "trace/trace_api.h" #include "utils/util.h" + //------------------------------------------------------------------------- // file_id module //------------------------------------------------------------------------- -static const uint32_t FILE_ID_GID = 150; - #define FILE_DEBUG(module_name, module_id, log_level, p, ...) \ trace_logf(log_level, module_name , module_id, p, __VA_ARGS__) @@ -80,12 +80,5 @@ private: std::string magic_file; }; -enum FileSid -{ - EVENT__NONE = -1, - EVENT_FILE_DROPPED_OVER_LIMIT = 1, - EVENT__MAX_VALUE -}; - #endif diff --git a/src/framework/file_policy.cc b/src/file_api/file_policy.cc similarity index 99% rename from src/framework/file_policy.cc rename to src/file_api/file_policy.cc index 121791e35..27e3bacad 100644 --- a/src/framework/file_policy.cc +++ b/src/file_api/file_policy.cc @@ -22,7 +22,7 @@ #include "config.h" #endif -#include "framework/file_policy.h" +#include "file_policy.h" #include "file_api/file_capture.h" #include "file_api/file_lib.h" diff --git a/src/framework/file_policy.h b/src/file_api/file_policy.h similarity index 100% rename from src/framework/file_policy.h rename to src/file_api/file_policy.h diff --git a/src/file_api/file_stats.cc b/src/file_api/file_stats.cc index 370f2e01c..6635ceb23 100644 --- a/src/file_api/file_stats.cc +++ b/src/file_api/file_stats.cc @@ -30,6 +30,7 @@ #include "file_stats.h" +#include "log/log_stats.h" #include "log/messages.h" #include "utils/stats.h" #include "utils/util.h" diff --git a/src/file_api/file_stats.h b/src/file_api/file_stats.h index 9eccf8af6..e94da62b7 100644 --- a/src/file_api/file_stats.h +++ b/src/file_api/file_stats.h @@ -23,7 +23,6 @@ #define FILE_STATS_H #include "framework/counts.h" -#include "main/thread.h" #include "file_api.h" #include "file_config.h" diff --git a/src/filters/detection_filter.cc b/src/filters/detection_filter.cc index ef137ef69..4e5ee679c 100644 --- a/src/filters/detection_filter.cc +++ b/src/filters/detection_filter.cc @@ -25,7 +25,6 @@ #include "hash/xhash.h" #include "log/messages.h" -#include "main/thread.h" #include "utils/util.h" #include "sfthd.h" diff --git a/src/filters/sfrf.cc b/src/filters/sfrf.cc index d169cf1b0..4904609f8 100644 --- a/src/filters/sfrf.cc +++ b/src/filters/sfrf.cc @@ -26,7 +26,6 @@ #include "sfrf.h" -#include "main/thread.h" #include "detection/rules.h" #include "framework/ips_action.h" #include "hash/ghash.h" @@ -317,7 +316,7 @@ static int SFRF_TestObject(tSFRFConfigNode* cfgNode, const SfIp* ip, time_t curT // if the count were not incremented in such cases, the // threshold would never be exceeded. if ( !cfgNode->seconds && (dynNode->count > cfgNode->count) - && Actions::is_valid_action(cfgNode->newAction) ) + && IpsAction::is_valid_action(cfgNode->newAction) ) { IpsAction* act = get_ips_policy()->action[cfgNode->newAction]; if ( act->drops_traffic() ) @@ -561,7 +560,7 @@ static int checkThreshold(tSFRFConfigNode* cfgNode, tSFRFTrackingNode* dynNode, dynNode->filterState = FS_ON; dynNode->overRate = 1; - return Actions::get_max_types() + cfgNode->newAction; + return IpsAction::get_max_types() + cfgNode->newAction; } static void updateDependentThresholds(RateFilterConfig* config, unsigned gid, diff --git a/src/filters/sfrf.h b/src/filters/sfrf.h index 46ac8da53..b0f3747f9 100644 --- a/src/filters/sfrf.h +++ b/src/filters/sfrf.h @@ -25,8 +25,8 @@ #include #include -#include "actions/actions.h" #include "framework/counts.h" +#include "framework/ips_action.h" #include "main/policy.h" #include "sfip/sf_ip.h" #include "sfip/sf_ipvar.h" @@ -72,7 +72,11 @@ struct tSFRFConfigNode SFRF_TRACK tracking; unsigned count; unsigned seconds; - Actions::Type newAction; + + // Action that replaces original rule action on reaching threshold + snort::IpsAction::Type newAction; + + // Threshold action duration in seconds before reverting to original rule action unsigned timeout; sfip_var_t* applyTo; }; diff --git a/src/filters/sfrf_test.cc b/src/filters/sfrf_test.cc index 8112d9053..316ecdef6 100644 --- a/src/filters/sfrf_test.cc +++ b/src/filters/sfrf_test.cc @@ -558,7 +558,7 @@ static void Init(const SnortConfig* sc, unsigned cap) cfg.tracking = p->track; cfg.count = p->count; cfg.seconds = p->seconds; - cfg.newAction = (Actions::Type)RULE_NEW; + cfg.newAction = (IpsAction::Type)RULE_NEW; cfg.timeout = p->timeout; cfg.applyTo = p->ip ? sfip_var_from_string(p->ip, "sfrf_test") : nullptr; @@ -599,8 +599,8 @@ static int EventTest(EventData* p) status = SFRF_TestThreshold(rfc, p->gid, p->sid, get_network_policy()->policy_id, &sip, &dip, curtime, op); - if ( status >= Actions::get_max_types() ) - status -= Actions::get_max_types(); + if ( status >= IpsAction::get_max_types() ) + status -= IpsAction::get_max_types(); return status; } diff --git a/src/filters/sfthd.cc b/src/filters/sfthd.cc index c0bdcafe4..a530ecd5f 100644 --- a/src/filters/sfthd.cc +++ b/src/filters/sfthd.cc @@ -36,7 +36,6 @@ #include "hash/ghash.h" #include "hash/hash_defs.h" #include "hash/xhash.h" -#include "main/thread.h" #include "sfip/sf_ipvar.h" #include "utils/sflsq.h" #include "utils/util.h" @@ -361,7 +360,6 @@ static int sfthd_create_threshold_global( return 0; } - /*! Add a permanent threshold object to the threshold table. Multiple objects may be defined for each gen_id and sig_id pair. Internally diff --git a/src/flow/CMakeLists.txt b/src/flow/CMakeLists.txt index d8f5ec9ca..a1de6ff1c 100644 --- a/src/flow/CMakeLists.txt +++ b/src/flow/CMakeLists.txt @@ -1,6 +1,6 @@ set (FLOW_INCLUDES deferred_trust.h - expect_cache.h + expect_flow.h flow.h flow_data.h flow_key.h @@ -8,6 +8,7 @@ set (FLOW_INCLUDES ha.h session.h stash_item.h + stream_flow.h ) add_library (flow OBJECT @@ -16,6 +17,7 @@ add_library (flow OBJECT expect_cache.cc flow.cc flow_cache.cc + expect_cache.h flow_cache.h flow_config.h flow_control.cc diff --git a/src/flow/expect_cache.cc b/src/flow/expect_cache.cc index 0fc7b586c..53a612819 100644 --- a/src/flow/expect_cache.cc +++ b/src/flow/expect_cache.cc @@ -22,11 +22,12 @@ #endif #include "expect_cache.h" +#include "expect_flow.h" #include "detection/ips_context.h" #include "hash/zhash.h" +#include "packet_io/packet_tracer.h" #include "packet_io/sfdaq_instance.h" -#include "packet_tracer/packet_tracer.h" #include "protocols/packet.h" #include "protocols/vlan.h" #include "pub_sub/expect_events.h" diff --git a/src/flow/expect_cache.h b/src/flow/expect_cache.h index c14592c11..b61d2bf5a 100644 --- a/src/flow/expect_cache.h +++ b/src/flow/expect_cache.h @@ -25,42 +25,6 @@ // ExpectCache is used to track anticipated flows (like ftp data channels). // when the flow is found, it updated with the given info. -//------------------------------------------------------------------------- -// data structs -// -- key has IP address and port pairs; one port must be zero (wild card) -// forming a 3-tuple -// -- node struct is stored in hash table by key -// -- each node struct has one or more list structs linked together -// -- each list struct has a list of flow data -// -- when a new expect is added, a new list struct is created if a new -// node is created or the last list struct of an existing node already -// has the same preproc id in the flow data list -// -- when a new expect is added, the last list struct is used if the -// given preproc id is not already in the flow data list -// -- nodes are preallocated and stored in hash table; if there is no node -// available when an expect is added, LRU nodes are pruned -// -- list structs are also preallocated and stored in free list; if there -// is no list struct available when an expect is added, LRU nodes are -// pruned freeing up both nodes and list structs -// -- the number of list structs per node is capped at MAX_LIST; once -// reached, requests to add new expects requiring new list structs fail -// -- the number of data structs per list struct is not capped -// -- example: ftp preproc adds a new 3-tuple twice for 2 expected data -// channels -> new node with 2 list structs linked to it -// -- example: ftp preproc adds a new 3-tuple once and then another -// preproc expects the same 3-tuple -> new node with one list struct -// is created for ftp and the next request goes in that same list -// struct -// -- new list structs are appended to node's list struct chain -// -- matching expected sessions are pulled off from the head of the node's -// list struct chain -// -// FIXIT-M expiration is by node struct but should be by list struct, ie -// individual sessions, not all sessions to a given 3-tuple -// (this would make pruning a little harder unless we add linkage -// a la FlowCache) -//------------------------------------------------------------------------- -#include #include "flow/flow_key.h" #include "target_based/snort_protocols.h" @@ -70,21 +34,9 @@ namespace snort { class Flow; class FlowData; -struct Packet; -struct SO_PUBLIC ExpectFlow -{ - struct ExpectFlow* next; - snort::FlowData* data; - - ~ExpectFlow(); - void clear(); - int add_flow_data(snort::FlowData*); - snort::FlowData* get_flow_data(unsigned); - static std::vector* get_expect_flows(); - static void reset_expect_flows(); - static void handle_expected_flows(const snort::Packet*); -}; +struct ExpectFlow; +struct Packet; } class ExpectCache diff --git a/src/flow/expect_flow.h b/src/flow/expect_flow.h new file mode 100644 index 000000000..814d5b48d --- /dev/null +++ b/src/flow/expect_flow.h @@ -0,0 +1,91 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved. +// Copyright (C) 2013-2013 Sourcefire, Inc. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// expect_cache.h author Russ Combs + +#ifndef EXPECT_FLOW_H +#define EXPECT_FLOW_H + +// ExpectCache is used to track anticipated flows (like ftp data channels). +// when the flow is found, it updated with the given info. + +//------------------------------------------------------------------------- +// data structs +// -- key has IP address and port pairs; one port must be zero (wild card) +// forming a 3-tuple +// -- node struct is stored in hash table by key +// -- each node struct has one or more list structs linked together +// -- each list struct has a list of flow data +// -- when a new expect is added, a new list struct is created if a new +// node is created or the last list struct of an existing node already +// has the same preproc id in the flow data list +// -- when a new expect is added, the last list struct is used if the +// given preproc id is not already in the flow data list +// -- nodes are preallocated and stored in hash table; if there is no node +// available when an expect is added, LRU nodes are pruned +// -- list structs are also preallocated and stored in free list; if there +// is no list struct available when an expect is added, LRU nodes are +// pruned freeing up both nodes and list structs +// -- the number of list structs per node is capped at MAX_LIST; once +// reached, requests to add new expects requiring new list structs fail +// -- the number of data structs per list struct is not capped +// -- example: ftp preproc adds a new 3-tuple twice for 2 expected data +// channels -> new node with 2 list structs linked to it +// -- example: ftp preproc adds a new 3-tuple once and then another +// preproc expects the same 3-tuple -> new node with one list struct +// is created for ftp and the next request goes in that same list +// struct +// -- new list structs are appended to node's list struct chain +// -- matching expected sessions are pulled off from the head of the node's +// list struct chain +// +// FIXIT-M expiration is by node struct but should be by list struct, ie +// individual sessions, not all sessions to a given 3-tuple +// (this would make pruning a little harder unless we add linkage +// a la FlowCache) +//------------------------------------------------------------------------- + +#include + +#include "main/snort_types.h" + +struct ExpectNode; + +namespace snort +{ +class FlowData; +struct Packet; + +struct SO_PUBLIC ExpectFlow +{ + struct ExpectFlow* next; + snort::FlowData* data; + + ~ExpectFlow(); + void clear(); + int add_flow_data(snort::FlowData*); + snort::FlowData* get_flow_data(unsigned); + static std::vector* get_expect_flows(); + static void reset_expect_flows(); + static void handle_expected_flows(const snort::Packet*); +}; +} + +#endif + diff --git a/src/flow/flow.h b/src/flow/flow.h index 84ebac467..379a29ed3 100644 --- a/src/flow/flow.h +++ b/src/flow/flow.h @@ -39,7 +39,6 @@ #include "framework/data_bus.h" #include "framework/decode_data.h" #include "framework/inspector.h" -#include "network_inspectors/appid/application_ids.h" #include "protocols/layer.h" #include "sfip/sf_ip.h" #include "target_based/snort_protocols.h" @@ -110,7 +109,6 @@ namespace snort { class FlowHAState; struct FlowKey; -class IpsContext; struct Packet; typedef void (* StreamAppDataFree)(void*); @@ -159,20 +157,6 @@ struct LwState char ignore_direction; }; -class SO_PUBLIC StreamFlowIntf -{ -public: - virtual FlowData* get_stream_flow_data(const Flow* flow) = 0; - virtual void set_stream_flow_data(Flow* flow, FlowData* flow_data) = 0; - virtual void get_stream_id(const Flow* flow, int64_t& stream_id) = 0; - virtual void* get_hi_msg_section(const Flow* flow) = 0; - virtual void set_hi_msg_section(Flow* flow, void* section) = 0; - virtual AppId get_appid_from_stream(const Flow*) { return APP_ID_NONE; } - // Stream based flows should override this interface to return parent flow - // when child flow is passed as input - virtual Flow* get_stream_parent_flow(Flow* cflow) { return cflow; } -}; - // this struct is organized by member size for compactness class SO_PUBLIC Flow { @@ -474,7 +458,7 @@ public: // FIXIT-M privatize if possible IpsContextChain context_chain; FlowData* current_flow_data = nullptr; FlowStats flowstats = {}; - StreamFlowIntf* stream_intf = nullptr; + class StreamFlowIntf* stream_intf = nullptr; SfIp client_ip = {}; SfIp server_ip = {}; diff --git a/src/flow/flow_cache.cc b/src/flow/flow_cache.cc index bee007c62..7515ce89b 100644 --- a/src/flow/flow_cache.cc +++ b/src/flow/flow_cache.cc @@ -37,7 +37,7 @@ #endif #include "main/thread_config.h" #include "packet_io/active.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "stream/base/stream_module.h" #include "stream/tcp/tcp_stream_session.h" #include "stream/tcp/tcp_trace.h" diff --git a/src/flow/flow_cache.h b/src/flow/flow_cache.h index 20deac882..7066a56da 100644 --- a/src/flow/flow_cache.h +++ b/src/flow/flow_cache.h @@ -33,10 +33,8 @@ #include #include "framework/counts.h" -#include "main/analyzer_command.h" -#include "main/thread.h" - #include "flow_config.h" +#include "main/analyzer_command.h" #include "prune_stats.h" #include "filter_flow_critera.h" diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index 3acc2202a..34f5a5012 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc @@ -26,9 +26,8 @@ #include "detection/detection_engine.h" #include "main/snort_config.h" -#include "managers/inspector_manager.h" #include "packet_io/active.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "protocols/icmp4.h" #include "protocols/tcp.h" #include "protocols/udp.h" diff --git a/src/flow/flow_data.h b/src/flow/flow_data.h index 12434e1a5..5123db7b9 100644 --- a/src/flow/flow_data.h +++ b/src/flow/flow_data.h @@ -20,6 +20,9 @@ #ifndef FLOW_DATA_H #define FLOW_DATA_H +// FlowData is how inspectors maintain flow state +// use Flow::set/get_flow_data() to attach to a flow + #include "main/snort_types.h" namespace snort @@ -30,7 +33,6 @@ struct Packet; class SO_PUBLIC FlowData { public: - FlowData(unsigned u, Inspector* = nullptr); virtual ~FlowData(); unsigned get_id() @@ -41,13 +43,13 @@ public: Inspector* get_handler() { return handler; } - // deprecated - do not implement - virtual size_t size_of() { return 0; } - virtual void handle_expected(Packet*) { } virtual void handle_retransmit(Packet*) { } virtual void handle_eof(Packet*) { } +protected: + FlowData(unsigned u, Inspector* = nullptr); + public: // FIXIT-L privatize FlowData* next; FlowData* prev; diff --git a/src/flow/flow_key.h b/src/flow/flow_key.h index 5b25e8e7e..f7bcb04bb 100644 --- a/src/flow/flow_key.h +++ b/src/flow/flow_key.h @@ -31,8 +31,6 @@ #include "hash/hash_key_operations.h" #include "utils/cpp_macros.h" -class HashKeyOperations; - namespace snort { struct SfIp; diff --git a/src/flow/flow_stash.cc b/src/flow/flow_stash.cc index fa26bf45b..15a19fd51 100644 --- a/src/flow/flow_stash.cc +++ b/src/flow/flow_stash.cc @@ -26,6 +26,7 @@ #include +#include "main/snort_config.h" #include "pub_sub/auxiliary_ip_event.h" #include "pub_sub/stash_events.h" diff --git a/src/flow/flow_stash.h b/src/flow/flow_stash.h index 077f022e6..09f77d697 100644 --- a/src/flow/flow_stash.h +++ b/src/flow/flow_stash.h @@ -21,12 +21,13 @@ #ifndef FLOW_STASH_H #define FLOW_STASH_H +// a generic store for shared flow data + #include #include #include #include -#include "main/snort_config.h" #include "main/snort_types.h" #include "sfip/sf_ip.h" @@ -52,7 +53,7 @@ public: void store(const std::string& key, std::string* val, unsigned pubid = 0, unsigned evid = 0); void store(const std::string& key, StashGenericObject* val, unsigned pubid = 0, unsigned evid = 0); - bool store(const snort::SfIp&, const SnortConfig* sc = nullptr); + bool store(const snort::SfIp&, const struct SnortConfig* = nullptr); std::list& get_aux_ip_list() { return aux_ip_fifo; } diff --git a/src/flow/ha.h b/src/flow/ha.h index 41c65b94c..9f4465584 100644 --- a/src/flow/ha.h +++ b/src/flow/ha.h @@ -24,8 +24,8 @@ #include -#include "framework/bits.h" -#include "main/thread.h" +#include "main/snort_types.h" +#include "utils/bits.h" //------------------------------------------------------------------------- diff --git a/src/flow/ha_module.h b/src/flow/ha_module.h index 284c0dfd8..0849efdac 100644 --- a/src/flow/ha_module.h +++ b/src/flow/ha_module.h @@ -24,7 +24,6 @@ #include #include "framework/module.h" -#include "main/thread.h" #define HA_NAME "high_availability" #define HA_HELP "implement flow tracking high availability" diff --git a/src/flow/stash_item.h b/src/flow/stash_item.h index ac31e9742..388c20b06 100644 --- a/src/flow/stash_item.h +++ b/src/flow/stash_item.h @@ -21,6 +21,8 @@ #ifndef STASH_ITEM_H #define STASH_ITEM_H +// stored in the FlowStash + #include #include diff --git a/src/flow/stream_flow.h b/src/flow/stream_flow.h new file mode 100644 index 000000000..3560ddb57 --- /dev/null +++ b/src/flow/stream_flow.h @@ -0,0 +1,49 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// stream_flow.h author Abhijit Pal + +#ifndef STREAM_FLOW_H +#define STREAM_FLOW_H + +// for munged services like http2 + +#include "network_inspectors/appid/application_ids.h" + +namespace snort +{ +class Flow; +class FlowData; + +class SO_PUBLIC StreamFlowIntf +{ +public: + virtual FlowData* get_stream_flow_data(const Flow*) = 0; + virtual void set_stream_flow_data(Flow*, FlowData*) = 0; + virtual void get_stream_id(const Flow*, int64_t& stream_id) = 0; + virtual void* get_hi_msg_section(const Flow*) = 0; + virtual void set_hi_msg_section(Flow*, void* section) = 0; + virtual AppId get_appid_from_stream(const Flow*) { return APP_ID_NONE; } + // Stream based flows should override this interface to return parent flow + // when child flow is passed as input + virtual Flow* get_stream_parent_flow(Flow* cflow) { return cflow; } +}; + +} +#endif + diff --git a/src/flow/test/flow_cache_test.cc b/src/flow/test/flow_cache_test.cc index 8425a2fe4..4ebbd223f 100644 --- a/src/flow/test/flow_cache_test.cc +++ b/src/flow/test/flow_cache_test.cc @@ -35,7 +35,11 @@ #include "main/analyzer.h" #include "main/thread_config.h" #include "managers/inspector_manager.h" +#include "main/policy.h" +#include "main/snort_config.h" +#include "main/thread_config.h" #include "packet_io/active.h" +#include "packet_io/packet_tracer.h" #include "protocols/icmp4.h" #include "protocols/tcp.h" #include "protocols/udp.h" @@ -50,36 +54,46 @@ using namespace snort; -THREAD_LOCAL bool Active::s_suspend = false; -THREAD_LOCAL Active::ActiveSuspendReason Active::s_suspend_reason = Active::ASP_NONE; - THREAD_LOCAL const Trace* stream_trace = nullptr; THREAD_LOCAL FlowControl* flow_con = nullptr; -void Active::drop_packet(snort::Packet const*, bool) { } Analyzer* Analyzer::get_local_analyzer() { return nullptr; } void Analyzer::resume(uint64_t) { } + +void Active::drop_packet(snort::Packet const*, bool) { } +void Active::suspend(ActiveSuspendReason) { } +void Active::resume() { } void Active::set_drop_reason(char const*) { } -ExpectCache::ExpectCache(uint32_t) { } -ExpectCache::~ExpectCache() = default; -bool ExpectCache::check(Packet*, Flow*) { return true; } + +DetectionEngine::DetectionEngine() = default; +DetectionEngine::~DetectionEngine() = default; void DetectionEngine::disable_all(Packet*) { } + +const SnortConfig* SnortConfig::get_conf() { return nullptr; } + Flow* HighAvailabilityManager::import(Packet&, FlowKey&) { return nullptr; } bool HighAvailabilityManager::in_standby(Flow*) { return false; } -SfIpRet SfIp::set(void const*, int) { return SFIP_SUCCESS; } -const SnortConfig* SnortConfig::get_conf() { return nullptr; } + uint8_t TraceApi::get_constraints_generation() { return 0; } void TraceApi::filter(const Packet&) {} + void ThreadConfig::preemptive_kick() {} +unsigned ThreadConfig::get_instance_max() { return 0; } + +SfIpRet SfIp::set(void const*, int) { return SFIP_SUCCESS; } SfIpRet SfIp::set(void const*) { return SFIP_SUCCESS; } SfIpRet SfIp::pton(const int, const char* ) { return SFIP_SUCCESS; } + const char* SfIp::ntop(char* buf, int) const { buf[0] = 0; return buf; } -unsigned ThreadConfig::get_instance_max() { return 0; } + bool ControlConn::respond(const char*, ...) { return true; } + class TcpStreamTracker; const char* stream_tcp_state_to_str(const TcpStreamTracker&) { return "error"; } + void LogMessage(const char*, ...) { } + namespace snort { Flow::~Flow() = default; @@ -104,6 +118,11 @@ uint32_t IpApi::id() const { return 0; } } } +ExpectCache::ExpectCache(uint32_t) { } +ExpectCache::~ExpectCache() = default; + +bool ExpectCache::check(Packet*, Flow*) { return true; } + int ExpectCache::add_flow(const Packet*, PktType, IpProtocol, const SfIp*, uint16_t, const SfIp*, uint16_t, char, FlowData*, SnortProtocolId, bool, bool, bool, bool) { diff --git a/src/flow/test/flow_control_test.cc b/src/flow/test/flow_control_test.cc index abcc797b3..98501336d 100644 --- a/src/flow/test/flow_control_test.cc +++ b/src/flow/test/flow_control_test.cc @@ -29,9 +29,8 @@ #include "detection/detection_engine.h" #include "main/policy.h" #include "main/snort_config.h" -#include "managers/inspector_manager.h" #include "packet_io/active.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "protocols/icmp4.h" #include "protocols/packet.h" #include "protocols/tcp.h" @@ -51,17 +50,15 @@ using namespace snort; -THREAD_LOCAL bool Active::s_suspend = false; -THREAD_LOCAL Active::ActiveSuspendReason Active::s_suspend_reason = Active::ASP_NONE; - void Active::drop_packet(snort::Packet const*, bool) { } +void Active::suspend(ActiveSuspendReason) { } +void Active::resume() { } void Active::set_drop_reason(char const*) { } FlowCache::FlowCache(const FlowCacheConfig& cfg) : config(cfg) { } FlowCache::~FlowCache() = default; Flow::~Flow() = default; DetectionEngine::DetectionEngine() { context = nullptr; } DetectionEngine::~DetectionEngine() = default; -ExpectCache::~ExpectCache() = default; unsigned FlowCache::purge() { return 1; } unsigned FlowCache::get_flows_allocated() const { return 0; } Flow* FlowCache::find(const FlowKey*) { return nullptr; } @@ -83,6 +80,7 @@ void Flow::set_direction(Packet*) { } void Flow::set_mpls_layer_per_dir(Packet*) { } void DetectionEngine::disable_all(Packet*) { } ExpectCache::ExpectCache(uint32_t) { } +ExpectCache::~ExpectCache() = default; bool ExpectCache::check(Packet*, Flow*) { return true; } Flow* HighAvailabilityManager::import(Packet&, FlowKey&) { return nullptr; } diff --git a/src/flow/test/flow_stash_test.cc b/src/flow/test/flow_stash_test.cc index b9071c999..5c915bf53 100644 --- a/src/flow/test/flow_stash_test.cc +++ b/src/flow/test/flow_stash_test.cc @@ -25,6 +25,7 @@ #include #include "flow/flow_stash.h" +#include "main/snort_config.h" #include "pub_sub/stash_events.h" #include "utils/util.h" diff --git a/src/flow/test/flow_stubs.h b/src/flow/test/flow_stubs.h index b8d40ef73..d544d3e3d 100644 --- a/src/flow/test/flow_stubs.h +++ b/src/flow/test/flow_stubs.h @@ -25,7 +25,7 @@ #include "main/policy.h" #include "main/snort_config.h" #include "main/thread_config.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "protocols/layer.h" #include "protocols/packet.h" #include "stream/stream.h" @@ -48,7 +48,7 @@ Packet::Packet(bool) Packet::~Packet() = default; uint32_t Packet::get_flow_geneve_vni() const { return 0; } -THREAD_LOCAL PacketTracer* s_pkt_trace = nullptr; +THREAD_LOCAL PacketTracer* PacketTracer::s_pkt_trace = nullptr; PacketTracer::~PacketTracer() = default; void PacketTracer::log(const char*, ...) { } diff --git a/src/framework/CMakeLists.txt b/src/framework/CMakeLists.txt index db2db7e33..e58fb401d 100644 --- a/src/framework/CMakeLists.txt +++ b/src/framework/CMakeLists.txt @@ -2,8 +2,8 @@ add_subdirectory(test) set (FRAMEWORK_INCLUDES base_api.h - bits.h codec.h + connector.h counts.h cursor.h data_bus.h @@ -13,30 +13,32 @@ set (FRAMEWORK_INCLUDES ips_action.h ips_option.h logger.h - lua_api.h module.h mpse.h mpse_batch.h - packet_constraints.h parameter.h + pig_pen.h pdu_section.h policy_selector.h + plugins.h range.h so_rule.h value.h - connector.h ) add_library ( framework OBJECT ${FRAMEWORK_INCLUDES} + act_info.h codec.cc cursor.cc data_bus.cc - file_policy.cc inspector.cc + ips_info.h + ips_action.cc ips_option.cc - packet_constraints.cc + lua_api.h parameter.cc + pig_pen.cc module.cc mpse.cc mpse_batch.cc @@ -44,7 +46,9 @@ add_library ( framework OBJECT value.cc ) -install (FILES ${FRAMEWORK_INCLUDES} ${CMAKE_CURRENT_BINARY_DIR}/api_options.h +install (FILES ${FRAMEWORK_INCLUDES} + ${CMAKE_CURRENT_BINARY_DIR}/api_options.h + ${CMAKE_CURRENT_BINARY_DIR}/snort_api.h DESTINATION "${INCLUDE_INSTALL_PATH}/framework" ) @@ -56,10 +60,23 @@ add_custom_command( add_custom_target(api_options ALL DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/api_options.h) +add_custom_command( + OUTPUT + ${CMAKE_CURRENT_BINARY_DIR}/snort_api.h + COMMAND + ${CMAKE_CURRENT_SOURCE_DIR}/plug_gen.sh ${CMAKE_CXX_COMPILER} ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} > ${CMAKE_CURRENT_BINARY_DIR}/snort_api.h + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/plug_gen.sh + ${CMAKE_CURRENT_SOURCE_DIR}/plugins.h + ${CMAKE_CURRENT_BINARY_DIR}/api_options.h +) + +add_custom_target(snort_api ALL DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/snort_api.h) + set_property( DIRECTORY PROPERTY - ADDITIONAL_MAKE_CLEAN_FILES api_options.h + ADDITIONAL_MAKE_CLEAN_FILES api_options.h snort_api.h ) add_catch_test( parameter_test diff --git a/src/actions/actions.h b/src/framework/act_info.h similarity index 61% rename from src/actions/actions.h rename to src/framework/act_info.h index 31c7f0ee6..03c8a8c5b 100644 --- a/src/actions/actions.h +++ b/src/framework/act_info.h @@ -15,38 +15,30 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- +// act_info.h author Russ Combs -#ifndef ACTIONS_H -#define ACTIONS_H +#ifndef ACT_INFO_H +#define ACT_INFO_H -// Define action types and provide hooks to apply a given action to a packet - -#include -#include - -#include "main/snort_types.h" - -struct OptTreeNode; +// enables keeping OTN private namespace snort { -struct Packet; -} + class IpsAction; +}; -class SO_PUBLIC Actions +class ActInfo { public: - using Type = uint8_t; -public: - static std::string get_string(Type); - static Type get_type(const char*); - static Type get_max_types(); - static bool is_valid_action(Type); - static std::string get_default_priorities(bool alert_before_pass = false); - - static void pass(); - static void log(snort::Packet*, const OptTreeNode*); - static void alert(snort::Packet*, const OptTreeNode*); + ActInfo(const OptTreeNode* o, bool b = true) + { otn = o; log = b; } + +private: + friend class snort::IpsAction; + + const struct OptTreeNode* otn; + bool log; }; + #endif diff --git a/src/framework/base_api.h b/src/framework/base_api.h index d50853ef2..09be4cb20 100644 --- a/src/framework/base_api.h +++ b/src/framework/base_api.h @@ -27,15 +27,19 @@ #include -// this is the current version of the base api -// must be prefixed to subtype version -#define BASE_API_VERSION 19 - // set options to API_OPTIONS to ensure compatibility #ifndef API_OPTIONS #include "framework/api_options.h" #endif +// the current version of the Snort API +// must be prefixed to subtype version + +// depends on includes installed in framework/snort_api.h +// see framework/plugins.h + +#define BASE_API_VERSION 20 + // set the reserved field to this to be future proof #define API_RESERVED 0 @@ -64,14 +68,14 @@ typedef void (* ModDelFunc)(Module*); struct BaseApi { PlugType type; - uint32_t size; - uint32_t api_version; - uint32_t version; - uint64_t reserved; - const char* options; - const char* name; - const char* help; - snort::ModNewFunc mod_ctor; + uint32_t size; // sizeof(plugin-api) + uint32_t api_version; // (BASE_API_VERSION << 16) | plugin-api-version) + uint32_t version; // version of plugin + uint64_t reserved; // zero + const char* options; // API_OPTIONS + const char* name; // plugin name + const char* help; // short help text + ModNewFunc mod_ctor; ModDelFunc mod_dtor; }; } diff --git a/src/framework/codec.cc b/src/framework/codec.cc index ab76c8ab1..04f4b04d9 100644 --- a/src/framework/codec.cc +++ b/src/framework/codec.cc @@ -25,7 +25,6 @@ #include "codecs/codec_module.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #ifdef UNIT_TEST #include "catch/snort_catch.h" diff --git a/src/framework/codec.h b/src/framework/codec.h index b4dc26ada..d9f2bd777 100644 --- a/src/framework/codec.h +++ b/src/framework/codec.h @@ -23,6 +23,9 @@ // Codec is a type of plugin that provides protocol-specific encoding and // decoding. +// the CDAPI_VERSION will change if anything in this file changes. +// see also framework/base_api.h. + #include #include @@ -38,22 +41,10 @@ namespace snort { enum CodecSid : uint32_t; -namespace ip -{ -class IpApi; -} -namespace tcp -{ -struct TCPHdr; -} -namespace udp -{ -struct UDPHdr; -} -namespace icmp -{ -struct ICMPHdr; -} +namespace ip { class IpApi; } +namespace tcp { struct TCPHdr; } +namespace udp { struct UDPHdr; } +namespace icmp { struct ICMPHdr; } class Flow; @@ -384,7 +375,7 @@ private: //------------------------------------------------------------------------- // this is the current version of the api -#define CDAPI_VERSION ((BASE_API_VERSION << 16) | 1) +#define CDAPI_VERSION ((BASE_API_VERSION << 16) | 2) typedef Codec* (* CdNewFunc)(Module*); typedef void (* CdDelFunc)(Codec*); @@ -406,5 +397,5 @@ struct CodecApi CdDelFunc dtor; // clean up instance data }; } -#endif /* FRAMEWORK_CODEC_H */ +#endif diff --git a/src/framework/connector.h b/src/framework/connector.h index a4bd2886a..3a03c388f 100644 --- a/src/framework/connector.h +++ b/src/framework/connector.h @@ -23,6 +23,9 @@ // Connector provides out-of-band communications among packet processing // threads, high-availability partners, and other threads. +// the CONNECTOR_API_VERSION will change if anything in this file changes. +// see also framework/base_api.h. + #include #include @@ -32,7 +35,7 @@ namespace snort { // this is the current version of the api -#define CONNECTOR_API_VERSION ((BASE_API_VERSION << 16) | 0) +#define CONNECTOR_API_VERSION ((BASE_API_VERSION << 16) | 1) //------------------------------------------------------------------------- // api for class @@ -40,7 +43,6 @@ namespace snort // other methods are packet thread specific //------------------------------------------------------------------------- -struct ConnectorApi; class ConnectorConfig; struct ConnectorMsg diff --git a/src/framework/counts.h b/src/framework/counts.h index a67a2b782..31763d862 100644 --- a/src/framework/counts.h +++ b/src/framework/counts.h @@ -32,9 +32,9 @@ typedef uint64_t PegCount; enum CountType { END, // sentinel value - SUM, // tracks cumulative total number of items seen (eg #events) - NOW, // gives snapshot of current number of items (eg current #sessions) - MAX, // tracks maximum value seen (eg max #sessions) + SUM, // running total: tracks cumulative total number of items seen (eg #events) + NOW, // current level: gives snapshot of current number of items (eg current #sessions) + MAX, // maximum level: tracks maximum value seen (eg max #sessions) }; struct SimpleStats diff --git a/src/framework/cursor.cc b/src/framework/cursor.cc index ca70efbb7..948fc7c8c 100644 --- a/src/framework/cursor.cc +++ b/src/framework/cursor.cc @@ -25,8 +25,8 @@ #include "cursor.h" +#include "detection/detection_buf.h" #include "detection/detection_engine.h" -#include "detection/detection_util.h" #include "protocols/packet.h" #include "detection/ips_context.h" diff --git a/src/framework/cursor.h b/src/framework/cursor.h index 39e55e5b3..7fe3e0a9f 100644 --- a/src/framework/cursor.h +++ b/src/framework/cursor.h @@ -22,8 +22,8 @@ #ifndef CURSOR_H #define CURSOR_H -// Cursor provides a formal way of using buffers when doing detection with -// IpsOptions. +// Cursor provides access to the current buffer pointer used by IpsOptions +// during signature evaluation. #include #include diff --git a/src/framework/endianness.h b/src/framework/endianness.h index 957433137..8088f71e3 100644 --- a/src/framework/endianness.h +++ b/src/framework/endianness.h @@ -25,7 +25,7 @@ namespace snort { -class SO_PUBLIC Endianness +class Endianness { public: Endianness() = default; diff --git a/src/framework/inspector.cc b/src/framework/inspector.cc index dc4466797..f3eed8427 100644 --- a/src/framework/inspector.cc +++ b/src/framework/inspector.cc @@ -42,12 +42,14 @@ public: using namespace snort; +#ifndef _WIN64 +unsigned THREAD_LOCAL Inspector::slot = 0; +#endif + //------------------------------------------------------------------------- // packet handler stuff //------------------------------------------------------------------------- -unsigned THREAD_LOCAL Inspector::slot = 0; - Inspector::Inspector() { unsigned max = ThreadConfig::get_instance_max(); @@ -120,10 +122,10 @@ bool Inspector::likes(Packet* p) } void Inspector::add_ref() -{ ++ref_count[slot]; } +{ ++ref_count[get_slot()]; } void Inspector::rem_ref() -{ --ref_count[slot]; } +{ --ref_count[get_slot()]; } void Inspector::add_global_ref() { ++ref_count[0]; } @@ -145,10 +147,10 @@ void Inspector::copy_thread_storage(Inspector* ins) } void Inspector::set_thread_specific_data(void* tsd) -{ thread_specific_data->data[slot] = tsd; } +{ thread_specific_data->data[get_slot()] = tsd; } void* Inspector::get_thread_specific_data() const -{ return thread_specific_data->data[slot]; } +{ return thread_specific_data->data[get_slot()]; } static const char* InspectorTypeNames[IT_MAX] = { diff --git a/src/framework/inspector.h b/src/framework/inspector.h index 7c36ad641..b446a2498 100644 --- a/src/framework/inspector.h +++ b/src/framework/inspector.h @@ -24,13 +24,15 @@ // decoding a packet and detection. There are several types that operate // in different ways. These correspond to Snort 2X preprocessors. +// the INSAPI_VERSION will change if anything in this file changes. +// see also framework/base_api.h. + #include #include #include #include #include "framework/base_api.h" -#include "main/thread.h" #include "target_based/snort_protocols.h" class Session; @@ -41,7 +43,7 @@ struct SnortConfig; struct Packet; // this is the current version of the api -#define INSAPI_VERSION ((BASE_API_VERSION << 16) | 0) +#define INSAPI_VERSION ((BASE_API_VERSION << 16) | 1) struct InspectionBuffer { @@ -109,7 +111,7 @@ public: // clear is a bookend to eval() for the active service inspector // clear is called when Snort is done with the previously eval'd // packet to release any thread-local or flow-based data - virtual void eval(Packet*) = 0; + virtual void eval(Packet*) { } virtual void clear(Packet*) { } // framework support @@ -199,8 +201,12 @@ public: virtual const uint8_t* adjust_log_packet(Packet*, uint16_t&) { return nullptr; } -public: - static THREAD_LOCAL unsigned slot; + static unsigned get_slot() +#ifndef _WIN64 + { return slot; } +#else + { return get_instance_id(); } +#endif protected: // main thread functions @@ -215,6 +221,12 @@ private: const char* alias_name = nullptr; uint64_t network_policy_user_id = 0; bool network_policy_user_id_set = false; + +#ifndef _WIN64 +private: + friend class InspectorManager; + static THREAD_LOCAL unsigned slot; +#endif }; // at present there is no sequencing among like types except that appid diff --git a/src/framework/ips_action.cc b/src/framework/ips_action.cc new file mode 100644 index 000000000..d735c3630 --- /dev/null +++ b/src/framework/ips_action.cc @@ -0,0 +1,100 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "ips_action.h" + +#include "detection/detect.h" +#include "detection/treenodes.h" +#include "managers/action_manager.h" +#include "parser/parser.h" +#include "utils/stats.h" + +#include "act_info.h" + +using namespace snort; + +namespace snort +{ + +std::string IpsAction::get_string(IpsAction::Type action) +{ return ActionManager::get_action_string(action); } + +IpsAction::Type IpsAction::get_type(const char* s) +{ return ActionManager::get_action_type(s); } + +IpsAction::Type IpsAction::get_max_types() +{ return ActionManager::get_max_action_types(); } + +bool IpsAction::is_valid_action(IpsAction::Type action) +{ + if ( action < get_max_types() ) + return true; + + return false; +} + +std::string IpsAction::get_default_priorities(bool alert_before_pass) +{ return ActionManager::get_action_priorities(alert_before_pass); } + +bool IpsAction::log_it(const ActInfo& ai) const +{ return ai.log; } + +uint64_t IpsAction::get_file_id(const ActInfo& ai) const +{ return ai.otn->sigInfo.file_id; } + +void IpsAction::pass() +{ + pc.pass_pkts++; +} + +void IpsAction::log(Packet* p, const ActInfo& ai) +{ + RuleTreeNode* rtn = getRtnFromOtn(ai.otn); + + if (!rtn) + return; + + CallLogFuncs(p, ai.otn, rtn->listhead); +} + +void IpsAction::alert(Packet* p, const ActInfo& ai) +{ + if (!ai.otn or !log_it(ai)) + return; + + RuleTreeNode* rtn = getRtnFromOtn(ai.otn); + if (!rtn) + return; + + /* Call OptTreeNode specific output functions */ + if (ai.otn->outputFuncs) + { + ListHead lh = { }; // FIXIT-L use of ListHead for CallLogFuncs() is a little unwieldy here + lh.LogList = ai.otn->outputFuncs; + CallLogFuncs(p, ai.otn, &lh); + } + CallAlertFuncs(p, ai.otn, rtn->listhead); + CallLogFuncs(p, ai.otn, rtn->listhead); +} + +} // snort + diff --git a/src/framework/ips_action.h b/src/framework/ips_action.h index ddf2d753f..f74adc1e1 100644 --- a/src/framework/ips_action.h +++ b/src/framework/ips_action.h @@ -25,18 +25,25 @@ // These can be used to execute external controls like updating an external // firewall. +// the ACTAPI_VERSION will change if anything in this file changes. +// see also framework/base_api.h. + +#include +#include + #include "framework/base_api.h" #include "main/snort_types.h" #include "packet_io/active_action.h" // this is the current version of the api -#define ACTAPI_VERSION ((BASE_API_VERSION << 16) | 1) +#define ACTAPI_VERSION ((BASE_API_VERSION << 16) | 2) //------------------------------------------------------------------------- // api for class //------------------------------------------------------------------------- -struct OptTreeNode; +class ActInfo; + namespace snort { struct Packet; @@ -44,6 +51,8 @@ struct Packet; class SO_PUBLIC IpsAction { public: + using Type = uint8_t; + enum IpsActionPriority : uint16_t { IAP_OTHER = 1, @@ -62,9 +71,22 @@ public: const char* get_name() const { return name; } ActiveAction* get_active_action() const { return active_action; } - virtual void exec(Packet*, const OptTreeNode* otn = nullptr) = 0; + virtual void exec(Packet*, const ActInfo&) = 0; virtual bool drops_traffic() { return false; } + static std::string get_string(Type); + static Type get_type(const char*); + static Type get_max_types(); + static bool is_valid_action(Type); + static std::string get_default_priorities(bool alert_before_pass = false); + + bool log_it(const ActInfo&) const; + uint64_t get_file_id(const ActInfo&) const; + + void pass(); + void log(snort::Packet*, const ActInfo&); + void alert(snort::Packet*, const ActInfo&); + protected: IpsAction(const char* s, ActiveAction* a) { diff --git a/src/framework/ips_info.h b/src/framework/ips_info.h new file mode 100644 index 000000000..00266ebe1 --- /dev/null +++ b/src/framework/ips_info.h @@ -0,0 +1,47 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// ips_info.h author Russ Combs + +#ifndef IPS_INFO_H +#define IPS_INFO_H + +// enables keeping OTN private + +namespace snort +{ + struct SnortConfig; + class IpsOption; +}; + +struct OptTreeNode; + +struct IpsInfo +{ +public: + IpsInfo(OptTreeNode* o, snort::SnortConfig* s) + { otn = o; sc = s; } + +private: + friend class snort::IpsOption; + + OptTreeNode* otn; + snort::SnortConfig* sc; +}; + +#endif + diff --git a/src/framework/ips_option.cc b/src/framework/ips_option.cc index d20c75b81..6c79eebe9 100644 --- a/src/framework/ips_option.cc +++ b/src/framework/ips_option.cc @@ -25,10 +25,22 @@ #include +#include "detection/rules.h" +#include "detection/signature.h" +#include "detection/treenodes.h" +#include "filters/detection_filter.h" +#include "filters/sfthd.h" +#include "framework/ips_info.h" #include "hash/hash_key_operations.h" +#include "main/snort_config.h" +#include "managers/so_manager.h" +#include "parser/parse_conf.h" +#include "utils/util.h" using namespace snort; +namespace snort +{ //------------------------------------------------------------------------- IpsOption::IpsOption(const char* s, option_type_t t) @@ -55,6 +67,120 @@ section_flags IpsOption::get_pdu_section(bool) const return section_to_flag(PS_NONE); } +//------------------------------------------------------------------------- +// static / instantiator methods +//------------------------------------------------------------------------- + +bool IpsOption::has_plugin(IpsInfo& info, const char* name) +{ return otn_has_plugin(info.otn, name); } + +void IpsOption::set_priority(const IpsInfo& info, uint32_t pri) +{ info.otn->sigInfo.priority = pri; } + +void IpsOption::set_classtype(IpsInfo& info, const char* type) +{ + const ClassType* ct = get_classification(info.sc, type); + + if ( !ct and info.sc->dump_rule_info() ) + { + add_classification(info.sc, type, type, 1); + ct = get_classification(info.sc, type); + } + + info.otn->sigInfo.class_type = ct; + + if ( ct ) + { + info.otn->sigInfo.class_id = ct->id; + info.otn->sigInfo.priority = ct->priority; + } +} + +void IpsOption::set_detection_filter(IpsInfo& info, bool track_src, uint32_t count, uint32_t seconds) +{ + THDX_STRUCT thdx = { }; + thdx.type = THD_TYPE_DETECT; + thdx.tracking = (track_src ? THD_TRK_SRC : THD_TRK_DST); + thdx.count = count; + thdx.seconds = seconds; + info.otn->detection_filter = detection_filter_create(info.sc->detection_filter_config, &thdx); +} + +void IpsOption::set_enabled(IpsInfo& info, Enable ie) +{ + if ( !info.sc->rule_states ) + info.sc->rule_states = new RuleStateMap; + + IpsPolicy::Enable e; + + switch (ie) + { + case IpsOption::NO: e = IpsPolicy::DISABLED; break; + case IpsOption::INHERIT: e = IpsPolicy::INHERIT_ENABLE; break; + default: e = IpsPolicy::ENABLED; break; + } + info.otn->set_enabled(e); +} + +void IpsOption::set_file_id(const IpsInfo& info, uint64_t fid) +{ info.otn->sigInfo.file_id = fid; } + +void IpsOption::set_flowbits_check(IpsInfo& info) +{ info.otn->set_flowbits_check(); } + +void IpsOption::set_stateless(IpsInfo& info) +{ info.otn->set_stateless(); } + +void IpsOption::set_to_client(IpsInfo& info) +{ info.otn->set_to_client(); } + +void IpsOption::set_to_server(IpsInfo& info) +{ info.otn->set_to_server(); } + +void IpsOption::set_gid(const IpsInfo& info, uint32_t gid) +{ info.otn->sigInfo.gid = gid; } + +void IpsOption::set_sid(const IpsInfo& info, uint32_t sid) +{ info.otn->sigInfo.sid = sid; } + +void IpsOption::set_rev(const IpsInfo& info, uint32_t rev) +{ info.otn->sigInfo.rev = rev; } + +void IpsOption::set_message(const IpsInfo& info, const char* msg) +{ info.otn->sigInfo.message = msg; } + +void IpsOption::set_metadata_match(IpsInfo& info) +{ info.otn->set_metadata_match(); } + +void IpsOption::set_tag(IpsInfo& info, TagData* td) +{ info.otn->tag = td; } + +void IpsOption::set_target(const IpsInfo& info, bool src_ip) +{ info.otn->sigInfo.target = (src_ip ? TARGET_SRC : TARGET_DST); } + +void IpsOption::add_reference(IpsInfo& info, const char* scheme, const char* id) +{ ::add_reference(info.sc, info.otn, scheme, id); } + +void IpsOption::add_service(IpsInfo& info, const char* svc) +{ add_service_to_otn(info.sc, info.otn, svc); } + +void IpsOption::set_soid(IpsInfo& info, const char* s) +{ info.otn->soid = snort_strdup(s); } + +const char* IpsOption::get_soid(const IpsInfo& info) +{ return info.otn->soid; } + +IpsOption::SoEvalFunc IpsOption::get_so_eval(IpsInfo& info, const char* name, void*& data) +{ return SoManager::get_so_eval(info.otn->soid, name, &data, info.sc); } + +SnortProtocolId IpsOption::get_protocol_id(const IpsInfo& info) +{ return info.otn->snort_protocol_id; } + +SoRules* IpsOption::get_so_rules(const IpsInfo& info) +{ return info.sc->so_rules; } + +} // snort + //------------------------------------------------------------------------- // UNIT TESTS //------------------------------------------------------------------------- @@ -74,11 +200,6 @@ TEST_CASE("IpsOption test", "[ips_option]") StubIpsOption main_ips("ips_test", option_type_t::RULE_OPTION_TYPE_OTHER); - SECTION("buffer test") - { - REQUIRE(main_ips.get_buffer()); // only until api is updated - } - SECTION("IpsOperator == test") { StubIpsOption case_diff_name("not_hello_world", diff --git a/src/framework/ips_option.h b/src/framework/ips_option.h index 76499f337..1543f0ecf 100644 --- a/src/framework/ips_option.h +++ b/src/framework/ips_option.h @@ -15,7 +15,7 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// ips_manager.h author Russ Combs +// ips_option.h author Russ Combs #ifndef IPS_OPTION_H #define IPS_OPTION_H @@ -23,21 +23,28 @@ // All IPS rule keywords are realized as IpsOptions instantiated when rules // are parsed. +// the IPSAPI_VERSION will change if anything in this file changes. +// see also framework/base_api.h. + +#include + #include "detection/rule_option_types.h" #include "framework/base_api.h" +#include "framework/cursor.h" +#include "framework/pdu_section.h" #include "main/snort_types.h" #include "target_based/snort_protocols.h" -#include "pdu_section.h" - //------------------------------------------------------------------------- // api for class // eval and action are packet thread specific //------------------------------------------------------------------------- class Cursor; -struct OptTreeNode; +struct IpsInfo; struct PatternMatchData; +struct TagData; +struct SoRules; namespace snort { @@ -46,7 +53,7 @@ struct SnortConfig; class Module; // this is the current version of the api -#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 0) +#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 1) enum CursorActionType { @@ -82,8 +89,7 @@ public: // packet threads virtual bool is_relative() { return false; } - // 2nd cursor is deprecated, do not use - virtual bool retry(Cursor&, const Cursor&) { return false; } + virtual bool retry(Cursor&) { return false; } virtual void action(Packet*) { } enum EvalStatus { NO_MATCH, MATCH, NO_ALERT, FAILED_BIT }; @@ -105,17 +111,54 @@ public: bool is_buffer_setter() const { return get_cursor_type() > CAT_ADJUST; } - const char* get_buffer() - { return buffer; } - virtual section_flags get_pdu_section(bool to_server) const; + // these methods are only available to the instantiator method (IpsNewFunc) + static bool has_plugin(IpsInfo&, const char* name); + + static void set_priority(const IpsInfo&, uint32_t); + static void set_classtype(IpsInfo&, const char*); + static void set_reference(IpsInfo&, const char* scheme, const char* id); + + enum Enable { NO, YES, INHERIT }; + static void set_enabled(IpsInfo&, Enable); + + static void set_flowbits_check(IpsInfo&); + static void set_detection_filter(IpsInfo&, bool track_src, uint32_t count, uint32_t seconds); // don't install header + + static void set_stateless(IpsInfo&); + static void set_to_client(IpsInfo&); + static void set_to_server(IpsInfo&); + + static void set_gid(const IpsInfo&, uint32_t); + static void set_sid(const IpsInfo&, uint32_t); + static void set_rev(const IpsInfo&, uint32_t); + + static void set_message(const IpsInfo&, const char*); + static void set_metadata_match(IpsInfo&); + + static void set_tag(IpsInfo&, TagData*); + static void set_target(const IpsInfo&, bool src_ip); + + static void set_file_id(const IpsInfo&, uint64_t); + static void add_reference(IpsInfo&, const char*, const char*); + static void add_service(IpsInfo&, const char*); + + static void set_soid(IpsInfo&, const char*); + static const char* get_soid(const IpsInfo&); + + typedef snort::IpsOption::EvalStatus (* SoEvalFunc)(void*, class Cursor&, snort::Packet*); + static SoEvalFunc get_so_eval(IpsInfo&, const char* name, void*& data); + + static SnortProtocolId get_protocol_id(const IpsInfo&); + + static SoRules* get_so_rules(const IpsInfo&); + protected: IpsOption(const char* s, option_type_t t = RULE_OPTION_TYPE_OTHER); private: const char* name; - const char* buffer = "error"; // FIXIT-API to be deleted; here to avoid an api update option_type_t type; }; @@ -129,7 +172,7 @@ enum RuleOptType typedef void (* IpsOptFunc)(const SnortConfig*); -typedef IpsOption* (* IpsNewFunc)(Module*, OptTreeNode*); +typedef IpsOption* (* IpsNewFunc)(Module*, IpsInfo&); typedef void (* IpsDelFunc)(IpsOption*); struct IpsApi @@ -137,8 +180,8 @@ struct IpsApi BaseApi base; RuleOptType type; - unsigned max_per_rule; - unsigned protos; + unsigned max_per_rule; // max instances of this keyword per IPS rule + unsigned protos; // bitmask of PROTO_BIT_* from decode_data.h IpsOptFunc pinit; IpsOptFunc pterm; diff --git a/src/framework/logger.h b/src/framework/logger.h index a0db8cfbe..233c032a0 100644 --- a/src/framework/logger.h +++ b/src/framework/logger.h @@ -20,20 +20,24 @@ #ifndef LOGGER_H #define LOGGER_H -// Logger is used to log packets and events. Events are thresholded before +// Logger is used to log packets and IPS events. Events are thresholded before // they reach the Logger. Packets may be logged along with events or as a // result of tagging. +// the LOGAPI_VERSION will change if anything in this file changes. +// see also framework/base_api.h. + #include "framework/base_api.h" #include "main/snort_types.h" -struct Event; +class Event; + namespace snort { struct Packet; // this is the current version of the api -#define LOGAPI_VERSION ((BASE_API_VERSION << 16) | 0) +#define LOGAPI_VERSION ((BASE_API_VERSION << 16) | 1) #define OUTPUT_TYPE_FLAG__NONE 0x0 #define OUTPUT_TYPE_FLAG__ALERT 0x1 @@ -79,7 +83,7 @@ typedef void (* LogDelFunc)(Logger*); struct LogApi { BaseApi base; - unsigned flags; + unsigned flags; // bitmask of OUTPUT_TYPE_FLAG__* LogNewFunc ctor; LogDelFunc dtor; }; diff --git a/src/framework/module.cc b/src/framework/module.cc index 08aac4f49..607ce76e3 100644 --- a/src/framework/module.cc +++ b/src/framework/module.cc @@ -25,6 +25,7 @@ #include "main/thread_config.h" #include "trace/trace.h" +#include "utils/stats.h" using namespace snort; @@ -185,7 +186,7 @@ void Module::sum_stats(bool dump_stats) } } -void Module::show_interval_stats(IndexVec& peg_idxs, FILE* fh) +void Module::show_interval_stats(std::vector& peg_idxs, FILE* fh) { if ( num_counts > 0 ) ::show_stats(get_counts(), get_pegs(), peg_idxs, get_name(), fh); diff --git a/src/framework/module.h b/src/framework/module.h index f2f97bfab..08b640aa0 100644 --- a/src/framework/module.h +++ b/src/framework/module.h @@ -17,10 +17,6 @@ //-------------------------------------------------------------------------- // module.h author Russ Combs -// FIXIT-M add trace param(s) -// FIXIT-M add memcap related -// FIXIT-L add set_default method - #ifndef MODULE_H #define MODULE_H @@ -46,7 +42,7 @@ #include "framework/parameter.h" #include "framework/value.h" #include "main/snort_types.h" -#include "utils/stats.h" +#include "main/thread.h" struct lua_State; @@ -182,8 +178,8 @@ public: { return false; } virtual void sum_stats(bool dump_stats); - virtual void show_interval_stats(IndexVec&, FILE*); virtual void show_stats(); + virtual void show_interval_stats(std::vector&, FILE*); virtual void reset_stats(); virtual void init_stats(bool new_thread=false); virtual void main_accumulate_stats(); @@ -195,13 +191,7 @@ public: bool verified_set(const char*, Value&, SnortConfig*); bool verified_end(const char*, int, SnortConfig*); - enum Usage - { - GLOBAL, - CONTEXT, - INSPECT, - DETECT - }; + enum Usage { GLOBAL, CONTEXT, INSPECT, DETECT }; virtual Usage get_usage() const { return CONTEXT; } diff --git a/src/framework/mpse.cc b/src/framework/mpse.cc index 597a9f394..5093baa63 100644 --- a/src/framework/mpse.cc +++ b/src/framework/mpse.cc @@ -26,7 +26,6 @@ #include #include "profiler/profiler_defs.h" -#include "search_engines/pat_stats.h" #include "managers/mpse_manager.h" #include "managers/module_manager.h" #include "main/snort_config.h" @@ -46,28 +45,14 @@ namespace snort Mpse::Mpse(const char* m) : method(m) { } -int Mpse::search( - const unsigned char* T, int n, MpseMatch match, - void* context, int* current_state) -{ - pmqs.matched_bytes += n; - return _search(T, n, match, context, current_state); -} - int Mpse::search_all( const unsigned char* T, int n, MpseMatch match, void* context, int* current_state) { - pmqs.matched_bytes += n; - return _search(T, n, match, context, current_state); + return search(T, n, match, context, current_state); } void Mpse::search(MpseBatch& batch, MpseType mpse_type) -{ - _search(batch, mpse_type); -} - -void Mpse::_search(MpseBatch& batch, MpseType mpse_type) { int start_state; diff --git a/src/framework/mpse.h b/src/framework/mpse.h index ad5fea0f1..1b3f629b2 100644 --- a/src/framework/mpse.h +++ b/src/framework/mpse.h @@ -25,24 +25,24 @@ // machine from the patterns, and search either a single buffer or a set // of (related) buffers for patterns. -#include +// the SEAPI_VERSION will change if anything in this file changes. +// see also framework/base_api.h. + #include #include "framework/base_api.h" #include "main/snort_types.h" -#include "main/thread.h" #include "search_engines/search_common.h" +//#include "framework/mpse_batch.h" namespace snort { // this is the current version of the api -#define SEAPI_VERSION ((BASE_API_VERSION << 16) | 0) +#define SEAPI_VERSION ((BASE_API_VERSION << 16) | 1) struct SnortConfig; -class Mpse; struct MpseApi; struct MpseBatch; -struct ProfileStats; class SO_PUBLIC Mpse { @@ -83,13 +83,13 @@ public: virtual void reuse_search() { } - int search( - const uint8_t* T, int n, MpseMatch, void* context, int* current_state); + virtual int search( + const uint8_t* T, int n, MpseMatch, void* context, int* current_state) = 0; virtual int search_all( const uint8_t* T, int n, MpseMatch, void* context, int* current_state); - void search(MpseBatch&, MpseType); + virtual void search(MpseBatch&, MpseType); virtual MpseRespType receive_responses(MpseBatch&, MpseType) { return MPSE_RESP_COMPLETE_SUCCESS; } @@ -113,11 +113,6 @@ public: protected: Mpse(const char* method); - virtual int _search( - const uint8_t* T, int n, MpseMatch, void* context, int* current_state) = 0; - - virtual void _search(MpseBatch&, MpseType); - private: std::string method; int verbose = 0; @@ -140,7 +135,7 @@ typedef Mpse::MpseRespType (* MpsePollFunc)(MpseBatch*&, Mpse::MpseType); struct MpseApi { BaseApi base; - uint32_t flags; + uint32_t flags; // bitmask of MPSE_* MpseOptFunc activate; MpseOptFunc setup; diff --git a/src/framework/mpse_batch.cc b/src/framework/mpse_batch.cc index 448da8a99..153ab23e3 100644 --- a/src/framework/mpse_batch.cc +++ b/src/framework/mpse_batch.cc @@ -24,7 +24,6 @@ #include "mpse_batch.h" #include "profiler/profiler_defs.h" -#include "search_engines/pat_stats.h" #include "managers/mpse_manager.h" #include "managers/module_manager.h" #include "main/snort_config.h" diff --git a/src/framework/mpse_batch.h b/src/framework/mpse_batch.h index 781d0ac19..47549b7a3 100644 --- a/src/framework/mpse_batch.h +++ b/src/framework/mpse_batch.h @@ -20,6 +20,7 @@ #ifndef MPSE_BATCH_H #define MPSE_BATCH_H +#include #include #include diff --git a/src/framework/pdu_section.h b/src/framework/pdu_section.h index 0226a9a3f..4d41da1d6 100644 --- a/src/framework/pdu_section.h +++ b/src/framework/pdu_section.h @@ -36,8 +36,7 @@ namespace snort // PS_ERROR is used for invalid combination of sections: // trailer and body sections can be combined only if it's a request trailer in a to_client direction // When updating this enum, also update section_to_str -enum PduSection { PS_NONE = 0, PS_HEADER, PS_HEADER_BODY, PS_BODY, PS_TRAILER, PS_MAX = PS_TRAILER, - PS_ERROR }; +enum PduSection { PS_NONE = 0, PS_HEADER, PS_HEADER_BODY, PS_BODY, PS_TRAILER, PS_MAX = PS_TRAILER, PS_ERROR }; // Bitmask with all of supported sections using section_flags = uint16_t; diff --git a/src/framework/pig_pen.cc b/src/framework/pig_pen.cc new file mode 100644 index 000000000..a8b7f1095 --- /dev/null +++ b/src/framework/pig_pen.cc @@ -0,0 +1,103 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// pig_pen.cc author Russ Combs + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "pig_pen.h" + +#include "detection/detection_engine.h" +#include "log/log.h" +#include "main/process.h" +#include "main/snort.h" +#include "managers/inspector_manager.h" +#include "profiler/profiler_impl.h" +#include "utils/stats.h" + +using namespace snort; + +//-------------------------------------------------------------------------- +// inspector foo +//-------------------------------------------------------------------------- + +Inspector* PigPen::get_binder() +{ return InspectorManager::get_binder(); } + +Inspector* PigPen::get_file_inspector(const SnortConfig* sc) +{ return InspectorManager::get_file_inspector(sc); } + +Inspector* PigPen::acquire_file_inspector() +{ return InspectorManager::acquire_file_inspector(); } + +Inspector* PigPen::get_service_inspector(const SnortProtocolId id) +{ return InspectorManager::get_service_inspector(id); } + +Inspector* PigPen::get_service_inspector(const char* svc) +{ return InspectorManager::get_service_inspector(svc); } + +Inspector* PigPen::get_inspector(const char* key, bool dflt_only, const SnortConfig* sc) +{ return InspectorManager::get_inspector(key, dflt_only, sc); } + +Inspector* PigPen::get_inspector(const char* key, Module::Usage use, InspectorType type) +{ return InspectorManager::get_inspector(key, use, type); } + +void PigPen::release(Inspector* pi) +{ InspectorManager::release(pi); } + +//-------------------------------------------------------------------------- +// process foo +//-------------------------------------------------------------------------- + +bool PigPen::snort_is_reloading() +{ return Snort::is_reloading(); } + +void PigPen::install_oops_handler() +{ ::install_oops_handler(); } + +void PigPen::remove_oops_handler() +{ ::remove_oops_handler(); } + +//-------------------------------------------------------------------------- +// detection foo +//-------------------------------------------------------------------------- + +bool PigPen::inspect_rebuilt(Packet* pdu) +{ + DetectionEngine de; + return de.inspect(pdu); +} + +//-------------------------------------------------------------------------- +// stats foo +//-------------------------------------------------------------------------- + +uint64_t PigPen::get_packet_number() +{ return pc.analyzed_pkts; } + +void PigPen::show_runtime_memory_stats() +{ Profiler::show_runtime_memory_stats(); } + +//-------------------------------------------------------------------------- +// log foo +//-------------------------------------------------------------------------- + +const char* PigPen::get_protocol_name(uint8_t ip_proto) +{ return ::get_protocol_name(ip_proto); } + diff --git a/src/framework/pig_pen.h b/src/framework/pig_pen.h new file mode 100644 index 000000000..2ada69fd8 --- /dev/null +++ b/src/framework/pig_pen.h @@ -0,0 +1,73 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// pig_pen.h author Russ Combs + +#ifndef FRAMEWORK_PIG_PEN_H +#define FRAMEWORK_PIG_PEN_H + +#include "framework/inspector.h" +#include "framework/module.h" +#include "main/snort_types.h" +#include "target_based/snort_protocols.h" + +struct PacketCount; + +namespace snort +{ +struct Packet; + +struct SO_PUBLIC PigPen +{ + // inspector foo + static Inspector* get_binder(); + + static Inspector* get_file_inspector(const SnortConfig* = nullptr); + static Inspector* acquire_file_inspector(); + + static Inspector* get_service_inspector(const SnortProtocolId); + static Inspector* get_service_inspector(const char*); + + // This assumes that, in a multi-tenant scenario, this is called with the correct network and inspection + // policies are set correctly + static Inspector* get_inspector(const char* key, bool dflt_only = false, const SnortConfig* = nullptr); + + // This cannot be called in or before the inspector configure phase for a new snort config during reload + static Inspector* get_inspector(const char* key, Module::Usage, InspectorType); + + static void release(Inspector*); + + // process foo + static bool snort_is_reloading(); + + static void install_oops_handler(); + static void remove_oops_handler(); + + // analyzer foo + static bool inspect_rebuilt(Packet*); + + // stats foo + static uint64_t get_packet_number(); + static void show_runtime_memory_stats(); + + // log foo + static const char* get_protocol_name(uint8_t ip_proto); +}; + +} +#endif + diff --git a/src/framework/plug_gen.sh b/src/framework/plug_gen.sh new file mode 100755 index 000000000..26203a7f3 --- /dev/null +++ b/src/framework/plug_gen.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +cxx=$1 +src=$2 +bin=$3 + +plugs=framework/plugins.h + +cd $src/.. + +echo "// the set of versioned headers installed by Snort" +echo "// this file is generated automatically - do not edit" +echo "// see framework/plugins.h for details" +echo + +$cxx -MM $plugs -I. -I$bin/.. | \ + sed -e "s/ /\n/g" | \ + grep ".*.h$" | grep -v "$plugs" | \ + sed -e "s/^/#include \"/" -e "s/$/\"/" -e 's/.*api_options.h.*/#include "framework\/api_options.h"/' | \ + sort + diff --git a/src/framework/plugins.h b/src/framework/plugins.h new file mode 100644 index 000000000..3694bc540 --- /dev/null +++ b/src/framework/plugins.h @@ -0,0 +1,49 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// plugins.h author Russ Combs + +#ifndef PLUGINS_H +#define PLUGINS_H + +// top level headers required by plugins +// used to establish base header dependencies + +// the base API is comprised of the set of headers installed +// in framework/snort_api.h less these plugin specific headers +// which have their own API versions: + +#include "framework/codec.h" +#include "framework/connector.h" +#include "framework/inspector.h" +#include "framework/ips_action.h" +#include "framework/ips_option.h" +#include "framework/logger.h" +#include "framework/mpse.h" +#include "framework/policy_selector.h" +#include "framework/so_rule.h" + +// forward decls we must explicitly include here to +// generate the complete set of API dependencies: + +#include "flow/flow.h" +#include "framework/module.h" +#include "framework/pig_pen.h" +#include "protocols/packet.h" + +#endif + diff --git a/src/framework/policy_selector.h b/src/framework/policy_selector.h index 7b8777c54..8a0f87ef5 100644 --- a/src/framework/policy_selector.h +++ b/src/framework/policy_selector.h @@ -23,6 +23,9 @@ // Policy selectors provide a method to select the network policy and default inspection // and IPS policies for a given packet +// the POLICY_SELECTOR_API_VERSION will change if anything in this file changes. +// see also framework/base_api.h. + #include #include "framework/base_api.h" @@ -34,7 +37,7 @@ struct _daq_pkt_hdr; namespace snort { -#define POLICY_SELECTOR_API_VERSION ((BASE_API_VERSION << 16) | 0) +#define POLICY_SELECTOR_API_VERSION ((BASE_API_VERSION << 16) | 1) struct Packet; class PolicySelector; diff --git a/src/framework/range.cc b/src/framework/range.cc index db54813e8..8b6829a86 100644 --- a/src/framework/range.cc +++ b/src/framework/range.cc @@ -21,7 +21,7 @@ #include "config.h" #endif -#include "framework/range.h" +#include "range.h" #include #include diff --git a/src/framework/so_rule.h b/src/framework/so_rule.h index 8025574fc..b2154ae93 100644 --- a/src/framework/so_rule.h +++ b/src/framework/so_rule.h @@ -25,6 +25,9 @@ // like a text rule except that it can call function hooks. It can also // define its own rule options and any other plugins it may need. +// the SOAPI_VERSION will change if anything in this file changes. +// see also framework/base_api.h. + #include "framework/base_api.h" #include "framework/ips_option.h" #include "main/snort_types.h" @@ -35,7 +38,7 @@ struct Packet; } // this is the current version of the api -#define SOAPI_VERSION ((BASE_API_VERSION << 16) | 0) +#define SOAPI_VERSION ((BASE_API_VERSION << 16) | 1) //------------------------------------------------------------------------- // rule format is: header ( [;] soid:; [;] ) @@ -45,6 +48,7 @@ struct Packet; typedef snort::IpsOption::EvalStatus (* SoEvalFunc)(void*, class Cursor&, snort::Packet*); typedef SoEvalFunc (* SoNewFunc)(const char* key, void**); + typedef void (* SoDelFunc)(void*); typedef void (* SoAuxFunc)(); diff --git a/src/framework/test/CMakeLists.txt b/src/framework/test/CMakeLists.txt index ba7457616..0f554e0f6 100644 --- a/src/framework/test/CMakeLists.txt +++ b/src/framework/test/CMakeLists.txt @@ -2,3 +2,13 @@ add_cpputest( data_bus_test SOURCES ../data_bus.cc ) + +# libapi_def.a is actually a text file with the preprocessed header source + +if ( ENABLE_UNIT_TESTS ) + add_library(api_def api_def.cc) + target_compile_options(api_def PRIVATE -E) + install(TARGETS api_def) +endif () + + diff --git a/src/framework/test/api_def.cc b/src/framework/test/api_def.cc new file mode 100644 index 000000000..e59884eae --- /dev/null +++ b/src/framework/test/api_def.cc @@ -0,0 +1,33 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// api_def.cpp author Russ Combs + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +// this file is solely used to produce compiler preprocessor output +// for detecting changes to the Snort plugin interface. + +#undef API_OPTIONS +#define API_OPTIONS 0 + +#include "framework/plugins.h" + +int main() { return 0; } + diff --git a/src/framework/test/data_bus_test.cc b/src/framework/test/data_bus_test.cc index f96789303..b372e543d 100644 --- a/src/framework/test/data_bus_test.cc +++ b/src/framework/test/data_bus_test.cc @@ -23,7 +23,6 @@ #include "framework/data_bus.h" #include "main/snort_config.h" -#include "main/thread.h" #include "utils/stats.h" #include diff --git a/src/framework/value.h b/src/framework/value.h index a935b164a..3ec96ce28 100644 --- a/src/framework/value.h +++ b/src/framework/value.h @@ -26,9 +26,9 @@ #include #include -#include "framework/bits.h" #include "framework/parameter.h" #include "main/snort_types.h" +#include "utils/bits.h" namespace snort { diff --git a/src/hash/CMakeLists.txt b/src/hash/CMakeLists.txt index 72e3139d7..9fac8b428 100644 --- a/src/hash/CMakeLists.txt +++ b/src/hash/CMakeLists.txt @@ -1,8 +1,6 @@ set (HASH_INCLUDES - ghash.h hashes.h - hash_defs.h hash_key_operations.h lru_cache_local.h lru_cache_shared.h @@ -13,6 +11,8 @@ set (HASH_INCLUDES add_library( hash OBJECT ${HASH_INCLUDES} ghash.cc + ghash.h + hash_defs.h hashes.cc hash_lru_cache.cc hash_lru_cache.h diff --git a/src/hash/ghash.h b/src/hash/ghash.h index be27622fd..e25ff5f93 100644 --- a/src/hash/ghash.h +++ b/src/hash/ghash.h @@ -40,7 +40,7 @@ struct GHashNode typedef void (* gHashFree)(void*); -class SO_PUBLIC GHash +class GHash { public: GHash(int nrows, unsigned keysize, bool userkey, gHashFree); diff --git a/src/hash/hash_key_operations.cc b/src/hash/hash_key_operations.cc index 79e0a2645..93b861f35 100644 --- a/src/hash/hash_key_operations.cc +++ b/src/hash/hash_key_operations.cc @@ -28,6 +28,7 @@ #include #include "main/snort_config.h" +#include "main/thread.h" #include "utils/util.h" #include "primetable.h" diff --git a/src/hash/test/ghash_test.cc b/src/hash/test/ghash_test.cc index cf8b35201..9e29c4609 100644 --- a/src/hash/test/ghash_test.cc +++ b/src/hash/test/ghash_test.cc @@ -27,6 +27,7 @@ #include "hash/hash_defs.h" #include "main/snort_config.h" +#include "main/thread.h" #include "utils/util.h" #include diff --git a/src/hash/test/xhash_test.cc b/src/hash/test/xhash_test.cc index 3b6112f53..ee9ddadff 100644 --- a/src/hash/test/xhash_test.cc +++ b/src/hash/test/xhash_test.cc @@ -27,6 +27,7 @@ #include "hash/hash_defs.h" #include "main/snort_config.h" +#include "main/thread.h" #include "utils/util.h" #include diff --git a/src/hash/xhash.h b/src/hash/xhash.h index 31c5d4f7e..6ecf6206c 100644 --- a/src/hash/xhash.h +++ b/src/hash/xhash.h @@ -27,8 +27,8 @@ #include #include "framework/counts.h" +#include "helpers/memcap_allocator.h" #include "main/snort_types.h" -#include "utils/memcap_allocator.h" class HashLruCache; diff --git a/src/helpers/CMakeLists.txt b/src/helpers/CMakeLists.txt index de23cd7f0..a94f72d2c 100644 --- a/src/helpers/CMakeLists.txt +++ b/src/helpers/CMakeLists.txt @@ -13,39 +13,47 @@ endif () set (HELPERS_INCLUDES ${HYPER_HEADERS} base64_encoder.h + ber.h bitop.h + boyer_moore.h boyer_moore_search.h buffer_data.h + event_gen.h + infractions.h json_stream.h literal_search.h - process.h + memcap_allocator.h scratch_allocator.h sigsafe.h + utf.h ) add_library (helpers OBJECT ${HELPERS_INCLUDES} ${HYPER_SOURCES} base64_encoder.cc + ber.cc + boyer_moore.cc boyer_moore_search.cc buffer_data.cc - chunk.cc - chunk.h directory.cc directory.h discovery_filter.cc discovery_filter.h flag_context.h + grouped_list.h json_stream.cc - json_stream.h literal_search.cc markup.cc markup.h - process.cc + primed_allocator.h ring.h ring_logic.h sigsafe.cc scratch_allocator.cc + streambuf.cc + streambuf.h + utf.cc ) install (FILES ${HELPERS_INCLUDES} diff --git a/src/utils/util_ber.cc b/src/helpers/ber.cc similarity index 99% rename from src/utils/util_ber.cc rename to src/helpers/ber.cc index 7951a2668..7ec11b2de 100644 --- a/src/utils/util_ber.cc +++ b/src/helpers/ber.cc @@ -21,7 +21,7 @@ #include "config.h" #endif -#include "util_ber.h" +#include "ber.h" namespace snort { diff --git a/src/utils/util_ber.h b/src/helpers/ber.h similarity index 95% rename from src/utils/util_ber.h rename to src/helpers/ber.h index 9707cf06c..98a91481a 100644 --- a/src/utils/util_ber.h +++ b/src/helpers/ber.h @@ -15,10 +15,10 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// util_ber.h author Brandon Stultz +// ber.h author Brandon Stultz -#ifndef UTIL_BER_H -#define UTIL_BER_H +#ifndef BER_H +#define BER_H #include "main/snort_types.h" #include "framework/cursor.h" diff --git a/src/utils/boyer_moore.cc b/src/helpers/boyer_moore.cc similarity index 100% rename from src/utils/boyer_moore.cc rename to src/helpers/boyer_moore.cc diff --git a/src/utils/boyer_moore.h b/src/helpers/boyer_moore.h similarity index 100% rename from src/utils/boyer_moore.h rename to src/helpers/boyer_moore.h diff --git a/src/helpers/buffer_data.h b/src/helpers/buffer_data.h index 7a8271a90..637afe3eb 100644 --- a/src/helpers/buffer_data.h +++ b/src/helpers/buffer_data.h @@ -16,6 +16,7 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- // buffer_data.h author Amarnath Nayak + #ifndef BUFFER_DATA_H #define BUFFER_DATA_H diff --git a/src/helpers/dev_notes.txt b/src/helpers/dev_notes.txt index 8f1dd3b10..c794ea78c 100644 --- a/src/helpers/dev_notes.txt +++ b/src/helpers/dev_notes.txt @@ -1,3 +1,48 @@ This directory contains new utility classes and methods for use by the -framework. +framework. Utility funcitons, defines, etc. should go in src/utils/. + +On stream buffer, there are two classes inherited from std::streambuf: + +* istreambuf_glue class for reading operations +* ostreambuf_infl class for writing operations + +The input stream buffer presents a continuous sequence of bytes to the client, +gathered from different sources. For example: + + char* s1 = "world"; + char* s2 = "!"; + char* s3 = "Hello "; + +These sources being fed to the stream buffer as s3, s1, s2 will form +"Hello world!" sequence. + +In order to do that, istreambuf_glue class represents each source as a chunk of +data, which has its own position in the resulting sequence. +The chunk structure contains a pointer to the source, source size, and +the chunk's offset in the resulting sequence. + +Reading is done sequentially within the current chunk. When the end of chunk +reached, the buffer switches to the next one, setting std::streambuf pointers. + +Positioning the cursor is done in two steps: + +1. Calculate the final cursor position (absolute or by offset). + +2. Find the right chunk and local offset in it to set cursor there. + +Currently, no intermediate buffering done between chunks (like alignment, +prepending/appending the next chunk). The buffer doesn't take ownership over +the source's memory. + +The output stream buffer is mostly like std::stringbuf. The main purpose of it +is having an extensible dynamic array, where clients could write their data, +not worrying about resizing and memory management. + +Aside from that, ostreambuf_infl can give away ownership over its memory, +which could be useful for final consumer. + +From performance perspective, ostreambuf_infl can reserve an amount of memory +before actual operations. Also, memory extending is done by predefined +portions of 2^11^, 2^12^, 2^13^, 2^14^, 2^15^, 2^15^, 2^15^... +This tries to minimize the number of memory reallocation. diff --git a/src/utils/event_gen.h b/src/helpers/event_gen.h similarity index 100% rename from src/utils/event_gen.h rename to src/helpers/event_gen.h diff --git a/src/utils/grouped_list.h b/src/helpers/grouped_list.h similarity index 100% rename from src/utils/grouped_list.h rename to src/helpers/grouped_list.h diff --git a/src/helpers/hyper_search.cc b/src/helpers/hyper_search.cc index 052a02d7e..465101282 100644 --- a/src/helpers/hyper_search.cc +++ b/src/helpers/hyper_search.cc @@ -32,7 +32,6 @@ #include "log/messages.h" #include "main/snort_config.h" -#include "main/thread.h" #include "utils/util.h" #include "hyper_scratch_allocator.h" @@ -104,11 +103,14 @@ HyperSearch::~HyperSearch() } +namespace +{ struct ScanContext { unsigned index; bool found = false; }; +} static int hs_match(unsigned int, unsigned long long, unsigned long long to, unsigned int, void* context) { diff --git a/src/utils/infractions.h b/src/helpers/infractions.h similarity index 100% rename from src/utils/infractions.h rename to src/helpers/infractions.h diff --git a/src/utils/memcap_allocator.h b/src/helpers/memcap_allocator.h similarity index 100% rename from src/utils/memcap_allocator.h rename to src/helpers/memcap_allocator.h diff --git a/src/utils/primed_allocator.h b/src/helpers/primed_allocator.h similarity index 100% rename from src/utils/primed_allocator.h rename to src/helpers/primed_allocator.h diff --git a/src/utils/streambuf.cc b/src/helpers/streambuf.cc similarity index 100% rename from src/utils/streambuf.cc rename to src/helpers/streambuf.cc diff --git a/src/utils/streambuf.h b/src/helpers/streambuf.h similarity index 100% rename from src/utils/streambuf.h rename to src/helpers/streambuf.h diff --git a/src/helpers/test/CMakeLists.txt b/src/helpers/test/CMakeLists.txt index 5255dd7e0..1e41ac818 100644 --- a/src/helpers/test/CMakeLists.txt +++ b/src/helpers/test/CMakeLists.txt @@ -1,8 +1,21 @@ + +add_catch_test( bitop_test ) + +add_cpputest( boyer_moore_test + SOURCES + ../boyer_moore.cc +) + add_cpputest( boyer_moore_search_test SOURCES ../boyer_moore_search.cc ) +add_catch_test( grouped_list_test + SOURCES + ../grouped_list.h +) + if ( HAVE_HYPERSCAN ) add_cpputest( hyper_search_test SOURCES @@ -14,11 +27,16 @@ if ( HAVE_HYPERSCAN ) ) endif() -add_catch_test( bitop_test ) - add_catch_test( json_stream_test SOURCES json_stream_test.cc ../json_stream.cc ) +add_cpputest( memcap_allocator_test ) + +add_catch_test( streambuf_test + SOURCES + ../streambuf.cc +) + diff --git a/src/utils/test/boyer_moore_test.cc b/src/helpers/test/boyer_moore_test.cc similarity index 100% rename from src/utils/test/boyer_moore_test.cc rename to src/helpers/test/boyer_moore_test.cc diff --git a/src/utils/test/grouped_list_test.cc b/src/helpers/test/grouped_list_test.cc similarity index 99% rename from src/utils/test/grouped_list_test.cc rename to src/helpers/test/grouped_list_test.cc index 70187b7d4..375b1a602 100644 --- a/src/utils/test/grouped_list_test.cc +++ b/src/helpers/test/grouped_list_test.cc @@ -27,7 +27,7 @@ #include #include -#include "utils/grouped_list.h" +#include "helpers/grouped_list.h" using namespace snort; using namespace std; diff --git a/src/utils/test/memcap_allocator_test.cc b/src/helpers/test/memcap_allocator_test.cc similarity index 100% rename from src/utils/test/memcap_allocator_test.cc rename to src/helpers/test/memcap_allocator_test.cc diff --git a/src/utils/test/streambuf_test.cc b/src/helpers/test/streambuf_test.cc similarity index 99% rename from src/utils/test/streambuf_test.cc rename to src/helpers/test/streambuf_test.cc index 0771a5580..e934fdad5 100644 --- a/src/utils/test/streambuf_test.cc +++ b/src/helpers/test/streambuf_test.cc @@ -26,7 +26,7 @@ #include #include -#include "utils/streambuf.h" +#include "helpers/streambuf.h" using namespace snort; using namespace std; diff --git a/src/utils/util_utf.cc b/src/helpers/utf.cc similarity index 99% rename from src/utils/util_utf.cc rename to src/helpers/utf.cc index f5ad38335..6d4452621 100644 --- a/src/utils/util_utf.cc +++ b/src/helpers/utf.cc @@ -23,7 +23,7 @@ #include "config.h" #endif -#include "util_utf.h" +#include "utf.h" #include #include diff --git a/src/utils/util_utf.h b/src/helpers/utf.h similarity index 100% rename from src/utils/util_utf.h rename to src/helpers/utf.h diff --git a/src/host_tracker/CMakeLists.txt b/src/host_tracker/CMakeLists.txt index 8625723b5..1cb414d30 100644 --- a/src/host_tracker/CMakeLists.txt +++ b/src/host_tracker/CMakeLists.txt @@ -2,7 +2,6 @@ set (HOST_TRACKER_INCLUDES cache_allocator.h cache_interface.h host_cache.h - host_cache_segmented.h host_tracker.h ) @@ -16,6 +15,7 @@ add_library( host_tracker OBJECT host_tracker_module.cc host_tracker_module.h host_tracker.cc + host_tracker_stats.h ) add_subdirectory ( test ) diff --git a/src/host_tracker/cache_allocator.h b/src/host_tracker/cache_allocator.h index b006f50aa..c42dbe5c3 100644 --- a/src/host_tracker/cache_allocator.h +++ b/src/host_tracker/cache_allocator.h @@ -89,13 +89,13 @@ public: CacheInterface* get_cache_ptr() { return Base::get_lru(); } template - HostCacheAllocIp(const HostCacheAllocIp& other) + HostCacheAllocIp(const HostCacheAllocIp& other) { this->lru = other.get_lru(); } template - HostCacheAllocIp(HostCacheAllocIp&& other) noexcept + HostCacheAllocIp(HostCacheAllocIp&& other) noexcept { this->lru = other.get_lru(); } diff --git a/src/host_tracker/host_cache.h b/src/host_tracker/host_cache.h index 156e46906..76c89420e 100644 --- a/src/host_tracker/host_cache.h +++ b/src/host_tracker/host_cache.h @@ -28,10 +28,10 @@ #include "hash/lru_cache_shared.h" #include "host_tracker.h" +#include "log/log_stats.h" #include "log/messages.h" #include "main/snort_config.h" #include "sfip/sf_ip.h" -#include "utils/stats.h" #include "cache_allocator.h" #include "cache_interface.h" diff --git a/src/host_tracker/host_cache_module.cc b/src/host_tracker/host_cache_module.cc index 9612d28df..1bb3e8fb4 100644 --- a/src/host_tracker/host_cache_module.cc +++ b/src/host_tracker/host_cache_module.cc @@ -563,8 +563,6 @@ string HostCacheModule::get_host_cache_stats() } } - - return str; } diff --git a/src/host_tracker/host_cache_segmented.h b/src/host_tracker/host_cache_segmented.h index 01e660109..d73905a64 100644 --- a/src/host_tracker/host_cache_segmented.h +++ b/src/host_tracker/host_cache_segmented.h @@ -1,5 +1,5 @@ //-------------------------------------------------------------------------- -// Copyright (C) 2015-2024 Cisco and/or its affiliates. All rights reserved. +// Copyright (C) 2023-2024 Cisco and/or its affiliates. All rights reserved. // // This program is free software; you can redistribute it and/or modify it // under the terms of the GNU General Public License Version 2 as published @@ -20,15 +20,12 @@ #ifndef HOST_CACHE_SEGMENTED_H #define HOST_CACHE_SEGMENTED_H -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - #include #include #include #include "host_cache.h" +#include "log/log_stats.h" #include "log/messages.h" #define DEFAULT_HOST_CACHE_SEGMENTS 4 diff --git a/src/host_tracker/host_tracker.cc b/src/host_tracker/host_tracker.cc index 52f9b7458..df4b361d7 100644 --- a/src/host_tracker/host_tracker.cc +++ b/src/host_tracker/host_tracker.cc @@ -22,6 +22,9 @@ #include "config.h" #endif +#include "host_tracker.h" +#include "host_tracker_stats.h" + #include #include "flow/flow.h" @@ -31,7 +34,6 @@ #include "cache_allocator.cc" #include "host_cache.h" #include "host_cache_segmented.h" -#include "host_tracker.h" using namespace snort; using namespace std; diff --git a/src/host_tracker/host_tracker.h b/src/host_tracker/host_tracker.h index 9ef80e4b5..ef43d1673 100644 --- a/src/host_tracker/host_tracker.h +++ b/src/host_tracker/host_tracker.h @@ -29,12 +29,12 @@ #include #include #include +#include #include #include #include "framework/counts.h" #include "main/snort_types.h" -#include "main/thread.h" #include "network_inspectors/appid/application_ids.h" #include "protocols/protocol_ids.h" #include "protocols/vlan.h" @@ -42,14 +42,6 @@ #include "cache_allocator.h" -struct HostTrackerStats -{ - PegCount service_adds; - PegCount service_finds; -}; - -extern THREAD_LOCAL struct HostTrackerStats host_tracker_stats; - class RNAFlow; namespace snort @@ -387,13 +379,13 @@ public: return ++nat_count; } - void set_cache_idx(uint8_t idx) - { + void set_cache_idx(uint8_t idx) + { std::lock_guard lck(host_tracker_lock); - cache_idx = idx; + cache_idx = idx; } - void init_visibility(size_t v) + void init_visibility(size_t v) { std::lock_guard lck(host_tracker_lock); visibility = v; @@ -474,12 +466,12 @@ private: uint32_t nat_count_start; // the time nat counting starts for this host size_t visibility; - uint8_t cache_idx = 0; + uint8_t cache_idx = 0; uint32_t num_visible_services = 0; uint32_t num_visible_clients = 0; uint32_t num_visible_macs = 0; - + CacheInterface * cache_interface = nullptr; // These three do not lock independently; they are used by payload discovery and called diff --git a/src/host_tracker/host_tracker_module.cc b/src/host_tracker/host_tracker_module.cc index b04d0743b..09b817fa0 100644 --- a/src/host_tracker/host_tracker_module.cc +++ b/src/host_tracker/host_tracker_module.cc @@ -23,6 +23,7 @@ #endif #include "host_tracker_module.h" +#include "host_tracker_stats.h" #include "host_cache_segmented.h" #include "log/messages.h" diff --git a/src/host_tracker/host_tracker_stats.h b/src/host_tracker/host_tracker_stats.h new file mode 100644 index 000000000..46c5037cf --- /dev/null +++ b/src/host_tracker/host_tracker_stats.h @@ -0,0 +1,37 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// host_tracker_stats.h author Russ Combs + +#ifndef HOST_TRACKER_STATS_H +#define HOST_TRACKER_STATS_H + +// private HostTracker data (not installed) + +#include "framework/counts.h" + +struct HostTrackerStats +{ + PegCount service_adds; + PegCount service_finds; +}; + +extern THREAD_LOCAL struct HostTrackerStats host_tracker_stats; + +#endif + diff --git a/src/host_tracker/test/host_cache_allocator_ht_test.cc b/src/host_tracker/test/host_cache_allocator_ht_test.cc index fc0ff89c5..1371a7328 100644 --- a/src/host_tracker/test/host_cache_allocator_ht_test.cc +++ b/src/host_tracker/test/host_cache_allocator_ht_test.cc @@ -65,12 +65,12 @@ public: CacheInterface* get_cache_ptr() { return Base::get_lru(); } template - Allocator(const Allocator& other) + Allocator(const Allocator& other) { lru = other.lru; } template - Allocator(const Allocator&& other) + Allocator(const Allocator&& other) { lru = other.lru; } @@ -102,7 +102,7 @@ TEST_GROUP(host_cache_allocator_ht) }; TEST(host_cache_allocator_ht, allocate_update) -{ +{ //declare a list with allocator cache std::list> test_list; CHECK(test_list.get_allocator().get_lru() == &cache1); diff --git a/src/host_tracker/test/host_cache_module_test.cc b/src/host_tracker/test/host_cache_module_test.cc index bfa4c4955..3e1bc2f5e 100644 --- a/src/host_tracker/test/host_cache_module_test.cc +++ b/src/host_tracker/test/host_cache_module_test.cc @@ -92,7 +92,7 @@ unsigned ThreadConfig::get_instance_max() { return 1; } } // end of namespace snort void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } template HostCacheAllocIp::HostCacheAllocIp() @@ -177,12 +177,12 @@ TEST(host_cache_module, misc) // cache, because sum_stats resets the pegs. module.sum_stats(true); - // add 3 entries to segment 3 + // add 3 entries to segment 3 SfIp ip1, ip2, ip3; ip1.set("1.1.1.1"); ip2.set("2.2.2.2"); ip3.set("3.3.3.3"); - + host_cache.find_else_create(ip1, nullptr); host_cache.find_else_create(ip2, nullptr); host_cache.find_else_create(ip3, nullptr); @@ -206,7 +206,7 @@ TEST(host_cache_module, misc) // pruning in thread is not done when reload_mutex is already locked for(auto cache : host_cache.seg_list) cache->reload_mutex.lock(); - + std::thread test_negative(try_reload_prune, false); test_negative.join(); @@ -268,8 +268,6 @@ TEST(host_cache_module, get_segment_stats) str = module.get_host_cache_segment_stats(-1); contain = str.find("total cache segments: 4") != std::string::npos; CHECK_TRUE(contain); - - } TEST(host_cache_module, log_host_cache_messages) diff --git a/src/host_tracker/test/host_tracker_module_test.cc b/src/host_tracker/test/host_tracker_module_test.cc index 5d429d2be..8f4ccccb0 100644 --- a/src/host_tracker/test/host_tracker_module_test.cc +++ b/src/host_tracker/test/host_tracker_module_test.cc @@ -28,6 +28,7 @@ #include "host_tracker/host_cache.h" #include "host_tracker/host_cache_segmented.h" #include "host_tracker/host_tracker_module.h" +#include "host_tracker/host_tracker_stats.h" #include "main/snort_config.h" #include "main/thread_config.h" #include "target_based/snort_protocols.h" @@ -50,7 +51,7 @@ unsigned ThreadConfig::get_instance_max() { return 1; } // Fake show_stats to avoid bringing in a ton of dependencies. void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } SfIp expected_addr; diff --git a/src/ips_options/CMakeLists.txt b/src/ips_options/CMakeLists.txt index 4ae54c65e..3512b4860 100644 --- a/src/ips_options/CMakeLists.txt +++ b/src/ips_options/CMakeLists.txt @@ -1,6 +1,3 @@ -set(IPS_INCLUDES - extract.h -) SET( PLUGIN_LIST ips_ack.cc @@ -12,13 +9,20 @@ SET( PLUGIN_LIST ips_byte_jump.cc ips_byte_math.cc ips_byte_test.cc + ips_classtype.cc + ips_content.cc ips_cvs.cc + ips_dsize.cc ips_enable.cc + ips_file_data.cc + ips_file_meta.cc ips_file_type.cc ips_flags.cc + ips_flow.cc ips_fragbits.cc ips_fragoffset.cc ips_gid.cc + ips_hash.cc ips_icmp_id.cc ips_icmp_seq.cc ips_icode.cc @@ -27,14 +31,19 @@ SET( PLUGIN_LIST ips_ip_proto.cc ips_isdataat.cc ips_itype.cc + ips_js_data.cc + ips_metadata.cc ips_msg.cc ips_pcre.cc + ips_pkt_data.cc ips_priority.cc ips_raw_data.cc + ips_reference.cc ips_rem.cc ips_rev.cc ips_rpc.cc ips_seq.cc + ips_service.cc ips_sid.cc ips_soid.cc ips_tag.cc @@ -42,33 +51,16 @@ SET( PLUGIN_LIST ips_tos.cc ips_ttl.cc ips_window.cc - ips_vba_data.cc - ips_vba_data.h ) - set (IPS_SOURCES - ${IPS_INCLUDES} - extract.cc - ips_classtype.cc - ips_content.cc ips_detection_filter.cc - ips_dsize.cc - ips_file_data.cc - ips_file_meta.cc - ips_flow.cc ips_flowbits.cc ips_flowbits.h - ips_hash.cc - ips_js_data.cc ips_luajit.cc - ips_metadata.cc ips_options.cc ips_options.h - ips_pkt_data.cc - ips_reference.cc ips_replace.cc - ips_service.cc ips_so.cc ips_vba_data.cc ips_vba_data.h @@ -86,7 +78,6 @@ if (STATIC_IPS_OPTIONS) add_library ( ips_options OBJECT ${IPS_SOURCES} - ${OPTION_LIST} ${PLUGIN_LIST} ) @@ -94,22 +85,28 @@ else (STATIC_IPS_OPTIONS) add_library ( ips_options OBJECT ${IPS_SOURCES} - ${OPTION_LIST} ) + add_dynamic_module(ips_content ips_options ips_content.cc) + add_dynamic_module(ips_hash ips_options ips_hash.cc) add_dynamic_module(ips_ack ips_options ips_ack.cc) add_dynamic_module(ips_base64 ips_options ips_base64.cc) add_dynamic_module(ips_ber_data ips_options ips_ber_data.cc) add_dynamic_module(ips_ber_skip ips_options ips_ber_skip.cc) add_dynamic_module(ips_bufferlen ips_options ips_bufferlen.cc) - add_dynamic_module(ips_byte_extract ips_options extract.cc ips_byte_extract.cc) - add_dynamic_module(ips_byte_jump ips_options extract.cc ips_byte_jump.cc) - add_dynamic_module(ips_byte_math ips_options extract.cc ips_byte_math.cc) - add_dynamic_module(ips_byte_test ips_options extract.cc ips_byte_test.cc) + add_dynamic_module(ips_byte_extract ips_options ips_byte_extract.cc) + add_dynamic_module(ips_byte_jump ips_options ips_byte_jump.cc) + add_dynamic_module(ips_byte_math ips_options ips_byte_math.cc) + add_dynamic_module(ips_byte_test ips_options ips_byte_test.cc) + add_dynamic_module(ips_classtype ips_options ips_classtype.cc) add_dynamic_module(ips_cvs ips_options ips_cvs.cc) + add_dynamic_module(ips_dsize ips_options ips_dsize.cc) add_dynamic_module(ips_enable ips_options ips_enable.cc) + add_dynamic_module(ips_file_data ips_options ips_file_data.cc) + add_dynamic_module(ips_file_meta ips_options ips_file_meta.cc) add_dynamic_module(ips_file_type ips_options ips_file_type.cc) add_dynamic_module(ips_flags ips_options ips_flags.cc) + add_dynamic_module(ips_flow ips_options ips_flow.cc) add_dynamic_module(ips_fragbits ips_options ips_fragbits.cc) add_dynamic_module(ips_fragoffset ips_options ips_fragoffset.cc) add_dynamic_module(ips_gid ips_options ips_gid.cc) @@ -121,13 +118,18 @@ else (STATIC_IPS_OPTIONS) add_dynamic_module(ips_ip_proto ips_options ips_ip_proto.cc) add_dynamic_module(ips_isdataat ips_options ips_isdataat.cc) add_dynamic_module(ips_itype ips_options ips_itype.cc) + add_dynamic_module(ips_js_data ips_options ips_js_data.cc) + add_dynamic_module(ips_metadata ips_options ips_metadata.cc) add_dynamic_module(ips_msg ips_options ips_msg.cc) add_dynamic_module(ips_pcre ips_options ips_pcre.cc) + add_dynamic_module(ips_pkt_data ips_options ips_pkt_data.cc) add_dynamic_module(ips_priority ips_options ips_priority.cc) add_dynamic_module(ips_raw_data ips_options ips_raw_data.cc) + add_dynamic_module(ips_reference ips_options ips_reference.cc) add_dynamic_module(ips_rem ips_options ips_rem.cc) add_dynamic_module(ips_rev ips_options ips_rev.cc) add_dynamic_module(ips_rpc ips_options ips_rpc.cc) + add_dynamic_module(ips_service ips_options ips_service.cc) add_dynamic_module(ips_sid ips_options ips_sid.cc) add_dynamic_module(ips_seq ips_options ips_seq.cc) add_dynamic_module(ips_soid ips_options ips_soid.cc) @@ -145,6 +147,3 @@ endif (STATIC_IPS_OPTIONS) add_subdirectory(test) -install(FILES ${IPS_INCLUDES} - DESTINATION "${INCLUDE_INSTALL_PATH}/ips_options/" -) diff --git a/src/ips_options/ips_ack.cc b/src/ips_options/ips_ack.cc index f978c77ad..178d619f2 100644 --- a/src/ips_options/ips_ack.cc +++ b/src/ips_options/ips_ack.cc @@ -148,7 +148,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* ack_ctor(Module* p, OptTreeNode*) +static IpsOption* ack_ctor(Module* p, IpsInfo&) { AckModule* m = (AckModule*)p; return new TcpAckOption(m->data); diff --git a/src/ips_options/ips_base64.cc b/src/ips_options/ips_base64.cc index 6b56627cb..da3ea0f71 100644 --- a/src/ips_options/ips_base64.cc +++ b/src/ips_options/ips_base64.cc @@ -24,7 +24,6 @@ #endif #include "detection/detection_engine.h" -#include "detection/treenodes.h" #include "hash/hash_key_operations.h" #include "framework/cursor.h" #include "framework/ips_option.h" @@ -229,7 +228,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* base64_decode_ctor(Module* p, OptTreeNode*) +static IpsOption* base64_decode_ctor(Module* p, IpsInfo&) { B64DecodeModule* m = (B64DecodeModule*)p; return new Base64DecodeOption(m->data); @@ -302,9 +301,9 @@ IpsOption::EvalStatus Base64DataOption::eval(Cursor& c, Packet* p) //------------------------------------------------------------------------- static class IpsOption* base64_data_ctor( - Module*, OptTreeNode* otn) + Module*, IpsInfo& info) { - if ( !otn_has_plugin(otn, "base64_decode") ) + if ( !IpsOption::has_plugin(info, "base64_decode") ) { ParseError("base64_decode needs to be specified before base64_data in a rule"); return nullptr; diff --git a/src/ips_options/ips_ber_data.cc b/src/ips_options/ips_ber_data.cc index a0527d7c6..e7797821f 100644 --- a/src/ips_options/ips_ber_data.cc +++ b/src/ips_options/ips_ber_data.cc @@ -25,8 +25,8 @@ #include "framework/ips_option.h" #include "framework/module.h" #include "hash/hash_key_operations.h" +#include "helpers/ber.h" #include "profiler/profiler.h" -#include "utils/util_ber.h" using namespace snort; @@ -165,7 +165,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* ber_data_ctor(Module* p, OptTreeNode*) +static IpsOption* ber_data_ctor(Module* p, IpsInfo&) { BerDataModule* m = (BerDataModule*)p; return new BerDataOption(m->type); diff --git a/src/ips_options/ips_ber_skip.cc b/src/ips_options/ips_ber_skip.cc index f54e404b7..2ac03eb0b 100644 --- a/src/ips_options/ips_ber_skip.cc +++ b/src/ips_options/ips_ber_skip.cc @@ -25,8 +25,8 @@ #include "framework/ips_option.h" #include "framework/module.h" #include "hash/hash_key_operations.h" +#include "helpers/ber.h" #include "profiler/profiler.h" -#include "utils/util_ber.h" using namespace snort; @@ -182,7 +182,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* ber_skip_ctor(Module* p, OptTreeNode*) +static IpsOption* ber_skip_ctor(Module* p, IpsInfo&) { BerSkipModule* m = (BerSkipModule*)p; return new BerSkipOption(m->type, m->optional); diff --git a/src/ips_options/ips_bufferlen.cc b/src/ips_options/ips_bufferlen.cc index 1d7769e05..fbfbcd84a 100644 --- a/src/ips_options/ips_bufferlen.cc +++ b/src/ips_options/ips_bufferlen.cc @@ -162,7 +162,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* len_ctor(Module* p, OptTreeNode*) +static IpsOption* len_ctor(Module* p, IpsInfo&) { LenModule* m = (LenModule*)p; return new LenOption(m->data, m->relative); diff --git a/src/ips_options/ips_byte_extract.cc b/src/ips_options/ips_byte_extract.cc index 26cb745e6..5f94cb05d 100644 --- a/src/ips_options/ips_byte_extract.cc +++ b/src/ips_options/ips_byte_extract.cc @@ -22,9 +22,10 @@ #include "config.h" #endif -#include "detection/treenodes.h" +#include "detection/extract.h" #include "framework/cursor.h" #include "framework/endianness.h" +#include "framework/ips_info.h" #include "framework/ips_option.h" #include "framework/module.h" #include "hash/hash_key_operations.h" @@ -33,8 +34,6 @@ #include "protocols/packet.h" #include "utils/util.h" -#include "extract.h" - #ifdef UNIT_TEST #include #include "service_inspectors/dce_rpc/dce_common.h" @@ -386,7 +385,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* byte_extract_ctor(Module* p, OptTreeNode*) +static IpsOption* byte_extract_ctor(Module* p, IpsInfo&) { ExtractModule* m = (ExtractModule*)p; ByteExtractData& data = m->data; @@ -878,17 +877,19 @@ TEST_CASE("Test of byte_extract_ctor", "[ips_byte_extract]") "~name", Parameter::PT_STRING, nullptr, nullptr, "name of the variable that will be used in other rule options"}; v.set(&p); + obj.set(nullptr, v, nullptr); + IpsInfo info(nullptr, nullptr); if (i < NUM_IPS_OPTIONS_VARS) { - IpsOption* res = byte_extract_ctor(&obj, nullptr); + IpsOption* res = byte_extract_ctor(&obj, info); delete res; } else { - IpsOption* res_null = byte_extract_ctor(&obj, nullptr); - CHECK(nullptr == res_null); + IpsOption* res_null = byte_extract_ctor(&obj, info); + CHECK(res_null == nullptr); delete[] obj.data.name; } } diff --git a/src/ips_options/ips_byte_jump.cc b/src/ips_options/ips_byte_jump.cc index 1ddd416b4..7f203f4df 100644 --- a/src/ips_options/ips_byte_jump.cc +++ b/src/ips_options/ips_byte_jump.cc @@ -77,6 +77,7 @@ #include "config.h" #endif +#include "detection/extract.h" #include "framework/cursor.h" #include "framework/endianness.h" #include "framework/ips_option.h" @@ -86,8 +87,6 @@ #include "profiler/profiler.h" #include "protocols/packet.h" -#include "extract.h" - using namespace snort; using namespace std; @@ -499,7 +498,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* byte_jump_ctor(Module* p, OptTreeNode*) +static IpsOption* byte_jump_ctor(Module* p, IpsInfo&) { ByteJumpModule* m = (ByteJumpModule*)p; return new ByteJumpOption(m->data); diff --git a/src/ips_options/ips_byte_math.cc b/src/ips_options/ips_byte_math.cc index 08f030c0f..d8932c4fd 100644 --- a/src/ips_options/ips_byte_math.cc +++ b/src/ips_options/ips_byte_math.cc @@ -23,8 +23,10 @@ #include "config.h" #endif +#include "detection/extract.h" #include "framework/cursor.h" #include "framework/endianness.h" +#include "framework/ips_info.h" #include "framework/ips_option.h" #include "framework/module.h" #include "hash/hash_key_operations.h" @@ -33,8 +35,6 @@ #include "protocols/packet.h" #include "utils/util.h" -#include "extract.h" - #ifdef UNIT_TEST #include "catch/snort_catch.h" #include "service_inspectors/dce_rpc/dce_common.h" @@ -492,7 +492,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* byte_math_ctor(Module* p, OptTreeNode*) +static IpsOption* byte_math_ctor(Module* p, IpsInfo&) { ByteMathModule* m = (ByteMathModule*)p; ByteMathData& data = m->data; @@ -1233,16 +1233,19 @@ TEST_CASE("Test of byte_math_ctor", "[ips_byte_math]") Parameter p{"result", Parameter::PT_STRING, nullptr, nullptr, "name of the variable to store the result"}; v.set(&p); + obj.set(nullptr, v, nullptr); + IpsInfo info(nullptr, nullptr); + if (i < NUM_IPS_OPTIONS_VARS) { - IpsOption* res = byte_math_ctor(&obj, nullptr); + IpsOption* res = byte_math_ctor(&obj, info); delete res; } else { - IpsOption* res_null = byte_math_ctor(&obj, nullptr); - CHECK(nullptr == res_null); + IpsOption* res_null = byte_math_ctor(&obj, info); + CHECK(res_null == nullptr); delete[] obj.data.result_name; } } diff --git a/src/ips_options/ips_byte_test.cc b/src/ips_options/ips_byte_test.cc index 6de64ada2..4a5bb078e 100644 --- a/src/ips_options/ips_byte_test.cc +++ b/src/ips_options/ips_byte_test.cc @@ -93,6 +93,7 @@ #include "config.h" #endif +#include "detection/extract.h" #include "framework/cursor.h" #include "framework/endianness.h" #include "framework/ips_option.h" @@ -108,8 +109,6 @@ #include "catch/snort_catch.h" #endif -#include "extract.h" - using namespace snort; using namespace std; @@ -564,7 +563,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* byte_test_ctor(Module* p, OptTreeNode*) +static IpsOption* byte_test_ctor(Module* p, IpsInfo&) { ByteTestModule* m = (ByteTestModule*)p; return new ByteTestOption(m->data); diff --git a/src/ips_options/ips_classtype.cc b/src/ips_options/ips_classtype.cc index 2594ae987..b582f46db 100644 --- a/src/ips_options/ips_classtype.cc +++ b/src/ips_options/ips_classtype.cc @@ -21,7 +21,8 @@ #include "config.h" #endif -#include "detection/treenodes.h" +#include + #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -56,21 +57,14 @@ public: { return DETECT; } public: - const ClassType* type = nullptr; + std::string classtype; }; -bool ClassTypeModule::set(const char*, Value& v, SnortConfig* sc) +bool ClassTypeModule::set(const char*, Value& v, SnortConfig*) { assert(v.is("~")); - type = get_classification(sc, v.get_string()); - - if ( !type and sc->dump_rule_info() ) - { - const char* s = v.get_string(); - add_classification(sc, s, s, 1); - type = get_classification(sc, s); - } - return type != nullptr; + classtype = v.get_string(); + return true; } //------------------------------------------------------------------------- @@ -87,16 +81,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* classtype_ctor(Module* p, OptTreeNode* otn) +static IpsOption* classtype_ctor(Module* p, IpsInfo& info) { ClassTypeModule* m = (ClassTypeModule*)p; - otn->sigInfo.class_type = m->type; - - if ( m->type ) - { - otn->sigInfo.class_id = m->type->id; - otn->sigInfo.priority = m->type->priority; - } + IpsOption::set_classtype(info, m->classtype.c_str()); return nullptr; } @@ -125,5 +113,13 @@ static const IpsApi classtype_api = nullptr }; -const BaseApi* ips_classtype = &classtype_api.base; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else +const BaseApi* ips_classtype[] = +#endif +{ + &classtype_api.base, + nullptr +}; diff --git a/src/ips_options/ips_content.cc b/src/ips_options/ips_content.cc index a81da9268..e394bb10d 100644 --- a/src/ips_options/ips_content.cc +++ b/src/ips_options/ips_content.cc @@ -22,8 +22,8 @@ #include "config.h" #endif +#include "detection/extract.h" #include "detection/pattern_match_data.h" -#include "detection/treenodes.h" #include "framework/cursor.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -34,9 +34,6 @@ #include "parser/parse_utils.h" #include "profiler/profiler.h" #include "utils/util.h" -#include "utils/stats.h" - -#include "extract.h" using namespace snort; @@ -147,7 +144,7 @@ public: bool is_relative() override { return config->pmd.is_relative(); } - bool retry(Cursor&, const Cursor&) override; + bool retry(Cursor&) override; ContentData* get_data() { return config; } @@ -180,7 +177,7 @@ static inline bool retry(const PatternMatchData& pmd, const Cursor& c) return c.get_delta() + pmd.pattern_size <= pmd.depth; } -bool ContentOption::retry(Cursor& c, const Cursor&) +bool ContentOption::retry(Cursor& c) { return ::retry(config->pmd, c); } @@ -794,7 +791,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* content_ctor(Module* p, OptTreeNode*) +static IpsOption* content_ctor(Module* p, IpsInfo&) { ContentModule* m = (ContentModule*)p; ContentData* cd = m->get_data(); @@ -831,15 +828,13 @@ static const IpsApi content_api = nullptr }; -// FIXIT-L need boyer_moore.cc funcs but they -// aren't otherwise called -//#ifdef BUILDING_SO -//SO_PUBLIC const BaseApi* snort_plugins[] = -//{ -// &content_api.base, -// nullptr -//}; -//#else -const BaseApi* ips_content = &content_api.base; -//#endif +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else +const BaseApi* ips_content[] = +#endif +{ + &content_api.base, + nullptr +}; diff --git a/src/ips_options/ips_cvs.cc b/src/ips_options/ips_cvs.cc index 65a7aa6e4..367a6d4a0 100644 --- a/src/ips_options/ips_cvs.cc +++ b/src/ips_options/ips_cvs.cc @@ -409,7 +409,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* cvs_ctor(Module* p, OptTreeNode*) +static IpsOption* cvs_ctor(Module* p, IpsInfo&) { CvsModule* m = (CvsModule*)p; return new CvsOption(m->data); @@ -465,9 +465,7 @@ const BaseApi* ips_cvs[] = class StubIpsOption : public IpsOption { public: - StubIpsOption(const char* name, option_type_t option_type) : - IpsOption(name, option_type) - {} + StubIpsOption(const char* name) : IpsOption(name) { } }; TEST_CASE("CvsOption test", "[ips_cvs]") @@ -479,8 +477,7 @@ TEST_CASE("CvsOption test", "[ips_cvs]") SECTION("not equal as IpsOptions") { - StubIpsOption opt_other("not_cvs", - option_type_t::RULE_OPTION_TYPE_OTHER); + StubIpsOption opt_other("not_cvs"); REQUIRE_FALSE(cvs_opt == opt_other); } diff --git a/src/ips_options/ips_detection_filter.cc b/src/ips_options/ips_detection_filter.cc index 9576025d2..edd18c8d7 100644 --- a/src/ips_options/ips_detection_filter.cc +++ b/src/ips_options/ips_detection_filter.cc @@ -1,7 +1,5 @@ //-------------------------------------------------------------------------- // Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2002-2013 Sourcefire, Inc. -// Copyright (C) 1998-2002 Martin Roesch // // This program is free software; you can redistribute it and/or modify it // under the terms of the GNU General Public License Version 2 as published @@ -24,7 +22,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "filters/detection_filter.h" #include "filters/sfthd.h" #include "framework/decode_data.h" @@ -62,7 +59,6 @@ class DetectionFilterModule : public Module public: DetectionFilterModule() : Module(s_name, s_help, s_params) { } bool set(const char*, Value&, SnortConfig*) override; - bool begin(const char*, int, SnortConfig*) override; ProfileStats* get_profile() const override { return &detectionFilterPerfStats; } @@ -71,28 +67,20 @@ public: { return DETECT; } public: - THDX_STRUCT thdx = {}; - DetectionFilterConfig* dfc = nullptr; + bool trk_src = false; + uint32_t count = 0, seconds = 0; }; -bool DetectionFilterModule::begin(const char*, int, SnortConfig* sc) -{ - memset(&thdx, 0, sizeof(thdx)); - thdx.type = THD_TYPE_DETECT; - dfc = sc->detection_filter_config; - return true; -} - bool DetectionFilterModule::set(const char*, Value& v, SnortConfig*) { if ( v.is("track") ) - thdx.tracking = v.get_uint8() ? THD_TRK_DST : THD_TRK_SRC; + trk_src = v.get_uint8() == 0; else if ( v.is("count") ) - thdx.count = v.get_uint32(); + count = v.get_uint32(); else if ( v.is("seconds") ) - thdx.seconds = v.get_uint32(); + seconds = v.get_uint32(); return true; } @@ -111,10 +99,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* detection_filter_ctor(Module* p, OptTreeNode* otn) +static IpsOption* detection_filter_ctor(Module* p, IpsInfo& info) { DetectionFilterModule* m = (DetectionFilterModule*)p; - otn->detection_filter = detection_filter_create(m->dfc, &m->thdx); + IpsOption::set_detection_filter(info, m->trk_src, m->count, m->seconds); return nullptr; } @@ -143,5 +131,9 @@ static const IpsApi detection_filter_api = nullptr }; -const BaseApi* ips_detection_filter = &detection_filter_api.base; +const BaseApi* ips_detection_filter[] = +{ + &detection_filter_api.base, + nullptr +}; diff --git a/src/ips_options/ips_dsize.cc b/src/ips_options/ips_dsize.cc index 532b7a501..813d84f41 100644 --- a/src/ips_options/ips_dsize.cc +++ b/src/ips_options/ips_dsize.cc @@ -152,7 +152,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* dsize_ctor(Module* p, OptTreeNode*) +static IpsOption* dsize_ctor(Module* p, IpsInfo&) { DsizeModule* m = (DsizeModule*)p; return new DsizeOption(m->data); diff --git a/src/ips_options/ips_enable.cc b/src/ips_options/ips_enable.cc index f310a96a7..68d4256ea 100644 --- a/src/ips_options/ips_enable.cc +++ b/src/ips_options/ips_enable.cc @@ -21,8 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" -#include "detection/rules.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -58,22 +56,19 @@ public: { return DETECT; } public: - IpsPolicy::Enable enable = IpsPolicy::Enable::ENABLED; + IpsOption::Enable enable = IpsOption::NO; }; -bool EnableModule::begin(const char*, int, SnortConfig* sc) +bool EnableModule::begin(const char*, int, SnortConfig*) { - if ( !sc->rule_states ) - sc->rule_states = new RuleStateMap; - - enable = IpsPolicy::Enable::ENABLED; + enable = IpsOption::YES; return true; } bool EnableModule::set(const char*, Value& v, SnortConfig*) { assert(v.is("~enable")); - enable = IpsPolicy::Enable(v.get_uint8()); + enable = IpsOption::Enable(v.get_uint8()); return true; } @@ -91,10 +86,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* enable_ctor(Module* p, OptTreeNode* otn) +static IpsOption* enable_ctor(Module* p, IpsInfo& info) { EnableModule* m = (EnableModule*)p; - otn->set_enabled(m->enable); + IpsOption::set_enabled(info, m->enable); return nullptr; } diff --git a/src/ips_options/ips_file_data.cc b/src/ips_options/ips_file_data.cc index 8eb2cb4a6..db591bf19 100644 --- a/src/ips_options/ips_file_data.cc +++ b/src/ips_options/ips_file_data.cc @@ -105,7 +105,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* file_data_ctor(Module*, OptTreeNode*) +static IpsOption* file_data_ctor(Module*, IpsInfo&) { return new FileDataOption; } diff --git a/src/ips_options/ips_file_meta.cc b/src/ips_options/ips_file_meta.cc index b23e52371..3b57698b0 100644 --- a/src/ips_options/ips_file_meta.cc +++ b/src/ips_options/ips_file_meta.cc @@ -22,17 +22,9 @@ #include "config.h" #endif -#include - -#include "detection/detection_engine.h" -#include "detection/treenodes.h" #include "file_api/file_flows.h" -#include "framework/cursor.h" #include "framework/ips_option.h" #include "framework/module.h" -#include "main/thread_config.h" -#include "profiler/profiler.h" -#include "protocols/packet.h" using namespace snort; @@ -127,7 +119,7 @@ bool FileMetaModule::set(const char*, Value& v, SnortConfig*) bool FileMetaModule::end(const char*, int, SnortConfig* sc) { - set_rule_id_from_type(sc, fmc.file_id, fmc.file_type,fmc.category, fmc.version, fmc.groups); + set_rule_id_from_type(sc, fmc.file_id, fmc.file_type, fmc.category, fmc.version, fmc.groups); return true; } @@ -145,10 +137,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* file_meta_ctor(Module* p, OptTreeNode* otn) +static IpsOption* file_meta_ctor(Module* p, IpsInfo& info) { FileMetaModule* m = (FileMetaModule*)p; - otn->sigInfo.file_id = m->fmc.file_id; + IpsOption::set_file_id(info, m->fmc.file_id); return nullptr; } @@ -178,5 +170,13 @@ static const IpsApi file_meta_api = nullptr }; -const BaseApi* ips_file_meta = &file_meta_api.base; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else +const BaseApi* ips_file_meta[] = +#endif +{ + &file_meta_api.base, + nullptr +}; diff --git a/src/ips_options/ips_file_type.cc b/src/ips_options/ips_file_type.cc index ad6edd005..f63521b32 100644 --- a/src/ips_options/ips_file_type.cc +++ b/src/ips_options/ips_file_type.cc @@ -237,7 +237,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* file_type_ctor(Module* m, OptTreeNode*) +static IpsOption* file_type_ctor(Module* m, IpsInfo&) { FileTypeModule* mod = (FileTypeModule*)m; return new FileTypeOption(mod->types); diff --git a/src/ips_options/ips_flags.cc b/src/ips_options/ips_flags.cc index 37c891ca2..4b75f2699 100644 --- a/src/ips_options/ips_flags.cc +++ b/src/ips_options/ips_flags.cc @@ -387,7 +387,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* flags_ctor(Module* p, OptTreeNode*) +static IpsOption* flags_ctor(Module* p, IpsInfo&) { FlagsModule* m = (FlagsModule*)p; return new TcpFlagOption(m->data); diff --git a/src/ips_options/ips_flow.cc b/src/ips_options/ips_flow.cc index 7cdc5c49f..15986db8e 100644 --- a/src/ips_options/ips_flow.cc +++ b/src/ips_options/ips_flow.cc @@ -22,7 +22,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/ips_option.h" #include "framework/module.h" #include "hash/hash_key_operations.h" @@ -376,20 +375,20 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* flow_ctor(Module* p, OptTreeNode* otn) +static IpsOption* flow_ctor(Module* p, IpsInfo& info) { FlowModule* m = (FlowModule*)p; if ( m->data.stateless ) - otn->set_stateless(); + IpsOption::set_stateless(info); if ( m->data.from_server ) - otn->set_to_client(); + IpsOption::set_to_client(info); else if ( m->data.from_client ) - otn->set_to_server(); + IpsOption::set_to_server(info); - if (otn->snort_protocol_id == SNORT_PROTO_ICMP) + if (IpsOption::get_protocol_id(info) == SNORT_PROTO_ICMP) { if ( (m->data.only_reassembled != ONLY_FRAG) && (m->data.ignore_reassembled != IGNORE_FRAG) ) @@ -431,5 +430,13 @@ static const IpsApi flow_api = nullptr }; -const BaseApi* ips_flow = &flow_api.base; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else +const BaseApi* ips_flow[] = +#endif +{ + &flow_api.base, + nullptr +}; diff --git a/src/ips_options/ips_flowbits.cc b/src/ips_options/ips_flowbits.cc index 51efe5b0c..c38bb3963 100644 --- a/src/ips_options/ips_flowbits.cc +++ b/src/ips_options/ips_flowbits.cc @@ -26,7 +26,6 @@ #include -#include "detection/treenodes.h" #include "framework/ips_option.h" #include "framework/module.h" #include "hash/hash_defs.h" @@ -35,8 +34,6 @@ #include "log/messages.h" #include "protocols/packet.h" #include "profiler/profiler.h" -#include "utils/sflsq.h" -#include "utils/util.h" using namespace snort; @@ -509,14 +506,14 @@ static void mod_dtor(Module* m) delete fb; } -static IpsOption* flowbits_ctor(Module* p, OptTreeNode* otn) +static IpsOption* flowbits_ctor(Module* p, IpsInfo& info) { FlowbitsModule* m = (FlowbitsModule*)p; FlowBitCheck* fbc = m->get_data(); FlowBitsOption* opt = new FlowBitsOption(fbc); if ( opt->is_checker() ) - otn->set_flowbits_check(); + IpsOption::set_flowbits_check(info); return opt; } @@ -551,5 +548,9 @@ static const IpsApi flowbits_api = nullptr }; -const BaseApi* ips_flowbits = &flowbits_api.base; +const BaseApi* ips_flowbits[] = +{ + &flowbits_api.base, + nullptr +}; diff --git a/src/ips_options/ips_fragbits.cc b/src/ips_options/ips_fragbits.cc index 7b82e652d..0679e05b0 100644 --- a/src/ips_options/ips_fragbits.cc +++ b/src/ips_options/ips_fragbits.cc @@ -400,7 +400,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* fragbits_ctor(Module* p, OptTreeNode*) +static IpsOption* fragbits_ctor(Module* p, IpsInfo&) { FragBitsModule* fragBitsModule = (FragBitsModule*)p; return new FragBitsOption( fragBitsModule->get_fragBits_data() ); diff --git a/src/ips_options/ips_fragoffset.cc b/src/ips_options/ips_fragoffset.cc index 7ec3ec906..3ba31fd6c 100644 --- a/src/ips_options/ips_fragoffset.cc +++ b/src/ips_options/ips_fragoffset.cc @@ -149,7 +149,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* fragoffset_ctor(Module* p, OptTreeNode*) +static IpsOption* fragoffset_ctor(Module* p, IpsInfo&) { FragOffsetModule* m = (FragOffsetModule*)p; return new FragOffsetOption(m->data); diff --git a/src/ips_options/ips_gid.cc b/src/ips_options/ips_gid.cc index c4ba1211a..b96f2369a 100644 --- a/src/ips_options/ips_gid.cc +++ b/src/ips_options/ips_gid.cc @@ -21,7 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -79,10 +78,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* gid_ctor(Module* p, OptTreeNode* otn) +static IpsOption* gid_ctor(Module* p, IpsInfo& info) { GidModule* m = (GidModule*)p; - otn->sigInfo.gid = m->gid; + IpsOption::set_gid(info, m->gid); return nullptr; } diff --git a/src/ips_options/ips_hash.cc b/src/ips_options/ips_hash.cc index a58835b4e..a796be33e 100644 --- a/src/ips_options/ips_hash.cc +++ b/src/ips_options/ips_hash.cc @@ -23,6 +23,7 @@ #include #include +#include "detection/extract.h" #include "framework/cursor.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -32,8 +33,6 @@ #include "parser/parse_utils.h" #include "profiler/profiler.h" -#include "extract.h" - using namespace snort; enum HashPsIdx @@ -366,7 +365,7 @@ static Module* md5_mod_ctor() return new HashModule(IPS_OPT, HPI_MD5); } -static IpsOption* md5_opt_ctor(Module* p, OptTreeNode*) +static IpsOption* md5_opt_ctor(Module* p, IpsInfo&) { HashModule* m = (HashModule*)p; HashMatchData* hmd = m->get_data(); @@ -410,7 +409,7 @@ static Module* sha256_mod_ctor() return new HashModule(IPS_OPT, HPI_SHA256); } -static IpsOption* sha256_opt_ctor(Module* p, OptTreeNode*) +static IpsOption* sha256_opt_ctor(Module* p, IpsInfo&) { HashModule* m = (HashModule*)p; HashMatchData* hmd = m->get_data(); @@ -454,7 +453,7 @@ static Module* sha512_mod_ctor() return new HashModule(IPS_OPT, HPI_SHA512); } -static IpsOption* sha512_opt_ctor(Module* p, OptTreeNode*) +static IpsOption* sha512_opt_ctor(Module* p, IpsInfo&) { HashModule* m = (HashModule*)p; HashMatchData* hmd = m->get_data(); @@ -490,20 +489,17 @@ static const IpsApi sha512_api = // plugins //------------------------------------------------------------------------- -// can't be linked dynamically yet -//#ifdef BUILDING_SO -//SO_PUBLIC const BaseApi* snort_plugins[] = -//{ -// &md5_api.base, -// &sha256_api.base, -// &sha512_api.base, -// nullptr -//}; -//#else -const BaseApi* ips_md5 = &md5_api.base; -const BaseApi* ips_sha256 = &sha256_api.base; -const BaseApi* ips_sha512 = &sha512_api.base; -//#endif +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else +const BaseApi* ips_hash[] = +#endif +{ + &md5_api.base, + &sha256_api.base, + &sha512_api.base, + nullptr +}; //------------------------------------------------------------------------- // UNIT TESTS diff --git a/src/ips_options/ips_icmp_id.cc b/src/ips_options/ips_icmp_id.cc index 7a7b159d7..7608e562d 100644 --- a/src/ips_options/ips_icmp_id.cc +++ b/src/ips_options/ips_icmp_id.cc @@ -178,7 +178,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* icmp_id_ctor(Module* p, OptTreeNode*) +static IpsOption* icmp_id_ctor(Module* p, IpsInfo&) { IcmpIdModule* m = (IcmpIdModule*)p; return new IcmpIdOption(m->data); diff --git a/src/ips_options/ips_icmp_seq.cc b/src/ips_options/ips_icmp_seq.cc index 53ac6a5b4..d9b3b78e2 100644 --- a/src/ips_options/ips_icmp_seq.cc +++ b/src/ips_options/ips_icmp_seq.cc @@ -179,7 +179,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* icmp_seq_ctor(Module* p, OptTreeNode*) +static IpsOption* icmp_seq_ctor(Module* p, IpsInfo&) { IcmpSeqModule* m = (IcmpSeqModule*)p; return new IcmpSeqOption(m->data); diff --git a/src/ips_options/ips_icode.cc b/src/ips_options/ips_icode.cc index 597a1601e..c770bd932 100644 --- a/src/ips_options/ips_icode.cc +++ b/src/ips_options/ips_icode.cc @@ -150,7 +150,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* icode_ctor(Module* p, OptTreeNode*) +static IpsOption* icode_ctor(Module* p, IpsInfo&) { IcodeModule* m = (IcodeModule*)p; return new IcodeOption(m->data); diff --git a/src/ips_options/ips_id.cc b/src/ips_options/ips_id.cc index 33bcb60a1..d04fa4f91 100644 --- a/src/ips_options/ips_id.cc +++ b/src/ips_options/ips_id.cc @@ -152,7 +152,7 @@ static void mod_dtor(Module* m) // api methods //------------------------------------------------------------------------- -static IpsOption* id_ctor(Module* p, OptTreeNode*) +static IpsOption* id_ctor(Module* p, IpsInfo&) { IpIdModule* m = (IpIdModule*)p; return new IpIdOption(m->data); diff --git a/src/ips_options/ips_ip_proto.cc b/src/ips_options/ips_ip_proto.cc index d4a9c373f..21cd2f0fe 100644 --- a/src/ips_options/ips_ip_proto.cc +++ b/src/ips_options/ips_ip_proto.cc @@ -259,7 +259,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* ip_proto_ctor(Module* p, OptTreeNode*) +static IpsOption* ip_proto_ctor(Module* p, IpsInfo&) { IpProtoModule* m = (IpProtoModule*)p; return new IpProtoOption(m->data); diff --git a/src/ips_options/ips_ipopts.cc b/src/ips_options/ips_ipopts.cc index 109d1536f..24e72bbee 100644 --- a/src/ips_options/ips_ipopts.cc +++ b/src/ips_options/ips_ipopts.cc @@ -236,7 +236,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* ipopts_ctor(Module* p, OptTreeNode*) +static IpsOption* ipopts_ctor(Module* p, IpsInfo&) { IpOptModule* m = (IpOptModule*)p; return new IpOptOption(m->data); diff --git a/src/ips_options/ips_isdataat.cc b/src/ips_options/ips_isdataat.cc index 07685ae70..91846bc77 100644 --- a/src/ips_options/ips_isdataat.cc +++ b/src/ips_options/ips_isdataat.cc @@ -39,6 +39,7 @@ #include +#include "detection/extract.h" #include "framework/cursor.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -47,8 +48,6 @@ #include "profiler/profiler.h" #include "utils/snort_bounds.h" -#include "extract.h" - using namespace snort; #define s_name "isdataat" @@ -280,7 +279,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* isdataat_ctor(Module* p, OptTreeNode*) +static IpsOption* isdataat_ctor(Module* p, IpsInfo&) { IsDataAtModule* m = (IsDataAtModule*)p; return new IsDataAtOption(m->data); diff --git a/src/ips_options/ips_itype.cc b/src/ips_options/ips_itype.cc index 623260857..42f76274a 100644 --- a/src/ips_options/ips_itype.cc +++ b/src/ips_options/ips_itype.cc @@ -150,7 +150,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* itype_ctor(Module* p, OptTreeNode*) +static IpsOption* itype_ctor(Module* p, IpsInfo&) { ItypeModule* m = (ItypeModule*)p; return new IcmpTypeOption(m->data); diff --git a/src/ips_options/ips_js_data.cc b/src/ips_options/ips_js_data.cc index bf3d48d67..d27bce9dd 100644 --- a/src/ips_options/ips_js_data.cc +++ b/src/ips_options/ips_js_data.cc @@ -87,7 +87,7 @@ static Module* mod_ctor() static void mod_dtor(Module* m) { delete m; } -static IpsOption* js_data_ctor(Module*, OptTreeNode*) +static IpsOption* js_data_ctor(Module*, IpsInfo&) { return new JSDataOption; } static void js_data_dtor(IpsOption* opt) diff --git a/src/ips_options/ips_luajit.cc b/src/ips_options/ips_luajit.cc index 654c355a8..49afe0bf7 100644 --- a/src/ips_options/ips_luajit.cc +++ b/src/ips_options/ips_luajit.cc @@ -25,7 +25,6 @@ #include "framework/decode_data.h" #include "framework/module.h" #include "hash/hash_key_operations.h" -#include "helpers/chunk.h" #include "lua/lua.h" #include "log/messages.h" #include "main/thread_config.h" @@ -34,6 +33,7 @@ #include "managers/plugin_manager.h" #include "managers/script_manager.h" #include "profiler/profiler.h" +#include "utils/chunk.h" #include "utils/util.h" using namespace snort; @@ -211,7 +211,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, struct OptTreeNode*) +static IpsOption* opt_ctor(Module* m, struct IpsInfo&) { const char* key = IpsManager::get_option_keyword(); std::string* chunk = ScriptManager::get_chunk(key); diff --git a/src/ips_options/ips_metadata.cc b/src/ips_options/ips_metadata.cc index 47b7eeec7..5868e579b 100644 --- a/src/ips_options/ips_metadata.cc +++ b/src/ips_options/ips_metadata.cc @@ -21,7 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -91,11 +90,13 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* metadata_ctor(Module* p, OptTreeNode* otn) +static IpsOption* metadata_ctor(Module* p, IpsInfo& info) { MetadataModule* m = (MetadataModule*)p; + if ( m->match ) - otn->set_metadata_match(); + IpsOption::set_metadata_match(info); + return nullptr; } @@ -124,5 +125,13 @@ static const IpsApi metadata_api = nullptr }; -const BaseApi* ips_metadata = &metadata_api.base; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else +const BaseApi* ips_metadata[] = +#endif +{ + &metadata_api.base, + nullptr +}; diff --git a/src/ips_options/ips_msg.cc b/src/ips_options/ips_msg.cc index 4b2b850dd..a49eccc3e 100644 --- a/src/ips_options/ips_msg.cc +++ b/src/ips_options/ips_msg.cc @@ -21,7 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -80,10 +79,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* msg_ctor(Module* p, OptTreeNode* otn) +static IpsOption* msg_ctor(Module* p, IpsInfo& info) { MsgModule* m = (MsgModule*)p; - otn->sigInfo.message = m->msg; + IpsOption::set_message(info, m->msg.c_str()); return nullptr; } diff --git a/src/ips_options/ips_options.cc b/src/ips_options/ips_options.cc index e6cdd3713..9181aea05 100644 --- a/src/ips_options/ips_options.cc +++ b/src/ips_options/ips_options.cc @@ -27,42 +27,37 @@ using namespace snort; -extern const BaseApi* ips_classtype; -extern const BaseApi* ips_content; -extern const BaseApi* ips_detection_filter; -extern const BaseApi* ips_dsize; -extern const BaseApi* ips_file_data; -extern const BaseApi* ips_file_meta; -extern const BaseApi* ips_flow; -extern const BaseApi* ips_flowbits; -extern const BaseApi* ips_js_data; -extern const BaseApi* ips_md5; -extern const BaseApi* ips_metadata; -extern const BaseApi* ips_pkt_data; -extern const BaseApi* ips_reference; -extern const BaseApi* ips_replace; -extern const BaseApi* ips_service; -extern const BaseApi* ips_sha256; -extern const BaseApi* ips_sha512; -extern const BaseApi* ips_so; -extern const BaseApi* ips_vba_data; +// these have various dependencies: +extern const BaseApi* ips_detection_filter[]; // perf stats +extern const BaseApi* ips_flowbits[]; // public methods like flowbits_setter +extern const BaseApi* ips_replace[]; // needs snort::SFDAQ::can_replace +extern const BaseApi* ips_so[]; // needs SO manager +extern const BaseApi* ips_vba_data[]; // FIXIT-L some trace dependency #ifdef STATIC_IPS_OPTIONS extern const BaseApi* ips_ack[]; extern const BaseApi* ips_base64[]; extern const BaseApi* ips_ber_data[]; extern const BaseApi* ips_ber_skip[]; +extern const BaseApi* ips_bufferlen[]; extern const BaseApi* ips_byte_extract[]; extern const BaseApi* ips_byte_jump[]; extern const BaseApi* ips_byte_math[]; extern const BaseApi* ips_byte_test[]; +extern const BaseApi* ips_classtype[]; +extern const BaseApi* ips_content[]; extern const BaseApi* ips_cvs[]; +extern const BaseApi* ips_dsize[]; extern const BaseApi* ips_enable[]; +extern const BaseApi* ips_file_data[]; +extern const BaseApi* ips_file_meta[]; extern const BaseApi* ips_file_type[]; extern const BaseApi* ips_flags[]; +extern const BaseApi* ips_flow[]; extern const BaseApi* ips_fragbits[]; extern const BaseApi* ips_fragoffset[]; extern const BaseApi* ips_gid[]; +extern const BaseApi* ips_hash[]; extern const BaseApi* ips_icmp_id[]; extern const BaseApi* ips_icmp_seq[]; extern const BaseApi* ips_icode[]; @@ -71,72 +66,65 @@ extern const BaseApi* ips_ipopts[]; extern const BaseApi* ips_ip_proto[]; extern const BaseApi* ips_isdataat[]; extern const BaseApi* ips_itype[]; +extern const BaseApi* ips_js_data[]; +extern const BaseApi* ips_metadata[]; extern const BaseApi* ips_msg[]; extern const BaseApi* ips_pcre[]; +extern const BaseApi* ips_pkt_data[]; extern const BaseApi* ips_priority[]; extern const BaseApi* ips_raw_data[]; +extern const BaseApi* ips_reference[]; extern const BaseApi* ips_rem[]; extern const BaseApi* ips_rev[]; extern const BaseApi* ips_rpc[]; extern const BaseApi* ips_seq[]; +extern const BaseApi* ips_service[]; extern const BaseApi* ips_sid[]; extern const BaseApi* ips_soid[]; extern const BaseApi* ips_target[]; extern const BaseApi* ips_tag[]; extern const BaseApi* ips_tos[]; extern const BaseApi* ips_ttl[]; -extern const BaseApi* ips_bufferlen[]; extern const BaseApi* ips_window[]; + #ifdef HAVE_HYPERSCAN extern const BaseApi* ips_regex[]; extern const BaseApi* ips_sd_pattern[]; #endif #endif -static const BaseApi* ips_options[] = -{ - ips_classtype, - ips_content, - ips_detection_filter, - ips_dsize, - ips_file_data, - ips_file_meta, - ips_flow, - ips_flowbits, - ips_js_data, - ips_md5, - ips_metadata, - ips_pkt_data, - ips_reference, - ips_replace, - ips_service, - ips_sha256, - ips_sha512, - ips_so, - ips_vba_data, - nullptr -}; - void load_ips_options() { - PluginManager::load_plugins(ips_options); + PluginManager::load_plugins(ips_detection_filter); + PluginManager::load_plugins(ips_flowbits); + PluginManager::load_plugins(ips_replace); + PluginManager::load_plugins(ips_so); + PluginManager::load_plugins(ips_vba_data); #ifdef STATIC_IPS_OPTIONS + PluginManager::load_plugins(ips_content); PluginManager::load_plugins(ips_ack); PluginManager::load_plugins(ips_base64); PluginManager::load_plugins(ips_ber_data); PluginManager::load_plugins(ips_ber_skip); + PluginManager::load_plugins(ips_bufferlen); PluginManager::load_plugins(ips_byte_extract); PluginManager::load_plugins(ips_byte_jump); PluginManager::load_plugins(ips_byte_math); PluginManager::load_plugins(ips_byte_test); + PluginManager::load_plugins(ips_classtype); PluginManager::load_plugins(ips_cvs); + PluginManager::load_plugins(ips_dsize); PluginManager::load_plugins(ips_enable); + PluginManager::load_plugins(ips_file_data); + PluginManager::load_plugins(ips_file_meta); PluginManager::load_plugins(ips_file_type); PluginManager::load_plugins(ips_flags); + PluginManager::load_plugins(ips_flow); PluginManager::load_plugins(ips_fragbits); PluginManager::load_plugins(ips_fragoffset); PluginManager::load_plugins(ips_gid); + PluginManager::load_plugins(ips_hash); PluginManager::load_plugins(ips_icmp_id); PluginManager::load_plugins(ips_icmp_seq); PluginManager::load_plugins(ips_icode); @@ -145,21 +133,25 @@ void load_ips_options() PluginManager::load_plugins(ips_ip_proto); PluginManager::load_plugins(ips_isdataat); PluginManager::load_plugins(ips_itype); + PluginManager::load_plugins(ips_js_data); + PluginManager::load_plugins(ips_metadata); PluginManager::load_plugins(ips_msg); PluginManager::load_plugins(ips_pcre); + PluginManager::load_plugins(ips_pkt_data); PluginManager::load_plugins(ips_priority); PluginManager::load_plugins(ips_raw_data); + PluginManager::load_plugins(ips_reference); PluginManager::load_plugins(ips_rem); PluginManager::load_plugins(ips_rev); PluginManager::load_plugins(ips_rpc); PluginManager::load_plugins(ips_seq); + PluginManager::load_plugins(ips_service); PluginManager::load_plugins(ips_sid); PluginManager::load_plugins(ips_soid); PluginManager::load_plugins(ips_target); PluginManager::load_plugins(ips_tag); PluginManager::load_plugins(ips_tos); PluginManager::load_plugins(ips_ttl); - PluginManager::load_plugins(ips_bufferlen); PluginManager::load_plugins(ips_window); #ifdef HAVE_HYPERSCAN PluginManager::load_plugins(ips_regex); diff --git a/src/ips_options/ips_pcre.cc b/src/ips_options/ips_pcre.cc index 56c063706..731fef9ed 100644 --- a/src/ips_options/ips_pcre.cc +++ b/src/ips_options/ips_pcre.cc @@ -32,6 +32,7 @@ #include "framework/ips_option.h" #include "framework/module.h" #include "framework/parameter.h" +#include "framework/pig_pen.h" #include "hash/hash_key_operations.h" #include "helpers/scratch_allocator.h" #include "log/messages.h" @@ -39,6 +40,7 @@ #include "managers/ips_manager.h" #include "managers/module_manager.h" #include "profiler/profiler.h" +#include "utils/stats.h" #include "utils/util.h" using namespace snort; @@ -88,6 +90,40 @@ static ScratchAllocator* scratcher = nullptr; static THREAD_LOCAL ProfileStats pcrePerfStats; +//------------------------------------------------------------------------- +// stats foo +//------------------------------------------------------------------------- + +struct PcreStats +{ + PegCount pcre_rules; +#ifdef HAVE_HYPERSCAN + PegCount pcre_to_hyper; +#endif + PegCount pcre_native; + PegCount pcre_negated; + PegCount pcre_match_limit; + PegCount pcre_recursion_limit; + PegCount pcre_error; +}; + +const PegInfo pcre_pegs[] = +{ + { CountType::SUM, "pcre_rules", "total rules processed with pcre option" }, +#ifdef HAVE_HYPERSCAN + { CountType::SUM, "pcre_to_hyper", "total pcre rules by hyperscan engine" }, +#endif + { CountType::SUM, "pcre_native", "total pcre rules compiled by pcre engine" }, + { CountType::SUM, "pcre_negated", "total pcre rules using negation syntax" }, + { CountType::SUM, "pcre_match_limit", "total number of times pcre hit the match limit" }, + { CountType::SUM, "pcre_recursion_limit", "total number of times pcre hit the recursion limit" }, + { CountType::SUM, "pcre_error", "total number of times pcre returns error" }, + + { CountType::END, nullptr, nullptr } +}; + +PcreStats pcre_stats; + //------------------------------------------------------------------------- // implementation foo //------------------------------------------------------------------------- @@ -398,17 +434,17 @@ static bool pcre_search( } else if (result == PCRE_ERROR_MATCHLIMIT) { - pc.pcre_match_limit++; + pcre_stats.pcre_match_limit++; matched = false; } else if (result == PCRE_ERROR_RECURSIONLIMIT) { - pc.pcre_recursion_limit++; + pcre_stats.pcre_recursion_limit++; matched = false; } else { - pc.pcre_error++; + pcre_stats.pcre_error++; return false; } @@ -444,7 +480,7 @@ public: { return (config->options & SNORT_PCRE_RELATIVE) != 0; } EvalStatus eval(Cursor&, Packet*) override; - bool retry(Cursor&, const Cursor&) override; + bool retry(Cursor&) override; PcreData* get_data() { return config; } @@ -595,7 +631,7 @@ IpsOption::EvalStatus PcreOption::eval(Cursor& c, Packet* p) // using content, but more advanced pcre won't work for the relative / // overlap case. -bool PcreOption::retry(Cursor&, const Cursor&) +bool PcreOption::retry(Cursor&) { if ((config->options & (SNORT_PCRE_INVERT | SNORT_PCRE_ANCHORED))) { @@ -616,29 +652,6 @@ static const Parameter s_params[] = { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; -struct PcreStats -{ - PegCount pcre_rules; -#ifdef HAVE_HYPERSCAN - PegCount pcre_to_hyper; -#endif - PegCount pcre_native; - PegCount pcre_negated; -}; - -const PegInfo pcre_pegs[] = -{ - { CountType::SUM, "pcre_rules", "total rules processed with pcre option" }, -#ifdef HAVE_HYPERSCAN - { CountType::SUM, "pcre_to_hyper", "total pcre rules by hyperscan engine" }, -#endif - { CountType::SUM, "pcre_native", "total pcre rules compiled by pcre engine" }, - { CountType::SUM, "pcre_negated", "total pcre rules using negation syntax" }, - { CountType::END, nullptr, nullptr } -}; - -PcreStats pcre_stats; - #define s_help \ "rule option for matching payload data with pcre" @@ -785,7 +798,7 @@ static Module* mod_ctor() static void mod_dtor(Module* m) { delete m; } -static IpsOption* pcre_ctor(Module* p, OptTreeNode* otn) +static IpsOption* pcre_ctor(Module* p, IpsInfo& info) { pcre_stats.pcre_rules++; PcreModule* m = (PcreModule*)p; @@ -796,11 +809,11 @@ static IpsOption* pcre_ctor(Module* p, OptTreeNode* otn) { pcre_stats.pcre_to_hyper++; const IpsApi* opt_api = IpsManager::get_option_api(mod_regex_name); - return opt_api->ctor(mod_regex, otn); + return opt_api->ctor(mod_regex, info); } else #else - UNUSED(otn); + UNUSED(info); #endif { pcre_stats.pcre_native++; diff --git a/src/ips_options/ips_pkt_data.cc b/src/ips_options/ips_pkt_data.cc index 2efb8c287..74aaf7c21 100644 --- a/src/ips_options/ips_pkt_data.cc +++ b/src/ips_options/ips_pkt_data.cc @@ -89,7 +89,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* pkt_data_ctor(Module*, OptTreeNode*) +static IpsOption* pkt_data_ctor(Module*, IpsInfo&) { return new PktDataOption; } @@ -124,5 +124,13 @@ static const IpsApi pkt_data_api = nullptr }; -const BaseApi* ips_pkt_data = &pkt_data_api.base; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else +const BaseApi* ips_pkt_data[] = +#endif +{ + &pkt_data_api.base, + nullptr +}; diff --git a/src/ips_options/ips_priority.cc b/src/ips_options/ips_priority.cc index c27ad0b20..a1256dd28 100644 --- a/src/ips_options/ips_priority.cc +++ b/src/ips_options/ips_priority.cc @@ -55,7 +55,7 @@ public: { return DETECT; } public: - int priority = 0; + uint32_t priority = 0; }; bool PriorityModule::set(const char*, Value& v, SnortConfig*) @@ -79,10 +79,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* priority_ctor(Module* p, OptTreeNode* otn) +static IpsOption* priority_ctor(Module* p, IpsInfo& info) { PriorityModule* m = (PriorityModule*)p; - otn->sigInfo.priority = m->priority; + IpsOption::set_priority(info, m->priority); return nullptr; } diff --git a/src/ips_options/ips_raw_data.cc b/src/ips_options/ips_raw_data.cc index 669f3cf66..e76ebc70c 100644 --- a/src/ips_options/ips_raw_data.cc +++ b/src/ips_options/ips_raw_data.cc @@ -86,7 +86,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* raw_data_ctor(Module*, OptTreeNode*) +static IpsOption* raw_data_ctor(Module*, IpsInfo&) { return new RawDataOption; } diff --git a/src/ips_options/ips_reference.cc b/src/ips_options/ips_reference.cc index d25edf83a..cad93069f 100644 --- a/src/ips_options/ips_reference.cc +++ b/src/ips_options/ips_reference.cc @@ -21,7 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -59,14 +58,12 @@ public: public: std::string scheme; std::string id; - SnortConfig* snort_config = nullptr; }; -bool ReferenceModule::begin(const char*, int, SnortConfig* sc) +bool ReferenceModule::begin(const char*, int, SnortConfig*) { scheme.clear(); id.clear(); - snort_config = sc; return true; } @@ -100,10 +97,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* reference_ctor(Module* p, OptTreeNode* otn) +static IpsOption* reference_ctor(Module* p, IpsInfo& info) { ReferenceModule* m = (ReferenceModule*)p; - add_reference(m->snort_config, otn, m->scheme, m->id); + IpsOption::add_reference(info, m->scheme.c_str(), m->id.c_str()); return nullptr; } @@ -132,5 +129,13 @@ static const IpsApi reference_api = nullptr }; -const BaseApi* ips_reference = &reference_api.base; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else +const BaseApi* ips_reference[] = +#endif +{ + &reference_api.base, + nullptr +}; diff --git a/src/ips_options/ips_regex.cc b/src/ips_options/ips_regex.cc index 16236b2e8..8221b7ffa 100644 --- a/src/ips_options/ips_regex.cc +++ b/src/ips_options/ips_regex.cc @@ -29,7 +29,6 @@ #include #include "detection/pattern_match_data.h" -#include "detection/treenodes.h" #include "framework/cursor.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -87,7 +86,7 @@ public: bool is_relative() override { return config.pmd.is_relative(); } - bool retry(Cursor&, const Cursor&) override; + bool retry(Cursor&) override; PatternMatchData* get_pattern(SnortProtocolId, RuleDirection) override { return &config.pmd; } @@ -145,11 +144,14 @@ bool RegexOption::operator==(const IpsOption& ips) const return false; } +namespace +{ struct ScanContext { unsigned index; bool found = false; }; +} static int hs_match( unsigned int /*id*/, unsigned long long /*from*/, unsigned long long to, @@ -190,7 +192,7 @@ IpsOption::EvalStatus RegexOption::eval(Cursor& c, Packet*) return NO_MATCH; } -bool RegexOption::retry(Cursor&, const Cursor&) +bool RegexOption::retry(Cursor&) { return !is_relative(); } //------------------------------------------------------------------------- @@ -405,7 +407,7 @@ static Module* mod_ctor() static void mod_dtor(Module* p) { delete p; } -static IpsOption* regex_ctor(Module* m, OptTreeNode*) +static IpsOption* regex_ctor(Module* m, IpsInfo&) { RegexModule* mod = (RegexModule*)m; RegexConfig c; diff --git a/src/ips_options/ips_rem.cc b/src/ips_options/ips_rem.cc index 1efb89c04..2d304aefd 100644 --- a/src/ips_options/ips_rem.cc +++ b/src/ips_options/ips_rem.cc @@ -67,7 +67,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* rem_ctor(Module*, OptTreeNode*) +static IpsOption* rem_ctor(Module*, IpsInfo&) { return nullptr; } diff --git a/src/ips_options/ips_replace.cc b/src/ips_options/ips_replace.cc index b5655bd8e..6cd63d537 100644 --- a/src/ips_options/ips_replace.cc +++ b/src/ips_options/ips_replace.cc @@ -23,7 +23,6 @@ #endif #include "detection/detection_engine.h" -#include "detection/treenodes.h" #include "framework/cursor.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -240,7 +239,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* replace_ctor(Module* p, OptTreeNode*) +static IpsOption* replace_ctor(Module* p, IpsInfo&) { ReplModule* m = (ReplModule*)p; return new ReplaceOption(m->data); diff --git a/src/ips_options/ips_rev.cc b/src/ips_options/ips_rev.cc index 876dd8121..2eeb3851d 100644 --- a/src/ips_options/ips_rev.cc +++ b/src/ips_options/ips_rev.cc @@ -21,7 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -79,10 +78,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* rev_ctor(Module* p, OptTreeNode* otn) +static IpsOption* rev_ctor(Module* p, IpsInfo& info) { RevModule* m = (RevModule*)p; - otn->sigInfo.rev = m->rev; + IpsOption::set_rev(info, m->rev); return nullptr; } diff --git a/src/ips_options/ips_rpc.cc b/src/ips_options/ips_rpc.cc index d019ac57c..5b26f0f2f 100644 --- a/src/ips_options/ips_rpc.cc +++ b/src/ips_options/ips_rpc.cc @@ -310,7 +310,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* rpc_ctor(Module* p, OptTreeNode*) +static IpsOption* rpc_ctor(Module* p, IpsInfo&) { RpcModule* m = (RpcModule*)p; return new RpcOption(m->data); diff --git a/src/ips_options/ips_sd_pattern.cc b/src/ips_options/ips_sd_pattern.cc index 371653016..f02dc7443 100644 --- a/src/ips_options/ips_sd_pattern.cc +++ b/src/ips_options/ips_sd_pattern.cc @@ -29,7 +29,6 @@ #include #include "detection/pattern_match_data.h" -#include "detection/treenodes.h" #include "framework/cursor.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -488,7 +487,7 @@ static void mod_dtor(Module* p) delete p; } -static IpsOption* sd_pattern_ctor(Module* m, OptTreeNode*) +static IpsOption* sd_pattern_ctor(Module* m, IpsInfo&) { SdPatternModule* mod = (SdPatternModule*)m; SdPatternConfig c; diff --git a/src/ips_options/ips_seq.cc b/src/ips_options/ips_seq.cc index c7fccac5c..593e330f9 100644 --- a/src/ips_options/ips_seq.cc +++ b/src/ips_options/ips_seq.cc @@ -149,7 +149,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* seq_ctor(Module* p, OptTreeNode*) +static IpsOption* seq_ctor(Module* p, IpsInfo&) { SeqModule* m = (SeqModule*)p; return new TcpSeqOption(m->data); diff --git a/src/ips_options/ips_service.cc b/src/ips_options/ips_service.cc index 7d4718129..13c554249 100644 --- a/src/ips_options/ips_service.cc +++ b/src/ips_options/ips_service.cc @@ -50,8 +50,7 @@ static const Parameter s_params[] = class ServiceModule : public Module { public: - ServiceModule() : Module(s_name, s_help, s_params) - { snort_config = nullptr; } + ServiceModule() : Module(s_name, s_help, s_params) { } bool set(const char*, Value&, SnortConfig*) override; bool begin(const char*, int, SnortConfig*) override; @@ -60,13 +59,11 @@ public: { return DETECT; } public: - struct SnortConfig* snort_config; vector services; }; -bool ServiceModule::begin(const char*, int, SnortConfig* sc) +bool ServiceModule::begin(const char*, int, SnortConfig*) { - snort_config = sc; services.clear(); return true; } @@ -99,12 +96,12 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* service_ctor(Module* p, OptTreeNode* otn) +static IpsOption* service_ctor(Module* p, IpsInfo& info) { ServiceModule* m = (ServiceModule*)p; for ( const auto& service : m->services ) - add_service_to_otn(m->snort_config, otn, service.c_str()); + IpsOption::add_service(info, service.c_str()); return nullptr; } @@ -134,5 +131,13 @@ static const IpsApi service_api = nullptr }; -const BaseApi* ips_service = &service_api.base; +#ifdef BUILDING_SO +SO_PUBLIC const BaseApi* snort_plugins[] = +#else +const BaseApi* ips_service[] = +#endif +{ + &service_api.base, + nullptr +}; diff --git a/src/ips_options/ips_sid.cc b/src/ips_options/ips_sid.cc index d4572622b..6e9f8dff1 100644 --- a/src/ips_options/ips_sid.cc +++ b/src/ips_options/ips_sid.cc @@ -21,7 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -79,10 +78,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* sid_ctor(Module* p, OptTreeNode* otn) +static IpsOption* sid_ctor(Module* p, IpsInfo& info) { SidModule* m = (SidModule*)p; - otn->sigInfo.sid = m->sid; + IpsOption::set_sid(info, m->sid); return nullptr; } diff --git a/src/ips_options/ips_so.cc b/src/ips_options/ips_so.cc index 41ecb353b..4f309d382 100644 --- a/src/ips_options/ips_so.cc +++ b/src/ips_options/ips_so.cc @@ -21,7 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/ips_option.h" #include "framework/module.h" #include "framework/so_rule.h" @@ -41,7 +40,7 @@ static THREAD_LOCAL ProfileStats soPerfStats; class SoOption : public IpsOption { public: - SoOption(const char*, const char*, bool, SoEvalFunc f, void* v, SnortConfig*); + SoOption(const char*, const char*, bool, SoEvalFunc f, void* v, SoRules*); ~SoOption() override; uint32_t hash() const override; @@ -65,7 +64,7 @@ private: }; SoOption::SoOption( - const char* id, const char* s, bool r, SoEvalFunc f, void* v, SnortConfig* sc) + const char* id, const char* s, bool r, SoEvalFunc f, void* v, SoRules* sos) : IpsOption(s_name) { soid = id; @@ -73,7 +72,7 @@ SoOption::SoOption( relative_flag = r; func = f; data = v; - so_rules = sc->so_rules; + so_rules = sos; } SoOption::~SoOption() @@ -151,14 +150,12 @@ public: public: string name; bool relative_flag = false; - SnortConfig* cfg = nullptr; }; -bool SoModule::begin(const char*, int, SnortConfig* sc) +bool SoModule::begin(const char*, int, SnortConfig*) { name.clear(); relative_flag = false; - cfg = sc; return true; } @@ -187,26 +184,29 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* so_ctor(Module* p, OptTreeNode* otn) +static IpsOption* so_ctor(Module* p, IpsInfo& info) { void* data = nullptr; SoModule* m = (SoModule*)p; const char* name = m->name.c_str(); bool relative_flag = m->relative_flag; + const char* soid = IpsOption::get_soid(info); - if ( !otn->soid ) + if ( !soid ) { ParseError("no soid before so:%s", name); return nullptr; } - SoEvalFunc func = SoManager::get_so_eval(otn->soid, name, &data, m->cfg); + SoEvalFunc func = IpsOption::get_so_eval(info, name, data); if ( !func ) { ParseError("can't link so:%s", name); return nullptr; } - return new SoOption(otn->soid, name, relative_flag, func, data, m->cfg); + SoRules* sos = IpsOption::get_so_rules(info); + + return new SoOption(soid, name, relative_flag, func, data, sos); } static void so_dtor(IpsOption* p) @@ -239,5 +239,9 @@ static const IpsApi so_api = nullptr }; -const BaseApi* ips_so = &so_api.base; +const BaseApi* ips_so[] = +{ + &so_api.base, + nullptr +}; diff --git a/src/ips_options/ips_soid.cc b/src/ips_options/ips_soid.cc index e8d668dc5..4c78d57b3 100644 --- a/src/ips_options/ips_soid.cc +++ b/src/ips_options/ips_soid.cc @@ -21,7 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -80,10 +79,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* soid_ctor(Module* p, OptTreeNode* otn) +static IpsOption* soid_ctor(Module* p, IpsInfo& info) { SoidModule* m = (SoidModule*)p; - otn->soid = snort_strdup(m->soid.c_str()); + IpsOption::set_soid(info, m->soid.c_str()); return nullptr; } diff --git a/src/ips_options/ips_tag.cc b/src/ips_options/ips_tag.cc index 2e0be3fe1..6495f10e7 100644 --- a/src/ips_options/ips_tag.cc +++ b/src/ips_options/ips_tag.cc @@ -23,7 +23,6 @@ #endif #include "detection/tag.h" -#include "detection/treenodes.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -154,10 +153,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* tag_ctor(Module* p, OptTreeNode* otn) +static IpsOption* tag_ctor(Module* p, IpsInfo& info) { TagModule* m = (TagModule*)p; - otn->tag = m->get_data(); + IpsOption::set_tag(info, m->get_data()); return nullptr; } diff --git a/src/ips_options/ips_target.cc b/src/ips_options/ips_target.cc index 29d38ac26..c7d2f7579 100644 --- a/src/ips_options/ips_target.cc +++ b/src/ips_options/ips_target.cc @@ -21,7 +21,6 @@ #include "config.h" #endif -#include "detection/treenodes.h" #include "framework/decode_data.h" #include "framework/ips_option.h" #include "framework/module.h" @@ -55,14 +54,13 @@ public: { return DETECT; } public: - Target target = Target::TARGET_NONE; + bool target = false; }; bool TargetModule::set(const char*, Value& v, SnortConfig*) { assert(v.is("~")); - assert(v.get_uint8() <= TARGET_MAX); - target = static_cast(v.get_uint8() + 1); + target = v.get_uint8() ? false : true; return true; } @@ -80,10 +78,10 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* target_ctor(Module* p, OptTreeNode* otn) +static IpsOption* target_ctor(Module* p, IpsInfo& info) { TargetModule* m = (TargetModule*)p; - otn->sigInfo.target = m->target; + IpsOption::set_target(info, m->target); return nullptr; } diff --git a/src/ips_options/ips_tos.cc b/src/ips_options/ips_tos.cc index e4daa8d6c..ccf0c3d61 100644 --- a/src/ips_options/ips_tos.cc +++ b/src/ips_options/ips_tos.cc @@ -152,7 +152,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* tos_ctor(Module* p, OptTreeNode*) +static IpsOption* tos_ctor(Module* p, IpsInfo&) { TosModule* m = (TosModule*)p; return new IpTosOption(m->data); diff --git a/src/ips_options/ips_ttl.cc b/src/ips_options/ips_ttl.cc index 526a23721..422c59e5e 100644 --- a/src/ips_options/ips_ttl.cc +++ b/src/ips_options/ips_ttl.cc @@ -149,7 +149,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* ttl_ctor(Module* p, OptTreeNode*) +static IpsOption* ttl_ctor(Module* p, IpsInfo&) { TtlModule* m = (TtlModule*)p; return new TtlOption(m->data); diff --git a/src/ips_options/ips_vba_data.cc b/src/ips_options/ips_vba_data.cc index 82753a30e..511ae1819 100644 --- a/src/ips_options/ips_vba_data.cc +++ b/src/ips_options/ips_vba_data.cc @@ -106,7 +106,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* vba_data_ctor(Module*, OptTreeNode*) +static IpsOption* vba_data_ctor(Module*, IpsInfo&) { return new VbaDataOption; } @@ -141,11 +141,7 @@ static const IpsApi vba_data_api = nullptr }; -#ifdef BUILDING_SO -SO_PUBLIC const BaseApi* snort_plugins[] = -#else const BaseApi* ips_vba_data[] = -#endif { &vba_data_api.base, nullptr diff --git a/src/ips_options/ips_window.cc b/src/ips_options/ips_window.cc index 1e79249ea..7e391e294 100644 --- a/src/ips_options/ips_window.cc +++ b/src/ips_options/ips_window.cc @@ -149,7 +149,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* window_ctor(Module* p, OptTreeNode*) +static IpsOption* window_ctor(Module* p, IpsInfo&) { WindowModule* m = (WindowModule*)p; return new TcpWinOption(m->data); diff --git a/src/ips_options/test/CMakeLists.txt b/src/ips_options/test/CMakeLists.txt index 7c2c4fb34..246876bd4 100644 --- a/src/ips_options/test/CMakeLists.txt +++ b/src/ips_options/test/CMakeLists.txt @@ -3,11 +3,11 @@ if ( HAVE_HYPERSCAN ) add_cpputest( ips_regex_test SOURCES ../ips_regex.cc - ../../framework/module.cc ../../framework/ips_option.cc + ../../framework/module.cc ../../framework/value.cc - ../../helpers/scratch_allocator.cc ../../helpers/hyper_scratch_allocator.cc + ../../helpers/scratch_allocator.cc ../../sfip/sf_ip.cc $ LIBS diff --git a/src/ips_options/test/ips_regex_test.cc b/src/ips_options/test/ips_regex_test.cc index f040d1ae7..97f33c3f4 100644 --- a/src/ips_options/test/ips_regex_test.cc +++ b/src/ips_options/test/ips_regex_test.cc @@ -26,11 +26,13 @@ #include "framework/base_api.h" #include "framework/counts.h" #include "framework/cursor.h" +#include "framework/ips_info.h" #include "framework/ips_option.h" #include "framework/module.h" #include "log/messages.h" #include "main/snort_config.h" #include "main/thread_config.h" +#include "managers/so_manager.h" #include "ports/port_group.h" #include "profiler/profiler_defs.h" #include "protocols/packet.h" @@ -104,8 +106,6 @@ char* snort_strdup(const char* s) MemoryContext::MemoryContext(MemoryTracker&) { } MemoryContext::~MemoryContext() = default; - -THREAD_LOCAL bool TimeProfilerStats::enabled = false; } extern const BaseApi* ips_regex; @@ -114,10 +114,34 @@ Cursor::Cursor(Packet* p) { set("pkt_data", p->data, p->dsize); } void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } OptTreeNode::~OptTreeNode() = default; +SO_PUBLIC bool snort::otn_has_plugin(OptTreeNode*, const char*) +{ return false; } + +const ClassType* get_classification(snort::SnortConfig*, const char*) +{ return nullptr; } + +void add_classification(snort::SnortConfig*, const char*, const char*, unsigned) +{ } + +struct THD_NODE* detection_filter_create(DetectionFilterConfig*, struct THDX_STRUCT*) +{ return nullptr; } + +void add_reference(snort::SnortConfig*, OptTreeNode*, const std::string&, const std::string&) +{ } + +void add_reference(IpsInfo&, const char*, const char*) +{ } + +void add_service_to_otn(snort::SnortConfig*, OptTreeNode*, const char*) +{ } + +SoEvalFunc SoManager::get_so_eval(const char*, const char*, void**, snort::SnortConfig*) +{ return nullptr; } + //------------------------------------------------------------------------- // helpers //------------------------------------------------------------------------- @@ -145,10 +169,10 @@ static IpsOption* get_option(Module* mod, const char* pat) mod->set(ips_regex->name, vs, nullptr); mod->end(ips_regex->name, 0, nullptr); - OptTreeNode otn; + IpsInfo info(nullptr, nullptr); const IpsApi* api = (const IpsApi*) ips_regex; - IpsOption* opt = api->ctor(mod, &otn); + IpsOption* opt = api->ctor(mod, info); return opt; } @@ -308,7 +332,7 @@ TEST(ips_regex_option, match_absolute) Cursor c(&pkt); CHECK(opt->eval(c, &pkt) == IpsOption::MATCH); CHECK(!strcmp((const char*) c.start(), " stew *")); - CHECK(opt->retry(c,c)); + CHECK(opt->retry(c)); } TEST(ips_regex_option, no_match_delta) @@ -363,7 +387,7 @@ TEST(ips_regex_option_relative, no_match) CHECK(opt->is_relative()); CHECK(opt->eval(c, &pkt) == IpsOption::NO_MATCH); - CHECK(!opt->retry(c,c)); + CHECK(!opt->retry(c)); } //------------------------------------------------------------------------- diff --git a/src/js_norm/js_enum.h b/src/js_norm/js_enum.h index fecd9613b..9fb7c6e1e 100644 --- a/src/js_norm/js_enum.h +++ b/src/js_norm/js_enum.h @@ -20,7 +20,7 @@ #ifndef JS_ENUM_H #define JS_ENUM_H -#include "utils/event_gen.h" +#include "helpers/event_gen.h" namespace jsn { diff --git a/src/js_norm/js_norm.h b/src/js_norm/js_norm.h index 5c90cd20e..b3cf3aae5 100644 --- a/src/js_norm/js_norm.h +++ b/src/js_norm/js_norm.h @@ -20,7 +20,7 @@ #ifndef JS_NORM_H #define JS_NORM_H -#include "utils/event_gen.h" +#include "helpers/event_gen.h" #include "js_config.h" #include "js_enum.h" diff --git a/src/js_norm/js_normalizer.h b/src/js_norm/js_normalizer.h index 63cbc6636..911d255ac 100644 --- a/src/js_norm/js_normalizer.h +++ b/src/js_norm/js_normalizer.h @@ -24,10 +24,9 @@ #include +#include "helpers/streambuf.h" #include "js_tokenizer.h" -#include "utils/streambuf.h" - namespace jsn { diff --git a/src/js_norm/js_pdf_norm.h b/src/js_norm/js_pdf_norm.h index 74b92f2e3..edc54fadf 100644 --- a/src/js_norm/js_pdf_norm.h +++ b/src/js_norm/js_pdf_norm.h @@ -23,9 +23,9 @@ #include #include +#include "helpers/streambuf.h" #include "js_norm/js_norm.h" #include "js_norm/pdf_tokenizer.h" -#include "utils/streambuf.h" namespace snort { diff --git a/src/js_norm/test/CMakeLists.txt b/src/js_norm/test/CMakeLists.txt index 66d0ff0b6..5ba935362 100644 --- a/src/js_norm/test/CMakeLists.txt +++ b/src/js_norm/test/CMakeLists.txt @@ -13,7 +13,7 @@ add_catch_test( js_normalizer_test ${js_tokenizer_OUTPUTS} ../js_identifier_ctx.cc ../js_normalizer.cc - ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc + ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc js_test_options.cc js_test_stubs.cc @@ -25,7 +25,7 @@ add_catch_test( js_dealias_test ${js_tokenizer_OUTPUTS} ../js_identifier_ctx.cc ../js_normalizer.cc - ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc + ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc js_test_options.cc js_test_stubs.cc @@ -37,7 +37,7 @@ add_catch_test( js_unescape_test ${js_tokenizer_OUTPUTS} ../js_identifier_ctx.cc ../js_normalizer.cc - ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc + ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc js_test_options.cc js_test_stubs.cc @@ -56,7 +56,7 @@ add_catch_test( jsn_test ../js_identifier_ctx.cc ../js_norm.cc ../js_normalizer.cc - ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc + ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc js_test_stubs.cc ) @@ -73,7 +73,7 @@ if (ENABLE_BENCHMARK_TESTS) ${js_tokenizer_OUTPUTS} ../js_identifier_ctx.cc ../js_normalizer.cc - ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc + ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc js_test_options.cc js_test_stubs.cc @@ -83,7 +83,7 @@ if (ENABLE_BENCHMARK_TESTS) add_catch_test( pdf_tokenizer_benchmark SOURCES ${pdf_tokenizer_OUTPUTS} - ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc + ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc js_test_stubs.cc ) diff --git a/src/js_norm/test/pdf_tokenizer_benchmark.cc b/src/js_norm/test/pdf_tokenizer_benchmark.cc index c99162fda..f484fe1bd 100644 --- a/src/js_norm/test/pdf_tokenizer_benchmark.cc +++ b/src/js_norm/test/pdf_tokenizer_benchmark.cc @@ -29,8 +29,8 @@ #include #include "catch/catch.hpp" +#include "helpers/streambuf.h" #include "js_norm/pdf_tokenizer.h" -#include "utils/streambuf.h" using namespace jsn; using namespace snort; diff --git a/src/latency/latency_stats.h b/src/latency/latency_stats.h index 0865d7066..1ecb689d9 100644 --- a/src/latency/latency_stats.h +++ b/src/latency/latency_stats.h @@ -21,7 +21,6 @@ #ifndef LATENCY_STATS_H #define LATENCY_STATS_H -#include "main/thread.h" #include "framework/counts.h" struct LatencyStats diff --git a/src/latency/rule_latency.cc b/src/latency/rule_latency.cc index fffe97a96..7ba03f048 100644 --- a/src/latency/rule_latency.cc +++ b/src/latency/rule_latency.cc @@ -28,6 +28,7 @@ #include "detection/detection_options.h" #include "detection/treenodes.h" #include "main/snort_config.h" +#include "main/thread.h" #include "log/messages.h" #include "protocols/packet.h" #include "utils/stats.h" diff --git a/src/log/CMakeLists.txt b/src/log/CMakeLists.txt index 6a6209355..99de682d2 100644 --- a/src/log/CMakeLists.txt +++ b/src/log/CMakeLists.txt @@ -1,6 +1,6 @@ set (LOG_INCLUDES - log.h + log_stats.h log_text.h messages.h obfuscator.h @@ -12,6 +12,9 @@ set (LOG_INCLUDES add_library ( log OBJECT ${LOG_INCLUDES} log.cc + log.h + log_errors.h + log_stats.cc log_text.cc messages.cc obfuscator.cc diff --git a/src/log/log.cc b/src/log/log.cc index 47b4cd083..d963f941a 100644 --- a/src/log/log.cc +++ b/src/log/log.cc @@ -24,10 +24,11 @@ #include "log.h" +#include #include +#include "main/thread.h" #include "protocols/packet.h" -#include "protocols/tcp.h" #include "utils/util.h" #include "utils/util_cstring.h" @@ -38,25 +39,6 @@ using namespace snort; #define DEFAULT_DAEMON_ALERT_FILE "alert" -namespace snort -{ -// Input is packet and an nine-byte (including null) character array. Results -// are put into the character array. -void CreateTCPFlagString(const tcp::TCPHdr* const tcph, char* flagBuffer) -{ - /* parse TCP flags */ - *flagBuffer++ = (char)((tcph->th_flags & TH_RES1) ? '1' : '*'); - *flagBuffer++ = (char)((tcph->th_flags & TH_RES2) ? '2' : '*'); - *flagBuffer++ = (char)((tcph->th_flags & TH_URG) ? 'U' : '*'); - *flagBuffer++ = (char)((tcph->th_flags & TH_ACK) ? 'A' : '*'); - *flagBuffer++ = (char)((tcph->th_flags & TH_PUSH) ? 'P' : '*'); - *flagBuffer++ = (char)((tcph->th_flags & TH_RST) ? 'R' : '*'); - *flagBuffer++ = (char)((tcph->th_flags & TH_SYN) ? 'S' : '*'); - *flagBuffer++ = (char)((tcph->th_flags & TH_FIN) ? 'F' : '*'); - *flagBuffer = '\0'; -} -} - /**************************************************************************** * * Function: OpenAlertFile(char *) @@ -172,3 +154,57 @@ void LogNetData(const uint8_t* data, const int len, Packet* p) log_mutex.unlock(); } +//-------------------------------------------------------------------- +// protocol translation +//-------------------------------------------------------------------- + +static char** protocol_names = nullptr; + +const char* get_protocol_name(uint8_t ip_proto) +{ + assert(protocol_names and protocol_names[ip_proto]); + return protocol_names[ip_proto]; +} + +void InitProtoNames() +{ + if ( !protocol_names ) + protocol_names = (char**)snort_calloc(NUM_IP_PROTOS, sizeof(char*)); + + for ( int i = 0; i < NUM_IP_PROTOS; i++ ) + { + struct protoent* pt = getprotobynumber(i); // main thread only + + if (pt != nullptr) + { + protocol_names[i] = snort_strdup(pt->p_name); + + for ( size_t j = 0; j < strlen(protocol_names[i]); j++ ) + protocol_names[i][j] = toupper(protocol_names[i][j]); + } + else + { + char protoname[10]; + SnortSnprintf(protoname, sizeof(protoname), "PROTO:%03d", i); + protocol_names[i] = snort_strdup(protoname); + } + } +} + +void CleanupProtoNames() +{ + if (protocol_names != nullptr) + { + int i; + + for (i = 0; i < NUM_IP_PROTOS; i++) + { + if (protocol_names[i] != nullptr) + snort_free(protocol_names[i]); + } + + snort_free(protocol_names); + protocol_names = nullptr; + } +} + diff --git a/src/log/log.h b/src/log/log.h index 8fbd38f14..937bc9cf3 100644 --- a/src/log/log.h +++ b/src/log/log.h @@ -21,16 +21,17 @@ #ifndef LOG_H #define LOG_H +// this is for legacy logging like stream_ip debug and stream_tcp show rebuilt. +// it should not be used for new code. existing uses should be converted to the +// trace logger system or directly call TextLog which this wraps. + #include #include "main/snort_types.h" namespace snort { -namespace tcp { struct TCPHdr; } -struct Packet; - -SO_PUBLIC void CreateTCPFlagString(const tcp::TCPHdr* const, char*); + struct Packet; } FILE* OpenAlertFile(const char*, bool is_critical=true); @@ -42,5 +43,10 @@ void LogIPPkt(snort::Packet*); void LogFlow(snort::Packet*); void LogNetData(const uint8_t* data, const int len, snort::Packet*); +void InitProtoNames(); +void CleanupProtoNames(); + +const char* get_protocol_name(uint8_t ip_proto); + #endif diff --git a/src/log/log_errors.h b/src/log/log_errors.h new file mode 100644 index 000000000..b088058cf --- /dev/null +++ b/src/log/log_errors.h @@ -0,0 +1,30 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +#ifndef LOG_ERRORS_H +#define LOG_ERRORS_H + +void reset_parse_errors(); +unsigned get_parse_errors(); +unsigned get_parse_warnings(); +void reset_reload_errors(); +unsigned get_reload_errors(); +std::string& get_reload_errors_description(); + +#endif + diff --git a/src/log/log_stats.cc b/src/log/log_stats.cc new file mode 100644 index 000000000..2c050431f --- /dev/null +++ b/src/log/log_stats.cc @@ -0,0 +1,114 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "log_stats.h" + +#include "control/control.h" + +#include "messages.h" + +//using namespace snort; + +//------------------------------------------------------------------------- + +static THREAD_LOCAL ControlConn* s_ctrlcon = nullptr; + +void snort::set_log_conn(ControlConn* cc) +{ s_ctrlcon = cc; } + +//------------------------------------------------------------------------- + +#define STATS_SEPARATOR \ + "--------------------------------------------------" + +static inline void LogSeparator(FILE* fh = stdout) +{ + LogfRespond(s_ctrlcon, fh, "%s\n", STATS_SEPARATOR); +} + +static double CalcPct(uint64_t cnt, uint64_t total) +{ + double pct = 0.0; + + if (total == 0.0) + { + pct = (double)cnt; + } + else + { + pct = (double)cnt / (double)total; + } + + pct *= 100.0; + + return pct; +} + +//------------------------------------------------------------------------- + +void snort::LogText(const char* s, FILE* fh) +{ + LogfRespond(s_ctrlcon, fh, "%s\n", s); +} + +void snort::LogLabel(const char* s, FILE* fh) +{ + if ( *s == ' ' ) + { + LogfRespond(s_ctrlcon, fh, "%s\n", s); + } + else + { + LogSeparator(fh); + LogfRespond(s_ctrlcon, fh, "%s\n", s); + } +} + +void snort::LogValue(const char* s, const char* v, FILE* fh) +{ + LogfRespond(s_ctrlcon, fh, "%25.25s: %s\n", s, v); +} + +void snort::LogCount(const char* s, uint64_t c, FILE* fh) +{ + if ( c ) + { + LogfRespond(s_ctrlcon, fh, "%25.25s: " STDu64 "\n", s, c); + } +} + +void snort::LogStat(const char* s, uint64_t n, uint64_t tot, FILE* fh) +{ + if ( n ) + { + LogfRespond(s_ctrlcon, fh, "%25.25s: " FMTu64("-12") "\t(%7.3f%%)\n", s, n, CalcPct(n, tot)); + } +} + +void snort::LogStat(const char* s, double d, FILE* fh) +{ + if ( d ) + { + LogfRespond(s_ctrlcon, fh, "%25.25s: %g\n", s, d); + } +} + diff --git a/src/log/log_stats.h b/src/log/log_stats.h new file mode 100644 index 000000000..6246cb2e5 --- /dev/null +++ b/src/log/log_stats.h @@ -0,0 +1,45 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +#ifndef LOG_STATS_H +#define LOG_STATS_H + +// used for logging pegs + +#include +#include + +#include "main/snort_types.h" + +class ControlConn; + +namespace snort +{ +void set_log_conn(ControlConn*); + +SO_PUBLIC void LogLabel(const char*, FILE* = stdout); +SO_PUBLIC void LogText(const char*, FILE* = stdout); +SO_PUBLIC void LogValue(const char*, const char*, FILE* = stdout); +SO_PUBLIC void LogCount(const char*, uint64_t, FILE* = stdout); + +SO_PUBLIC void LogStat(const char*, uint64_t n, uint64_t tot, FILE* = stdout); +SO_PUBLIC void LogStat(const char*, double, FILE* = stdout); +} + +#endif + diff --git a/src/log/log_text.cc b/src/log/log_text.cc index ab9f3f516..faf09fbdd 100644 --- a/src/log/log_text.cc +++ b/src/log/log_text.cc @@ -31,6 +31,7 @@ #include "detection/detection_engine.h" #include "detection/signature.h" #include "events/event.h" +#include "framework/pig_pen.h" #include "main/snort_config.h" #include "network_inspectors/appid/appid_api.h" #include "packet_io/sfdaq.h" @@ -45,7 +46,6 @@ #include "utils/util.h" #include "utils/util_net.h" -#include "log.h" #include "messages.h" #include "obfuscator.h" @@ -72,10 +72,12 @@ void LogTimeStamp(TextLog* log, Packet* p) */ void LogPriorityData(TextLog* log, const Event& e) { - if ( e.sig_info->class_type and !e.sig_info->class_type->text.empty() ) - TextLog_Print(log, "[Classification: %s] ", e.sig_info->class_type->text.c_str()); + const char* ct = e.get_class_type(); - TextLog_Print(log, "[Priority: %d] ", e.sig_info->priority); + if ( ct ) + TextLog_Print(log, "[Classification: %s] ", ct); + + TextLog_Print(log, "[Priority: %d] ", e.get_priority()); } /*-------------------------------------------------------------------- @@ -343,13 +345,10 @@ void LogIPHeader(TextLog* log, Packet* p) { const ip::IP6Hdr* const ip6h = p->ptrs.ip_api.get_ip6h(); // nullptr if ipv4 const ip::IP6Frag* const ip6_frag = layer::get_inner_ip6_frag(); + const char* proto = PigPen::get_protocol_name(to_utype(p->get_ip_proto_next())); TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u", - protocol_names[to_utype(p->get_ip_proto_next())], - ip6h->hop_lim(), - ip6h->tos(), - (ip6_frag ? ip6_frag->id() : 0), - ip::IP6_HEADER_LEN, + proto, ip6h->hop_lim(), ip6h->tos(), (ip6_frag ? ip6_frag->id() : 0), ip::IP6_HEADER_LEN, (ip6h->len() + ip::IP6_HEADER_LEN)); if (!ip6_frag) @@ -369,13 +368,10 @@ void LogIPHeader(TextLog* log, Packet* p) } else { + const char* proto = PigPen::get_protocol_name(to_utype(ip4h->proto())); + TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u", - protocol_names[to_utype(ip4h->proto())], - ip4h->ttl(), - ip4h->tos(), - ip4h->id(), - ip4h->hlen(), - ip4h->len()); + proto, ip4h->ttl(), ip4h->tos(), ip4h->id(), ip4h->hlen(), ip4h->len()); if (ip4h->rb()) TextLog_Puts(log, " RB"); @@ -582,8 +578,8 @@ void LogTCPHeader(TextLog* log, Packet* p) return; } /* print TCP flags */ - CreateTCPFlagString(tcph, tcpFlags); - TextLog_Puts(log, tcpFlags); /* We don't care about the null */ + tcph->stringify_flags(tcpFlags); + TextLog_Puts(log, tcpFlags); /* print other TCP info */ TextLog_Print(log, " Seq: 0x%lX Ack: 0x%lX Win: 0x%X TcpLen: %d", @@ -1024,7 +1020,9 @@ void LogICMPHeader(TextLog* log, Packet* p) void LogXrefs(TextLog* log, const Event& e) { - for ( const auto ref : e.sig_info->refs ) + const SigInfo& sig_info = e.get_sig_info(); + + for ( const auto ref : sig_info.refs ) { if ( !ref->system ) TextLog_Print(log, "[Xref => %s]", ref->id.c_str()); diff --git a/src/log/log_text.h b/src/log/log_text.h index 92313def8..14b4262f9 100644 --- a/src/log/log_text.h +++ b/src/log/log_text.h @@ -26,7 +26,7 @@ #include "log/text_log.h" -struct Event; +class Event; namespace snort { diff --git a/src/log/messages.cc b/src/log/messages.cc index c21f5140d..dbe5083b4 100644 --- a/src/log/messages.cc +++ b/src/log/messages.cc @@ -22,6 +22,7 @@ #endif #include "messages.h" +#include "log_errors.h" #include @@ -29,6 +30,7 @@ #include #include "main/snort_config.h" +#include "main/thread.h" #include "parser/parser.h" #include "time/packet_time.h" #include "utils/util_cstring.h" diff --git a/src/log/messages.h b/src/log/messages.h index 0e91f0cda..33ec292db 100644 --- a/src/log/messages.h +++ b/src/log/messages.h @@ -45,13 +45,6 @@ enum WarningGroup WARN_MAX }; -void reset_parse_errors(); -unsigned get_parse_errors(); -unsigned get_parse_warnings(); -void reset_reload_errors(); -unsigned get_reload_errors(); -std::string& get_reload_errors_description(); - namespace snort { SO_PUBLIC void ParseWarning(WarningGroup, const char*, ...) __attribute__((format (printf, 2, 3))); diff --git a/src/loggers/alert_csv.cc b/src/loggers/alert_csv.cc index 22bc0e89a..7a6a1b4f4 100644 --- a/src/loggers/alert_csv.cc +++ b/src/loggers/alert_csv.cc @@ -30,13 +30,11 @@ #include "detection/detection_engine.h" #include "detection/ips_context.h" -#include "detection/signature.h" #include "events/event.h" #include "flow/flow_key.h" #include "framework/logger.h" #include "framework/module.h" #include "helpers/base64_encoder.h" -#include "log/log.h" #include "log/log_text.h" #include "log/text_log.h" #include "packet_io/active.h" @@ -48,7 +46,6 @@ #include "protocols/udp.h" #include "protocols/vlan.h" #include "protocols/geneve.h" -#include "utils/stats.h" using namespace snort; using namespace std; @@ -64,12 +61,15 @@ static THREAD_LOCAL TextLog* csv_log; // field formatting functions //------------------------------------------------------------------------- +namespace +{ struct Args { Packet* pkt; const char* msg; const Event& event; }; +} static void ff_action(const Args& a) { @@ -78,9 +78,8 @@ static void ff_action(const Args& a) static void ff_class(const Args& a) { - const char* cls = "none"; - if ( a.event.sig_info->class_type and !a.event.sig_info->class_type->text.empty() ) - cls = a.event.sig_info->class_type->text.c_str(); + const char* cls = a.event.get_class_type(); + if ( !cls ) cls = "none"; TextLog_Puts(csv_log, cls); } @@ -219,7 +218,7 @@ static void ff_geneve_vni(const Args& a) static void ff_gid(const Args& a) { - TextLog_Print(csv_log, "%u", a.event.sig_info->gid); + TextLog_Print(csv_log, "%u", a.event.get_gid()); } static void ff_icmp_code(const Args& a) @@ -304,7 +303,7 @@ static void ff_pkt_num(const Args& a) static void ff_priority(const Args& a) { - TextLog_Print(csv_log, "%u", a.event.sig_info->priority); + TextLog_Print(csv_log, "%u", a.event.get_priority()); } static void ff_proto(const Args& a) @@ -314,13 +313,14 @@ static void ff_proto(const Args& a) static void ff_rev(const Args& a) { - TextLog_Print(csv_log, "%u", a.event.sig_info->rev); + TextLog_Print(csv_log, "%u", a.event.get_rev()); } static void ff_rule(const Args& a) { - TextLog_Print(csv_log, "%u:%u:%u", - a.event.sig_info->gid, a.event.sig_info->sid, a.event.sig_info->rev); + uint32_t gid, sid, rev; + a.event.get_sig_ids(gid, sid, rev); + TextLog_Print(csv_log, "%u:%u:%u", gid, sid, rev); } static void ff_seconds(const Args& a) @@ -359,7 +359,7 @@ static void ff_sgt(const Args& a) static void ff_sid(const Args& a) { - TextLog_Print(csv_log, "%u", a.event.sig_info->sid); + TextLog_Print(csv_log, "%u", a.event.get_sid()); } static void ff_src_addr(const Args& a) @@ -394,15 +394,15 @@ static void ff_src_port(const Args& a) static void ff_target(const Args& a) { SfIpString addr = ""; + bool src; - if ( a.event.sig_info->target == TARGET_SRC ) - a.pkt->ptrs.ip_api.get_src()->ntop(addr); - - else if ( a.event.sig_info->target == TARGET_DST ) - a.pkt->ptrs.ip_api.get_dst()->ntop(addr); + if ( !a.event.get_target(src) ) + return; + if ( src ) + a.pkt->ptrs.ip_api.get_src()->ntop(addr); else - return; + a.pkt->ptrs.ip_api.get_dst()->ntop(addr); TextLog_Print(csv_log, "%s", addr); } @@ -418,7 +418,7 @@ static void ff_tcp_flags(const Args& a) if (a.pkt->ptrs.tcph ) { char tcpFlags[9]; - CreateTCPFlagString(a.pkt->ptrs.tcph, tcpFlags); + a.pkt->ptrs.tcph->stringify_flags(tcpFlags); TextLog_Print(csv_log, "%s", tcpFlags); } } diff --git a/src/loggers/alert_fast.cc b/src/loggers/alert_fast.cc index 40d98457a..cb2d4a30c 100644 --- a/src/loggers/alert_fast.cc +++ b/src/loggers/alert_fast.cc @@ -27,7 +27,6 @@ #include #include "detection/detection_engine.h" -#include "detection/signature.h" #include "events/event.h" #include "flow/flow.h" #include "flow/session.h" @@ -303,8 +302,9 @@ void FastLogger::alert(Packet* p, const char* msg, const Event& event) TextLog_Puts(fast_log, " [**] "); - TextLog_Print(fast_log, "[%u:%u:%u] ", - event.sig_info->gid, event.sig_info->sid, event.sig_info->rev); + uint32_t gid, sid, rev; + event.get_sig_ids(gid, sid, rev); + TextLog_Print(fast_log, "[%u:%u:%u] ", gid, sid, rev); if (p->context->conf->alert_interface()) TextLog_Print(fast_log, " <%s> ", SFDAQ::get_input_spec()); @@ -386,11 +386,11 @@ void FastLogger::log_data(Packet* p, const Event& event) const DataPointer& buf = DetectionEngine::get_alt_buffer(p); - if ( buf.len and event.sig_info->gid != 116 ) + if ( buf.len and event.get_gid() != 116 ) LogNetData(fast_log, buf.data, buf.len, p, "alt"); if ( log_buffers ) - log_ips_buffers(p, event.buffs_to_dump, buffers_depth); + log_ips_buffers(p, event.get_buffers(), buffers_depth); } //------------------------------------------------------------------------- diff --git a/src/loggers/alert_full.cc b/src/loggers/alert_full.cc index ae5aeaaee..5104b85ba 100644 --- a/src/loggers/alert_full.cc +++ b/src/loggers/alert_full.cc @@ -38,7 +38,6 @@ #endif #include "detection/ips_context.h" -#include "detection/signature.h" #include "events/event.h" #include "framework/logger.h" #include "framework/module.h" @@ -147,8 +146,9 @@ void FullLogger::alert(Packet* p, const char* msg, const Event& event) { TextLog_Puts(full_log, "[**] "); - TextLog_Print(full_log, "[%u:%u:%u] ", - event.sig_info->gid, event.sig_info->sid, event.sig_info->rev); + uint32_t gid, sid, rev; + event.get_sig_ids(gid, sid, rev); + TextLog_Print(full_log, "[%u:%u:%u] ", gid, sid, rev); if (p->context->conf->alert_interface()) { diff --git a/src/loggers/alert_json.cc b/src/loggers/alert_json.cc index 5358b4f05..119614938 100644 --- a/src/loggers/alert_json.cc +++ b/src/loggers/alert_json.cc @@ -31,13 +31,11 @@ #endif #include "detection/detection_engine.h" -#include "detection/signature.h" #include "events/event.h" #include "flow/flow_key.h" #include "framework/logger.h" #include "framework/module.h" #include "helpers/base64_encoder.h" -#include "log/log.h" #include "log/log_text.h" #include "log/text_log.h" #include "packet_io/active.h" @@ -48,7 +46,6 @@ #include "protocols/tcp.h" #include "protocols/udp.h" #include "protocols/vlan.h" -#include "utils/stats.h" using namespace snort; using namespace std; @@ -64,6 +61,8 @@ static THREAD_LOCAL TextLog* json_log; // field formatting functions //------------------------------------------------------------------------- +namespace +{ struct Args { Packet* pkt; @@ -71,6 +70,7 @@ struct Args const Event& event; bool comma; }; +} static void print_label(const Args& a, const char* label) { @@ -89,10 +89,8 @@ static bool ff_action(const Args& a) static bool ff_class(const Args& a) { - const char* cls = "none"; - - if ( a.event.sig_info->class_type and !a.event.sig_info->class_type->text.empty() ) - cls = a.event.sig_info->class_type->text.c_str(); + const char* cls = a.event.get_class_type(); + if ( !cls ) cls = "none"; print_label(a, "class"); TextLog_Quote(json_log, cls); @@ -281,7 +279,7 @@ static bool ff_geneve_vni(const Args& a) static bool ff_gid(const Args& a) { print_label(a, "gid"); - TextLog_Print(json_log, "%u", a.event.sig_info->gid); + TextLog_Print(json_log, "%u", a.event.get_gid()); return true; } @@ -412,7 +410,7 @@ static bool ff_pkt_num(const Args& a) static bool ff_priority(const Args& a) { print_label(a, "priority"); - TextLog_Print(json_log, "%u", a.event.sig_info->priority); + TextLog_Print(json_log, "%u", a.event.get_priority()); return true; } @@ -426,7 +424,7 @@ static bool ff_proto(const Args& a) static bool ff_rev(const Args& a) { print_label(a, "rev"); - TextLog_Print(json_log, "%u", a.event.sig_info->rev); + TextLog_Print(json_log, "%u", a.event.get_rev()); return true; } @@ -434,9 +432,10 @@ static bool ff_rule(const Args& a) { print_label(a, "rule"); - TextLog_Print(json_log, "\"%u:%u:%u\"", - a.event.sig_info->gid, a.event.sig_info->sid, a.event.sig_info->rev); + uint32_t gid, sid, rev; + a.event.get_sig_ids(gid, sid, rev); + TextLog_Print(json_log, "\"%u:%u:%u\"", gid, sid, rev); return true; } @@ -496,7 +495,7 @@ static bool ff_sgt(const Args& a) static bool ff_sid(const Args& a) { print_label(a, "sid"); - TextLog_Print(json_log, "%u", a.event.sig_info->sid); + TextLog_Print(json_log, "%u", a.event.get_sid()); return true; } @@ -542,15 +541,16 @@ static bool ff_src_port(const Args& a) static bool ff_target(const Args& a) { SfIpString addr = ""; + bool src; - if ( a.event.sig_info->target == TARGET_SRC ) - a.pkt->ptrs.ip_api.get_src()->ntop(addr); + if ( !a.event.get_target(src) ) + return false; - else if ( a.event.sig_info->target == TARGET_DST ) - a.pkt->ptrs.ip_api.get_dst()->ntop(addr); + if ( src ) + a.pkt->ptrs.ip_api.get_src()->ntop(addr); else - return false; + a.pkt->ptrs.ip_api.get_dst()->ntop(addr); print_label(a, "target"); TextLog_Quote(json_log, addr); @@ -573,7 +573,7 @@ static bool ff_tcp_flags(const Args& a) if (a.pkt->ptrs.tcph ) { char tcpFlags[9]; - CreateTCPFlagString(a.pkt->ptrs.tcph, tcpFlags); + a.pkt->ptrs.tcph->stringify_flags(tcpFlags); print_label(a, "tcp_flags"); TextLog_Quote(json_log, tcpFlags); diff --git a/src/loggers/alert_luajit.cc b/src/loggers/alert_luajit.cc index 61cc5b7f2..d4eef4fd3 100644 --- a/src/loggers/alert_luajit.cc +++ b/src/loggers/alert_luajit.cc @@ -22,11 +22,9 @@ #endif #include "detection/ips_context.h" -#include "detection/signature.h" #include "events/event.h" #include "framework/logger.h" #include "framework/module.h" -#include "helpers/chunk.h" #include "log/messages.h" #include "lua/lua.h" #include "main/thread_config.h" @@ -35,6 +33,7 @@ #include "managers/script_manager.h" #include "profiler/profiler_defs.h" #include "protocols/packet.h" +#include "utils/chunk.h" using namespace snort; @@ -49,18 +48,13 @@ static THREAD_LOCAL SnortPacket lua_packet; SO_PUBLIC const SnortEvent* get_event() { assert(event); - - lua_event.gid = event->sig_info->gid; - lua_event.sid = event->sig_info->sid; - lua_event.rev = event->sig_info->rev; + event->get_sig_ids(lua_event.gid, lua_event.sid, lua_event.rev); lua_event.event_id = event->get_event_id(); lua_event.event_ref = event->get_event_reference(); - if ( !event->sig_info->message.empty() ) - lua_event.msg = event->sig_info->message.c_str(); - else - lua_event.msg = ""; + lua_event.msg = event->get_msg(); + if ( !lua_event.msg ) lua_event.msg = ""; return &lua_event; } diff --git a/src/loggers/alert_syslog.cc b/src/loggers/alert_syslog.cc index 92e06a33c..ae092fff2 100644 --- a/src/loggers/alert_syslog.cc +++ b/src/loggers/alert_syslog.cc @@ -25,10 +25,10 @@ #include #include "detection/ips_context.h" -#include "detection/signature.h" #include "events/event.h" #include "framework/logger.h" #include "framework/module.h" +#include "framework/pig_pen.h" #include "log/messages.h" #include "main/snort_config.h" #include "packet_io/sfdaq.h" @@ -203,24 +203,25 @@ static void AlertSyslog( if ((p != nullptr) && p->ptrs.ip_api.is_valid()) { - SnortSnprintfAppend(event_string, sizeof(event_string), - "[%u:%u:%u] ", event.sig_info->gid, event.sig_info->sid, event.sig_info->rev); + uint32_t gid, sid, rev; + event.get_sig_ids(gid, sid, rev); + SnortSnprintfAppend(event_string, sizeof(event_string), "[%u:%u:%u] ", gid, sid, rev); if (msg != nullptr) SnortSnprintfAppend(event_string, sizeof(event_string), "%s ", msg); else SnortSnprintfAppend(event_string, sizeof(event_string), "ALERT "); - if ( event.sig_info->class_type and !event.sig_info->class_type->text.empty() ) + if ( auto cls = event.get_class_type() ) { SnortSnprintfAppend(event_string, sizeof(event_string), - "[Classification: %s] ", event.sig_info->class_type->text.c_str()); + "[Classification: %s] ", cls); } - if (event.sig_info->priority != 0) + if (event.get_priority() != 0) { SnortSnprintfAppend(event_string, sizeof(event_string), - "[Priority: %u] ", event.sig_info->priority); + "[Priority: %u] ", event.get_priority()); } if (p->context->conf->alert_interface()) @@ -229,17 +230,10 @@ static void AlertSyslog( "<%s> ", SFDAQ::get_input_spec()); } - IpProtocol ip_proto = p->get_ip_proto_next(); - if (protocol_names[to_utype(ip_proto)] != nullptr) - { - SnortSnprintfAppend(event_string, sizeof(event_string), - "{%s} ", protocol_names[to_utype(ip_proto)]); - } - else - { - SnortSnprintfAppend(event_string, sizeof(event_string), - "{%d} ", static_cast(ip_proto)); - } + IpProtocol ip_proto = p->get_ip_proto_next(); + + const char* proto = PigPen::get_protocol_name(to_utype(ip_proto)); + SnortSnprintfAppend(event_string, sizeof(event_string), "{%s} ", proto); if ((p->ptrs.decode_flags & DECODE_FRAG) || ((ip_proto != IpProtocol::TCP) diff --git a/src/loggers/alert_talos.cc b/src/loggers/alert_talos.cc index d040dac55..70fd8b2e3 100644 --- a/src/loggers/alert_talos.cc +++ b/src/loggers/alert_talos.cc @@ -28,7 +28,6 @@ #include #include -#include "detection/signature.h" #include "events/event.h" #include "framework/logger.h" #include "framework/module.h" @@ -162,11 +161,9 @@ void TalosLogger::alert(Packet*, const char* msg, const Event& event) stringstream key; string message; - key << "[" - << event.sig_info->gid << ":" - << event.sig_info->sid << ":" - << event.sig_info->rev - << "]"; + uint32_t gid, sid, rev; + event.get_sig_ids(gid, sid, rev); + key << "[" << gid << ":" << sid << ":" << rev << "]"; auto rule_iter = alerts.find(key.str()); @@ -189,9 +186,9 @@ void TalosLogger::alert(Packet*, const char* msg, const Event& event) rule.key = key.str(); rule.msg = message; - rule.gid = event.sig_info->gid; - rule.sid = event.sig_info->sid; - rule.rev = event.sig_info->rev; + rule.gid = gid; + rule.sid = sid; + rule.rev = rev; rule.count = 1; // rule not in map, add it diff --git a/src/loggers/alert_unixsock.cc b/src/loggers/alert_unixsock.cc index eb86d004a..bd9339423 100644 --- a/src/loggers/alert_unixsock.cc +++ b/src/loggers/alert_unixsock.cc @@ -24,11 +24,11 @@ #include -#include "detection/signature.h" #include "events/event.h" #include "framework/logger.h" #include "framework/module.h" #include "log/messages.h" +#include "main/thread.h" #include "protocols/packet.h" #include "utils/util.h" #include "utils/util_cstring.h" @@ -41,7 +41,8 @@ using namespace snort; */ struct pcap_pkthdr32 { - struct sf_timeval32 ts; /* packet timestamp */ + uint32_t ts_sec; /* packet timestamp */ + uint32_t ts_usec; uint32_t caplen; /* packet capture length */ uint32_t len; /* packet "real" length */ }; @@ -73,7 +74,9 @@ struct Alertpkt uint32_t event_id; uint32_t event_ref; - struct sf_timeval32 ref_time; + + uint32_t ts_sec; + uint32_t ts_usec; }; struct UnixSock @@ -121,21 +124,20 @@ static void get_alert_pkt( // FIXIT-L minimize or eliminate memset memset((char*)&us.alert,0,sizeof(us.alert)); - us.alert.gid = event.sig_info->gid; - us.alert.sid = event.sig_info->sid; - us.alert.rev = event.sig_info->rev; + event.get_sig_ids(us.alert.gid, us.alert.sid, us.alert.rev); - us.alert.class_id = event.sig_info->class_id; - us.alert.priority = event.sig_info->priority; + us.alert.class_id = event.get_class_id(); + us.alert.priority = event.get_priority(); us.alert.event_id = event.get_event_id(); us.alert.event_ref = event.get_event_reference(); - us.alert.ref_time = event.ref_time; + + event.get_timestamp(us.alert.ts_sec, us.alert.ts_usec); if (p && p->pkt) { - us.alert.pkth.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec; - us.alert.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec; + us.alert.pkth.ts_sec = (uint32_t)p->pkth->ts.tv_sec; + us.alert.pkth.ts_usec = (uint32_t)p->pkth->ts.tv_usec; us.alert.pkth.caplen = p->pktlen; us.alert.pkth.len = p->pkth->pktlen; memmove(us.alert.pkt, (const void*)p->pkt, us.alert.pkth.caplen); diff --git a/src/loggers/log_codecs.cc b/src/loggers/log_codecs.cc index f749e33d4..0855957ab 100644 --- a/src/loggers/log_codecs.cc +++ b/src/loggers/log_codecs.cc @@ -23,7 +23,6 @@ #endif #include "detection/ips_context.h" -#include "detection/signature.h" #include "events/event.h" #include "framework/logger.h" #include "framework/module.h" @@ -139,8 +138,9 @@ void CodecLogger::log(Packet* p, const char* msg, Event* e) if (e != nullptr) { - TextLog_Print(test_file, " gid:%u sid:%u rev:%u\t", - e->sig_info->gid, e->sig_info->sid, e->sig_info->rev); + uint32_t gid, sid, rev; + e->get_sig_ids(gid, sid, rev); + TextLog_Print(test_file, " gid:%u sid:%u rev:%u\t", gid, sid, rev); } if (flags & ALERT_FLAG_MSG) diff --git a/src/loggers/log_pcap.cc b/src/loggers/log_pcap.cc index a5ca5488b..89d4e9d33 100644 --- a/src/loggers/log_pcap.cc +++ b/src/loggers/log_pcap.cc @@ -29,6 +29,7 @@ #include "framework/module.h" #include "log/messages.h" #include "main/snort_config.h" +#include "main/thread.h" #include "packet_io/sfdaq.h" #include "packet_io/sfdaq_config.h" #include "protocols/packet.h" diff --git a/src/loggers/unified2.cc b/src/loggers/unified2.cc index 022ec4799..fd3596393 100644 --- a/src/loggers/unified2.cc +++ b/src/loggers/unified2.cc @@ -31,8 +31,6 @@ #include -#include "detection/signature.h" -#include "detection/detection_util.h" #include "detection/detection_engine.h" #include "events/event.h" #include "framework/logger.h" @@ -42,6 +40,7 @@ #include "log/unified2.h" #include "log/u2_packet.h" #include "main/snort_config.h" +#include "main/thread.h" #include "network_inspectors/appid/appid_api.h" #include "packet_io/active.h" #include "packet_io/sfdaq.h" @@ -170,14 +169,21 @@ static void alert_event(Packet* p, const char*, Unified2Config* config, const Ev u2_event.snort_id = 0; // FIXIT-H alert_event define / use u2_event.event_id = htonl(event->get_event_id()); - u2_event.event_second = htonl(event->ref_time.tv_sec); - u2_event.event_microsecond = htonl(event->ref_time.tv_usec); - u2_event.rule_gid = htonl(event->sig_info->gid); - u2_event.rule_sid = htonl(event->sig_info->sid); - u2_event.rule_rev = htonl(event->sig_info->rev); - u2_event.rule_class = htonl(event->sig_info->class_id); - u2_event.rule_priority = htonl(event->sig_info->priority); + uint32_t sec, usec; + event->get_timestamp(sec, usec); + u2_event.event_second = htonl(sec); + u2_event.event_microsecond = htonl(usec); + + uint32_t gid, sid, rev; + event->get_sig_ids(gid, sid, rev); + + u2_event.rule_gid = htonl(gid); + u2_event.rule_sid = htonl(sid); + u2_event.rule_rev = htonl(rev); + + u2_event.rule_class = htonl(event->get_class_id()); + u2_event.rule_priority = htonl(event->get_priority()); if ( p ) { @@ -380,10 +386,11 @@ static void _Unified2LogPacketAlert( logheader.linktype = u2.base_proto; logheader.event_id = htonl(event->get_event_reference()); - logheader.event_second = htonl(event->ref_time.tv_sec); + logheader.event_second = htonl(event->get_seconds()); logheader.packet_second = htonl((uint32_t)p->pkth->ts.tv_sec); logheader.packet_microsecond = htonl((uint32_t)p->pkth->ts.tv_usec); + pkt_length = ( p->is_rebuilt() ) ? p->dsize : p->pktlen; logheader.packet_length = htonl(pkt_length + u2h_len); write_len += pkt_length + u2h_len; @@ -637,13 +644,21 @@ static void _AlertIP4_v2(Packet* p, const char*, Unified2Config* config, const E memset(&alertdata, 0, sizeof(alertdata)); alertdata.event_id = htonl(event->get_event_id()); - alertdata.event_second = htonl(event->ref_time.tv_sec); - alertdata.event_microsecond = htonl(event->ref_time.tv_usec); - alertdata.generator_id = htonl(event->sig_info->gid); - alertdata.signature_id = htonl(event->sig_info->sid); - alertdata.signature_revision = htonl(event->sig_info->rev); - alertdata.classification_id = htonl(event->sig_info->class_id); - alertdata.priority_id = htonl(event->sig_info->priority); + + uint32_t sec, usec; + event->get_timestamp(sec, usec); + alertdata.event_second = htonl(sec); + alertdata.event_microsecond = htonl(usec); + + uint32_t gid, sid, rev; + event->get_sig_ids(gid, sid, rev); + + alertdata.generator_id = htonl(gid); + alertdata.signature_id = htonl(sid); + alertdata.signature_revision = htonl(rev); + + alertdata.classification_id = htonl(event->get_class_id()); + alertdata.priority_id = htonl(event->get_priority()); if (p) { @@ -724,13 +739,21 @@ static void _AlertIP6_v2(Packet* p, const char*, Unified2Config* config, const E memset(&alertdata, 0, sizeof(alertdata)); alertdata.event_id = htonl(event->get_event_id()); - alertdata.event_second = htonl(event->ref_time.tv_sec); - alertdata.event_microsecond = htonl(event->ref_time.tv_usec); - alertdata.generator_id = htonl(event->sig_info->gid); - alertdata.signature_id = htonl(event->sig_info->sid); - alertdata.signature_revision = htonl(event->sig_info->rev); - alertdata.classification_id = htonl(event->sig_info->class_id); - alertdata.priority_id = htonl(event->sig_info->priority); + + uint32_t sec, usec; + event->get_timestamp(sec, usec); + alertdata.event_second = htonl(sec); + alertdata.event_microsecond = htonl(usec); + + uint32_t gid, sid, rev; + event->get_sig_ids(gid, sid, rev); + + alertdata.generator_id = htonl(gid); + alertdata.signature_id = htonl(sid); + alertdata.signature_revision = htonl(rev); + + alertdata.classification_id = htonl(event->get_class_id()); + alertdata.priority_id = htonl(event->get_priority()); if (p) { @@ -940,11 +963,14 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event) if (p->ptrs.ip_api.is_ip6()) { uint32_t tenant_id = p->pkth->tenant_id; + uint32_t sec = event.get_seconds(); + const SfIp* ip = p->ptrs.ip_api.get_src(); - _WriteExtraData(&config, p->obfuscator, event.get_event_id(), tenant_id, event.ref_time.tv_sec, + _WriteExtraData(&config, p->obfuscator, event.get_event_id(), tenant_id, sec, (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_SRC); + ip = p->ptrs.ip_api.get_dst(); - _WriteExtraData(&config, p->obfuscator, event.get_event_id(), tenant_id, event.ref_time.tv_sec, + _WriteExtraData(&config, p->obfuscator, event.get_event_id(), tenant_id, sec, (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_DST); } } @@ -954,18 +980,20 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event) } if ( p->flow ) - Stream::update_flow_alert( - p->flow, p, event.sig_info->gid, event.sig_info->sid, - event.get_event_id(), event.ref_time.tv_sec); + { + uint32_t sec = event.get_seconds(); + Stream::update_flow_alert(p->flow, p, event.get_gid(), event.get_sid(), event.get_event_id(), sec); + } if ( p->xtradata_mask ) { LogFunction* log_funcs; uint32_t max_count = Stream::get_xtra_data_map(log_funcs); + uint32_t sec = event.get_seconds(); if ( max_count > 0 ) AlertExtraData(p->flow, &config, log_funcs, max_count, p->xtradata_mask, - { /* gid */ 0, /* sid */ 0, event.get_event_id(), event.ref_time.tv_sec }); + { /* gid */ 0, /* sid */ 0, event.get_event_id(), sec }); } } @@ -977,11 +1005,13 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event) return; } alert_event(p, msg, &config, &event); + uint32_t sec = event.get_seconds(); + if ( p->flow ) - Stream::update_flow_alert( - p->flow, p, event.sig_info->gid, event.sig_info->sid, - event.get_event_id(), event.ref_time.tv_sec); + { + Stream::update_flow_alert( p->flow, p, event.get_gid(), event.get_sid(), event.get_event_id(), sec); + } if ( p->xtradata_mask ) { @@ -990,7 +1020,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event) if ( max_count > 0 ) AlertExtraData(p->flow, &config, log_funcs, max_count, p->xtradata_mask, - { /* gid */ 0, /* sid */ 0, event.get_event_id(), event.ref_time.tv_sec }); + { /* gid */ 0, /* sid */ 0, event.get_event_id(), sec }); } } diff --git a/src/main.cc b/src/main.cc index b6f21df8a..229235fd5 100644 --- a/src/main.cc +++ b/src/main.cc @@ -28,12 +28,13 @@ #include "control/control.h" #include "detection/signature.h" #include "framework/module.h" -#include "helpers/process.h" #include "helpers/ring.h" +#include "log/log_errors.h" #include "log/messages.h" #include "lua/lua.h" #include "main/analyzer.h" #include "main/analyzer_command.h" +#include "main/process.h" #include "main/reload_tracker.h" #include "main/shell.h" #include "main/snort.h" @@ -54,8 +55,9 @@ #include "trace/trace_api.h" #include "trace/trace_config.h" #include "trace/trace_logger.h" -#include "utils/util.h" #include "utils/safec.h" +#include "utils/stats.h" +#include "utils/util.h" #if defined(UNIT_TEST) || defined(BENCHMARK_TEST) #include "catch/unit_test.h" diff --git a/src/main/CMakeLists.txt b/src/main/CMakeLists.txt index 1c7d59edb..94c06f1f8 100644 --- a/src/main/CMakeLists.txt +++ b/src/main/CMakeLists.txt @@ -1,14 +1,11 @@ set (INCLUDES - analyzer.h analyzer_command.h policy.h reload_tracker.h reload_tuner.h - snort.h snort_config.h snort_types.h - swapper.h thread.h thread_config.h ) @@ -26,6 +23,7 @@ add_subdirectory(test) add_library (main OBJECT analyzer.cc + analyzer.h analyzer_command.cc help.cc help.h @@ -33,9 +31,12 @@ add_library (main OBJECT modules.h network_module.cc network_module.h + numa.h oops_handler.cc oops_handler.h policy.cc + process.cc + process.h reload_tracker.cc shell.h shell.cc @@ -45,6 +46,7 @@ add_library (main OBJECT snort_module.h snort_module.cc swapper.cc + swapper.h thread.cc thread_config.h thread_config.cc diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc index 7a951acd8..af72e6e9a 100644 --- a/src/main/analyzer.cc +++ b/src/main/analyzer.cc @@ -35,6 +35,7 @@ #include "detection/detect.h" #include "detection/detection_engine.h" #include "detection/ips_context.h" +#include "detection/event_trace.h" #include "detection/tag.h" #include "file_api/file_service.h" #include "filters/detection_filter.h" @@ -50,18 +51,19 @@ #include "main/swapper.h" #include "main.h" #include "managers/action_manager.h" +#include "managers/codec_manager.h" #include "managers/inspector_manager.h" #include "managers/ips_manager.h" #include "managers/event_manager.h" #include "managers/module_manager.h" #include "memory/memory_cap.h" #include "packet_io/active.h" +#include "packet_io/packet_tracer.h" #include "packet_io/sfdaq.h" #include "packet_io/sfdaq_config.h" #include "packet_io/sfdaq_instance.h" #include "packet_io/sfdaq_module.h" -#include "packet_tracer/packet_tracer.h" -#include "profiler/profiler.h" +#include "profiler/profiler_impl.h" #include "pub_sub/daq_message_event.h" #include "pub_sub/finalize_packet_event.h" #include "side_channel/side_channel.h" @@ -407,7 +409,7 @@ void Analyzer::process_daq_pkt_msg(DAQ_Msg_h msg, bool retry) Packet* p = switcher->get_context()->packet; p->context->wire_packet = p; - p->context->packet_number = get_packet_number(); + p->context->packet_number = pc.analyzed_pkts; select_default_policy(*pkthdr, p->context->conf); DetectionEngine::reset(); @@ -497,12 +499,6 @@ void Analyzer::process_retry_queue() /* * Public packet processing methods */ -bool Analyzer::inspect_rebuilt(Packet* p) -{ - DetectionEngine de; - return main_hook(p); -} - bool Analyzer::process_rebuilt_packet(Packet* p, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt, uint32_t pktlen) { @@ -631,7 +627,7 @@ void Analyzer::init_unprivileged() // to handle all trace log messages TraceApi::thread_init(sc->trace_config); - CodecManager::thread_init(sc); + CodecManager::thread_init(); // this depends on instantiated daq capabilities // so it is done here instead of init() diff --git a/src/main/analyzer.h b/src/main/analyzer.h index 54c28420a..e868d7334 100644 --- a/src/main/analyzer.h +++ b/src/main/analyzer.h @@ -76,7 +76,7 @@ public: NUM_STATES }; - SO_PUBLIC static Analyzer* get_local_analyzer(); + static Analyzer* get_local_analyzer(); static ContextSwitcher* get_switcher(); static void set_main_hook(MainHook_f); @@ -97,7 +97,6 @@ public: void post_process_packet(snort::Packet*); bool process_rebuilt_packet(snort::Packet*, const DAQ_PktHdr_t*, const uint8_t* pkt, uint32_t pktlen); - SO_PUBLIC bool inspect_rebuilt(snort::Packet*); void finalize_daq_message(DAQ_Msg_h, DAQ_Verdict); void add_to_retry_queue(DAQ_Msg_h, snort::Flow*); diff --git a/src/main/help.cc b/src/main/help.cc index fc0e4e9af..25278c10b 100644 --- a/src/main/help.cc +++ b/src/main/help.cc @@ -27,7 +27,7 @@ #include "framework/module.h" #include "helpers/markup.h" -#include "helpers/process.h" +#include "main/process.h" #include "managers/event_manager.h" #include "managers/inspector_manager.h" #include "managers/module_manager.h" diff --git a/src/main/modules.cc b/src/main/modules.cc index e6db41f74..448a5b984 100644 --- a/src/main/modules.cc +++ b/src/main/modules.cc @@ -32,6 +32,8 @@ #include "detection/fp_config.h" #include "detection/rules.h" #include "detection/tag.h" +#include "events/event_queue.h" +#include "file_api/file_policy.h" #include "file_api/file_service.h" #include "filters/detection_filter.h" #include "filters/rate_filter.h" @@ -39,7 +41,6 @@ #include "filters/sfthd.h" #include "filters/sfthreshold.h" #include "flow/ha_module.h" -#include "framework/file_policy.h" #include "framework/module.h" #include "host_tracker/host_tracker_module.h" #include "host_tracker/host_cache_module.h" @@ -50,8 +51,9 @@ #include "managers/plugin_manager.h" #include "memory/memory_module.h" #include "packet_io/active.h" +#include "packet_io/active_counts.h" +#include "packet_io/packet_tracer_module.h" #include "packet_io/sfdaq_module.h" -#include "packet_tracer/packet_tracer_module.h" #include "parser/config_file.h" #include "parser/parse_conf.h" #include "parser/parse_ip.h" @@ -225,7 +227,6 @@ const PegInfo mpse_pegs[] = { CountType::SUM, "total_unique", "total unique fast pattern hits" }, { CountType::SUM, "non_qualified_events", "total non-qualified events" }, { CountType::SUM, "qualified_events", "total qualified events" }, - { CountType::SUM, "searched_bytes", "total bytes searched" }, { CountType::END, nullptr, nullptr } }; @@ -699,7 +700,7 @@ public: { return active_pegs; } PegCount* get_counts() const override - { return (PegCount*) &active_counts; } + { return (PegCount*) get_active_counts(); } Usage get_usage() const override { return GLOBAL; } @@ -1649,9 +1650,9 @@ bool RateFilterModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("new_action") ) { - thdx.newAction = Actions::get_type(v.get_string()); + thdx.newAction = IpsAction::get_type(v.get_string()); - if ( !Actions::is_valid_action(thdx.newAction) ) + if ( !IpsAction::is_valid_action(thdx.newAction) ) ParseError("unknown new_action type rate_filter configuration %s", v.get_string()); } diff --git a/src/main/modules.h b/src/main/modules.h index 02edb222e..dc607a07c 100644 --- a/src/main/modules.h +++ b/src/main/modules.h @@ -25,8 +25,6 @@ // ideally, modules.cc would be refactored into several files. #include "framework/counts.h" -#include "main/thread.h" - void module_init(); const char* get_lua_defaults(); diff --git a/src/utils/util_numa.h b/src/main/numa.h similarity index 93% rename from src/utils/util_numa.h rename to src/main/numa.h index 95019f67c..2d9063f30 100644 --- a/src/utils/util_numa.h +++ b/src/main/numa.h @@ -15,12 +15,10 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// util_numa.h author Raza Shafiq +// numa.h author Raza Shafiq -#ifndef NUMA_UTILS_H -#define NUMA_UTILS_H - -#ifdef HAVE_NUMA +#ifndef NUMA_H +#define NUMA_H #include #include @@ -49,6 +47,7 @@ public: return set_mempolicy(mode, nodemask, maxnode); } }; + class HwlocWrapper { public: @@ -70,5 +69,5 @@ public: return hwloc_bitmap_intersects(set1, set2); } }; -#endif // HAVE_NUMA -#endif // NUMA_UTILS_H +#endif + diff --git a/src/main/policy.cc b/src/main/policy.cc index 312c37141..c6c3e10dd 100644 --- a/src/main/policy.cc +++ b/src/main/policy.cc @@ -25,9 +25,9 @@ #include "daq_common.h" -#include "actions/actions.h" #include "detection/detection_engine.h" -#include "framework/file_policy.h" +#include "file_api/file_policy.h" +#include "framework/ips_action.h" #include "framework/policy_selector.h" #include "js_norm/js_config.h" #include "log/messages.h" @@ -188,7 +188,7 @@ void InspectionPolicy::configure() // detection policy //------------------------------------------------------------------------- -IpsPolicy::IpsPolicy(PolicyId id) : action(Actions::get_max_types(), nullptr) +IpsPolicy::IpsPolicy(PolicyId id) : action(IpsAction::get_max_types(), nullptr) { policy_id = id; policy_mode = POLICY_MODE__MAX; diff --git a/src/helpers/process.cc b/src/main/process.cc similarity index 61% rename from src/helpers/process.cc rename to src/main/process.cc index 6540aa191..50b8cbbe1 100644 --- a/src/helpers/process.cc +++ b/src/main/process.cc @@ -23,6 +23,28 @@ #include "process.h" #include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef HAVE_HYPERSCAN +#include +#endif + +#ifdef HAVE_LZMA +#include +#endif + +#ifdef HAVE_JEMALLOC +#include +#endif #ifdef HAVE_LIBUNWIND #define UNW_LOCAL_ONLY @@ -34,20 +56,27 @@ #include #endif +extern "C" { +#include +} + #include +#include #include #include "log/messages.h" -#include "main.h" -#include "main/oops_handler.h" -#include "main/snort_config.h" +#include "helpers/markup.h" +#include "helpers/ring.h" +#include "helpers/sigsafe.h" +#include "packet_io/sfdaq.h" +#include "protocols/packet.h" // For NUM_IP_PROTOS #include "utils/cpp_macros.h" #include "utils/stats.h" #include "utils/util.h" -#include "markup.h" -#include "ring.h" -#include "sigsafe.h" +#include "main.h" +#include "oops_handler.h" +#include "snort_config.h" using namespace snort; @@ -604,3 +633,381 @@ void trim_heap() malloc_trim(0); #endif } + +//------------------------------------------------------------------------- +// other foo +//------------------------------------------------------------------------- + +// Store interesting data in memory that would not otherwise be visible +// in a CORE(5) file + +#ifdef BUILD + #define SNORT_VERSION_STRING ("### Snort Version " VERSION " Build " BUILD "\n") +#else + #define SNORT_VERSION_STRING ("### Snort Version " VERSION "\n") +#endif +#define SNORT_VERSION_STRLEN sizeof(SNORT_VERSION_STRING) +char __snort_version_string[SNORT_VERSION_STRLEN]; + +void StoreSnortInfoStrings() +{ + strncpy(__snort_version_string, SNORT_VERSION_STRING, + sizeof(__snort_version_string)); +} + +#undef SNORT_VERSION_STRING +#undef SNORT_VERSION_STRLEN + +int DisplayBanner() +{ + const char* ljv = LUAJIT_VERSION; + while ( *ljv && !isdigit(*ljv) ) + ++ljv; + + LogMessage("\n"); + LogMessage(" ,,_ -*> Snort++ <*-\n"); +#ifdef BUILD + LogMessage(" o\" )~ Version %s (Build %s)\n", VERSION, BUILD); +#else + LogMessage(" o\" )~ Version %s\n", VERSION); +#endif + LogMessage(" '''' By Martin Roesch & The Snort Team\n"); + LogMessage(" http://snort.org/contact#team\n"); + LogMessage(" Copyright (C) 2014-2024 Cisco and/or its affiliates." + " All rights reserved.\n"); + LogMessage(" Copyright (C) 1998-2013 Sourcefire, Inc., et al.\n"); + LogMessage(" Using DAQ version %s\n", daq_version_string()); +#ifdef HAVE_HYPERSCAN + LogMessage(" Using Hyperscan version %s\n", hs_version()); +#endif +#ifdef HAVE_JEMALLOC + const char* jv; + size_t sz = sizeof(jv); + mallctl("version", &jv, &sz, NULL, 0); + LogMessage(" Using Jemalloc version %s\n", jv); +#endif + LogMessage(" Using %s\n", pcap_lib_version()); + LogMessage(" Using LuaJIT version %s\n", ljv); +#ifdef HAVE_LZMA + LogMessage(" Using LZMA version %s\n", lzma_version_string()); +#endif + LogMessage(" Using %s\n", OpenSSL_version(SSLEAY_VERSION)); + LogMessage(" Using PCRE version %s\n", pcre_version()); + LogMessage(" Using ZLIB version %s\n", zlib_version); + + LogMessage("\n"); + + return 0; +} + +// get offset seconds from GMT +int gmt2local(time_t t) +{ + if (t == 0) + t = time(nullptr); + + struct tm gmt; + struct tm* lt = gmtime_r(&t, &gmt); + if (lt == nullptr) + return 0; + + struct tm loc; + localtime_r(&t, &loc); + + int dt = (loc.tm_hour - gmt.tm_hour) * 60 * 60 + + (loc.tm_min - gmt.tm_min) * 60; + + int dir = loc.tm_year - gmt.tm_year; + + if (dir == 0) + dir = loc.tm_yday - gmt.tm_yday; + + dt += dir * 24 * 60 * 60; + + return(dt); +} + +static FILE* pid_lockfile = nullptr; +static FILE* pid_file = nullptr; + +void CreatePidFile(pid_t pid) +{ + SnortConfig* sc = SnortConfig::get_main_conf(); + + sc->pid_filename = sc->log_dir; + sc->pid_filename += "/snort.pid"; + + std::string pid_lockfilename; + + if ( !sc->no_lock_pid_file() ) + { + pid_lockfilename = sc->pid_filename; + pid_lockfilename += ".lck"; + + /* First, lock the PID file */ + pid_lockfile = fopen(pid_lockfilename.c_str(), "w"); + + if ( pid_lockfile ) + { + struct flock lock; + int lock_fd = fileno(pid_lockfile); + + lock.l_type = F_WRLCK; + lock.l_whence = SEEK_SET; + lock.l_start = 0; + lock.l_len = 0; + + if (fcntl(lock_fd, F_SETLK, &lock) == -1) + { + ClosePidFile(); + ParseError("Failed to Lock PID File \"%s\" for PID \"%d\"", + sc->pid_filename.c_str(), (int)pid); + return; + } + } + } + + /* Okay, were able to lock PID file, now open and write PID */ + pid_file = fopen(sc->pid_filename.c_str(), "w"); + if (pid_file) + { + LogMessage("Writing PID \"%d\" to file \"%s\"\n", (int)pid, + sc->pid_filename.c_str()); + fprintf(pid_file, "%d\n", (int)pid); + fflush(pid_file); + } + else + { + if (pid_lockfile) + { + fclose(pid_lockfile); + pid_lockfile = nullptr; + } + const char* error = get_error(errno); + ErrorMessage("Failed to create pid file %s, Error: %s\n", + sc->pid_filename.c_str(), error); + sc->pid_filename.clear(); + } + if ( !pid_lockfilename.empty() ) + unlink(pid_lockfilename.c_str()); +} + +void ClosePidFile() +{ + if (pid_file) + { + fclose(pid_file); + pid_file = nullptr; + } + if (pid_lockfile) + { + fclose(pid_lockfile); + pid_lockfile = nullptr; + } +} + +// set safe UserID and GroupID, if needed +bool SetUidGid(int user_id, int group_id) +{ + // Were any changes requested? + if (group_id == -1 && user_id == -1) + return true; + + if (group_id != -1) + { + if (setgid(group_id) < 0) + { + ParseError("Cannot set GID: %d", group_id); + return false; + } + LogMessage("Set GID to %d\n", group_id); + } + + if (user_id != -1) + { + if (setuid(user_id) < 0) + { + ParseError("Cannot set UID: %d", user_id); + return false; + } + LogMessage("Set UID to %d\n", user_id); + } + + return true; +} + +// set the groups of the process based on the UserID with the GroupID added +void InitGroups(int user_id, int group_id) +{ + if ((user_id != -1) && (getuid() == 0)) + { + struct passwd* pw = getpwuid(user_id); // main thread only + + if (pw != nullptr) + { + /* getpwuid and initgroups may use the same static buffers */ + char* username = snort_strdup(pw->pw_name); + + if (initgroups(username, group_id) < 0) + ParseError("Can not initgroups(%s,%d)", username, group_id); + + snort_free(username); + } + + /** Just to be on the safe side... **/ + endgrent(); + endpwent(); + } +} + +//------------------------------------------------------------------------- + +// read the BPF filters in from a file, return the processed BPF string +std::string read_infile(const char* key, const char* fname) +{ + int fd = open(fname, O_RDONLY); + struct stat buf; + + if (fd < 0) + { + ErrorMessage("Failed to open file: %s with error: %s", fname, get_error(errno)); + return ""; + } + + if (fstat(fd, &buf) < 0) + { + ParseError("can't stat %s: %s", fname, get_error(errno)); + close(fd); + return ""; + } + + //check that its a regular file and not a directory or special file + if (!S_ISREG(buf.st_mode) ) + { + ParseError("not a regular file: %s", fname); + close(fd); + return ""; + } + + std::string line; + std::ifstream bpf_file(fname); + + if (bpf_file.is_open()) + { + std::stringstream file_content; + file_content << bpf_file.rdbuf(); + line = file_content.str(); + + bpf_file.close(); + } + else + { + ParseError("can't open file %s = %s: %s", key, fname, get_error(errno)); + close(fd); + return ""; + } + close(fd); + return line; +} + +typedef char PathBuf[PATH_MAX+1]; + +static const char* CurrentWorkingDir(PathBuf& buf) +{ + if ( !getcwd(buf, sizeof(buf)-1) ) + return nullptr; + + buf[sizeof(buf)-1] = '\0'; + return buf; +} + +static char* GetAbsolutePath(const char* dir, PathBuf& buf) +{ + assert(dir); + errno = 0; + + if ( !realpath(dir, buf) ) + { + LogMessage("Couldn't determine absolute path for '%s': %s\n", dir, get_error(errno)); + return nullptr; + } + + return buf; +} + +// Chroot and adjust the log_dir reference +bool EnterChroot(std::string& root_dir, std::string& log_dir) +{ + if (log_dir.empty()) + { + ParseError("Log directory not specified"); + return false; + } + PathBuf pwd; + PathBuf abs_log_dir; + + if ( !GetAbsolutePath(log_dir.c_str(), abs_log_dir) ) + return false; + + /* change to the desired root directory */ + if (chdir(root_dir.c_str()) != 0) + { + ParseError("EnterChroot: Can not chdir to \"%s\": %s", root_dir.c_str(), + get_error(errno)); + return false; + } + + /* always returns an absolute pathname */ + const char* abs_root_dir = CurrentWorkingDir(pwd); + if (!abs_root_dir) + { + ParseError("Couldn't retrieve current working directory"); + return false; + } + size_t abs_root_dir_len = strlen(abs_root_dir); + + if (strncmp(abs_root_dir, abs_log_dir, abs_root_dir_len)) + { + ParseError("Specified log directory is not contained with the chroot jail"); + return false; + } + + if (chroot(abs_root_dir) < 0) + { + ParseError("Can not chroot to \"%s\": absolute: %s: %s", + root_dir.c_str(), abs_root_dir, get_error(errno)); + return false; + } + + + /* Immediately change to the root directory of the jail. */ + if (chdir("/") < 0) + { + ParseError("Can not chdir to \"/\" after chroot: %s", + get_error(errno)); + return false; + } + + + if (abs_root_dir_len >= strlen(abs_log_dir)) + log_dir = "/"; + else + log_dir = abs_log_dir + abs_root_dir_len; + + + LogMessage("Chroot directory = %s\n", root_dir.c_str()); + + return true; +} + +#if defined(NOCOREFILE) +void SetNoCores() +{ + struct rlimit rlim; + + getrlimit(RLIMIT_CORE, &rlim); + rlim.rlim_max = 0; + setrlimit(RLIMIT_CORE, &rlim); +} +#endif + diff --git a/src/helpers/process.h b/src/main/process.h similarity index 77% rename from src/helpers/process.h rename to src/main/process.h index 60a6b3e78..77c236676 100644 --- a/src/helpers/process.h +++ b/src/main/process.h @@ -19,8 +19,11 @@ #ifndef PROCESS_H #define PROCESS_H +#include +#include #include "main/snort_types.h" + // process oriented services like signal handling, heap info, etc. enum PigSignal @@ -41,8 +44,8 @@ const char* get_signal_name(PigSignal); void init_signals(); void term_signals(); -SO_PUBLIC void install_oops_handler(); -SO_PUBLIC void remove_oops_handler(); +void install_oops_handler(); +void remove_oops_handler(); void help_signals(); void daemonize(); @@ -51,5 +54,23 @@ void set_main_thread(); void trim_heap(); +void StoreSnortInfoStrings(); +int DisplayBanner(); + +int gmt2local(time_t); +std::string read_infile(const char* key, const char* fname); + +void CreatePidFile(pid_t); +void ClosePidFile(); + +bool SetUidGid(int, int); +void InitGroups(int, int); + +bool EnterChroot(std::string& root_dir, std::string& log_dir); + +#if defined(NOCOREFILE) +void SetNoCores(); +#endif + #endif diff --git a/src/main/snort.cc b/src/main/snort.cc index 55e3a5c15..67590c2b7 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc @@ -38,15 +38,15 @@ #include "filters/sfthreshold.h" #include "flow/ha.h" #include "framework/mpse.h" -#include "helpers/process.h" #include "host_tracker/host_cache.h" #include "host_tracker/host_cache_segmented.h" #include "host_tracker/host_tracker_module.h" #include "ips_options/ips_options.h" #include "log/log.h" -#include "log/messages.h" +#include "log/log_errors.h" #include "loggers/loggers.h" #include "main.h" +#include "main/process.h" #include "main/shell.h" #include "managers/codec_manager.h" #include "managers/inspector_manager.h" @@ -76,6 +76,7 @@ #include "trace/trace_api.h" #include "trace/trace_config.h" #include "trace/trace_logger.h" +#include "utils/stats.h" #include "utils/util.h" #ifdef SHELL @@ -176,7 +177,7 @@ void Snort::init(int argc, char** argv) ModuleManager::reset_stats(sc); if (sc->alert_before_pass()) - sc->rule_order = Actions::get_default_priorities(true); + sc->rule_order = IpsAction::get_default_priorities(true); sc->setup(); @@ -210,6 +211,7 @@ void Snort::init(int argc, char** argv) /* Need to do this after dynamic detection stuff is initialized, too */ IpsManager::global_init(sc); + PacketManager::global_init(sc->num_layers); sc->post_setup(); sc->update_reload_id(); @@ -219,9 +221,10 @@ void Snort::init(int argc, char** argv) const MpseApi* search_api = sc->fast_pattern_config->get_search_api(); const MpseApi* offload_search_api = sc->fast_pattern_config->get_offload_search_api(); - MpseManager::activate_search_engine(search_api, sc); + if ( search_api ) + MpseManager::activate_search_engine(search_api, sc); - if ((offload_search_api != nullptr) and (offload_search_api != search_api)) + if ( offload_search_api and offload_search_api != search_api ) MpseManager::activate_search_engine(offload_search_api, sc); /* Finish up the pcap list and put in the queues */ @@ -361,7 +364,6 @@ void Snort::term() detection_filter_term(); term_signals(); - } void Snort::clean_exit(int) @@ -604,12 +606,3 @@ SnortConfig* Snort::get_updated_policy( return sc; } -OopsHandlerSuspend::OopsHandlerSuspend() -{ - remove_oops_handler(); -} - -OopsHandlerSuspend::~OopsHandlerSuspend() -{ - install_oops_handler(); -} diff --git a/src/main/snort.h b/src/main/snort.h index d04fccc80..0ce5186d7 100644 --- a/src/main/snort.h +++ b/src/main/snort.h @@ -24,8 +24,6 @@ // Snort is the top-level application class. #include -#include "main/snort_types.h" - class ContextSwitcher; namespace snort @@ -47,8 +45,8 @@ public: static void cleanup(); static bool has_dropped_privileges(); - SO_PUBLIC static bool is_reloading(); - inline SO_PUBLIC static bool is_exiting() { return already_exiting; } + static bool is_exiting() { return already_exiting; } + static bool is_reloading(); private: static void init(int, char**); @@ -62,14 +60,6 @@ private: static bool privileges_dropped; static bool already_exiting; }; - -// RAII-style mechanism for removal and reinstallation of Snort's crash handler -class SO_PUBLIC OopsHandlerSuspend -{ -public: - OopsHandlerSuspend(); - ~OopsHandlerSuspend(); -}; } #endif diff --git a/src/main/snort_config.cc b/src/main/snort_config.cc index afcd762b1..7464a2920 100644 --- a/src/main/snort_config.cc +++ b/src/main/snort_config.cc @@ -36,6 +36,7 @@ #include "detection/fp_create.h" #include "dump_config/json_config_output.h" #include "dump_config/text_config_output.h" +#include "events/event_queue.h" #include "file_api/file_service.h" #include "filters/detection_filter.h" #include "filters/rate_filter.h" @@ -44,10 +45,11 @@ #include "flow/ha_module.h" #include "framework/policy_selector.h" #include "hash/xhash.h" -#include "helpers/process.h" #include "host_tracker/host_cache_segmented.h" #include "latency/latency_config.h" #include "log/messages.h" +#include "main/policy.h" +#include "main/process.h" #include "managers/action_manager.h" #include "managers/event_manager.h" #include "managers/inspector_manager.h" @@ -265,7 +267,8 @@ SnortConfig::~SnortConfig() (fast_pattern_config->get_search_api() != get_conf()->fast_pattern_config->get_search_api())) ) { - MpseManager::stop_search_engine(fast_pattern_config->get_search_api()); + if ( fast_pattern_config->get_search_api() ) + MpseManager::stop_search_engine(fast_pattern_config->get_search_api()); } delete fast_pattern_config; @@ -308,7 +311,7 @@ void SnortConfig::setup() ParseRules(this); // Allocate evalOrder before calling the OrderRuleLists - evalOrder = new int[Actions::get_max_types()](); + evalOrder = new int[IpsAction::get_max_types()](); OrderRuleLists(this); @@ -1082,3 +1085,15 @@ const char* SnortConfig::get_static_name(const char* name) static_names.emplace(name, name); return static_names[name].c_str(); } + +int SnortConfig::get_classification_id(const char* name) +{ + auto& cls = get_conf()->classifications; + auto itr = cls.find(name); + + if (itr != cls.end()) + return itr->second->id; + + return 0; +} + diff --git a/src/main/snort_config.h b/src/main/snort_config.h index 5e661a690..52e713b10 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -30,13 +30,12 @@ #include #include -#include "actions/actions.h" -#include "events/event_queue.h" -#include "framework/bits.h" +#include "framework/inspector.h" +#include "framework/ips_action.h" #include "helpers/scratch_allocator.h" #include "main/policy.h" -#include "main/thread.h" #include "sfip/sf_cidr.h" +#include "utils/bits.h" #define DEFAULT_LOG_DIR "." @@ -544,10 +543,7 @@ public: uint16_t get_event_log_id() const { return event_log_id; } - bool process_all_events() const - { return event_queue_config->process_all_events; } - - int get_eval_index(Actions::Type type) const + int get_eval_index(IpsAction::Type type) const { return evalOrder[type]; } // output stuff @@ -739,6 +735,7 @@ public: { return logging_flags & LOGGING_FLAG__SHOW_PLUGINS; } SO_PUBLIC static const char* get_static_name(const char* name); + SO_PUBLIC static int get_classification_id(const char* name); }; } diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc index 3c7069d28..1d9032b0b 100644 --- a/src/main/snort_module.cc +++ b/src/main/snort_module.cc @@ -42,6 +42,7 @@ #include "parser/vars.h" #include "trace/trace_api.h" #include "trace/trace_config.h" +#include "utils/stats.h" #if defined(UNIT_TEST) || defined(BENCHMARK_TEST) #include "catch/unit_test.h" diff --git a/src/main/snort_module.h b/src/main/snort_module.h index a353da2f3..ffb27a34c 100644 --- a/src/main/snort_module.h +++ b/src/main/snort_module.h @@ -24,7 +24,7 @@ // the snort module is for handling command line args, // shell commands, and basic application stats -#include "main/thread.h" +#include "main/snort_types.h" namespace snort { diff --git a/src/main/snort_types.h b/src/main/snort_types.h index 823937fc8..c9567c537 100644 --- a/src/main/snort_types.h +++ b/src/main/snort_types.h @@ -65,6 +65,14 @@ typedef uint16_t Port; #endif #endif +// `__thread` is a gnu extension that at present is slightly faster than +// `thread_local` (possibly due to the lack of dynamic initialization) +#ifdef USE_THREAD_LOCAL +# define THREAD_LOCAL thread_local +#else +# define THREAD_LOCAL __thread +#endif + #if !defined(__GNUC__) || __GNUC__ < 2 || \ (__GNUC__ == 2 && __GNUC_MINOR__ < 5) #define __attribute__(x) /* delete __attribute__ if non-gcc or gcc1 */ diff --git a/src/main/swapper.h b/src/main/swapper.h index 844940876..34ced393f 100644 --- a/src/main/swapper.h +++ b/src/main/swapper.h @@ -31,7 +31,7 @@ struct SnortConfig; class Analyzer; -class SO_PUBLIC Swapper +class Swapper { public: Swapper(snort::SnortConfig*); diff --git a/src/main/test/distill_verdict_stubs.h b/src/main/test/distill_verdict_stubs.h index 5613c64c0..7bc5e90ad 100644 --- a/src/main/test/distill_verdict_stubs.h +++ b/src/main/test/distill_verdict_stubs.h @@ -18,8 +18,8 @@ // distill_verdict_stubs.h author Ron Dempster #include "detection/context_switcher.h" +#include "detection/detection_buf.h" #include "detection/detection_engine.h" -#include "detection/detection_util.h" #include "detection/ips_context.h" #include "detection/tag.h" #include "file_api/file_service.h" @@ -46,13 +46,13 @@ #include "main/swapper.h" #include "main/thread_config.h" #include "memory/memory_cap.h" -#include "network_inspectors/packet_tracer/packet_tracer.h" #include "packet_io/active.h" +#include "packet_io/packet_tracer.h" #include "packet_io/sfdaq.h" #include "packet_io/sfdaq_instance.h" #include "packet_io/sfdaq_module.h" -#include "profiler/profiler.h" -#include "profiler/profiler_defs.h" +#include "profiler/profiler_impl.h" +#include "profiler/time_profiler_defs.h" #include "protocols/packet.h" #include "protocols/packet_manager.h" #include "side_channel/side_channel.h" @@ -65,6 +65,8 @@ THREAD_LOCAL DAQStats daq_stats; THREAD_LOCAL bool RuleContext::enabled = false; +THREAD_LOCAL bool snort::TimeProfilerStats::enabled; +THREAD_LOCAL snort::PacketTracer* snort::PacketTracer::s_pkt_trace; void Profiler::start() { } void Profiler::stop(uint64_t) { } @@ -97,7 +99,7 @@ void RuleLatency::tterm() { } void PacketLatency::tterm() { } void SideChannelManager::thread_init() { } void SideChannelManager::thread_term() { } -void CodecManager::thread_init(const snort::SnortConfig*) { } +void CodecManager::thread_init() { } void CodecManager::thread_term() { } void EventManager::open_outputs() { } void EventManager::close_outputs() { } @@ -126,9 +128,6 @@ void select_default_policy(const _daq_flow_stats&, const snort::SnortConfig*) { namespace snort { static struct timeval s_packet_time = { 0, 0 }; -THREAD_LOCAL PacketTracer* s_pkt_trace; -THREAD_LOCAL TimeContext* ProfileContext::curr_time = nullptr; -THREAD_LOCAL bool TimeProfilerStats::enabled = false; THREAD_LOCAL PacketCount pc; void packet_gettimeofday(struct timeval* tv) { *tv = s_packet_time; } diff --git a/src/main/thread.h b/src/main/thread.h index a0f03377f..972e41a37 100644 --- a/src/main/thread.h +++ b/src/main/thread.h @@ -26,17 +26,6 @@ #include "main/snort_types.h" -#define THREAD_LOCAL_TBD -//#define THREAD_LOCAL // for single-threaded debugging - -// `__thread` is a gnu extension that at present is slightly faster than -// `thread_local` (possibly due to the lack of dynamic initialization) -#ifdef USE_THREAD_LOCAL -# define THREAD_LOCAL thread_local -#else -# define THREAD_LOCAL __thread -#endif - enum SThreadType { STHREAD_TYPE_OTHER, diff --git a/src/main/thread_config.cc b/src/main/thread_config.cc index 07c7249ca..072816f0b 100644 --- a/src/main/thread_config.cc +++ b/src/main/thread_config.cc @@ -31,14 +31,14 @@ #include "time/periodic.h" #include "utils/util.h" -#ifdef HAVE_NUMA -#include "utils/util_numa.h" -#endif - #ifdef UNIT_TEST #include "catch/snort_catch.h" #endif +#ifdef HAVE_NUMA +#include "numa.h" +#endif + using namespace snort; using namespace std; diff --git a/src/managers/CMakeLists.txt b/src/managers/CMakeLists.txt index f4db4a872..d748f99e4 100644 --- a/src/managers/CMakeLists.txt +++ b/src/managers/CMakeLists.txt @@ -8,23 +8,19 @@ set (CPP_INCLUDES ${CMAKE_CURRENT_BINARY_DIR}/lua_coreinit.h ) -set( MANAGERS_INCLUDES - codec_manager.h - event_manager.h - inspector_manager.h -) - add_subdirectory(test) add_library( managers OBJECT ${LUA_INCLUDES} - ${MANAGERS_INCLUDES} ${CPP_INCLUDES} action_manager.h action_manager.cc codec_manager.cc + codec_manager.h event_manager.cc + event_manager.h inspector_manager.cc + inspector_manager.h ips_manager.cc ips_manager.h lua_plugin_defs.h @@ -58,10 +54,6 @@ add_custom_command ( include_directories (${CMAKE_CURRENT_BINARY_DIR}) -install (FILES ${MANAGERS_INCLUDES} - DESTINATION "${INCLUDE_INSTALL_PATH}/managers" -) - install (FILES ${LUA_INCLUDES} DESTINATION "${INCLUDE_INSTALL_PATH}/lua" ) diff --git a/src/managers/action_manager.cc b/src/managers/action_manager.cc index 939c0abac..0537684c0 100644 --- a/src/managers/action_manager.cc +++ b/src/managers/action_manager.cc @@ -59,13 +59,13 @@ struct IpsActionsConfig }; using ACList = vector; -using ACTypeList = unordered_map; +using ACTypeList = unordered_map; using ACPriorityList = map>; static ACList s_actors; static ACTypeList s_act_types; static ACPriorityList s_act_priorities; -static Actions::Type s_act_index = 0; +static IpsAction::Type s_act_index = 0; static THREAD_LOCAL ACList* s_tl_actors = nullptr; @@ -81,12 +81,12 @@ void ActionManager::add_plugin(const ActionApi* api) s_act_priorities.emplace(api->priority, api->base.name); } -std::string ActionManager::get_action_string(Actions::Type action) +std::string ActionManager::get_action_string(IpsAction::Type action) { if ( action < s_act_index ) { auto it = std::find_if(s_act_types.cbegin(), s_act_types.cend(), - [action](const std::pair& type){ return type.second == action; }); + [action](const std::pair& type){ return type.second == action; }); if ( it != s_act_types.cend()) return (*it).first; } @@ -94,7 +94,7 @@ std::string ActionManager::get_action_string(Actions::Type action) return "ERROR"; } -Actions::Type ActionManager::get_action_type(const char* s) +IpsAction::Type ActionManager::get_action_type(const char* s) { auto type = s_act_types.find(s); @@ -104,7 +104,7 @@ Actions::Type ActionManager::get_action_type(const char* s) return get_max_action_types(); } -Actions::Type ActionManager::get_max_action_types() +IpsAction::Type ActionManager::get_max_action_types() { return s_act_index; } @@ -218,7 +218,7 @@ void ActionManager::instantiate(const ActionApi* api, Module* mod, SnortConfig* if ( !ips ) ips = get_ips_policy(); - Actions::Type idx = rln->mode; + IpsAction::Type idx = rln->mode; if (ips->action[idx] == nullptr) { ips->action[idx] = act; diff --git a/src/managers/action_manager.h b/src/managers/action_manager.h index 987a38077..13e1be934 100644 --- a/src/managers/action_manager.h +++ b/src/managers/action_manager.h @@ -24,14 +24,12 @@ // which is just a single response deferred until end of current packet // processing. -#include "actions/actions.h" #include "framework/ips_action.h" #include "framework/module.h" namespace snort { struct ActionApi; -class IpsAction; struct SnortConfig; struct Packet; } @@ -54,9 +52,9 @@ public: snort::SnortConfig*, IpsPolicy* ips = nullptr ); static void initialize_policies(snort::SnortConfig*); - static std::string get_action_string(Actions::Type); - static Actions::Type get_action_type(const char*); - static Actions::Type get_max_action_types(); + static std::string get_action_string(snort::IpsAction::Type); + static snort::IpsAction::Type get_action_type(const char*); + static snort::IpsAction::Type get_max_action_types(); static std::string get_action_priorities(bool); static void thread_init(const snort::SnortConfig*); diff --git a/src/managers/codec_manager.cc b/src/managers/codec_manager.cc index 9580882b7..8bcadf2ab 100644 --- a/src/managers/codec_manager.cc +++ b/src/managers/codec_manager.cc @@ -49,7 +49,6 @@ std::array CodecManager::s_protocols { THREAD_LOCAL ProtocolId CodecManager::grinder_id = ProtocolId::ETHERTYPE_NOT_SET; THREAD_LOCAL uint8_t CodecManager::grinder = 0; -THREAD_LOCAL uint8_t CodecManager::max_layers = DEFAULT_LAYERMAX; // This is hardcoded into Snort++ extern const CodecApi* default_codec; @@ -134,7 +133,7 @@ void CodecManager::release_plugins() s_proto_map.fill(0); } -void CodecManager::instantiate(CodecApiWrapper& wrap, Module* m, SnortConfig*) +void CodecManager::instantiate(CodecApiWrapper& wrap, Module* m) { if (!wrap.init) { @@ -168,10 +167,10 @@ void CodecManager::instantiate(CodecApiWrapper& wrap, Module* m, SnortConfig*) } } -void CodecManager::instantiate(const CodecApi* cd_api, Module* m, SnortConfig* sc) +void CodecManager::instantiate(const CodecApi* cd_api, Module* m) { CodecApiWrapper& wrap = get_api_wrapper(cd_api); - instantiate(wrap, m, sc); + instantiate(wrap, m); } void CodecManager::instantiate() @@ -179,20 +178,18 @@ void CodecManager::instantiate() CodecApiWrapper tmp_wrap; tmp_wrap.api = default_codec; tmp_wrap.init = false; - instantiate(tmp_wrap, nullptr, nullptr); + instantiate(tmp_wrap, nullptr); // default codec is the api ... I want the codec. s_protocols[0] = s_protocols[get_codec(default_codec->base.name)]; // and instantiate every codec which does not have a module for (CodecApiWrapper& wrap : s_codecs) - instantiate(wrap, nullptr, nullptr); + instantiate(wrap, nullptr); } -void CodecManager::thread_init(const SnortConfig* sc) +void CodecManager::thread_init() { - max_layers = sc->num_layers; - for ( CodecApiWrapper& wrap : s_codecs ) if (wrap.api->tinit) wrap.api->tinit(); diff --git a/src/managers/codec_manager.h b/src/managers/codec_manager.h index 1faa8fec7..302e27d4e 100644 --- a/src/managers/codec_manager.h +++ b/src/managers/codec_manager.h @@ -26,7 +26,7 @@ #include #include -#include "main/thread.h" +#include "main/snort_types.h" #include "protocols/protocol_ids.h" namespace snort @@ -36,7 +36,6 @@ struct CodecApi; class Module; class PacketManager; struct ProfileStats; -struct SnortConfig; } //------------------------------------------------------------------------- @@ -54,31 +53,27 @@ public: // global plugin initializer static void add_plugin(const struct snort::CodecApi*); // instantiate a specific codec with a codec specific Module - static void instantiate(const snort::CodecApi*, snort::Module*, snort::SnortConfig*); + static void instantiate(const snort::CodecApi*, snort::Module*); // instantiate any codec for which a module has not been provided. static void instantiate(); // destroy all global codec related information static void release_plugins(); // initialize the current threads DLT and Packet struct - static void thread_init(const snort::SnortConfig*); + static void thread_init(); // destroy thread_local data static void thread_term(); // print all of the codec plugins static void dump_plugins(); - static uint8_t get_max_layers() - { return max_layers; } - private: struct CodecApiWrapper; static std::vector s_codecs; static std::array s_proto_map; - static std::array s_protocols; + static std::array s_protocols; static THREAD_LOCAL ProtocolId grinder_id; static THREAD_LOCAL ProtocolIndex grinder; - static THREAD_LOCAL uint8_t max_layers; /* * Private helper functions. These are all declared here @@ -86,7 +81,7 @@ private: */ // Private struct defined in an anonymous namespace. - static void instantiate(CodecApiWrapper&, snort::Module*, snort::SnortConfig*); + static void instantiate(CodecApiWrapper&, snort::Module*); static CodecApiWrapper& get_api_wrapper(const snort::CodecApi* cd_api); static uint8_t get_codec(const char* const keyword); }; diff --git a/src/managers/event_manager.h b/src/managers/event_manager.h index 4b5173678..bc9dd4af9 100644 --- a/src/managers/event_manager.h +++ b/src/managers/event_manager.h @@ -37,7 +37,7 @@ struct LogApi; struct Packet; struct SnortConfig; } -struct Event; +class Event; struct OutputSet; //------------------------------------------------------------------------- diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc index aa58eb756..e07d19a28 100644 --- a/src/managers/inspector_manager.cc +++ b/src/managers/inspector_manager.cc @@ -28,12 +28,12 @@ #include #include "binder/bind_module.h" -#include "detection/detect.h" #include "detection/detection_engine.h" #include "detection/fp_utils.h" -#include "flow/expect_cache.h" +#include "flow/expect_flow.h" #include "flow/flow.h" #include "flow/session.h" +#include "log/log_stats.h" #include "log/messages.h" #include "main/shell.h" #include "main/snort.h" @@ -293,7 +293,7 @@ void InspectorList::tterm(PHObjectList* handlers) void InspectorList::tterm_removed() { for ( auto& ri : removed_ilist ) - ri.instance->tterm(ri.handlers[Inspector::slot]); + ri.instance->tterm(ri.handlers[Inspector::get_slot()]); } static PHInstance* get_instance(InspectorList* il, const char* keyword); @@ -459,12 +459,13 @@ void TrafficPolicy::vectorize(SnortConfig*) PHObjectList* TrafficPolicy::get_specific_handlers() { + unsigned slot = Inspector::get_slot(); assert(ts_handlers); - PHObjectList* handlers = ts_handlers->olists[Inspector::slot]; + PHObjectList* handlers = ts_handlers->olists[slot]; if (!handlers) { handlers = new PHObjectList; - ts_handlers->olists[Inspector::slot] = handlers; + ts_handlers->olists[slot] = handlers; } return handlers; } @@ -606,7 +607,7 @@ void SingleInstanceInspectorPolicy::tterm(PHObjectList* handlers) void SingleInstanceInspectorPolicy::tterm_removed() { if (removed_instance) - removed_instance->tterm(s_tl_handlers[Inspector::slot]); + removed_instance->tterm(s_tl_handlers[Inspector::get_slot()]); } void SingleInstanceInspectorPolicy::print_config(SnortConfig* sc, const char* title) @@ -1120,17 +1121,6 @@ void InspectorManager::update_policy(SnortConfig* sc) } } -Binder* InspectorManager::get_binder() -{ - InspectionPolicy* pi = get_inspection_policy(); - - if ( !pi ) - return nullptr; - - assert(pi->framework_policy); - return (Binder*)pi->framework_policy->binder; -} - void InspectorManager::clear_removed_inspectors(SnortConfig* sc) { SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id(); @@ -1210,158 +1200,7 @@ void InspectorManager::reconcile_inspectors(const SnortConfig* old, SnortConfig* } } -Inspector* InspectorManager::get_file_inspector(const SnortConfig* sc) -{ - if ( !sc ) - sc = SnortConfig::get_conf(); - SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id(); - return fid->instance ? fid->instance->handler : nullptr; -} - -// FIXIT-P cache get_inspector() returns or provide indexed lookup -Inspector* InspectorManager::get_inspector(const char* key, bool dflt_only, const SnortConfig* snort_config) -{ - InspectionPolicy* pi; - NetworkPolicy* ni; - - const SnortConfig* sc = snort_config; - if ( !sc ) - sc = SnortConfig::get_conf(); - assert(sc); - if ( dflt_only ) - { - ni = get_default_network_policy(sc); - pi = ni->get_inspection_policy(0); - } - else - { - pi = get_inspection_policy(); - // During reload, get_network_policy will return the network policy from the new snort config - // for a given tenant - ni = get_network_policy(); - if (!snort_config) - { - // If no snort config is passed in, it means that this is either a normally running system with - // the correct network policy set or that get_inspector is being called from Inspector::configure - // and it is expecting the inspector from the running configuration and not the new snort config - if (ni) - { - PolicyMap* pm = sc->policy_map; - NetworkPolicy* np = pm->get_user_network(ni->user_policy_id); - if (np) - { - // If network policy is correct, then no need to change the inspection policy - if (np != ni && pi) - pi = np->get_user_inspection_policy(pi->user_policy_id); - ni = np; - } - else - pi = nullptr; - } - else - pi = nullptr; - } - } - - if ( pi ) - { - PHInstance* p = get_instance(pi->framework_policy, key); - if ( p ) - return p->handler; - } - - if ( ni && ni->traffic_policy ) - { - PHInstance* p = get_instance(ni->traffic_policy, key); - if ( p ) - return p->handler; - } - - GlobalInspectorPolicy* pp = sc->policy_map->get_global_inspector_policy(); - PHInstance* p = get_instance(pp, key); - if ( p ) - return p->handler; - - SingleInstanceInspectorPolicy* ft = sc->policy_map->get_flow_tracking(); - if ( ft->instance && ft->instance->name == key ) - return ft->instance->handler; - - SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id(); - if ( fid->instance && fid->instance->name == key ) - return fid->instance->handler; - - return nullptr; -} - -Inspector* InspectorManager::get_inspector(const char* key, Module::Usage usage, InspectorType type) -{ - const SnortConfig* sc = SnortConfig::get_conf(); - if (!sc) - return nullptr; - - if (Module::GLOBAL == usage && IT_FILE == type) - { - SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id(); - assert(fid); - return (fid->instance && fid->instance->name == key) ? fid->instance->handler : nullptr; - } - else if (Module::GLOBAL == usage && IT_STREAM == type) - { - SingleInstanceInspectorPolicy* ft = sc->policy_map->get_flow_tracking(); - assert(ft); - return (ft->instance && ft->instance->name == key) ? ft->instance->handler : nullptr; - } - else - { - if (Module::GLOBAL == usage && IT_SERVICE != type) - { - GlobalInspectorPolicy* il = sc->policy_map->get_global_inspector_policy(); - assert(il); - PHInstance* p = il->get_instance_by_type(key, type); - return p ? p->handler : nullptr; - } - else if (Module::CONTEXT == usage) - { - NetworkPolicy* np = get_network_policy(); - if (!np) - return nullptr; - PolicyMap* pm = sc->policy_map; - np = pm->get_user_network(np->user_policy_id); - if (!np) - return nullptr; - TrafficPolicy* il = np->traffic_policy; - assert(il); - PHInstance* p = il->get_instance_by_type(key, type); - return p ? p->handler : nullptr; - } - else - { - NetworkPolicy* orig_np = get_network_policy(); - if (!orig_np) - return nullptr; - PolicyMap* pm = sc->policy_map; - NetworkPolicy* np = pm->get_user_network(orig_np->user_policy_id); - if (!np) - return nullptr; - InspectionPolicy* ip = get_inspection_policy(); - if (!ip) - return nullptr; - // If network policy is correct, then no need to change the inspection policy - if (np != orig_np) - { - ip = np->get_user_inspection_policy(ip->user_policy_id); - if (!ip) - return nullptr; - } - FrameworkPolicy* il = ip->framework_policy; - assert(il); - PHInstance* p = il->get_instance_by_type(key, type); - return p ? p->handler : nullptr; - } - } -} - -Inspector* InspectorManager::get_service_inspector_by_service(const char* key) +Inspector* InspectorManager::get_service_inspector(const char* key) { InspectionPolicy* pi = get_inspection_policy(); @@ -1373,7 +1212,7 @@ Inspector* InspectorManager::get_service_inspector_by_service(const char* key) return (g != pi->framework_policy->inspector_cache_by_service.end()) ? g->second : nullptr; } -Inspector* InspectorManager::get_service_inspector_by_id(const SnortProtocolId protocol_id) +Inspector* InspectorManager::get_service_inspector(const SnortProtocolId protocol_id) { InspectionPolicy* pi = get_inspection_policy(); @@ -1504,11 +1343,13 @@ void PHInstance::tterm(PHObjectList* handlers) void InspectorManager::thread_init(const SnortConfig* sc) { SnortConfig::update_thread_reload_id(); +#ifndef _WIN64 Inspector::slot = get_instance_id(); +#endif // Initial build out of this thread's configured plugin registry PHObjectList* g_handlers = new PHObjectList; - s_tl_handlers[Inspector::slot] = g_handlers; + s_tl_handlers[Inspector::get_slot()] = g_handlers; for ( auto* p : sc->framework_config->clist ) { PHObject& phg = get_thread_local_plugin(p->api, g_handlers); @@ -1551,7 +1392,7 @@ void InspectorManager::thread_reinit(const SnortConfig* sc) sc->policy_map->set_inspector_tinit_complete(instance_id, true); // Update this thread's configured plugin registry with any newly configured inspectors - PHObjectList* g_handlers = s_tl_handlers[Inspector::slot]; + PHObjectList* g_handlers = s_tl_handlers[Inspector::get_slot()]; for ( auto* p : sc->framework_config->clist ) { PHObject& phg = get_thread_local_plugin(p->api, g_handlers); @@ -1621,7 +1462,7 @@ void InspectorManager::thread_stop_removed(const SnortConfig* sc) void InspectorManager::thread_stop(const SnortConfig* sc) { // If thread_init() was never called, we have nothing to do. - PHObjectList* g_handlers = s_tl_handlers[Inspector::slot]; + PHObjectList* g_handlers = s_tl_handlers[Inspector::get_slot()]; if ( !g_handlers ) return; @@ -1653,7 +1494,7 @@ void InspectorManager::thread_stop(const SnortConfig* sc) void InspectorManager::thread_term() { // If thread_init() was never called, we have nothing to do. - PHObjectList* handlers = s_tl_handlers[Inspector::slot]; + PHObjectList* handlers = s_tl_handlers[Inspector::get_slot()]; if ( !handlers ) return; @@ -1664,7 +1505,7 @@ void InspectorManager::thread_term() phg.api.tterm(); } delete handlers; - s_tl_handlers[Inspector::slot] = nullptr; + s_tl_handlers[Inspector::get_slot()] = nullptr; } //------------------------------------------------------------------------- @@ -1806,24 +1647,6 @@ static bool configure(SnortConfig* sc, InspectorList* il, bool cloned, bool& new return ok; } -Inspector* InspectorManager::acquire_file_inspector() -{ - Inspector* pi = get_file_inspector(); - - if ( !pi ) - FatalError("unconfigured file inspector\n"); - else - pi->add_global_ref(); - - return pi; -} - -void InspectorManager::release(Inspector* pi) -{ - assert(pi); - pi->rem_global_ref(); -} - bool InspectorManager::configure(SnortConfig* sc, bool cloned) { if ( !s_sorted ) @@ -2290,3 +2113,183 @@ void InspectorManager::clear(Packet* p) p->context->clear_inspectors = false; } +Inspector* InspectorManager::get_binder() +{ + InspectionPolicy* pi = get_inspection_policy(); + + if ( !pi ) + return nullptr; + + assert(pi->framework_policy); + return pi->framework_policy->binder; +} + +Inspector* InspectorManager::get_file_inspector(const SnortConfig* sc) +{ + if ( !sc ) + sc = SnortConfig::get_conf(); + SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id(); + return fid->instance ? fid->instance->handler : nullptr; +} + +Inspector* InspectorManager::acquire_file_inspector() +{ + Inspector* pi = get_file_inspector(); + + if ( !pi ) + FatalError("unconfigured file inspector\n"); + else + pi->add_global_ref(); + + return pi; +} + +// FIXIT-P cache get_inspector() returns or provide indexed lookup +Inspector* InspectorManager::get_inspector(const char* key, bool dflt_only, const SnortConfig* snort_config) +{ + InspectionPolicy* pi; + NetworkPolicy* ni; + + const SnortConfig* sc = snort_config; + if ( !sc ) + sc = SnortConfig::get_conf(); + assert(sc); + if ( dflt_only ) + { + ni = get_default_network_policy(sc); + pi = ni->get_inspection_policy(0); + } + else + { + pi = get_inspection_policy(); + // During reload, get_network_policy will return the network policy from the new snort config + // for a given tenant + ni = get_network_policy(); + if (!snort_config) + { + // If no snort config is passed in, it means that this is either a normally running system with + // the correct network policy set or that get_inspector is being called from Inspector::configure + // and it is expecting the inspector from the running configuration and not the new snort config + if (ni) + { + PolicyMap* pm = sc->policy_map; + NetworkPolicy* np = pm->get_user_network(ni->user_policy_id); + if (np) + { + // If network policy is correct, then no need to change the inspection policy + if (np != ni && pi) + pi = np->get_user_inspection_policy(pi->user_policy_id); + ni = np; + } + else + pi = nullptr; + } + else + pi = nullptr; + } + } + + if ( pi ) + { + PHInstance* p = get_instance(pi->framework_policy, key); + if ( p ) + return p->handler; + } + + if ( ni && ni->traffic_policy ) + { + PHInstance* p = get_instance(ni->traffic_policy, key); + if ( p ) + return p->handler; + } + + GlobalInspectorPolicy* pp = sc->policy_map->get_global_inspector_policy(); + PHInstance* p = get_instance(pp, key); + if ( p ) + return p->handler; + + SingleInstanceInspectorPolicy* ft = sc->policy_map->get_flow_tracking(); + if ( ft->instance && ft->instance->name == key ) + return ft->instance->handler; + + SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id(); + if ( fid->instance && fid->instance->name == key ) + return fid->instance->handler; + + return nullptr; +} + +Inspector* InspectorManager::get_inspector(const char* key, Module::Usage usage, InspectorType type) +{ + const SnortConfig* sc = SnortConfig::get_conf(); + if (!sc) + return nullptr; + + if (Module::GLOBAL == usage && IT_FILE == type) + { + SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id(); + assert(fid); + return (fid->instance && fid->instance->name == key) ? fid->instance->handler : nullptr; + } + else if (Module::GLOBAL == usage && IT_STREAM == type) + { + SingleInstanceInspectorPolicy* ft = sc->policy_map->get_flow_tracking(); + assert(ft); + return (ft->instance && ft->instance->name == key) ? ft->instance->handler : nullptr; + } + else + { + if (Module::GLOBAL == usage && IT_SERVICE != type) + { + GlobalInspectorPolicy* il = sc->policy_map->get_global_inspector_policy(); + assert(il); + PHInstance* p = il->get_instance_by_type(key, type); + return p ? p->handler : nullptr; + } + else if (Module::CONTEXT == usage) + { + NetworkPolicy* np = get_network_policy(); + if (!np) + return nullptr; + PolicyMap* pm = sc->policy_map; + np = pm->get_user_network(np->user_policy_id); + if (!np) + return nullptr; + TrafficPolicy* il = np->traffic_policy; + assert(il); + PHInstance* p = il->get_instance_by_type(key, type); + return p ? p->handler : nullptr; + } + else + { + NetworkPolicy* orig_np = get_network_policy(); + if (!orig_np) + return nullptr; + PolicyMap* pm = sc->policy_map; + NetworkPolicy* np = pm->get_user_network(orig_np->user_policy_id); + if (!np) + return nullptr; + InspectionPolicy* ip = get_inspection_policy(); + if (!ip) + return nullptr; + // If network policy is correct, then no need to change the inspection policy + if (np != orig_np) + { + ip = np->get_user_inspection_policy(ip->user_policy_id); + if (!ip) + return nullptr; + } + FrameworkPolicy* il = ip->framework_policy; + assert(il); + PHInstance* p = il->get_instance_by_type(key, type); + return p ? p->handler : nullptr; + } + } +} + +void InspectorManager::release(Inspector* pi) +{ + assert(pi); + pi->rem_global_ref(); +} + diff --git a/src/managers/inspector_manager.h b/src/managers/inspector_manager.h index 62ee48dd0..032a6179e 100644 --- a/src/managers/inspector_manager.h +++ b/src/managers/inspector_manager.h @@ -78,23 +78,6 @@ public: static void destroy_global_inspector_policy(GlobalInspectorPolicy*, bool cloned); static InspectSsnFunc get_session(uint16_t proto); - SO_PUBLIC static Inspector* get_file_inspector(const SnortConfig* = nullptr); - - // This assumes that, in a multi-tenant scenario, this is called with the correct network and inspection - // policies are set correctly - SO_PUBLIC static Inspector* get_inspector(const char* key, bool dflt_only = false, const SnortConfig* = nullptr); - - // This cannot be called in or before the inspector configure phase for a new snort config during reload - SO_PUBLIC static Inspector* get_inspector(const char* key, Module::Usage, InspectorType); - - SO_PUBLIC static Inspector* get_service_inspector_by_service(const char*); - static Inspector* get_service_inspector_by_id(const SnortProtocolId); - - SO_PUBLIC static Binder* get_binder(); - - SO_PUBLIC static Inspector* acquire_file_inspector(); - SO_PUBLIC static void release(Inspector*); - static bool configure(SnortConfig*, bool cloned = false); static void prepare_inspectors(SnortConfig*); static void prepare_controls(SnortConfig*); @@ -116,6 +99,23 @@ public: static void reconcile_inspectors(const SnortConfig*, SnortConfig*, bool cloned = false); static void clear_removed_inspectors(SnortConfig*); + static Inspector* get_binder(); + + static Inspector* acquire_file_inspector(); + static Inspector* get_file_inspector(const SnortConfig* = nullptr); + + static Inspector* get_service_inspector(const SnortProtocolId); + static Inspector* get_service_inspector(const char*); + + // This assumes that, in a multi-tenant scenario, this is called with the correct network and inspection + // policies are set correctly + static Inspector* get_inspector(const char* key, bool dflt_only = false, const SnortConfig* = nullptr); + + // This cannot be called in or before the inspector configure phase for a new snort config during reload + static Inspector* get_inspector(const char* key, Module::Usage, InspectorType); + + static void release(Inspector*); + private: static void bumble(Packet*); template static void full_inspection(Packet*); diff --git a/src/managers/ips_manager.cc b/src/managers/ips_manager.cc index d3c13aa21..80af347a1 100644 --- a/src/managers/ips_manager.cc +++ b/src/managers/ips_manager.cc @@ -28,6 +28,7 @@ #include "detection/fp_detect.h" #include "detection/treenodes.h" +#include "framework/ips_info.h" #include "log/messages.h" #include "main/snort_config.h" @@ -300,7 +301,8 @@ IpsOption* IpsManager::option_end( return nullptr; } - IpsOption* ips = opt->api->ctor(mod, otn); + IpsInfo info(otn, sc); + IpsOption* ips = opt->api->ctor(mod, info); type = opt->api->type; current_keyword.clear(); diff --git a/src/managers/module_manager.cc b/src/managers/module_manager.cc index 32747e352..2a8366b50 100644 --- a/src/managers/module_manager.cc +++ b/src/managers/module_manager.cc @@ -45,7 +45,7 @@ #include "managers/inspector_manager.h" #include "parser/parse_conf.h" #include "parser/parser.h" -#include "profiler/profiler.h" +#include "profiler/profiler_impl.h" #include "protocols/packet_manager.h" #include "utils/util.h" diff --git a/src/managers/plugin_manager.cc b/src/managers/plugin_manager.cc index 429db50a3..ea83dc4bf 100644 --- a/src/managers/plugin_manager.cc +++ b/src/managers/plugin_manager.cc @@ -28,11 +28,7 @@ #include #include -#include "framework/codec.h" -#include "framework/connector.h" -#include "framework/logger.h" -#include "framework/mpse.h" -#include "framework/policy_selector.h" +#include "framework/plugins.h" #include "helpers/directory.h" #include "helpers/markup.h" #include "log/messages.h" @@ -155,11 +151,9 @@ static void set_key(string& key, Symbol* sym, const char* name) static bool compatible_builds(const char* plug_opts) { const char* snort_opts = API_OPTIONS; + assert(snort_opts); - if ( !snort_opts and !plug_opts ) - return true; - - if ( !snort_opts or !plug_opts ) + if ( !plug_opts ) return false; if ( strcmp(snort_opts, plug_opts) ) @@ -180,7 +174,10 @@ static bool register_plugin( const BaseApi* api, SoHandlePtr handle, const char* file, SnortConfig* sc) { if ( api->type >= PT_MAX ) + { + ParseWarning(WARN_PLUGINS, "%s: invalid plugin type: %u", file, (unsigned)api->type); return false; + } Symbol* sym = symbols + api->type; @@ -250,12 +247,8 @@ static void load_list( static bool load_lib(const char* file, SnortConfig* sc) { - struct stat fs; void* handle; - if ( stat(file, &fs) || !(fs.st_mode & S_IFREG) ) - return false; - if ( !(handle = dlopen(file, RTLD_NOW|RTLD_LOCAL)) ) { if ( const char* err = dlerror() ) @@ -349,8 +342,10 @@ static void load_plugins(const std::string& paths, SnortConfig* sc = nullptr) for ( auto& path : path_list ) { if ( stat(path.c_str(), &sb) ) + { + ParseWarning(WARN_PLUGINS, "%s: can't get file status", path.c_str()); continue; - + } if ( sb.st_mode & S_IFDIR ) { Directory d(path.c_str(), lib_pattern); @@ -358,13 +353,15 @@ static void load_plugins(const std::string& paths, SnortConfig* sc = nullptr) while ( const char* f = d.next() ) load_lib(f, sc); } - else + else if ( sb.st_mode & S_IFREG ) { if ( path.find("/") == string::npos ) path = "./" + path; load_lib(path.c_str(), sc); } + else + ParseWarning(WARN_PLUGINS, "%s: not a directory or regular file", path.c_str()); } } @@ -516,7 +513,7 @@ void PluginManager::instantiate( switch ( api->type ) { case PT_CODEC: - CodecManager::instantiate((const CodecApi*)api, mod, sc); + CodecManager::instantiate((const CodecApi*)api, mod); break; case PT_INSPECTOR: diff --git a/src/managers/policy_selector_manager.cc b/src/managers/policy_selector_manager.cc index 1446f0e0d..d6053d6e0 100644 --- a/src/managers/policy_selector_manager.cc +++ b/src/managers/policy_selector_manager.cc @@ -29,6 +29,7 @@ #include "framework/policy_selector.h" #include "framework/module.h" #include "main/snort_config.h" +#include "log/log_stats.h" #include "log/messages.h" #include "utils/util.h" diff --git a/src/managers/so_manager.cc b/src/managers/so_manager.cc index cca82ba26..d12a73512 100644 --- a/src/managers/so_manager.cc +++ b/src/managers/so_manager.cc @@ -350,7 +350,6 @@ static const char* sp_help = "a proxy inspector to track flow data from SO rules class SoProxy : public Inspector { public: - void eval(Packet*) override { } bool configure(SnortConfig* sc) override { copy(sc->so_rules->handles.begin(), sc->so_rules->handles.end(), back_inserter(handles)); diff --git a/src/managers/test/get_inspector_stubs.h b/src/managers/test/get_inspector_stubs.h index 27e80aefe..21a48ad68 100644 --- a/src/managers/test/get_inspector_stubs.h +++ b/src/managers/test/get_inspector_stubs.h @@ -18,7 +18,7 @@ // stubs.h author Ron Dempster #include "detection/detection_engine.h" -#include "flow/expect_cache.h" +#include "flow/expect_flow.h" #include "main/policy.h" #include "main/snort.h" #include "main/snort_config.h" @@ -45,19 +45,24 @@ void update_buffer_map(const char**, const char*) { } namespace snort { -unsigned THREAD_LOCAL Inspector::slot = 0; [[noreturn]] void FatalError(const char*,...) { exit(-1); } void LogMessage(const char*, ...) { } void LogLabel(const char*, FILE*) { } void ParseError(const char*, ...) { } void WarningMessage(const char*, ...) { } + DataBus::DataBus() { } DataBus::~DataBus() { } void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { } unsigned DataBus::get_id(const PubKey&) { return 0; } + void DetectionEngine::disable_content(Packet*) { } + unsigned SnortConfig::get_thread_reload_id() { return 1; } void SnortConfig::update_thread_reload_id() { } + +THREAD_LOCAL unsigned Inspector::slot = 0; +bool Inspector::is_inactive() { return true; } Inspector::Inspector() { ref_count = nullptr; } Inspector::~Inspector() { } bool Inspector::likes(Packet*) { return false; } @@ -69,6 +74,7 @@ void Inspector::rem_global_ref() { } void Inspector::allocate_thread_storage() { } void Inspector::copy_thread_storage(snort::Inspector*) { } const char* InspectApi::get_type(InspectorType) { return ""; } + unsigned ThreadConfig::get_instance_max() { return 1; } bool Snort::is_reloading() { return false; } SnortProtocolId ProtocolReference::find(const char*) const { return UNKNOWN_PROTOCOL_ID; } @@ -79,7 +85,7 @@ PegCount Module::get_global_count(const char*) const { return 0; } void Module::sum_stats(bool) { } void Module::init_stats(bool) { } void Module::main_accumulate_stats() { } -void Module::show_interval_stats(IndexVec&, FILE*) { } +void Module::show_interval_stats(std::vector&, FILE*) { } void Module::show_stats() { } void Module::reset_stats() { } Module* ModuleManager::get_module(const char*) { return nullptr; } diff --git a/src/managers/test/get_inspector_test.cc b/src/managers/test/get_inspector_test.cc index 56bd7ccf6..2a3016a3d 100644 --- a/src/managers/test/get_inspector_test.cc +++ b/src/managers/test/get_inspector_test.cc @@ -31,8 +31,6 @@ using namespace snort; -bool Inspector::is_inactive() { return true; } - NetworkPolicy* snort::get_network_policy() { return (NetworkPolicy*)mock().getData("network_policy").getObjectPointer(); } NetworkPolicy* PolicyMap::get_user_network(uint64_t) const @@ -97,7 +95,6 @@ class TestInspector : public Inspector public: TestInspector() = default; ~TestInspector() override = default; - void eval(Packet*) override { } }; class TestModule : public Module diff --git a/src/memory/heap_interface.cc b/src/memory/heap_interface.cc index f438b0966..88dbd345f 100644 --- a/src/memory/heap_interface.cc +++ b/src/memory/heap_interface.cc @@ -33,7 +33,6 @@ #include "control/control.h" #include "log/messages.h" -#include "main/thread.h" namespace memory { diff --git a/src/memory/memory_cap.cc b/src/memory/memory_cap.cc index 225499994..a157f3f97 100644 --- a/src/memory/memory_cap.cc +++ b/src/memory/memory_cap.cc @@ -30,6 +30,7 @@ #include #include +#include "log/log_stats.h" #include "log/messages.h" #include "main/snort_config.h" #include "main/snort_types.h" diff --git a/src/memory/memory_overloads.cc b/src/memory/memory_overloads.cc index f56d21288..69083ecf5 100644 --- a/src/memory/memory_overloads.cc +++ b/src/memory/memory_overloads.cc @@ -26,8 +26,6 @@ #include -#include "main/snort.h" -#include "main/thread.h" #include "profiler/memory_profiler_active_context.h" #include "memory_allocator.h" diff --git a/src/memory/test/memory_cap_test.cc b/src/memory/test/memory_cap_test.cc index 403cb39ea..8d26a6ce7 100644 --- a/src/memory/test/memory_cap_test.cc +++ b/src/memory/test/memory_cap_test.cc @@ -64,10 +64,6 @@ unsigned get_instance_id() THREAD_LOCAL const Trace* memory_trace = nullptr; -void Periodic::register_handler(PeriodicHook, void*, uint16_t, uint32_t) { } - -void Profiler::register_module(const char*, const char*, snort::Module*) { } - void ModuleManager::accumulate_module(const char*) { } //-------------------------------------------------------------------------- diff --git a/src/mime/CMakeLists.txt b/src/mime/CMakeLists.txt index 31f0f119b..0ce5353f1 100644 --- a/src/mime/CMakeLists.txt +++ b/src/mime/CMakeLists.txt @@ -3,7 +3,6 @@ set( MIME_INCLUDES decode_b64.h decode_base.h file_mime_config.h - file_mime_context_data.h file_mime_decode.h file_mime_log.h file_mime_paf.h @@ -12,14 +11,8 @@ set( MIME_INCLUDES add_library ( mime OBJECT ${MIME_INCLUDES} - file_mime_config.cc - file_mime_context_data.cc - file_mime_decode.cc - file_mime_log.cc - file_mime_paf.cc - file_mime_process.cc - decode_base.cc decode_b64.cc + decode_base.cc decode_bit.cc decode_bit.h decode_buffer.cc @@ -28,6 +21,13 @@ add_library ( mime OBJECT decode_qp.h decode_uu.cc decode_uu.h + file_mime_config.cc + file_mime_context_data.cc + file_mime_context_data.h + file_mime_decode.cc + file_mime_log.cc + file_mime_paf.cc + file_mime_process.cc ) install (FILES ${MIME_INCLUDES} diff --git a/src/mime/decode_b64.h b/src/mime/decode_b64.h index 91d150c47..db4490770 100644 --- a/src/mime/decode_b64.h +++ b/src/mime/decode_b64.h @@ -44,10 +44,7 @@ namespace snort { // FIXIT-L inbuf should probably be const uint8_t* SO_PUBLIC int sf_base64decode( - uint8_t* inbuf, uint32_t inbuf_size, - uint8_t* outbuf, uint32_t outbuf_size, - uint32_t* bytes_written - ); + uint8_t* inbuf, uint32_t inbuf_size, uint8_t* outbuf, uint32_t outbuf_size, uint32_t* bytes_written); } #endif diff --git a/src/network_inspectors/CMakeLists.txt b/src/network_inspectors/CMakeLists.txt index deefca433..0b7b881e6 100644 --- a/src/network_inspectors/CMakeLists.txt +++ b/src/network_inspectors/CMakeLists.txt @@ -5,7 +5,6 @@ add_subdirectory(binder) add_subdirectory(kaizen) add_subdirectory(normalize) add_subdirectory(packet_capture) -add_subdirectory(packet_tracer) add_subdirectory(perf_monitor) add_subdirectory(port_scan) add_subdirectory(reputation) @@ -24,7 +23,6 @@ set(STATIC_NETWORK_INSPECTOR_PLUGINS $ $ $ - $ $ $ $ diff --git a/src/network_inspectors/appid/app_info_table.h b/src/network_inspectors/appid/app_info_table.h index a0f27ce25..5ddbef5c3 100644 --- a/src/network_inspectors/appid/app_info_table.h +++ b/src/network_inspectors/appid/app_info_table.h @@ -29,7 +29,6 @@ #include "flow/flow.h" #include "framework/counts.h" -#include "main/thread.h" #include "target_based/snort_protocols.h" #include "utils/util.h" diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc index 65fb7ce48..f7ccfec66 100644 --- a/src/network_inspectors/appid/appid_api.cc +++ b/src/network_inspectors/appid/appid_api.cc @@ -252,8 +252,7 @@ const AppIdSessionApi* AppIdApi::get_appid_session_api(const Flow& flow) const bool AppIdApi::is_inspection_needed(const Inspector& inspector) const { - AppIdInspector* appid_inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, - true); + AppIdInspector* appid_inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true); if (!appid_inspector) return false; @@ -269,7 +268,7 @@ bool AppIdApi::is_inspection_needed(const Inspector& inspector) const const char* AppIdApi::get_appid_detector_directory() const { - AppIdInspector* inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true); + AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true); if (!inspector) return ""; diff --git a/src/network_inspectors/appid/appid_debug.h b/src/network_inspectors/appid/appid_debug.h index e1e99db64..dc6ad2859 100644 --- a/src/network_inspectors/appid/appid_debug.h +++ b/src/network_inspectors/appid/appid_debug.h @@ -22,6 +22,7 @@ #ifndef APPID_DEBUG_H #define APPID_DEBUG_H +#include #include #include @@ -29,7 +30,6 @@ #include "detection/detection_engine.h" #include "protocols/ipv6.h" #include "protocols/protocol_ids.h" -#include "main/thread.h" #include "sfip/sf_ip.h" class AppIdSession; diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index b766cbea9..b43e71e23 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc @@ -27,7 +27,8 @@ #include "host_tracker/host_cache.h" #include "host_tracker/host_cache_segmented.h" -#include "packet_tracer/packet_tracer.h" +#include "log/messages.h" +#include "packet_io/packet_tracer.h" #include "profiler/profiler.h" #include "protocols/packet.h" #include "protocols/tcp.h" @@ -67,7 +68,7 @@ static void populate_trace_data(AppIdSession& session) PacketTracer::daq_log("AppID+%" PRId64"++service: %s(%d), " "client: %s(%d), payload: %s(%d), misc: %s(%d)$", - TO_NSECS(pt_timer->get()), + PacketTracer::get_time(), (service_app_name ? service_app_name : ""), service_id, (client_app_name ? client_app_name : ""), client_id, (payload_app_name ? payload_app_name : ""), payload_id, diff --git a/src/network_inspectors/appid/appid_ha.cc b/src/network_inspectors/appid/appid_ha.cc index 109e4f592..4900cce4f 100644 --- a/src/network_inspectors/appid/appid_ha.cc +++ b/src/network_inspectors/appid/appid_ha.cc @@ -66,8 +66,8 @@ bool AppIdHAAppsClient::consume(Flow*& flow, const FlowKey* key, HAMessage& msg, return false; AppIdInspector* inspector = - static_cast( - InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type)); + static_cast(InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type)); + if (!inspector or !pkt_thread_odp_ctxt) return false; @@ -227,8 +227,8 @@ bool AppIdHAHttpClient::consume(Flow*& flow, const FlowKey* key, HAMessage& msg, return false; AppIdInspector* inspector = - static_cast( - InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type)); + static_cast(InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type)); + if (!inspector or !pkt_thread_odp_ctxt) return false; @@ -315,8 +315,8 @@ bool AppIdHATlsHostClient::consume(Flow*& flow, const FlowKey* key, HAMessage& m return false; AppIdInspector* inspector = - static_cast( - InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type)); + static_cast(InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type)); + if (!inspector or !pkt_thread_odp_ctxt) return false; diff --git a/src/network_inspectors/appid/appid_http_event_handler.cc b/src/network_inspectors/appid/appid_http_event_handler.cc index 32a580707..194af5077 100644 --- a/src/network_inspectors/appid/appid_http_event_handler.cc +++ b/src/network_inspectors/appid/appid_http_event_handler.cc @@ -30,6 +30,8 @@ #include #include "detection/detection_engine.h" +#include "flow/stream_flow.h" + #include "app_info_table.h" #include "app_cpu_profile_table.h" #include "appid_debug.h" diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index ea17d1562..ad1a5ff94 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc @@ -30,9 +30,9 @@ #include "flow/flow.h" #include "main/analyzer_command.h" -#include "managers/inspector_manager.h" +#include "main/snort_config.h" #include "managers/module_manager.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "profiler/profiler.h" #include "pub_sub/appid_event_ids.h" #include "pub_sub/intrinsic_event_ids.h" @@ -237,7 +237,7 @@ void AppIdInspector::eval(Packet* p) if (p->flow) { if (PacketTracer::is_daq_activated()) - PacketTracer::pt_timer_start(); + PacketTracer::restart_timer(); AppIdDiscovery::do_application_discovery(p, *this, *pkt_thread_odp_ctxt, pkt_thread_tp_appid_ctxt); // FIXIT-L tag verdict reason as appid for daq diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index abdcde5e7..c6c4c85f0 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc @@ -344,7 +344,8 @@ static int reload_third_party(lua_State* L) return 0; } - AppIdInspector* inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME); + AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true); + if (!inspector) { ReloadTracker::failed(ctrlcon, "appid not enabled"); @@ -442,7 +443,8 @@ static int reload_detectors(lua_State* L) ctrlcon->respond("== reload pending; retry\n"); return 0; } - AppIdInspector* inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME); + AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true); + if (!inspector) { ctrlcon->respond("== reload detectors failed - appid not enabled\n"); diff --git a/src/network_inspectors/appid/appid_peg_counts.cc b/src/network_inspectors/appid/appid_peg_counts.cc index 92bab107f..2bd77928e 100644 --- a/src/network_inspectors/appid/appid_peg_counts.cc +++ b/src/network_inspectors/appid/appid_peg_counts.cc @@ -34,10 +34,11 @@ #include #include +#include "framework/inspector.h" +#include "log/log_stats.h" #include "log/messages.h" -#include "main/thread.h" +#include "main/thread_config.h" #include "trace/trace.h" -#include "utils/stats.h" #include "app_info_table.h" #include "appid_debug.h" diff --git a/src/network_inspectors/appid/appid_peg_counts.h b/src/network_inspectors/appid/appid_peg_counts.h index 6134f959b..ce40543f0 100644 --- a/src/network_inspectors/appid/appid_peg_counts.h +++ b/src/network_inspectors/appid/appid_peg_counts.h @@ -36,6 +36,8 @@ #include "application_ids.h" #include "framework/counts.h" +#include "log/messages.h" +#include "utils/util.h" struct AppIdStats { diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc index 1c9ff2555..cc5e58e5b 100644 --- a/src/network_inspectors/appid/appid_session_api.cc +++ b/src/network_inspectors/appid/appid_session_api.cc @@ -26,7 +26,6 @@ #include "appid_session_api.h" #include "flow/ha.h" -#include "managers/inspector_manager.h" #include "appid_inspector.h" #include "appid_peg_counts.h" #include "appid_session.h" @@ -38,13 +37,12 @@ using namespace snort; -THREAD_LOCAL uint32_t AppIdSessionApi::appid_flow_data_id = 0; +static THREAD_LOCAL uint32_t appid_flow_data_id = 0; AppIdSessionApi::AppIdSessionApi(const AppIdSession* asd, const SfIp& ip) : - StashGenericObject(STASH_GENERIC_OBJECT_APPID), asd(asd), initiator_ip(ip) -{ - session_id = std::to_string(get_instance_id()) + "." + std::to_string(++appid_flow_data_id); -} + StashGenericObject(STASH_GENERIC_OBJECT_APPID), asd(asd), initiator_ip(ip), + session_id(std::to_string(get_instance_id()) + "." + std::to_string(++appid_flow_data_id)) +{ } AppId AppIdSessionApi::get_service_app_id() const { diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h index 6d72078b7..fd6c4e12f 100644 --- a/src/network_inspectors/appid/appid_session_api.h +++ b/src/network_inspectors/appid/appid_session_api.h @@ -186,8 +186,6 @@ private: ClientAppDescriptor client; PayloadAppDescriptor payload; - static THREAD_LOCAL uint32_t appid_flow_data_id; - void set_ss_application_ids(AppId service, AppId client, AppId payload, AppId misc, AppId referred, AppidChangeBits& change_bits, Flow& flow); void set_ss_application_ids(AppId client, AppId payload, AppidChangeBits& change_bits, Flow& flow); diff --git a/src/network_inspectors/appid/appid_types.h b/src/network_inspectors/appid/appid_types.h index d953594bb..39f13c0fa 100644 --- a/src/network_inspectors/appid/appid_types.h +++ b/src/network_inspectors/appid/appid_types.h @@ -17,7 +17,7 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// appid_session.h author Sourcefire Inc. +// appid_types.h author Sourcefire Inc. #ifndef APPID_TYPES_H #define APPID_TYPES_H diff --git a/src/network_inspectors/appid/appid_utils/sf_mlmp.cc b/src/network_inspectors/appid/appid_utils/sf_mlmp.cc index 441eefdf4..0f9d26862 100644 --- a/src/network_inspectors/appid/appid_utils/sf_mlmp.cc +++ b/src/network_inspectors/appid/appid_utils/sf_mlmp.cc @@ -23,6 +23,8 @@ #include "config.h" #endif +#include + #include "sf_mlmp.h" #include "search_engines/search_tool.h" diff --git a/src/network_inspectors/appid/client_plugins/client_app_bit.cc b/src/network_inspectors/appid/client_plugins/client_app_bit.cc index b2292e9b5..724771e42 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_bit.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_bit.cc @@ -37,6 +37,8 @@ static const char BIT_BANNER[] = "\023BitTorrent protocol"; #define MAX_VER_LEN 4 #define LAST_BANNER_OFFSET (BIT_BANNER_LEN+RES_LEN+SHA_LEN+PEER_ID_LEN - 1) +namespace +{ enum BITState { BIT_STATE_BANNER = 0, @@ -64,6 +66,7 @@ struct ClientBITMsg uint8_t code; }; #pragma pack() +} // anonymous BitClientDetector::BitClientDetector(ClientDiscovery* cdm) { diff --git a/src/network_inspectors/appid/client_plugins/client_app_bit_tracker.cc b/src/network_inspectors/appid/client_plugins/client_app_bit_tracker.cc index 63e5b3c31..3c9e7ff5a 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_bit_tracker.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_bit_tracker.cc @@ -42,6 +42,8 @@ static const char UDP_BIT_COMMON_END[] = "1:y1:"; #define UDP_BIT_COMMON_END_LEN (sizeof(UDP_BIT_COMMON_END)-1) #define UDP_BIT_END_LEN (UDP_BIT_COMMON_END_LEN+2) +namespace +{ enum BITState { BIT_STATE_BANNER = 0, @@ -65,6 +67,7 @@ struct ClientBITData BITType type; unsigned pos; }; +} // anonymous BitTrackerClientDetector::BitTrackerClientDetector(ClientDiscovery* cdm) { diff --git a/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc b/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc index d9d6a85f7..29c9d075c 100644 --- a/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc +++ b/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc @@ -26,6 +26,7 @@ #include +#include "log/messages.h" #include "managers/inspector_manager.h" #include "utils/util.h" #include "appid_debug.h" @@ -115,7 +116,7 @@ void EveCaPatternMatchers::finalize_patterns() #ifdef REG_TEST AppIdInspector* inspector = - (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true); + (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true); if (inspector and inspector->get_ctxt().config.log_eve_process_client_mappings) appid_log(nullptr, TRACE_INFO_LEVEL, "Adding EVE Client App pattern %d %s %d\n", p->app_id, p->pattern.c_str(), p->confidence); diff --git a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc index f8b939388..f877d6681 100644 --- a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc +++ b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc @@ -144,6 +144,8 @@ static const char GOOGLE_TB_PATTERN[] = "toolbarqueries.google.com"; #define COMPATIBLE_BROWSER_STRING " (Compat)" +namespace +{ struct MatchedPatterns { DetectorHTTPPattern* mpattern; @@ -152,6 +154,7 @@ struct MatchedPatterns // matching character. MatchedPatterns* next; }; +} static DetectorHTTPPatterns static_content_type_patterns = { diff --git a/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc b/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc index e9f4e6a60..eb6719e2d 100644 --- a/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc +++ b/src/network_inspectors/appid/detector_plugins/ssl_patterns.cc @@ -81,7 +81,7 @@ static int cname_pattern_match(void* id, void*, int match_end_pos, void* data, v } return 0; } -/* +/* Only patterns that match end of the payload AND (match the start of the payload or match after '.' @@ -116,7 +116,7 @@ static bool scan_patterns(SearchTool& matcher, const uint8_t* data, size_t size, if (!mp) return false; - + MatchedSslPatterns* tmp = mp; while (tmp) diff --git a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h index 3ec89ef90..c9a397094 100644 --- a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h +++ b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h @@ -85,7 +85,7 @@ char* snort_strdup(const char* str) // LCOV_EXCL_START DiscoveryFilter::~DiscoveryFilter(){} void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } // LCOV_EXCL_STOP #ifndef SIP_UNIT_TEST @@ -95,12 +95,6 @@ public: AppIdInspector(AppIdModule&) { } ~AppIdInspector() override = default; bool configure(snort::SnortConfig*) override; -// LCOV_EXCL_START - void eval(Packet*) override { } - void show(const SnortConfig*) const override { } - void tinit() override { } - void tterm() override { } -// LCOV_EXCL_STOP private: AppIdContext* ctxt = nullptr; }; diff --git a/src/network_inspectors/appid/host_port_app_cache.cc b/src/network_inspectors/appid/host_port_app_cache.cc index db0761f49..1b9db1941 100644 --- a/src/network_inspectors/appid/host_port_app_cache.cc +++ b/src/network_inspectors/appid/host_port_app_cache.cc @@ -26,8 +26,10 @@ #include #include "host_port_app_cache.h" -#include "main/thread.h" + +#include "log/messages.h" #include "managers/inspector_manager.h" + #include "appid_config.h" #include "appid_debug.h" #include "appid_inspector.h" @@ -125,9 +127,9 @@ bool HostPortCache::add(const SnortConfig* sc, const SfIp* ip, uint16_t port, Ip HostPortVal hv; hk.ip = *ip; - AppIdInspector* inspector = - (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, false, sc); + AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true, sc); assert(inspector); + const AppIdContext& ctxt = inspector->get_ctxt(); hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_host_cache)? 0 : port; hk.proto = proto; @@ -180,9 +182,9 @@ bool HostPortCache::add_host(const SnortConfig* sc, const SfIp* ip, uint32_t* ne HostAppIdsVal hv; hk.ip = *ip; - AppIdInspector* inspector = - (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, false, sc); + AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true, sc); assert(inspector); + const AppIdContext& ctxt = inspector->get_ctxt(); hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_host_cache)? 0 : port; hk.proto = proto; @@ -206,9 +208,9 @@ bool HostPortCache::add_host(const SnortConfig* sc, const SfIp* ip, uint32_t* ne memcpy(&hk.netmask[0], netmask, 16); - AppIdInspector* inspector = - (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, false, sc); + AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true, sc); assert(inspector); + const AppIdContext& ctxt = inspector->get_ctxt(); hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_host_cache)? 0 : port; hk.proto = proto; diff --git a/src/network_inspectors/appid/ips_appid_option.cc b/src/network_inspectors/appid/ips_appid_option.cc index 2a888a756..a5753dc1f 100644 --- a/src/network_inspectors/appid/ips_appid_option.cc +++ b/src/network_inspectors/appid/ips_appid_option.cc @@ -237,7 +237,7 @@ static void appid_option_mod_dtor(Module* m) delete m; } -static IpsOption* appid_option_ips_ctor(Module* p, OptTreeNode*) +static IpsOption* appid_option_ips_ctor(Module* p, IpsInfo&) { AppIdOptionModule* m = (AppIdOptionModule*)p; return new AppIdIpsOption(m->appid_table); diff --git a/src/network_inspectors/appid/lua_detector_module.cc b/src/network_inspectors/appid/lua_detector_module.cc index 554f810d8..439e4d465 100644 --- a/src/network_inspectors/appid/lua_detector_module.cc +++ b/src/network_inspectors/appid/lua_detector_module.cc @@ -33,6 +33,7 @@ #include #include "log/messages.h" +#include "main/snort_config.h" #include "appid_config.h" #include "appid_debug.h" diff --git a/src/network_inspectors/appid/lua_detector_module.h b/src/network_inspectors/appid/lua_detector_module.h index b8a46fd95..85582240f 100644 --- a/src/network_inspectors/appid/lua_detector_module.h +++ b/src/network_inspectors/appid/lua_detector_module.h @@ -30,7 +30,6 @@ #include #include -#include "main/thread.h" #include "main/thread_config.h" #include "protocols/protocol_ids.h" diff --git a/src/network_inspectors/appid/service_plugins/alpn_patterns.cc b/src/network_inspectors/appid/service_plugins/alpn_patterns.cc index e8462a6b0..5be483617 100644 --- a/src/network_inspectors/appid/service_plugins/alpn_patterns.cc +++ b/src/network_inspectors/appid/service_plugins/alpn_patterns.cc @@ -26,6 +26,7 @@ #include +#include "log/messages.h" #include "managers/inspector_manager.h" #include "utils/util.h" #include "appid_debug.h" @@ -105,7 +106,7 @@ void AlpnPatternMatchers::finalize_patterns() #ifdef REG_TEST AppIdInspector* inspector = - (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true); + (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true); if (inspector and inspector->get_ctxt().config.log_alpn_service_mappings) appid_log(nullptr, TRACE_INFO_LEVEL, "Adding ALPN service App pattern %d %s\n", p->app_id, p->pattern.c_str()); diff --git a/src/network_inspectors/appid/service_plugins/test/service_netbios_test.cc b/src/network_inspectors/appid/service_plugins/test/service_netbios_test.cc deleted file mode 100644 index 7843ad9e0..000000000 --- a/src/network_inspectors/appid/service_plugins/test/service_netbios_test.cc +++ /dev/null @@ -1,99 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2020-2024 Cisco and/or its affiliates. All rights reserved. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// service_netbios_test.cc author Kani Murthi -// unit test for service_netbios -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include "network_inspectors/appid/service_plugins/service_detector.cc" -#include "network_inspectors/appid/service_plugins/service_netbios.cc" -#include "protocols/packet.h" -#include "service_plugin_mock.h" - -#include -#include -#include - -void ServiceDiscovery::initialize(AppIdInspector&) {} -void ServiceDiscovery::reload() {} -void ServiceDiscovery::finalize_service_patterns() {} -void ServiceDiscovery::match_by_pattern(AppIdSession&, const Packet*, IpProtocol) {} -void ServiceDiscovery::get_port_based_services(IpProtocol, uint16_t, AppIdSession&) {} -void ServiceDiscovery::get_next_service(const Packet*, const AppidSessionDirection, AppIdSession&) -{} -int ServiceDiscovery::identify_service(AppIdSession&, Packet*, AppidSessionDirection, - AppidChangeBits&) { return 0; } -int ServiceDiscovery::add_ftp_service_state(AppIdSession&) { return 0; } -bool ServiceDiscovery::do_service_discovery(AppIdSession&, Packet*, AppidSessionDirection, - AppidChangeBits&) { return false; } -int ServiceDiscovery::incompatible_data(AppIdSession&, const Packet*,AppidSessionDirection, - ServiceDetector*) { return 0; } -int ServiceDiscovery::fail_service(AppIdSession&, const Packet*, AppidSessionDirection, - ServiceDetector*, ServiceDiscoveryState*) { return 0; } -int ServiceDiscovery::add_service_port(AppIdDetector*, - const ServiceDetectorPort&) { return APPID_EINVALID; } -void AppIdSessionApi::set_netbios_name(AppidChangeBits&, const char*) {} -void AppIdSessionApi::set_netbios_domain(AppidChangeBits&, const char*) {} - -TEST_GROUP(service_netbios_test){}; - -TEST(service_netbios_test, check_add_smb_info_pointer ) -{ - const uint8_t data[] = { 0x11, 0x02, 0x45, 0x63, 0xac, 0x1f, 0x13, 0x49, 0x00, 0x8a, 0x00, 0xd7, - 0x00, 0x00, 0x20, 0x45, 0x50, 0x45, 0x4c, 0x45, 0x4a, 0x43, 0x4e, 0x44, 0x42, 0x44, 0x46, - 0x45, 0x46, 0x44, 0x47, 0x45, 0x43, 0x45, 0x44, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, - 0x41, 0x43, 0x41, 0x41, 0x41, 0x00, 0x20, 0x46, 0x48, 0x45, 0x50, 0x46, 0x43, 0x45, 0x4c, - 0x45, 0x48, 0x46, 0x43, 0x45, 0x50, 0x46, 0x46, 0x46, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, - 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x42, 0x4e, 0x00, 0xff, 0x53, 0x4d, 0x42, 0x25, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, - 0x2f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x2f, 0x00, 0x56, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x40, 0x00, 0x5c, 0x4d, 0x41, 0x49, 0x4c, 0x53, 0x4c, 0x4f, 0x54, 0x5c, 0x42, - 0x52, 0x4f, 0x57, 0x53, 0x45, 0x00, 0x01, 0x00, 0x60, 0xea, 0x00, 0x00, 0x4f, 0x4b, 0x49, - 0x2d, 0x31, 0x35, 0x45, 0x36, 0x42, 0x43, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x03, 0x22, 0x41, 0x00, 0x0f, 0x01, 0x55, 0xaa, 0x43, 0x68, 0x61, 0x6e, 0x64, 0x72, 0x61, - 0x27, 0x73, 0x20, 0x63, 0x75, 0x62, 0x65, 0x01}; - uint16_t size =215; - AppidSessionDirection dir = APP_ID_FROM_INITIATOR; - AppIdInspector ins; - OdpContext odp_ctxt(config, nullptr); - snort::Packet pkt; - AppidChangeBits cb; - SfIp ip; - AppIdSession asd(IpProtocol::TCP, &ip, 21, ins, odp_ctxt); - AppIdDiscoveryArgs args(data, size, dir, asd, &pkt,cb); - ServiceDiscovery& s_discovery_manager = asd.get_odp_ctxt().get_service_disco_mgr(); - args.pkt->ptrs.sp = args.pkt->ptrs.dp = 138; - NbdgmServiceDetector nsd(&s_discovery_manager); - nsd.validate(args); - FpSMBData *smb_ptr1 = (FpSMBData*)(asd.get_flow_data(APPID_SESSION_DATA_SMB_DATA)); - nsd.validate(args); - FpSMBData *smb_ptr2 = (FpSMBData*)(asd.get_flow_data(APPID_SESSION_DATA_SMB_DATA)); - CHECK(smb_ptr1 == smb_ptr2); - asd.free_flow_data(); - delete &asd.get_api(); -} - -int main(int argc, char** argv) -{ - int return_value = CommandLineTestRunner::RunAllTests(argc, argv); - return return_value; -} diff --git a/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h b/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h index bebe04351..0e255657d 100644 --- a/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h +++ b/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h @@ -22,7 +22,6 @@ #include "appid_detector.h" #include "appid_module.h" #include "appid_peg_counts.h" -#include "utils/stats.h" #define APPID_UT_ID 1492 @@ -65,11 +64,6 @@ char* snort_strdup(const char* str) memcpy(p, str, n); return p; } -class InspectorManager -{ -public: -SO_PUBLIC static Inspector* get_inspector(const char*, bool, SnortConfig*) {return nullptr;} -}; Module::Module(const char*, const char*) {} Module::Module(const char*, const char*, const Parameter*, bool) {} @@ -118,13 +112,12 @@ int AppIdSession::add_flow_data(void*, unsigned, AppIdFreeFCN) { return 0; } int dcerpc_validate(const uint8_t*, int){return 0; } AppIdDiscovery::~AppIdDiscovery() { } void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const vector&, const char*, FILE*) { } AppIdConfig config; AppIdContext ctxt(config); class AppIdInspector : public snort::Inspector { public: - void eval(Packet*) override { } bool configure(snort::SnortConfig*) override { return true; } }; diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc index c62636992..ec552b19c 100644 --- a/src/network_inspectors/appid/test/appid_api_test.cc +++ b/src/network_inspectors/appid/test/appid_api_test.cc @@ -27,6 +27,7 @@ #include #include "framework/data_bus.h" +#include "managers/inspector_manager.h" #include "protocols/protocol_ids.h" #include "pub_sub/appid_event_ids.h" #include "service_inspectors/http_inspect/http_msg_header.h" diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc index d9c1dd3df..92ae8dd1d 100644 --- a/src/network_inspectors/appid/test/appid_discovery_test.cc +++ b/src/network_inspectors/appid/test/appid_discovery_test.cc @@ -28,7 +28,7 @@ #include "host_tracker/host_cache.h" #include "network_inspectors/appid/appid_discovery.cc" #include "network_inspectors/appid/appid_peg_counts.h" -#include "network_inspectors/packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "pub_sub/appid_event_ids.h" #include "search_engines/search_tool.h" #include "utils/sflsq.cc" @@ -52,11 +52,9 @@ AppIdApi appid_api; const char* AppIdApi::get_application_name(AppId, OdpContext&) { return NULL; } // Stubs for packet tracer -THREAD_LOCAL PacketTracer* s_pkt_trace = nullptr; -THREAD_LOCAL Stopwatch* pt_timer = nullptr; void PacketTracer::daq_log(const char*, ...) { } -void FatalError(const char* fmt, ...) { (void)fmt; exit(1); } -void WarningMessage(const char*,...) { } +uint64_t PacketTracer::get_time() { return 0; } +THREAD_LOCAL PacketTracer* PacketTracer::s_pkt_trace = nullptr; // Stubs for packet Packet::Packet(bool) {} @@ -87,6 +85,9 @@ PegCount Module::get_global_count(char const*) const { return 0; } void LogLabel(const char*, FILE*) {} void LogText(const char*, FILE*) {} +void FatalError(const char* fmt, ...) { (void)fmt; exit(1); } +void WarningMessage(const char*,...) { } + // Stubs for utils char* snort_strdup(const char* str) { diff --git a/src/network_inspectors/appid/test/appid_http_session_test.cc b/src/network_inspectors/appid/test/appid_http_session_test.cc index 81adda7ad..9c9eb7c1c 100644 --- a/src/network_inspectors/appid/test/appid_http_session_test.cc +++ b/src/network_inspectors/appid/test/appid_http_session_test.cc @@ -28,6 +28,7 @@ #include "framework/data_bus.h" #include "protocols/protocol_ids.h" +#include "profiler/profiler_impl.h" #include "service_inspectors/http_inspect/http_msg_header.h" #include "tp_appid_module_api.h" #include "tp_appid_session_api.h" diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc index af5093fbe..5ada0ec6f 100644 --- a/src/network_inspectors/appid/test/appid_session_api_test.cc +++ b/src/network_inspectors/appid/test/appid_session_api_test.cc @@ -24,6 +24,8 @@ #include "network_inspectors/appid/appid_session_api.cc" +#include "managers/inspector_manager.h" + #include "appid_mock_definitions.h" #include "appid_mock_session.h" diff --git a/src/network_inspectors/appid/test/tp_lib_handler_test.cc b/src/network_inspectors/appid/test/tp_lib_handler_test.cc index 1dc854b7e..421e6f7a6 100644 --- a/src/network_inspectors/appid/test/tp_lib_handler_test.cc +++ b/src/network_inspectors/appid/test/tp_lib_handler_test.cc @@ -28,6 +28,9 @@ #define TP_SUPPORTED 1 #include "tp_lib_handler.h" + +#include "profiler/profiler.h" + #include "appid_config.h" #include "log_message_mock.h" @@ -73,13 +76,8 @@ int ServiceDiscovery::add_service_port(AppIdDetector*, const ServiceDetectorPort { return 0; } void appid_log(const snort::Packet*, unsigned char, char const*, ...) { } - THREAD_LOCAL ProfileStats tp_appid_perf_stats; THREAD_LOCAL bool TimeProfilerStats::enabled = false; -MemoryContext::MemoryContext(MemoryTracker&) { } -MemoryContext::~MemoryContext() = default; -THREAD_LOCAL TimeContext* ProfileContext::curr_time = nullptr; - TEST_GROUP(tp_lib_handler) { diff --git a/src/network_inspectors/appid/tp_appid_module_api.cc b/src/network_inspectors/appid/tp_appid_module_api.cc index 6574ece61..a40148bdd 100644 --- a/src/network_inspectors/appid/tp_appid_module_api.cc +++ b/src/network_inspectors/appid/tp_appid_module_api.cc @@ -24,7 +24,10 @@ #endif #include "tp_appid_module_api.h" + #include "managers/module_manager.h" +#include "profiler/profiler.h" + #include "appid_module.h" #include "tp_lib_handler.h" diff --git a/src/network_inspectors/appid/tp_appid_module_api.h b/src/network_inspectors/appid/tp_appid_module_api.h index 96eb57b75..a56e18ff0 100644 --- a/src/network_inspectors/appid/tp_appid_module_api.h +++ b/src/network_inspectors/appid/tp_appid_module_api.h @@ -24,8 +24,8 @@ #include #include -#include "main/thread.h" -#include "profiler/profiler_defs.h" +#include "main/snort_types.h" + #include "tp_appid_types.h" #define THIRD_PARTY_APPID_API_VERSION 6 diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index cb2c6264b..daa70ac90 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc @@ -26,6 +26,7 @@ #include #include +#include "main/snort_config.h" #include "profiler/profiler.h" #include "protocols/packet.h" #include "stream/stream.h" diff --git a/src/network_inspectors/arp_spoof/arp_spoof.cc b/src/network_inspectors/arp_spoof/arp_spoof.cc index c04bc7c6e..6fb55c524 100644 --- a/src/network_inspectors/arp_spoof/arp_spoof.cc +++ b/src/network_inspectors/arp_spoof/arp_spoof.cc @@ -75,7 +75,6 @@ #include #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "log/messages.h" #include "profiler/profiler.h" #include "protocols/arp.h" diff --git a/src/network_inspectors/binder/bind_module.cc b/src/network_inspectors/binder/bind_module.cc index 5bbc9f01c..6d034702c 100644 --- a/src/network_inspectors/binder/bind_module.cc +++ b/src/network_inspectors/binder/bind_module.cc @@ -124,16 +124,6 @@ static const Parameter binder_when_params[] = { "service", Parameter::PT_STRING, nullptr, nullptr, "override default configuration" }, - // FIXIT-D deprecated zone parameters to be removed - { "zones", Parameter::PT_STRING, nullptr, nullptr, - "deprecated alias for groups" }, - - { "src_zone", Parameter::PT_STRING, nullptr, nullptr, - "deprecated alias for src_groups" }, - - { "dst_zone", Parameter::PT_STRING, nullptr, nullptr, - "deprecated alias for dst_groups" }, - { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; @@ -325,19 +315,19 @@ bool BinderModule::set(const char* fqn, Value& v, SnortConfig*) return false; binding.when.add_criteria(BindWhen::Criteria::BWC_SPLIT_INTFS); } - else if ( v.is("groups") || v.is("zones") ) + else if ( v.is("groups") ) { if (!parse_int_set(v, binding.when.src_groups)) return false; binding.when.add_criteria(BindWhen::Criteria::BWC_GROUPS); } - else if ( v.is("src_groups") || v.is("src_zone") ) + else if ( v.is("src_groups") ) { if (!parse_int_set(v, binding.when.src_groups)) return false; binding.when.add_criteria(BindWhen::Criteria::BWC_SPLIT_GROUPS); } - else if ( v.is("dst_groups") || v.is("dst_zone") ) + else if ( v.is("dst_groups") ) { if (!parse_int_set(v, binding.when.dst_groups)) return false; diff --git a/src/network_inspectors/binder/binder.cc b/src/network_inspectors/binder/binder.cc index 171b61ceb..ccef0efb1 100644 --- a/src/network_inspectors/binder/binder.cc +++ b/src/network_inspectors/binder/binder.cc @@ -23,7 +23,9 @@ #include "detection/detection_engine.h" #include "flow/flow.h" +#include "framework/pig_pen.h" #include "log/messages.h" +#include "main/snort_config.h" #include "managers/inspector_manager.h" #include "packet_io/active.h" #include "profiler/profiler.h" @@ -31,6 +33,7 @@ #include "pub_sub/assistant_gadget_event.h" #include "pub_sub/intrinsic_event_ids.h" #include "pub_sub/stream_event_ids.h" +#include "sfip/sf_cidr.h" #include "stream/stream.h" #include "stream/stream_splitter.h" #include "target_based/host_attributes.h" @@ -51,7 +54,7 @@ static Inspector* get_gadget(const SnortProtocolId protocol_id) if (protocol_id == UNKNOWN_PROTOCOL_ID) return nullptr; - return InspectorManager::get_service_inspector_by_id(protocol_id); + return InspectorManager::get_service_inspector(protocol_id); } static std::string to_string(const sfip_var_t* list) @@ -460,7 +463,7 @@ void Stuff::apply_service(Flow& flow) void Stuff::apply_assistant(Flow& flow, const char* service) { if (!gadget) - gadget = InspectorManager::get_service_inspector_by_service(service); + gadget = InspectorManager::get_service_inspector(service); if (gadget) flow.set_assistant_gadget(gadget); @@ -481,8 +484,6 @@ public: bool configure(SnortConfig*) override; void show(const SnortConfig*) const override; - void eval(Packet*) override { } - void handle_packet(const Packet*); void handle_flow_setup(Flow&, bool standby = false); void handle_flow_service_change(Flow&); @@ -512,7 +513,7 @@ public: void handle(DataEvent& e, Flow*) override { - Binder* binder = InspectorManager::get_binder(); + Binder* binder = (Binder*)InspectorManager::get_binder(); if (binder) binder->handle_packet(e.get_packet()); } @@ -526,7 +527,7 @@ public: void handle(DataEvent&, Flow* flow) override { - Binder* binder = InspectorManager::get_binder(); + Binder* binder = (Binder*)InspectorManager::get_binder(); if (binder && flow && !flow->flags.ha_flow) binder->handle_flow_setup(*flow); } @@ -540,7 +541,7 @@ public: void handle(DataEvent&, Flow* flow) override { - Binder* binder = InspectorManager::get_binder(); + Binder* binder = (Binder*)InspectorManager::get_binder(); if (binder && flow) binder->handle_flow_service_change(*flow); } @@ -554,7 +555,7 @@ public: void handle(DataEvent&, Flow* flow) override { - Binder* binder = InspectorManager::get_binder(); + Binder* binder = (Binder*)InspectorManager::get_binder(); if (binder && flow) binder->handle_flow_setup(*flow, true); } @@ -567,7 +568,7 @@ public: void handle(DataEvent& event, Flow* flow) override { - Binder* binder = InspectorManager::get_binder(); + Binder* binder = (Binder*)InspectorManager::get_binder(); AssistantGadgetEvent* assistant_event = (AssistantGadgetEvent*)&event; if (binder && flow) @@ -584,7 +585,7 @@ public: { if (flow && Flow::FlowState::INSPECT == flow->flow_state) { - Binder* binder = InspectorManager::get_binder(); + Binder* binder = (Binder*)InspectorManager::get_binder(); if (binder) binder->handle_flow_after_reload(*flow); } @@ -939,7 +940,7 @@ void Binder::get_bindings(Flow& flow, Stuff& stuff, const char* service) get_policy_bindings(flow, service); // If policy selection produced a new binder to use, use that instead. - Binder* sub = InspectorManager::get_binder(); + Binder* sub = (Binder*)InspectorManager::get_binder(); if (sub && sub != this) { sub->get_bindings(flow, stuff, service); @@ -970,7 +971,7 @@ void Binder::get_bindings(Packet* p, Stuff& stuff) get_policy_bindings(p); // If policy selection produced a new binder to use, use that instead. - Binder* sub = InspectorManager::get_binder(); + Binder* sub = (Binder*)InspectorManager::get_binder(); if (sub && sub != this) { sub->get_bindings(p, stuff); diff --git a/src/network_inspectors/binder/binding.cc b/src/network_inspectors/binder/binding.cc index b6710d4a8..2b548007f 100644 --- a/src/network_inspectors/binder/binding.cc +++ b/src/network_inspectors/binder/binding.cc @@ -107,6 +107,7 @@ void Binding::configure(const SnortConfig* sc) { const char* name = use.name.c_str(); Inspector* ins = InspectorManager::get_inspector(name, use.global_type, sc); + if (ins) { switch (ins->get_api()->type) diff --git a/src/network_inspectors/binder/binding.h b/src/network_inspectors/binder/binding.h index adf697789..bc27133fb 100644 --- a/src/network_inspectors/binder/binding.h +++ b/src/network_inspectors/binder/binding.h @@ -22,9 +22,9 @@ #include -#include "framework/bits.h" #include "main/policy.h" #include "sfip/sf_ipvar.h" +#include "utils/bits.h" namespace snort { diff --git a/src/network_inspectors/normalize/norm_stats.h b/src/network_inspectors/normalize/norm_stats.h index bf3e745af..a84eaad4a 100644 --- a/src/network_inspectors/normalize/norm_stats.h +++ b/src/network_inspectors/normalize/norm_stats.h @@ -22,7 +22,6 @@ #define NORM_STATS_H #include "framework/counts.h" -#include "main/thread.h" #include "normalize.h" diff --git a/src/network_inspectors/packet_capture/packet_capture.cc b/src/network_inspectors/packet_capture/packet_capture.cc index f778e0574..b546bef4b 100644 --- a/src/network_inspectors/packet_capture/packet_capture.cc +++ b/src/network_inspectors/packet_capture/packet_capture.cc @@ -29,7 +29,6 @@ #include "framework/inspector.h" #include "log/messages.h" #include "packet_io/sfdaq.h" -#include "packet_io/sfdaq_instance.h" #include "protocols/packet.h" #include "utils/util.h" diff --git a/src/network_inspectors/packet_tracer/CMakeLists.txt b/src/network_inspectors/packet_tracer/CMakeLists.txt deleted file mode 100644 index e4bcc193c..000000000 --- a/src/network_inspectors/packet_tracer/CMakeLists.txt +++ /dev/null @@ -1,14 +0,0 @@ -set (PACKET_TRACER_INCLUDES - packet_tracer.h -) - -add_library ( packet_tracer OBJECT - ${PACKET_TRACER_INCLUDES} - packet_tracer.cc - packet_tracer_module.h - packet_tracer_module.cc -) - -install(FILES ${PACKET_TRACER_INCLUDES} - DESTINATION "${INCLUDE_INSTALL_PATH}/network_inspectors/packet_tracer" -) \ No newline at end of file diff --git a/src/network_inspectors/perf_monitor/cpu_tracker.cc b/src/network_inspectors/perf_monitor/cpu_tracker.cc index bfc8d83e8..79cec8dc5 100644 --- a/src/network_inspectors/perf_monitor/cpu_tracker.cc +++ b/src/network_inspectors/perf_monitor/cpu_tracker.cc @@ -36,6 +36,8 @@ #include "catch/snort_catch.h" #endif +#include "main/thread.h" + #define TRACKER_NAME PERF_NAME "_cpu" using namespace snort; diff --git a/src/network_inspectors/perf_monitor/json_formatter.cc b/src/network_inspectors/perf_monitor/json_formatter.cc index 7a62076b1..422c2ba5b 100644 --- a/src/network_inspectors/perf_monitor/json_formatter.cc +++ b/src/network_inspectors/perf_monitor/json_formatter.cc @@ -22,8 +22,6 @@ #include -#include "utils/stats.h" - #if HAVE_CONFIG_H #include "config.h" #endif diff --git a/src/network_inspectors/perf_monitor/perf_module.cc b/src/network_inspectors/perf_monitor/perf_module.cc index 3019d053d..b3c46afd7 100644 --- a/src/network_inspectors/perf_monitor/perf_module.cc +++ b/src/network_inspectors/perf_monitor/perf_module.cc @@ -27,9 +27,10 @@ #include #include "control/control.h" +#include "framework/pig_pen.h" #include "log/messages.h" #include "main/analyzer_command.h" -#include "main/snort.h" +#include "main/snort_config.h" #include "managers/module_manager.h" #include "perf_monitor.h" @@ -138,7 +139,7 @@ bool PerfMonFlowIPDebug::execute(Analyzer&, void**) static int enable_flow_ip_profiling(lua_State* L) { PerfMonitor* perf_monitor = - (PerfMonitor*)InspectorManager::get_inspector(PERF_NAME, true); + (PerfMonitor*)PigPen::get_inspector(PERF_NAME, true); if (!perf_monitor) { @@ -162,7 +163,7 @@ static int enable_flow_ip_profiling(lua_State* L) static int disable_flow_ip_profiling(lua_State* L) { PerfMonitor* perf_monitor = - (PerfMonitor*)InspectorManager::get_inspector(PERF_NAME, true); + (PerfMonitor*)PigPen::get_inspector(PERF_NAME, true); if (!perf_monitor) { @@ -193,7 +194,7 @@ static int show_flow_ip_profiling(lua_State* L) bool status = false; ControlConn* ctrlcon = ControlConn::query_from_lua(L); - PerfMonitor* perf_monitor = (PerfMonitor*)InspectorManager::get_inspector(PERF_NAME, true); + PerfMonitor* perf_monitor = (PerfMonitor*)PigPen::get_inspector(PERF_NAME, true); if (perf_monitor) status = perf_monitor->is_flow_ip_enabled(); @@ -324,7 +325,7 @@ bool PerfMonModule::begin(const char* fqn, int idx, SnortConfig*) bool PerfMonModule::end(const char* fqn, int idx, SnortConfig* sc) { - if ( Snort::is_reloading() && strcmp(fqn, "perf_monitor") == 0 ) + if ( PigPen::snort_is_reloading() && strcmp(fqn, "perf_monitor") == 0 ) sc->register_reload_handler(new PerfMonReloadTuner(config->flowip_memcap)); if ( idx != 0 && strcmp(fqn, "perf_monitor.modules") == 0 ) diff --git a/src/network_inspectors/perf_monitor/perf_module.h b/src/network_inspectors/perf_monitor/perf_module.h index 0b223e19d..2625e0384 100644 --- a/src/network_inspectors/perf_monitor/perf_module.h +++ b/src/network_inspectors/perf_monitor/perf_module.h @@ -61,7 +61,7 @@ struct ModuleConfig // state optimized for run time using indices // can't be determined until all modules have loaded (PerfMonitor::configure) snort::Module* ptr; - IndexVec pegs; + std::vector pegs; void set_name(const std::string& name); void set_peg_names(snort::Value& peg_names); diff --git a/src/network_inspectors/perf_monitor/perf_monitor.cc b/src/network_inspectors/perf_monitor/perf_monitor.cc index 160027f69..59a08f439 100644 --- a/src/network_inspectors/perf_monitor/perf_monitor.cc +++ b/src/network_inspectors/perf_monitor/perf_monitor.cc @@ -31,11 +31,11 @@ #include "perf_monitor.h" #include "framework/data_bus.h" +#include "framework/pig_pen.h" #include "hash/hash_defs.h" #include "hash/xhash.h" #include "log/messages.h" #include "main/analyzer_command.h" -#include "main/thread.h" #include "profiler/profiler.h" #include "protocols/packet.h" #include "pub_sub/intrinsic_event_ids.h" @@ -231,7 +231,7 @@ void PerfMonitor::tinit() bool PerfMonReloadTuner::tinit() { - PerfMonitor* pm = (PerfMonitor*)InspectorManager::get_inspector(PERF_NAME, true); + PerfMonitor* pm = (PerfMonitor*)PigPen::get_inspector(PERF_NAME, true); auto* new_constraints = pm->get_constraints(); if (new_constraints->flow_ip_enabled) @@ -351,7 +351,7 @@ void PerfMonitor::eval(Packet* p) if (ready_to_process(p)) { #ifdef ENABLE_MEMORY_PROFILER - Profiler::show_runtime_memory_stats(); + PigPen::show_runtime_memory_stats(); #endif for (unsigned i = 0; i < trackers->size(); i++) { diff --git a/src/network_inspectors/perf_monitor/perf_monitor.h b/src/network_inspectors/perf_monitor/perf_monitor.h index 31424c752..f0704cf34 100644 --- a/src/network_inspectors/perf_monitor/perf_monitor.h +++ b/src/network_inspectors/perf_monitor/perf_monitor.h @@ -21,7 +21,6 @@ #ifndef PERF_MONITOR_H #define PERF_MONITOR_H -#include "managers/inspector_manager.h" #include "protocols/packet.h" #include "base_tracker.h" diff --git a/src/network_inspectors/perf_monitor/perf_tracker.cc b/src/network_inspectors/perf_monitor/perf_tracker.cc index 0c7cda2f8..fc74e81a7 100644 --- a/src/network_inspectors/perf_monitor/perf_tracker.cc +++ b/src/network_inspectors/perf_monitor/perf_tracker.cc @@ -30,6 +30,7 @@ #include "log/messages.h" #include "main/snort_config.h" +#include "main/thread.h" #include "utils/util.h" #include "utils/util_cstring.h" diff --git a/src/network_inspectors/perf_monitor/text_formatter.cc b/src/network_inspectors/perf_monitor/text_formatter.cc index 7d913ade8..4219938cd 100644 --- a/src/network_inspectors/perf_monitor/text_formatter.cc +++ b/src/network_inspectors/perf_monitor/text_formatter.cc @@ -26,7 +26,7 @@ #include -#include "utils/stats.h" +#include "log/log_stats.h" #ifdef UNIT_TEST #include diff --git a/src/network_inspectors/port_scan/port_scan.cc b/src/network_inspectors/port_scan/port_scan.cc index c58a956ea..44e47215a 100644 --- a/src/network_inspectors/port_scan/port_scan.cc +++ b/src/network_inspectors/port_scan/port_scan.cc @@ -26,7 +26,6 @@ #include "detection/detection_engine.h" #include "log/messages.h" -#include "managers/inspector_manager.h" #include "profiler/profiler.h" #include "utils/util.h" #include "utils/util_cstring.h" diff --git a/src/network_inspectors/port_scan/ps_detect.cc b/src/network_inspectors/port_scan/ps_detect.cc index cb64e18a2..1c5fd8dd5 100644 --- a/src/network_inspectors/port_scan/ps_detect.cc +++ b/src/network_inspectors/port_scan/ps_detect.cc @@ -42,7 +42,6 @@ #include "stream/stream.h" #include "time/packet_time.h" #include "utils/cpp_macros.h" -#include "utils/stats.h" #include "ps_inspect.h" #include "ps_pegs.h" diff --git a/src/network_inspectors/port_scan/ps_module.cc b/src/network_inspectors/port_scan/ps_module.cc index 922c47261..06b9577b6 100644 --- a/src/network_inspectors/port_scan/ps_module.cc +++ b/src/network_inspectors/port_scan/ps_module.cc @@ -23,8 +23,9 @@ #endif #include "ps_module.h" + +#include "framework/pig_pen.h" #include "log/messages.h" -#include "main/snort.h" #include "main/snort_config.h" #include @@ -329,7 +330,7 @@ bool PortScanModule::set(const char* fqn, Value& v, SnortConfig*) bool PortScanModule::end(const char* fqn, int, SnortConfig* sc) { - if ( Snort::is_reloading() && strcmp(fqn, "port_scan") == 0 ) + if ( PigPen::snort_is_reloading() && strcmp(fqn, "port_scan") == 0 ) sc->register_reload_handler(new PortScanReloadTuner(config->memcap)); return true; } diff --git a/src/network_inspectors/reputation/reputation_commands.cc b/src/network_inspectors/reputation/reputation_commands.cc index 4f4a68338..9270e3df5 100644 --- a/src/network_inspectors/reputation/reputation_commands.cc +++ b/src/network_inspectors/reputation/reputation_commands.cc @@ -24,9 +24,10 @@ #include "reputation_commands.h" #include "control/control.h" +#include "framework/pig_pen.h" #include "log/messages.h" #include "main/analyzer_command.h" -#include "managers/inspector_manager.h" +#include "main/snort_config.h" #include "reputation_common.h" #include "reputation_inspect.h" @@ -75,7 +76,8 @@ bool ReputationReload::execute(Analyzer&, void**) static int reload(lua_State* L) { ControlConn* ctrlcon = ControlConn::query_from_lua(L); - Reputation* ins = static_cast(InspectorManager::get_inspector(REPUTATION_NAME)); + Reputation* ins = static_cast(PigPen::get_inspector(REPUTATION_NAME)); + if (ins) main_broadcast_command(new ReputationReload(ctrlcon, *ins), ctrlcon); else diff --git a/src/network_inspectors/reputation/reputation_common.h b/src/network_inspectors/reputation/reputation_common.h index 7c3548bbe..9c718b945 100644 --- a/src/network_inspectors/reputation/reputation_common.h +++ b/src/network_inspectors/reputation/reputation_common.h @@ -20,16 +20,6 @@ #ifndef REPUTATION_COMMON_H #define REPUTATION_COMMON_H -#define REPUTATION_NAME "reputation" -#define REPUTATION_HELP "reputation inspection" - #define GID_REPUTATION 136 -#define REPUTATION_EVENT_BLOCKLIST_SRC 1 -#define REPUTATION_EVENT_ALLOWLIST_SRC 2 -#define REPUTATION_EVENT_MONITOR_SRC 3 -#define REPUTATION_EVENT_BLOCKLIST_DST 4 -#define REPUTATION_EVENT_ALLOWLIST_DST 5 -#define REPUTATION_EVENT_MONITOR_DST 6 - #endif diff --git a/src/network_inspectors/reputation/reputation_config.h b/src/network_inspectors/reputation/reputation_config.h index a57150e44..3e6bc6ff8 100644 --- a/src/network_inspectors/reputation/reputation_config.h +++ b/src/network_inspectors/reputation/reputation_config.h @@ -21,7 +21,6 @@ #define REPUTATION_CONFIG_H #include "framework/counts.h" -#include "main/thread.h" #include "sfrt/sfrt.h" #include diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc index 9aa0f5f5c..06aa63cc7 100644 --- a/src/network_inspectors/reputation/reputation_inspect.cc +++ b/src/network_inspectors/reputation/reputation_inspect.cc @@ -25,15 +25,12 @@ #include "reputation_inspect.h" -#include "detection/detect.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "log/messages.h" #include "main/snort.h" #include "main/snort_config.h" -#include "managers/inspector_manager.h" -#include "network_inspectors/packet_tracer/packet_tracer.h" #include "packet_io/active.h" +#include "packet_io/packet_tracer.h" #include "profiler/profiler.h" #include "protocols/packet.h" #include "pub_sub/auxiliary_ip_event.h" @@ -348,7 +345,7 @@ static void populate_trace_data(IPdecision& decision, Packet* p, uint32_t iplist sfip_ntop(ip, addr, sizeof(addr)); PacketTracer::daq_log("SI-IP+%" PRId64"+%s list id %u+Matched ip %s, action %s$", - TO_NSECS(pt_timer->get()), + PacketTracer::get_time(), (TRUSTED_SRC == decision or TRUSTED_DST == decision)?"Do_not_block":"Block", iplist_id, addr, to_string(decision)); } @@ -482,7 +479,7 @@ void IpRepHandler::handle(DataEvent& event, Flow*) return; if (PacketTracer::is_daq_activated()) - PacketTracer::pt_timer_start(); + PacketTracer::restart_timer(); ReputationData* data = static_cast(inspector.get_thread_specific_data()); assert(data); diff --git a/src/network_inspectors/reputation/reputation_module.h b/src/network_inspectors/reputation/reputation_module.h index 37ea19d2c..a1ee0bf27 100644 --- a/src/network_inspectors/reputation/reputation_module.h +++ b/src/network_inspectors/reputation/reputation_module.h @@ -29,6 +29,16 @@ #include "reputation_config.h" #include "reputation_common.h" +#define REPUTATION_NAME "reputation" +#define REPUTATION_HELP "reputation inspection" + +#define REPUTATION_EVENT_BLOCKLIST_SRC 1 +#define REPUTATION_EVENT_ALLOWLIST_SRC 2 +#define REPUTATION_EVENT_MONITOR_SRC 3 +#define REPUTATION_EVENT_BLOCKLIST_DST 4 +#define REPUTATION_EVENT_ALLOWLIST_DST 5 +#define REPUTATION_EVENT_MONITOR_DST 6 + namespace snort { struct SnortConfig; diff --git a/src/network_inspectors/rna/CMakeLists.txt b/src/network_inspectors/rna/CMakeLists.txt index fb2e957d2..95fa15cbf 100644 --- a/src/network_inspectors/rna/CMakeLists.txt +++ b/src/network_inspectors/rna/CMakeLists.txt @@ -1,14 +1,14 @@ set (RNA_INCLUDES + rna_cpe_os.h rna_fingerprint.h rna_fingerprint_smb.h rna_fingerprint_tcp.h rna_fingerprint_ua.h rna_fingerprint_udp.h - rna_flow.h rna_inspector.h - rna_logger.h + rna_logger_event.h rna_name.h - rna_cpe_os.h + rna_tracker.h ) set ( RNA_SOURCES @@ -26,7 +26,9 @@ set ( RNA_SOURCES rna_fingerprint_udp.cc rna_inspector.cc rna_flow.cc + rna_flow.h rna_logger.cc + rna_logger.h rna_logger_common.h rna_mac_cache.cc rna_mac_cache.h diff --git a/src/network_inspectors/rna/data_purge_cmd.cc b/src/network_inspectors/rna/data_purge_cmd.cc index 5027203de..615662d02 100644 --- a/src/network_inspectors/rna/data_purge_cmd.cc +++ b/src/network_inspectors/rna/data_purge_cmd.cc @@ -24,8 +24,6 @@ #include "data_purge_cmd.h" -#include "managers/inspector_manager.h" - #include "rna_inspector.h" #include "rna_name.h" #include "rna_pnd.h" diff --git a/src/network_inspectors/rna/rna_fingerprint_ua.cc b/src/network_inspectors/rna/rna_fingerprint_ua.cc index b98764ed2..1c377fc9c 100644 --- a/src/network_inspectors/rna/rna_fingerprint_ua.cc +++ b/src/network_inspectors/rna/rna_fingerprint_ua.cc @@ -27,7 +27,6 @@ #include #include -#include "main/thread.h" using namespace snort; using namespace std; diff --git a/src/network_inspectors/rna/rna_fingerprint_udp.cc b/src/network_inspectors/rna/rna_fingerprint_udp.cc index 00074e568..96db02787 100644 --- a/src/network_inspectors/rna/rna_fingerprint_udp.cc +++ b/src/network_inspectors/rna/rna_fingerprint_udp.cc @@ -31,7 +31,6 @@ #include "catch/snort_catch.h" #endif -#include "main/thread.h" #include "pub_sub/dhcp_events.h" using namespace snort; diff --git a/src/network_inspectors/rna/rna_flow.h b/src/network_inspectors/rna/rna_flow.h index 567863870..88d4b860d 100644 --- a/src/network_inspectors/rna/rna_flow.h +++ b/src/network_inspectors/rna/rna_flow.h @@ -29,6 +29,7 @@ #include "sfip/sf_ip.h" #include "rna_fingerprint_tcp.h" +#include "rna_tracker.h" namespace snort { @@ -37,8 +38,6 @@ struct Packet; class DiscoveryFilter; -using RnaTracker = std::shared_ptr; - class RNAFlow : public snort::FlowData { public: diff --git a/src/network_inspectors/rna/rna_inspector.cc b/src/network_inspectors/rna/rna_inspector.cc index 209bbafea..bdd8ccf62 100644 --- a/src/network_inspectors/rna/rna_inspector.cc +++ b/src/network_inspectors/rna/rna_inspector.cc @@ -31,7 +31,6 @@ #include "log/messages.h" #include "main/snort.h" -#include "managers/inspector_manager.h" #include "protocols/packet.h" #include "pub_sub/appid_event_ids.h" #include "pub_sub/dhcp_events.h" diff --git a/src/network_inspectors/rna/rna_logger.cc b/src/network_inspectors/rna/rna_logger.cc index 3d84872a9..b896402e3 100644 --- a/src/network_inspectors/rna/rna_logger.cc +++ b/src/network_inspectors/rna/rna_logger.cc @@ -32,6 +32,7 @@ #include "rna_fingerprint.h" #include "rna_logger_common.h" +#include "rna_logger_event.h" #include "rna_module.h" #ifdef UNIT_TEST diff --git a/src/network_inspectors/rna/rna_logger.h b/src/network_inspectors/rna/rna_logger.h index 6d95dcdcd..0700d94ab 100644 --- a/src/network_inspectors/rna/rna_logger.h +++ b/src/network_inspectors/rna/rna_logger.h @@ -20,55 +20,17 @@ #ifndef RNA_LOGGER_H #define RNA_LOGGER_H -#include "events/event.h" #include "host_tracker/host_cache.h" #include "host_tracker/host_tracker.h" #include "rna_cpe_os.h" -#include "rna_flow.h" +#include "rna_tracker.h" namespace snort { -class Flow; struct Packet; class FpFingerprint; } -struct RnaLoggerEvent : public Event -{ - RnaLoggerEvent (uint16_t t, uint16_t st, const uint8_t* mc, const RnaTracker* rt, - const snort::HostMac* hmp, uint16_t pr, void* cv, const snort::HostApplication* hap, - const snort::FpFingerprint* fpr, const snort::HostClient* hcp, const char* u, - int32_t app, const char* di, bool jb, uint32_t ls, uint32_t nm, - const struct in6_addr* rtr, const snort::Packet* p, const char* nb_name, - const std::vector* cpe) : type(t), subtype(st), - mac(mc), ht(rt), hm(hmp), proto(pr), cond_var(cv), ha(hap), fp(fpr), hc(hcp), - user(u), appid(app), device_info(di), jail_broken(jb), lease(ls), netmask(nm), - router(rtr), pkt(p), netbios_name(nb_name), cpe_os(cpe) { } - - uint32_t event_time = 0; - uint16_t type; - uint16_t subtype; - const struct in6_addr* ip = nullptr; - const uint8_t* mac; - const RnaTracker* ht; - const snort::HostMac* hm; - uint16_t proto; - void* cond_var; - const snort::HostApplication* ha; - const snort::FpFingerprint* fp; - const snort::HostClient* hc; - const char* user; - AppId appid; - const char* device_info; - bool jail_broken; - uint32_t lease; - uint32_t netmask; - const struct in6_addr* router; - const snort::Packet* pkt; - const char* netbios_name = nullptr; - const std::vector* cpe_os = nullptr; -}; - class RnaLogger { public: diff --git a/src/network_inspectors/rna/rna_logger_event.h b/src/network_inspectors/rna/rna_logger_event.h new file mode 100644 index 000000000..11641d796 --- /dev/null +++ b/src/network_inspectors/rna/rna_logger_event.h @@ -0,0 +1,72 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved. +// Copyright (C) 2003-2013 Sourcefire, Inc. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +#ifndef RNA_LOGGER_EVENT_H +#define RNA_LOGGER_EVENT_H + +#include "events/event.h" +#include "host_tracker/host_cache.h" +#include "host_tracker/host_tracker.h" +#include "rna_cpe_os.h" +#include "rna_tracker.h" + +namespace snort +{ +struct Packet; +class FpFingerprint; +} + +struct RnaLoggerEvent : public Event +{ + RnaLoggerEvent (uint16_t t, uint16_t st, const uint8_t* mc, const RnaTracker* rt, + const snort::HostMac* hmp, uint16_t pr, void* cv, const snort::HostApplication* hap, + const snort::FpFingerprint* fpr, const snort::HostClient* hcp, const char* u, + int32_t app, const char* di, bool jb, uint32_t ls, uint32_t nm, + const struct in6_addr* rtr, const snort::Packet* p, const char* nb_name, + const std::vector* cpe) : + + type(t), subtype(st), mac(mc), ht(rt), hm(hmp), proto(pr), cond_var(cv), ha(hap), + fp(fpr), hc(hcp), user(u), appid(app), device_info(di), jail_broken(jb), lease(ls), + netmask(nm), router(rtr), pkt(p), netbios_name(nb_name), cpe_os(cpe) { } + + uint32_t event_time = 0; + uint16_t type; + uint16_t subtype; + const struct in6_addr* ip = nullptr; + const uint8_t* mac; + const RnaTracker* ht; + const snort::HostMac* hm; + uint16_t proto; + void* cond_var; + const snort::HostApplication* ha; + const snort::FpFingerprint* fp; + const snort::HostClient* hc; + const char* user; + AppId appid; + const char* device_info; + bool jail_broken; + uint32_t lease; + uint32_t netmask; + const struct in6_addr* router; + const snort::Packet* pkt; + const char* netbios_name = nullptr; + const std::vector* cpe_os = nullptr; +}; + +#endif diff --git a/src/network_inspectors/rna/rna_module.cc b/src/network_inspectors/rna/rna_module.cc index ff2cb97e4..0ed4d22f9 100644 --- a/src/network_inspectors/rna/rna_module.cc +++ b/src/network_inspectors/rna/rna_module.cc @@ -32,12 +32,12 @@ #include #include "control/control.h" +#include "framework/pig_pen.h" #include "host_tracker/host_cache.h" #include "host_tracker/host_cache_segmented.h" #include "log/messages.h" #include "lua/lua.h" #include "main/snort_config.h" -#include "managers/inspector_manager.h" #include "managers/module_manager.h" #include "utils/util.h" @@ -66,7 +66,7 @@ THREAD_LOCAL const Trace* rna_trace = nullptr; static int dump_mac_cache(lua_State* L) { RnaModule* mod = (RnaModule*) ModuleManager::get_module(RNA_NAME); - Inspector* rna = InspectorManager::get_inspector(RNA_NAME, true); + Inspector* rna = PigPen::get_inspector(RNA_NAME, true); if ( rna && mod ) mod->log_mac_cache( luaL_optstring(L, 1, nullptr) ); return 0; @@ -89,7 +89,7 @@ static inline string format_dump_mac(const uint8_t mac[MAC_SIZE]) static int purge_data(lua_State* L) { - Inspector* rna = InspectorManager::get_inspector(RNA_NAME, true); + Inspector* rna = PigPen::get_inspector(RNA_NAME, true); if ( rna ) { HostCacheMac* mac_cache = new HostCacheMac(MAC_CACHE_INITIAL_SIZE); @@ -164,7 +164,7 @@ static bool get_mac_from_args(lua_State* L, uint8_t* mac_addr) static int delete_mac_host(lua_State* L) { - Inspector* rna = InspectorManager::get_inspector(RNA_NAME, true); + Inspector* rna = PigPen::get_inspector(RNA_NAME, true); if ( rna ) { uint8_t mac[MAC_SIZE] = {0}; @@ -200,7 +200,7 @@ static int delete_mac_host(lua_State* L) static int delete_mac_host_proto(lua_State* L) { - Inspector* rna = InspectorManager::get_inspector(RNA_NAME, true); + Inspector* rna = PigPen::get_inspector(RNA_NAME, true); if ( rna ) { uint8_t mac[MAC_SIZE] = {0}; diff --git a/src/network_inspectors/rna/rna_tracker.h b/src/network_inspectors/rna/rna_tracker.h new file mode 100644 index 000000000..c71f78b7d --- /dev/null +++ b/src/network_inspectors/rna/rna_tracker.h @@ -0,0 +1,29 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2021-2023 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// rna_tracker.h author Silviu Minut + +#ifndef RNA_TRACKER_H +#define RNA_TRACKER_H + +#include "host_tracker/host_tracker.h" + +using RnaTracker = std::shared_ptr; + +#endif + diff --git a/src/network_inspectors/rna/test/rna_module_stubs.h b/src/network_inspectors/rna/test/rna_module_stubs.h index 34043ca35..9e47944d1 100644 --- a/src/network_inspectors/rna/test/rna_module_stubs.h +++ b/src/network_inspectors/rna/test/rna_module_stubs.h @@ -81,10 +81,8 @@ bool DataPurgeAC::execute(Analyzer&, void**) { return true;} void set_host_cache_mac(HostCacheMac*) { } -Inspector* InspectorManager::get_inspector(const char*, bool, const SnortConfig*) -{ - return nullptr; -} +Inspector* PigPen::get_inspector(const char*, bool, const SnortConfig*) +{ return nullptr; } void HostTracker::remove_flows() { } diff --git a/src/packet_io/CMakeLists.txt b/src/packet_io/CMakeLists.txt index fa17cb110..4b5a581f1 100644 --- a/src/packet_io/CMakeLists.txt +++ b/src/packet_io/CMakeLists.txt @@ -1,6 +1,9 @@ set ( PACKET_IO_INCLUDES active.h + active_action.h + packet_constraints.h + packet_tracer.h sfdaq.h sfdaq_instance.h ) @@ -26,15 +29,17 @@ if (ENABLE_STATIC_DAQ) endif () add_library (packet_io OBJECT + ${PACKET_IO_INCLUDES} active.cc - active.h - active_action.h + active_counts.h + packet_constraints.cc + packet_tracer.cc + packet_tracer_module.cc + packet_tracer_module.h sfdaq.cc - sfdaq.h sfdaq_config.cc sfdaq_config.h sfdaq_instance.cc - sfdaq_instance.h sfdaq_module.cc sfdaq_module.h trough.cc diff --git a/src/packet_io/active.cc b/src/packet_io/active.cc index 54266b031..fb1e22889 100644 --- a/src/packet_io/active.cc +++ b/src/packet_io/active.cc @@ -36,6 +36,7 @@ #include "utils/dnet_header.h" #include "active_action.h" +#include "active_counts.h" #include "sfdaq.h" #include "sfdaq_instance.h" #include "sfdaq_module.h" @@ -67,10 +68,11 @@ const char* Active::act_str[Active::ACT_MAX][Active::AST_MAX] = { "reset", "cant_reset", "would_reset", "force_reset" }, }; -THREAD_LOCAL uint8_t Active::s_attempts = 0; -THREAD_LOCAL bool Active::s_suspend = false; -THREAD_LOCAL Active::ActiveSuspendReason Active::s_suspend_reason = Active::ASP_NONE; -THREAD_LOCAL Active::Counts snort::active_counts; +static THREAD_LOCAL uint8_t s_attempts = 0; +static THREAD_LOCAL bool s_suspend = false; +static THREAD_LOCAL Active::ActiveSuspendReason s_suspend_reason = Active::ASP_NONE; + +static THREAD_LOCAL Active::Counts active_counts; typedef int (* send_t) ( DAQ_Msg_h msg, int rev, const uint8_t* buf, uint32_t len); @@ -84,6 +86,9 @@ static int default_drop_reason_id = -1; static std::unordered_map drop_reason_id_map; +PegCount* get_active_counts() +{ return (PegCount*)&active_counts; } + //-------------------------------------------------------------------- // helpers @@ -546,6 +551,43 @@ void Active::update_status_actionable(const Packet* p) } } +void Active::suspend(ActiveSuspendReason suspend_reason) +{ + s_suspend = true; + s_suspend_reason = suspend_reason; +} + +bool Active::is_suspended() +{ return s_suspend; } + +void Active::resume() +{ + s_suspend = false; + s_suspend_reason = ASP_NONE; +} + +bool Active::can_partial_block_session() const +{ return active_status == AST_CANT and s_suspend_reason > ASP_NONE and s_suspend_reason != ASP_TIMEOUT; } + +bool Active::keep_pruned_flow() const +{ return ( s_suspend_reason == ASP_PRUNE ) or ( s_suspend_reason == ASP_RELOAD ); } + +bool Active::keep_timedout_flow() const +{ return ( s_suspend_reason == ASP_TIMEOUT ); } + +Active::ActiveWouldReason Active::get_whd_reason_from_suspend_reason() +{ + switch ( s_suspend_reason ) + { + case ASP_NONE: return WHD_NONE; + case ASP_PRUNE: return WHD_PRUNE; + case ASP_TIMEOUT: return WHD_TIMEOUT; + case ASP_RELOAD: return WHD_RELOAD; + case ASP_EXIT: return WHD_EXIT; + } + return WHD_NONE; +} + void Active::update_status(const Packet* p, bool force) { if ( s_suspend ) diff --git a/src/packet_io/active.h b/src/packet_io/active.h index ce0719655..df84c4631 100644 --- a/src/packet_io/active.h +++ b/src/packet_io/active.h @@ -69,33 +69,11 @@ public: static bool thread_init(const SnortConfig*); static void thread_term(); - static void suspend(ActiveSuspendReason suspend_reason) - { - s_suspend = true; - s_suspend_reason = suspend_reason; - } - - static bool is_suspended() - { return s_suspend; } + static void suspend(ActiveSuspendReason); + static bool is_suspended(); + static void resume(); - static void resume() - { - s_suspend = false; - s_suspend_reason = ASP_NONE; - } - - static ActiveWouldReason get_whd_reason_from_suspend_reason() - { - switch ( s_suspend_reason ) - { - case ASP_NONE: return WHD_NONE; - case ASP_PRUNE: return WHD_PRUNE; - case ASP_TIMEOUT: return WHD_TIMEOUT; - case ASP_RELOAD: return WHD_RELOAD; - case ASP_EXIT: return WHD_EXIT; - } - return WHD_NONE; - } + static ActiveWouldReason get_whd_reason_from_suspend_reason(); void send_reset(Packet*, EncodeFlags); void send_unreach(Packet*, snort::UnreachResponse); @@ -161,14 +139,9 @@ public: ActiveWouldReason get_would_be_dropped_reason() const { return active_would_reason; } - bool can_partial_block_session() const - { return active_status == AST_CANT and s_suspend_reason > ASP_NONE and s_suspend_reason != ASP_TIMEOUT; } - - bool keep_pruned_flow() const - { return ( s_suspend_reason == ASP_PRUNE ) or ( s_suspend_reason == ASP_RELOAD ); } - - bool keep_timedout_flow() const - { return ( s_suspend_reason == ASP_TIMEOUT ); } + bool can_partial_block_session() const; + bool keep_pruned_flow() const; + bool keep_timedout_flow() const; bool packet_retry_requested() const { return active_action == ACT_RETRY; } @@ -231,9 +204,6 @@ private: private: static const char* act_str[ACT_MAX][AST_MAX]; - static THREAD_LOCAL uint8_t s_attempts; - static THREAD_LOCAL bool s_suspend; - static THREAD_LOCAL ActiveSuspendReason s_suspend_reason; int active_tunnel_bypass = 0; const char* drop_reason = nullptr; @@ -248,7 +218,7 @@ private: ActiveAction* delayed_reject = nullptr; // set with set_delayed_action() }; -struct SO_PUBLIC ActiveSuspendContext +struct ActiveSuspendContext { ActiveSuspendContext(Active::ActiveSuspendReason suspend_reason) { Active::suspend(suspend_reason); } @@ -257,7 +227,6 @@ struct SO_PUBLIC ActiveSuspendContext { Active::resume(); } }; -extern THREAD_LOCAL Active::Counts active_counts; } #endif diff --git a/src/packet_io/active_counts.h b/src/packet_io/active_counts.h new file mode 100644 index 000000000..8757350a4 --- /dev/null +++ b/src/packet_io/active_counts.h @@ -0,0 +1,32 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved. +// Copyright (C) 2005-2013 Sourcefire, Inc. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// active_counts.h author Russ Combs + +#ifndef ACTIVE_COUNTS_H +#define ACTIVE_COUNTS_H + +// private Active accessors (not installed) + +#include "framework/counts.h" + +PegCount* get_active_counts(); + +#endif + diff --git a/src/framework/packet_constraints.cc b/src/packet_io/packet_constraints.cc similarity index 99% rename from src/framework/packet_constraints.cc rename to src/packet_io/packet_constraints.cc index 67ccdad99..7fd2e29c9 100644 --- a/src/framework/packet_constraints.cc +++ b/src/packet_io/packet_constraints.cc @@ -23,10 +23,11 @@ #include "packet_constraints.h" -#include "protocols/packet.h" - +#include #include +#include "protocols/packet.h" + namespace { inline bool match_constraints(const snort::PacketConstraints& cs, diff --git a/src/framework/packet_constraints.h b/src/packet_io/packet_constraints.h similarity index 100% rename from src/framework/packet_constraints.h rename to src/packet_io/packet_constraints.h diff --git a/src/network_inspectors/packet_tracer/packet_tracer.cc b/src/packet_io/packet_tracer.cc similarity index 91% rename from src/network_inspectors/packet_tracer/packet_tracer.cc rename to src/packet_io/packet_tracer.cc index 22d3c69bf..2a19685f4 100644 --- a/src/network_inspectors/packet_tracer/packet_tracer.cc +++ b/src/packet_io/packet_tracer.cc @@ -30,10 +30,8 @@ #include #include "detection/ips_context.h" -#include "log/log.h" #include "log/messages.h" -#include "packet_io/active.h" -#include "packet_io/sfdaq_instance.h" +#include "main/thread.h" #include "protocols/eth.h" #include "protocols/icmp4.h" #include "protocols/ip.h" @@ -41,6 +39,9 @@ #include "protocols/tcp.h" #include "utils/util.h" +#include "active.h" +#include "sfdaq_instance.h" + #ifdef UNIT_TEST #include "catch/snort_catch.h" #endif @@ -52,9 +53,14 @@ using namespace snort; // ----------------------------------------------------------------------------- // FIXIT-M refactor the way this is used so all methods are members called against this pointer -THREAD_LOCAL PacketTracer* snort::s_pkt_trace = nullptr; - -THREAD_LOCAL Stopwatch* snort::pt_timer = nullptr; +#ifdef _WIN64 +static THREAD_LOCAL PacketTracer* s_pkt_trace = nullptr; +#else +namespace snort +{ +THREAD_LOCAL PacketTracer* PacketTracer::s_pkt_trace = nullptr; +}; +#endif // so modules can register regardless of when packet trace is activated static THREAD_LOCAL struct{ unsigned val = 0; } global_mutes; @@ -62,44 +68,40 @@ static THREAD_LOCAL struct{ unsigned val = 0; } global_mutes; static std::string log_file = "-"; static bool config_status = false; +// %s %u -> %s %u %u AS=%u ID=%u GR=%hd-%hd +// IPv6 Port -> IPv6 Port Proto AS=ASNum ID=InstanceNum GR=SrcGroupNum-DstGroupNum +#define PT_DEBUG_SESSION_ID_SIZE ((39+1+5+1+2+1+39+1+5+1+3+1+2+1+10+1+2+1+10+32)+1) +static constexpr int max_buff_size = 2048; + // ----------------------------------------------------------------------------- // static functions // ----------------------------------------------------------------------------- +#ifdef _WIN64 +bool PacketTracer::is_active() +{ return s_pkt_trace ? s_pkt_trace->active : false; } + +bool PacketTracer::is_daq_activated() +{ return s_pkt_trace ? s_pkt_trace->daq_activated : false; } +#endif + void PacketTracer::set_log_file(const std::string& file) { log_file = file; } // template needed for unit tests template void PacketTracer::_thread_init() { - if ( s_pkt_trace == nullptr ) - s_pkt_trace = new T(); - - if ( pt_timer == nullptr ) - pt_timer = new Stopwatch; - - s_pkt_trace->mutes.resize(global_mutes.val, false); - s_pkt_trace->open_file(); - s_pkt_trace->user_enabled = config_status; + assert(!s_pkt_trace); + s_pkt_trace = new T(); } -template void PacketTracer::_thread_init(); void PacketTracer::thread_init() -{ _thread_init(); } +{ _thread_init(); } void PacketTracer::thread_term() { - if ( s_pkt_trace ) - { - delete s_pkt_trace; - s_pkt_trace = nullptr; - } - - if (pt_timer) - { - delete pt_timer; - pt_timer = nullptr; - } + delete s_pkt_trace; + s_pkt_trace = nullptr; } void PacketTracer::dump(char* output_buff, unsigned int len) @@ -269,17 +271,37 @@ void PacketTracer::activate(const Packet& p) s_pkt_trace->active = false; } -void PacketTracer::pt_timer_start() +uint64_t PacketTracer::get_time() +{ return TO_NSECS(s_pkt_trace->pt_timer->get()); } + +void PacketTracer::start_timer() +{ s_pkt_trace->pt_timer->start(); } + +void PacketTracer::reset_timer() +{ s_pkt_trace->pt_timer->reset(); } + +void PacketTracer::restart_timer() { - pt_timer->reset(); - pt_timer->start(); + s_pkt_trace->pt_timer->reset(); + s_pkt_trace->pt_timer->start(); } // ----------------------------------------------------------------------------- // non-static functions // ----------------------------------------------------------------------------- -// destructor +PacketTracer::PacketTracer() +{ + pt_timer = new Stopwatch; + buffer = new char[max_buff_size] { }; + daq_buffer = new char[max_buff_size] { }; + debug_session = new char[PT_DEBUG_SESSION_ID_SIZE]; + + mutes.resize(global_mutes.val, false); + open_file(); + user_enabled = config_status; +} + PacketTracer::~PacketTracer() { if ( log_fh && log_fh != stdout ) @@ -287,6 +309,10 @@ PacketTracer::~PacketTracer() fclose(log_fh); log_fh = nullptr; } + delete[] debug_session; + delete[] daq_buffer; + delete[] buffer; + delete pt_timer; } void PacketTracer::populate_buf(const char* format, va_list ap, char* buffer, uint32_t& buff_len) @@ -398,7 +424,7 @@ void PacketTracer::add_packet_type_info(const Packet& p) case PktType::TCP: { char tcpFlags[10]; - CreateTCPFlagString(p.ptrs.tcph, tcpFlags); + p.ptrs.tcph->stringify_flags(tcpFlags); if (p.ptrs.tcph->th_flags & TH_ACK) PacketTracer::log("Packet %" PRIu64 ": TCP %s, %s, seq %u, ack %u, dsize %u%s\n", @@ -643,32 +669,32 @@ TEST_CASE("corner cases", "[PacketTracer]") TestPacketTracer::daq_log("%s", test_str); } // when buffer limit is reached, buffer length will stopped at max_buff_size-1 - CHECK((TestPacketTracer::get_buff_len() == (TestPacketTracer::max_buff_size-1))); - CHECK((TestPacketTracer::get_daq_buff_len() == (TestPacketTracer::max_buff_size-1))); + CHECK((TestPacketTracer::get_buff_len() == (max_buff_size-1))); + CHECK((TestPacketTracer::get_daq_buff_len() == (max_buff_size-1))); // continue logging will not change anything TestPacketTracer::log("%s", test_str); - CHECK((TestPacketTracer::get_buff_len() == (TestPacketTracer::max_buff_size-1))); + CHECK((TestPacketTracer::get_buff_len() == (max_buff_size-1))); TestPacketTracer::daq_log("%s", test_str); - CHECK((TestPacketTracer::get_daq_buff_len() == (TestPacketTracer::max_buff_size-1))); + CHECK((TestPacketTracer::get_daq_buff_len() == (max_buff_size-1))); TestPacketTracer::thread_term(); } TEST_CASE("dump", "[PacketTracer]") { - char test_string[TestPacketTracer::max_buff_size]; + char test_string[max_buff_size]; char test_str[] = "ABCD", results[] = "ABCD3=400"; TestPacketTracer::thread_init(); TestPacketTracer::set_user_enable(true); TestPacketTracer::log("%s%d=%d", test_str, 3, 400); - TestPacketTracer::dump(test_string, TestPacketTracer::max_buff_size); + TestPacketTracer::dump(test_string, max_buff_size); CHECK(!strcmp(test_string, results)); CHECK((TestPacketTracer::get_buff_len() == 0)); // dump again - TestPacketTracer::dump(test_string, TestPacketTracer::max_buff_size); + TestPacketTracer::dump(test_string, max_buff_size); CHECK(!strcmp(test_string, "")); CHECK((TestPacketTracer::get_buff_len() == 0)); diff --git a/src/network_inspectors/packet_tracer/packet_tracer.h b/src/packet_io/packet_tracer.h similarity index 83% rename from src/network_inspectors/packet_tracer/packet_tracer.h rename to src/packet_io/packet_tracer.h index 8776b5f63..152fa2b48 100644 --- a/src/network_inspectors/packet_tracer/packet_tracer.h +++ b/src/packet_io/packet_tracer.h @@ -26,9 +26,8 @@ #include #include -#include "framework/packet_constraints.h" #include "main/snort_types.h" -#include "main/thread.h" +#include "packet_io/packet_constraints.h" #include "protocols/ipv6.h" #include "protocols/protocol_ids.h" #include "sfip/sf_ip.h" @@ -42,11 +41,10 @@ struct Packet; class PacketTracer { public: - PacketTracer() = default; + PacketTracer(); virtual ~PacketTracer(); typedef uint8_t TracerMute; - static const int max_buff_size = 2048; // static functions static void set_log_file(const std::string&); @@ -64,8 +62,17 @@ public: static SO_PUBLIC void pause(); static SO_PUBLIC void unpause(); static SO_PUBLIC bool is_paused(); + +#ifdef _WIN64 static SO_PUBLIC bool is_active(); static SO_PUBLIC bool is_daq_activated(); +#else + static bool is_active() + { return s_pkt_trace ? s_pkt_trace->active : false; } + + static bool is_daq_activated() + { return s_pkt_trace ? s_pkt_trace->daq_activated : false; } +#endif static SO_PUBLIC TracerMute get_mute(); @@ -74,20 +81,32 @@ public: static SO_PUBLIC void log_msg_only(const char* format, ...) __attribute__((format (printf, 1, 2))); static SO_PUBLIC void daq_log(const char* format, ...) __attribute__((format (printf, 1, 2))); - static SO_PUBLIC void pt_timer_start(); -protected: + static SO_PUBLIC void start_timer(); + static SO_PUBLIC void restart_timer(); + static SO_PUBLIC void reset_timer(); + static SO_PUBLIC uint64_t get_time(); + +protected: +#ifndef _WIN64 + static SO_PUBLIC THREAD_LOCAL PacketTracer* s_pkt_trace; +#endif // non-static variable + Stopwatch* pt_timer = nullptr; FILE* log_fh = stdout; + + char* buffer; + char* daq_buffer; + char* debug_session; + std::vector mutes; - char buffer[max_buff_size] = {0}; + unsigned buff_len = 0; - char daq_buffer[max_buff_size] = {0}; unsigned daq_buff_len = 0; - unsigned pause_count = 0; + bool user_enabled = false; bool daq_activated = false; bool shell_enabled = false; @@ -108,21 +127,12 @@ protected: void update_constraints(const PacketConstraints* constraints); const char *get_debug_session() { return debugstr.c_str(); } - virtual void open_file(); + void open_file(); virtual void dump_to_daq(Packet*); - virtual void reset(bool); + void reset(bool); }; -SO_PUBLIC extern THREAD_LOCAL PacketTracer* s_pkt_trace; -SO_PUBLIC extern THREAD_LOCAL Stopwatch* pt_timer; - -inline bool PacketTracer::is_active() -{ return s_pkt_trace ? s_pkt_trace->active : false; } - -inline bool PacketTracer::is_daq_activated() -{ return s_pkt_trace ? s_pkt_trace->daq_activated : false; } - -struct SO_PUBLIC PacketTracerSuspend +struct PacketTracerSuspend { PacketTracerSuspend() { PacketTracer::pause(); } diff --git a/src/network_inspectors/packet_tracer/packet_tracer_module.cc b/src/packet_io/packet_tracer_module.cc similarity index 100% rename from src/network_inspectors/packet_tracer/packet_tracer_module.cc rename to src/packet_io/packet_tracer_module.cc diff --git a/src/network_inspectors/packet_tracer/packet_tracer_module.h b/src/packet_io/packet_tracer_module.h similarity index 100% rename from src/network_inspectors/packet_tracer/packet_tracer_module.h rename to src/packet_io/packet_tracer_module.h diff --git a/src/packet_io/sfdaq_instance.cc b/src/packet_io/sfdaq_instance.cc index 76b4ee591..c52a67c48 100644 --- a/src/packet_io/sfdaq_instance.cc +++ b/src/packet_io/sfdaq_instance.cc @@ -28,6 +28,7 @@ #include "log/messages.h" #include "main/snort_config.h" +#include "main/thread.h" #include "protocols/packet.h" #include "protocols/vlan.h" diff --git a/src/packet_io/sfdaq_module.h b/src/packet_io/sfdaq_module.h index f3eb249cd..ca1008b00 100644 --- a/src/packet_io/sfdaq_module.h +++ b/src/packet_io/sfdaq_module.h @@ -21,6 +21,8 @@ #ifndef SFDAQ_MODULE_H #define SFDAQ_MODULE_H +#include + #include "framework/module.h" namespace snort diff --git a/src/parser/cmd_line.cc b/src/parser/cmd_line.cc index c601bb340..3ca380c89 100644 --- a/src/parser/cmd_line.cc +++ b/src/parser/cmd_line.cc @@ -24,6 +24,7 @@ #include "cmd_line.h" #include "framework/module.h" +#include "log/log_errors.h" #include "log/messages.h" #include "main/help.h" #include "main/snort_config.h" diff --git a/src/parser/config_file.cc b/src/parser/config_file.cc index bfb7f23f3..f734ecc23 100644 --- a/src/parser/config_file.cc +++ b/src/parser/config_file.cc @@ -27,7 +27,6 @@ #include #include -#include "detection/detect.h" #include "detection/detection_engine.h" #include "log/messages.h" #include "main/analyzer.h" diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc index 9be773a43..8a6d7ba73 100644 --- a/src/parser/parse_rule.cc +++ b/src/parser/parse_rule.cc @@ -23,14 +23,15 @@ #include "parse_rule.h" -#include "actions/actions.h" -#include "detection/detect.h" +#include "detection/extract.h" #include "detection/fp_config.h" #include "detection/fp_utils.h" #include "detection/rtn_checks.h" #include "detection/treenodes.h" #include "framework/decode_data.h" +#include "framework/ips_action.h" #include "hash/xhash.h" +#include "log/log_stats.h" #include "log/messages.h" #include "main/snort_config.h" #include "main/thread_config.h" @@ -42,7 +43,6 @@ #include "sfip/sf_vartable.h" #include "target_based/snort_protocols.h" #include "utils/util.h" -#include "ips_options/extract.h" #include "parser.h" #include "parse_conf.h" @@ -788,15 +788,15 @@ void parse_rule_type(SnortConfig* sc, const char* s, RuleTreeNode& rtn) assert(s); - rtn.action = Actions::get_type(s); + rtn.action = IpsAction::get_type(s); - if ( !Actions::is_valid_action(rtn.action) ) + if ( !IpsAction::is_valid_action(rtn.action) ) { s_ignore = true; ParseError("unknown rule action '%s'", s); return; } - if (!strcmp(s,"file_id")) + if (!strcmp(s, "file_id")) action_file_id = true; else action_file_id = false; diff --git a/src/parser/parse_utils.h b/src/parser/parse_utils.h index 1224077b3..712dd5d2a 100644 --- a/src/parser/parse_utils.h +++ b/src/parser/parse_utils.h @@ -22,8 +22,10 @@ #include -bool parse_byte_code(const char*, bool& negate, std::string&); -int parse_int(const char*, const char* tag, int low = -65535, int high = 65535); +#include "main/snort_types.h" + +SO_PUBLIC bool parse_byte_code(const char*, bool& negate, std::string&); +SO_PUBLIC int parse_int(const char*, const char* tag, int low = -65535, int high = 65535); #endif diff --git a/src/parser/parser.cc b/src/parser/parser.cc index fa02a74a5..42467185b 100644 --- a/src/parser/parser.cc +++ b/src/parser/parser.cc @@ -34,6 +34,7 @@ #include "detection/rules.h" #include "detection/sfrim.h" #include "dump_config/config_output.h" +#include "events/event_queue.h" #include "filters/detection_filter.h" #include "filters/rate_filter.h" #include "filters/sfthreshold.h" @@ -42,6 +43,7 @@ #include "hash/xhash.h" #include "helpers/directory.h" #include "ips_options/ips_flowbits.h" +#include "log/log_stats.h" #include "log/messages.h" #include "main/modules.h" #include "main/shell.h" @@ -632,7 +634,7 @@ void ParseRulesFinish(SnortConfig* sc) * Returns: the ListHead for the rule type * ***************************************************************************/ -RuleListNode* CreateRuleType(SnortConfig* sc, const char* name, Actions::Type mode) +RuleListNode* CreateRuleType(SnortConfig* sc, const char* name, IpsAction::Type mode) { RuleListNode* node; @@ -710,7 +712,7 @@ void OrderRuleLists(SnortConfig* sc) const char* order = sc->rule_order.c_str(); if ( !*order ) { - default_priorities = Actions::get_default_priorities(); + default_priorities = IpsAction::get_default_priorities(); order = default_priorities.c_str(); } diff --git a/src/parser/parser.h b/src/parser/parser.h index 267f4869e..b0c583718 100644 --- a/src/parser/parser.h +++ b/src/parser/parser.h @@ -29,6 +29,8 @@ namespace snort struct SnortConfig; } +struct OptTreeNode; + void parser_init(); void parser_term(snort::SnortConfig*); @@ -60,15 +62,15 @@ const char* parser_get_special_includer(); int ParseBool(const char* arg); -int addRtnToOtn(snort::SnortConfig*, struct OptTreeNode*, RuleTreeNode*); -int addRtnToOtn(snort::SnortConfig*, struct OptTreeNode*, RuleTreeNode*, PolicyId); +int addRtnToOtn(snort::SnortConfig*, OptTreeNode*, RuleTreeNode*); +int addRtnToOtn(snort::SnortConfig*, OptTreeNode*, RuleTreeNode*, PolicyId); void set_strict_rtn_reduction(bool); bool same_headers(RuleTreeNode*, RuleTreeNode*); RuleTreeNode* deleteRtnFromOtn(OptTreeNode*, snort::SnortConfig* sc = nullptr); -RuleTreeNode* deleteRtnFromOtn(struct OptTreeNode*, PolicyId, snort::SnortConfig* sc = nullptr, bool remove = true); +RuleTreeNode* deleteRtnFromOtn(OptTreeNode*, PolicyId, snort::SnortConfig* sc = nullptr, bool remove = true); -inline RuleTreeNode* getRtnFromOtn(const struct OptTreeNode* otn, PolicyId policyId) +inline RuleTreeNode* getRtnFromOtn(const OptTreeNode* otn, PolicyId policyId) { if (otn && otn->proto_nodes && (otn->proto_node_num > (unsigned)policyId)) { @@ -77,12 +79,12 @@ inline RuleTreeNode* getRtnFromOtn(const struct OptTreeNode* otn, PolicyId polic return nullptr; } -inline RuleTreeNode* getRtnFromOtn(const struct OptTreeNode* otn) +inline RuleTreeNode* getRtnFromOtn(const OptTreeNode* otn) { return getRtnFromOtn(otn, snort::get_ips_policy()->policy_id); } -RuleListNode* CreateRuleType(snort::SnortConfig* sc, const char* name, Actions::Type action_type); +RuleListNode* CreateRuleType(snort::SnortConfig* sc, const char* name, snort::IpsAction::Type action_type); void FreeRuleTreeNode(RuleTreeNode*); void DestroyRuleTreeNode(RuleTreeNode*); diff --git a/src/payload_injector/payload_injector.cc b/src/payload_injector/payload_injector.cc index fbcbf5086..da77f0d9c 100644 --- a/src/payload_injector/payload_injector.cc +++ b/src/payload_injector/payload_injector.cc @@ -26,6 +26,7 @@ #include "detection/detection_engine.h" #include "flow/session.h" +#include "main/snort_config.h" #include "packet_io/active.h" #include "protocols/packet.h" #include "service_inspectors/http2_inspect/http2_flow_data.h" diff --git a/src/payload_injector/test/payload_injector_test.cc b/src/payload_injector/test/payload_injector_test.cc index 1e1bbb17c..ce4589f38 100644 --- a/src/payload_injector/test/payload_injector_test.cc +++ b/src/payload_injector/test/payload_injector_test.cc @@ -28,6 +28,7 @@ #include "detection/detection_engine.h" #include "flow/flow.h" +#include "main/snort_config.h" #include "main/thread_config.h" #include "packet_io/active.h" #include "protocols/packet.h" @@ -99,7 +100,7 @@ class StreamSplitter* Inspector::get_splitter(bool) { return nullptr; } } void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } // MockInspector class diff --git a/src/policy_selectors/address_space_selector/address_space_selector.cc b/src/policy_selectors/address_space_selector/address_space_selector.cc index f9fe1dabd..03f711716 100644 --- a/src/policy_selectors/address_space_selector/address_space_selector.cc +++ b/src/policy_selectors/address_space_selector/address_space_selector.cc @@ -28,6 +28,7 @@ #include "detection/ips_context.h" #include "framework/policy_selector.h" #include "log/messages.h" +#include "main/policy.h" #include "policy_selectors/int_set_to_string.h" #include "profiler/profiler.h" diff --git a/src/policy_selectors/address_space_selector/address_space_selector_module.h b/src/policy_selectors/address_space_selector/address_space_selector_module.h index b29fa4ddd..970394194 100644 --- a/src/policy_selectors/address_space_selector/address_space_selector_module.h +++ b/src/policy_selectors/address_space_selector/address_space_selector_module.h @@ -24,6 +24,7 @@ #include "framework/module.h" #include "framework/policy_selector.h" + #include "address_space_selection.h" #define ADDRESS_SPACE_SELECT_NAME "address_space_selector" diff --git a/src/policy_selectors/tenant_selector/tenant_selector.cc b/src/policy_selectors/tenant_selector/tenant_selector.cc index 8c45147c4..b0390ce99 100644 --- a/src/policy_selectors/tenant_selector/tenant_selector.cc +++ b/src/policy_selectors/tenant_selector/tenant_selector.cc @@ -28,6 +28,7 @@ #include "detection/ips_context.h" #include "framework/policy_selector.h" #include "log/messages.h" +#include "main/policy.h" #include "policy_selectors/int_set_to_string.h" #include "profiler/profiler.h" diff --git a/src/ports/port_object2.h b/src/ports/port_object2.h index ccb406627..fd21df80b 100644 --- a/src/ports/port_object2.h +++ b/src/ports/port_object2.h @@ -22,7 +22,7 @@ #ifndef PORT_OBJECT2_H #define PORT_OBJECT2_H -#include "framework/bits.h" +#include "utils/bits.h" #include "utils/sflsq.h" //------------------------------------------------------------------------- diff --git a/src/ports/port_utils.h b/src/ports/port_utils.h index 236dfc49f..205c798b0 100644 --- a/src/ports/port_utils.h +++ b/src/ports/port_utils.h @@ -22,8 +22,8 @@ #ifndef PORT_UTILS_H #define PORT_UTILS_H -#include "framework/bits.h" #include "protocols/packet.h" +#include "utils/bits.h" #include "utils/sflsq.h" struct PortObject; diff --git a/src/profiler/CMakeLists.txt b/src/profiler/CMakeLists.txt index f13d66abc..be260f85c 100644 --- a/src/profiler/CMakeLists.txt +++ b/src/profiler/CMakeLists.txt @@ -1,6 +1,5 @@ set ( PROFILER_INCLUDES memory_defs.h - memory_context.h memory_profiler_defs.h profiler.h profiler_defs.h @@ -13,9 +12,11 @@ set ( PROFILER_SOURCES json_view.cc json_view.h memory_context.cc + memory_context.h memory_profiler.cc memory_profiler.h profiler.cc + profiler_impl.h profiler_module.cc profiler_module.h profiler_nodes.cc diff --git a/src/profiler/profiler.cc b/src/profiler/profiler.cc index 56e0d0cfd..a4fe16527 100644 --- a/src/profiler/profiler.cc +++ b/src/profiler/profiler.cc @@ -22,7 +22,7 @@ #include "config.h" #endif -#include "profiler.h" +#include "profiler_impl.h" #include #include @@ -31,6 +31,7 @@ #include "main/snort_config.h" #include "main/thread_config.h" #include "time/stopwatch.h" +#include "utils/stats.h" #include "memory_context.h" #include "memory_profiler.h" @@ -45,16 +46,33 @@ using namespace snort; -THREAD_LOCAL ProfileStats totalPerfStats; -THREAD_LOCAL ProfileStats otherPerfStats; +static THREAD_LOCAL ProfileStats totalPerfStats; +static THREAD_LOCAL ProfileStats otherPerfStats; -THREAD_LOCAL TimeContext* ProfileContext::curr_time = nullptr; THREAD_LOCAL Stopwatch* run_timer = nullptr; THREAD_LOCAL uint64_t first_pkt_num = 0; THREAD_LOCAL bool consolidated_once = false; static ProfilerNodeMap s_profiler_nodes; +#ifndef _WIN64 +THREAD_LOCAL TimeContext* ProfileContext::curr_time = nullptr; +#else +static THREAD_LOCAL TimeContext* curr_time = nullptr; + +TimeContext* ProfileContext::get_curr_time() +{ return curr_time; } + +void ProfileContext::set_curr_time(TimeContext* t) +{ curr_time = t; } +#endif + +ProfileStats* Profiler::get_total_perf_stats() +{ return &totalPerfStats; } + +ProfileStats* Profiler::get_other_perf_stats() +{ return &otherPerfStats; } + void Profiler::register_module(Module* m) { if ( m->get_profile() ) @@ -78,7 +96,7 @@ void Profiler::register_module(const char* n, const char* pn, Module* m) void Profiler::start() { - first_pkt_num = (uint64_t)get_packet_number(); + first_pkt_num = pc.analyzed_pkts; run_timer = new Stopwatch; run_timer->start(); consolidated_once = false; diff --git a/src/profiler/profiler.h b/src/profiler/profiler.h index 01f406355..4cdff9454 100644 --- a/src/profiler/profiler.h +++ b/src/profiler/profiler.h @@ -21,34 +21,6 @@ #ifndef PROFILER_H #define PROFILER_H -#include "main/thread.h" #include "profiler_defs.h" -namespace snort -{ -class Module; -} -class ControlConn; -class ProfilerNodeMap; -class Profiler -{ -public: - static void register_module(snort::Module*); - static void register_module(const char*, const char*, snort::Module*); - - static void start(); - static void stop(uint64_t); - - static void consolidate_stats(snort::ProfilerType = snort::PROFILER_TYPE_BOTH); - - static void reset_stats(snort::ProfilerType = snort::PROFILER_TYPE_BOTH); - static void prepare_stats(); - static void show_stats(); - static ProfilerNodeMap& get_profiler_nodes(); - SO_PUBLIC static void show_runtime_memory_stats(); -}; - -extern THREAD_LOCAL snort::ProfileStats totalPerfStats; -extern THREAD_LOCAL snort::ProfileStats otherPerfStats; - #endif diff --git a/src/profiler/profiler_defs.h b/src/profiler/profiler_defs.h index 559e7480d..4d90d4431 100644 --- a/src/profiler/profiler_defs.h +++ b/src/profiler/profiler_defs.h @@ -22,7 +22,6 @@ #define PROFILER_DEFS_H #include "main/snort_types.h" -#include "main/thread.h" #include "memory_defs.h" #include "memory_profiler_defs.h" #include "rule_profiler_defs.h" @@ -104,24 +103,37 @@ class SO_PUBLIC ProfileContext public: ProfileContext(ProfileStats& stats) : time(stats.time), memory(stats.memory) { - prev_time = curr_time; + prev_time = get_curr_time(); if ( prev_time ) prev_time->pause(); - curr_time = &time; + set_curr_time(&time); } ~ProfileContext() { if ( prev_time ) prev_time->resume(); - curr_time = prev_time; + set_curr_time(prev_time); } +private: +#ifdef _WIN64 + static TimeContext* get_curr_time(); + static void set_curr_time(TimeContext*); +#else + static THREAD_LOCAL TimeContext* curr_time; + + static TimeContext* get_curr_time() + { return curr_time; } + + static void set_curr_time(TimeContext* t) + { curr_time = t; } +#endif + private: TimeContext time; MemoryContext memory; TimeContext* prev_time; - static THREAD_LOCAL TimeContext* curr_time; }; using get_profile_stats_fn = ProfileStats* (*)(const char*); diff --git a/src/profiler/profiler_impl.h b/src/profiler/profiler_impl.h new file mode 100644 index 000000000..056765e03 --- /dev/null +++ b/src/profiler/profiler_impl.h @@ -0,0 +1,57 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2015-2023 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// profiler_impl.h author Joel Cornett + +#ifndef PROFILER_IMPL_H +#define PROFILER_IMPL_H + +#include "profiler_defs.h" + +namespace snort +{ +class Module; +struct ProfileStats; +} + +class ProfilerNodeMap; + +class Profiler +{ +public: + static void register_module(snort::Module*); + static void register_module(const char*, const char*, snort::Module*); + + static void start(); + static void stop(uint64_t); + + static void consolidate_stats(snort::ProfilerType = snort::PROFILER_TYPE_BOTH); + + static void reset_stats(snort::ProfilerType = snort::PROFILER_TYPE_BOTH); + static void prepare_stats(); + + static void show_stats(); + static void show_runtime_memory_stats(); + + static ProfilerNodeMap& get_profiler_nodes(); + + static snort::ProfileStats* get_total_perf_stats(); + static snort::ProfileStats* get_other_perf_stats(); +}; + +#endif diff --git a/src/profiler/profiler_module.cc b/src/profiler/profiler_module.cc index 7434a0d2f..526f29b5d 100644 --- a/src/profiler/profiler_module.cc +++ b/src/profiler/profiler_module.cc @@ -35,6 +35,7 @@ #include "managers/module_manager.h" #include "utils/stats.h" +#include "profiler_impl.h" #include "rule_profiler.h" #include "rule_profiler_defs.h" #include "time_profiler.h" @@ -269,7 +270,7 @@ static void time_profiling_start_cmd() static void time_profiling_stop_cmd() { TimeProfilerStats::set_enabled(false); - Profiler::stop((uint64_t)get_packet_number()); + Profiler::stop(pc.analyzed_pkts); Profiler::consolidate_stats(snort::PROFILER_TYPE_TIME); } @@ -456,7 +457,7 @@ static const Parameter profiler_params[] = class ProfilerReloadTuner : public snort::ReloadResourceTuner { public: - explicit ProfilerReloadTuner(bool enable_rule, bool enable_time) + explicit ProfilerReloadTuner(bool enable_rule, bool enable_time) : enable_rule(enable_rule), enable_time(enable_time) {} ~ProfilerReloadTuner() override = default; @@ -568,12 +569,12 @@ ProfileStats* ProfilerModule::get_profile( case 0: name = "total"; parent = nullptr; - return &totalPerfStats; + return Profiler::get_total_perf_stats(); case 1: name = "other"; parent = nullptr; - return &otherPerfStats; + return Profiler::get_other_perf_stats(); } return nullptr; } diff --git a/src/profiler/time_profiler.cc b/src/profiler/time_profiler.cc index a4af66530..51ac758d7 100644 --- a/src/profiler/time_profiler.cc +++ b/src/profiler/time_profiler.cc @@ -42,7 +42,17 @@ using namespace snort; // enabled is not in SnortConfig to avoid that ugly dependency // enabled is not in TimeContext because declaring it SO_PUBLIC made TimeContext visible // putting enabled in TimeProfilerStats seems to be the best solution +#ifndef _WIN64 THREAD_LOCAL bool TimeProfilerStats::enabled = false; +#else +static THREAD_LOCAL bool enabled; + +void TimeProfilerStats::set_enabled(bool b) +{ enabled = b; } + +bool TimeProfilerStats::is_enabled() +{ return enabled; } +#endif namespace time_stats { diff --git a/src/profiler/time_profiler_defs.h b/src/profiler/time_profiler_defs.h index 09c4b91b5..4b50920f5 100644 --- a/src/profiler/time_profiler_defs.h +++ b/src/profiler/time_profiler_defs.h @@ -47,6 +47,8 @@ struct SO_PUBLIC TimeProfilerStats hr_duration elapsed; uint64_t checks; mutable unsigned int ref_count; + +#ifndef _WIN64 static THREAD_LOCAL bool enabled; static void set_enabled(bool b) @@ -54,6 +56,10 @@ struct SO_PUBLIC TimeProfilerStats static bool is_enabled() { return enabled; } +#else + static void set_enabled(bool); + static bool is_enabled(); +#endif void update(hr_duration delta) { elapsed += delta; ++checks; } diff --git a/src/protocols/ip.h b/src/protocols/ip.h index 442443d94..0b747a20d 100644 --- a/src/protocols/ip.h +++ b/src/protocols/ip.h @@ -31,19 +31,14 @@ namespace snort { struct Packet; -// FIXIT-L can I assume api is always valid? -// i.e. if not ip4, then ipv6? -// or if not ip4, also make sure its not ip6 - namespace ip { -// keeping this as a class to avoid confusion. class SO_PUBLIC IpApi { public: enum Type { IAT_NONE, IAT_4, IAT_6, IAT_DATA }; - // constructor and destructor MUST remain a trivial. Adding + // constructor and destructor MUST remain trivial. Adding // any non-trivial code will cause a compilation failure. IpApi() = default; diff --git a/src/protocols/layer.h b/src/protocols/layer.h index a0f623b02..d6c44b75d 100644 --- a/src/protocols/layer.h +++ b/src/protocols/layer.h @@ -20,6 +20,8 @@ #ifndef PROTOCOLS_LAYER_H #define PROTOCOLS_LAYER_H +// Packet contains a Layer for each decoded encapsulation. + #include "main/snort_types.h" #include "protocols/protocol_ids.h" diff --git a/src/protocols/mpls.h b/src/protocols/mpls.h index 5b70d427d..0180fbd1e 100644 --- a/src/protocols/mpls.h +++ b/src/protocols/mpls.h @@ -33,7 +33,7 @@ struct MplsHdr uint8_t bos; uint8_t ttl; }; -} // namespace mpls +} } #endif diff --git a/src/protocols/packet.cc b/src/protocols/packet.cc index 04161f1c4..e0785230a 100644 --- a/src/protocols/packet.cc +++ b/src/protocols/packet.cc @@ -24,11 +24,12 @@ #include "packet.h" #include "detection/ips_context.h" -#include "flow/expect_cache.h" +#include "flow/expect_flow.h" +#include "flow/flow_key.h" #include "framework/endianness.h" #include "log/obfuscator.h" +#include "main/snort_config.h" #include "packet_io/active.h" -#include "managers/codec_manager.h" #include "packet_manager.h" #include "vlan.h" @@ -38,7 +39,7 @@ namespace snort { Packet::Packet(bool packet_data) { - layers = new Layer[CodecManager::get_max_layers()]; + layers = new Layer[PacketManager::get_max_layers()]; allocated = packet_data; if (!packet_data) diff --git a/src/protocols/packet.h b/src/protocols/packet.h index c12708df7..475fe5b52 100644 --- a/src/protocols/packet.h +++ b/src/protocols/packet.h @@ -20,6 +20,10 @@ #ifndef PROTOCOLS_PACKET_H #define PROTOCOLS_PACKET_H +// Packet is an abstraction describing a unit of work. it may define a +// wire packet or it may define a cooked packet. the latter contains +// payload data only, no headers. + #include #include "flow/flow.h" @@ -42,7 +46,7 @@ class SFDAQInstance; #define PKT_REBUILT_FRAG 0x00000001 // is a rebuilt fragment #define PKT_REBUILT_STREAM 0x00000002 // is a rebuilt stream #define PKT_STREAM_UNEST_UNI 0x00000004 // is from an unestablished stream and - // we've only seen traffic in one direction + // we've only seen traffic in one direction #define PKT_STREAM_EST 0x00000008 // is from an established stream #define PKT_STREAM_INSERT 0x00000010 // this packet has been queued for stream reassembly @@ -108,9 +112,6 @@ constexpr uint16_t NUM_IP_PROTOS = 256; constexpr uint8_t TCP_OPTLENMAX = 40; /* (((2^4) - 1) * 4 - TCP_HEADER_LEN) */ constexpr uint8_t DEFAULT_LAYERMAX = 40; -// Packet is an abstraction describing a unit of work. it may define a -// wire packet or it may define a cooked packet. the latter contains -// payload data only, no headers. struct SO_PUBLIC Packet { Packet(bool packet_data = true); @@ -376,13 +377,6 @@ private: bool allocated; }; -/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2 */ -#define SEQ_LT(a,b) ((int)((a) - (b)) < 0) -#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0) -#define SEQ_GT(a,b) ((int)((a) - (b)) > 0) -#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0) -#define SEQ_EQ(a,b) ((int)((a) - (b)) == 0) - #define BIT(i) (0x1 << ((i)-1)) inline void SetExtraData(Packet* p, const uint32_t xid) { p->xtradata_mask |= BIT(xid); } diff --git a/src/protocols/packet_manager.cc b/src/protocols/packet_manager.cc index 17fc08e69..f8ea3a99a 100644 --- a/src/protocols/packet_manager.cc +++ b/src/protocols/packet_manager.cc @@ -31,12 +31,14 @@ #include "detection/detection_engine.h" #include "log/text_log.h" #include "main/snort_config.h" +#include "managers/codec_manager.h" #include "packet_io/active.h" +#include "packet_io/packet_tracer.h" #include "packet_io/sfdaq.h" -#include "packet_tracer/packet_tracer.h" #include "profiler/profiler_defs.h" #include "stream/stream.h" #include "trace/trace_api.h" +#include "utils/stats.h" #include "eth.h" #include "icmp4.h" @@ -45,17 +47,17 @@ using namespace snort; THREAD_LOCAL ProfileStats decodePerfStats; +uint8_t PacketManager::max_layers = DEFAULT_LAYERMAX; + +ProtocolIndex PacketManager::proto_idx(ProtocolId prot_id) +{ return CodecManager::s_proto_map[to_utype(prot_id)]; } // Decoding statistics -// this may be my longer member declaration ... ever -THREAD_LOCAL std::array PacketManager::s_stats { - { 0 } -}; +static THREAD_LOCAL std::array s_stats +{ { 0 } }; -//PacketManager::s_stats{{0}}; -std::array PacketManager::g_stats; +static std::array g_stats; // names which will be printed for the first three statistics // in s_stats/g_stats @@ -72,15 +74,14 @@ const std::array PacketManager::stat_na // Encoder Foo static THREAD_LOCAL std::array* s_pkt; +void PacketManager::global_init(uint8_t max) +{ max_layers = max; } + void PacketManager::thread_init() -{ - s_pkt = new std::array{ {0} }; -} +{ s_pkt = new std::array{ {0} }; } void PacketManager::thread_term() -{ - delete s_pkt; -} +{ delete s_pkt; } //------------------------------------------------------------------------- // Private helper functions @@ -89,7 +90,7 @@ void PacketManager::thread_term() inline bool PacketManager::push_layer(Packet* p, CodecData& codec_data, ProtocolId prot_id, const uint8_t* hdr_start, uint32_t len) { - if ( p->num_layers == CodecManager::get_max_layers() ) + if ( p->num_layers == max_layers ) { if (!(codec_data.codec_flags & CODEC_LAYERS_EXCEEDED)) { diff --git a/src/protocols/packet_manager.h b/src/protocols/packet_manager.h index d9969c7e5..9b14de157 100644 --- a/src/protocols/packet_manager.h +++ b/src/protocols/packet_manager.h @@ -27,8 +27,8 @@ #include "framework/codec.h" #include "framework/counts.h" #include "main/snort_types.h" -#include "managers/codec_manager.h" #include "protocols/packet.h" +#include "protocols/protocol_ids.h" struct TextLog; @@ -57,6 +57,8 @@ enum class UnreachResponse class SO_PUBLIC PacketManager { public: + static void global_init(uint8_t max_layers); + static void thread_init(); static void thread_term(); @@ -122,17 +124,21 @@ public: * * The equivalent of Snort's PROTO_ID */ static constexpr std::size_t max_protocols() // compile time constant - { return CodecManager::s_protocols.size(); } + { return num_protocol_idx; } /* If a proto was registered in a Codec's get_protocol_ids() function, * this function will return the 'ProtocolIndex' of the Codec to which the proto belongs. * If none of the loaded Codecs registered that proto, this function will * return zero. */ - static ProtocolIndex proto_idx(ProtocolId prot_id) - { return CodecManager::s_proto_map[to_utype(prot_id)]; } + static ProtocolIndex proto_idx(ProtocolId); static void accumulate(); + static uint8_t get_max_layers() + { return max_layers; } + + static constexpr uint8_t stat_offset = 4; + private: static bool push_layer(Packet*, CodecData&, ProtocolId, const uint8_t* hdr_start, uint32_t len); static Codec* get_layer_codec(const Layer&, int idx); @@ -144,20 +150,12 @@ private: // constant offsets into the s_stats array. Notice the stat_offset // constant which is used when adding a protocol specific codec - static const uint8_t total_processed = 0; - static const uint8_t other_codecs = 1; - static const uint8_t discards = 2; - static const uint8_t depth_exceeded = 3; - static const uint8_t stat_offset = 4; - - // declared in header so it can access s_protocols - static THREAD_LOCAL std::array s_stats; - // FIXIT-L gcc apparently does not consider thread_local variables to be valid in - // constexpr expressions. As long as __thread is used instead of thread_local in gcc, - // this is not a problem. However, if we use thread_local and gcc, the declaration - // below will not compile. - static std::array g_stats; + static constexpr uint8_t total_processed = 0; + static constexpr uint8_t other_codecs = 1; + static constexpr uint8_t discards = 2; + static constexpr uint8_t depth_exceeded = 3; + + static uint8_t max_layers; static const std::array stat_names; }; } diff --git a/src/protocols/protocol_ids.h b/src/protocols/protocol_ids.h index 665b98462..8d89d20ed 100644 --- a/src/protocols/protocol_ids.h +++ b/src/protocols/protocol_ids.h @@ -161,6 +161,8 @@ enum class ProtocolId : std::uint16_t ETHERTYPE_CISCO_META = 0x8909, }; +constexpr auto num_protocol_idx = UINT8_MAX; + static const auto num_protocol_ids = std::numeric_limits::type>::max() + 1; diff --git a/src/protocols/ssl.h b/src/protocols/ssl.h index 17eb8b040..0089d0323 100644 --- a/src/protocols/ssl.h +++ b/src/protocols/ssl.h @@ -201,14 +201,14 @@ struct SSLv2_shello_t uint8_t minor; }; -struct SSLV3ClientHelloData +struct SO_PUBLIC SSLV3ClientHelloData { ~SSLV3ClientHelloData(); void clear(); char* host_name = nullptr; }; -struct SSLV3ServerCertData +struct SO_PUBLIC SSLV3ServerCertData { ~SSLV3ServerCertData(); void clear(); @@ -306,7 +306,7 @@ struct ServiceSSLV3ExtensionServerName namespace snort { -uint32_t SSL_decode( +SO_PUBLIC uint32_t SSL_decode( const uint8_t* pkt, int size, uint32_t pktflags, uint32_t prevflags, uint8_t* alert_flags, uint16_t* partial_rec_len, int hblen, uint32_t* info_flags = nullptr, SSLV3ClientHelloData* data = nullptr, SSLV3ServerCertData* server_cert_data = nullptr); diff --git a/src/protocols/tcp.h b/src/protocols/tcp.h index 74468154d..3f79f2543 100644 --- a/src/protocols/tcp.h +++ b/src/protocols/tcp.h @@ -65,6 +65,13 @@ namespace tcp #define GET_PKT_SEQ(p) (ntohl((p)->ptrs.tcph->th_seq)) +/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2 */ +#define SEQ_LT(a,b) ((int)((a) - (b)) < 0) +#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0) +#define SEQ_GT(a,b) ((int)((a) - (b)) > 0) +#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0) +#define SEQ_EQ(a,b) ((int)((a) - (b)) == 0) + constexpr uint8_t TCP_MIN_HEADER_LEN = 20; // this is actually the minimal TCP header length constexpr int OPT_TRUNC = -1; constexpr int OPT_BADLEN = -2; @@ -176,6 +183,19 @@ struct TCPHdr inline void set_seq(uint32_t new_seq) { th_seq = htonl(new_seq); } + + void stringify_flags(char* buf) const + { + *buf++ = (char)((th_flags & TH_RES1) ? '1' : '*'); + *buf++ = (char)((th_flags & TH_RES2) ? '2' : '*'); + *buf++ = (char)((th_flags & TH_URG) ? 'U' : '*'); + *buf++ = (char)((th_flags & TH_ACK) ? 'A' : '*'); + *buf++ = (char)((th_flags & TH_PUSH) ? 'P' : '*'); + *buf++ = (char)((th_flags & TH_RST) ? 'R' : '*'); + *buf++ = (char)((th_flags & TH_SYN) ? 'S' : '*'); + *buf++ = (char)((th_flags & TH_FIN) ? 'F' : '*'); + *buf = '\0'; + } }; } // namespace tcp } // namespace snort diff --git a/src/protocols/test/decode_err_len_test.cc b/src/protocols/test/decode_err_len_test.cc index 29620e2d7..e15031b6b 100644 --- a/src/protocols/test/decode_err_len_test.cc +++ b/src/protocols/test/decode_err_len_test.cc @@ -24,11 +24,12 @@ #include "detection/detection_engine.h" #include "detection/ips_context.h" #include "flow/expect_cache.h" +#include "flow/expect_flow.h" #include "log/text_log.h" #include "main/snort_config.h" #include "managers/codec_manager.h" +#include "packet_io/packet_tracer.h" #include "packet_io/sfdaq.h" -#include "packet_tracer/packet_tracer.h" #include "profiler/profiler_defs.h" #include "stream/stream.h" #include "trace/trace_api.h" @@ -109,7 +110,6 @@ public: MockCodec mock_cd; std::array CodecManager::s_protocols { { &mock_cd } }; -THREAD_LOCAL uint8_t CodecManager::max_layers = 1; //----------------------------- // Test diff --git a/src/protocols/test/get_geneve_opt_test.cc b/src/protocols/test/get_geneve_opt_test.cc index b9ff274d3..a28aab871 100644 --- a/src/protocols/test/get_geneve_opt_test.cc +++ b/src/protocols/test/get_geneve_opt_test.cc @@ -21,7 +21,7 @@ #include "config.h" #endif -#include "flow/expect_cache.h" +#include "flow/expect_flow.h" #include "framework/api_options.h" #include "protocols/packet.h" #include "protocols/packet_manager.h" @@ -37,8 +37,8 @@ const char* PacketManager::get_proto_name(ProtocolId) { return nullptr; } const vlan::VlanTagHdr* layer::get_vlan_layer(const Packet*) { return nullptr; } const geneve::GeneveLyr* layer::get_geneve_layer(const Packet*, bool) { return nullptr; } void ip::IpApi::reset() {} -THREAD_LOCAL uint8_t CodecManager::max_layers = 0; +uint8_t PacketManager::max_layers = DEFAULT_LAYERMAX; TEST_GROUP(get_geneve_opt_tests) { diff --git a/src/pub_sub/dns_events.cc b/src/pub_sub/dns_events.cc index d730b7a08..318e2c7ea 100644 --- a/src/pub_sub/dns_events.cc +++ b/src/pub_sub/dns_events.cc @@ -23,6 +23,8 @@ #include "dns_events.h" +#include + #include "service_inspectors/dns/dns.h" using namespace snort; @@ -43,7 +45,7 @@ void IPFqdnCacheItem::add_fqdn(const FqdnTtl& fqdn_ttl) return; fqdns.emplace_back(fqdn_ttl); -} +} void DnsResponseDataEvents::add_ip(const DnsResponseIp& ip) { diff --git a/src/search_engines/ac_bnfa.cc b/src/search_engines/ac_bnfa.cc index f1bfa3329..99715b885 100644 --- a/src/search_engines/ac_bnfa.cc +++ b/src/search_engines/ac_bnfa.cc @@ -30,14 +30,61 @@ #include "config.h" #endif +#include "framework/module.h" #include "framework/mpse.h" +#include "main/snort_types.h" +#include "profiler/profiler.h" #include "bnfa_search.h" using namespace snort; +#define MOD_NAME "ac_bnfa" +#define MOD_HELP "Aho-Corasick Binary NFA (low memory, low performance) MPSE" + +struct BnfaCounts +{ + PegCount searches; + PegCount matches; + PegCount bytes; +}; + +static THREAD_LOCAL BnfaCounts bnfa_counts; +static THREAD_LOCAL ProfileStats bnfa_stats; + +const PegInfo bnfa_pegs[] = +{ + { CountType::SUM, "searches", "number of search attempts" }, + { CountType::SUM, "matches", "number of times a match was found" }, + { CountType::SUM, "bytes", "total bytes searched" }, + + { CountType::END, nullptr, nullptr } +}; + //------------------------------------------------------------------------- -// "ac_bnfa" +// module +//------------------------------------------------------------------------- + +class AcBnfaModule : public Module +{ +public: + AcBnfaModule() : Module(MOD_NAME, MOD_HELP) { } + + ProfileStats* get_profile() const override + { return &bnfa_stats; } + + const PegInfo* get_pegs() const override + { return bnfa_pegs; } + + PegCount* get_counts() const override + { return (PegCount*)&bnfa_counts; } + + Usage get_usage() const override + { return GLOBAL; } +}; + +//------------------------------------------------------------------------- +// mpse //------------------------------------------------------------------------- class AcBnfaMpse : public Mpse @@ -58,27 +105,14 @@ public: bnfaFree(obj); } - int add_pattern( - const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override - { - return bnfaAddPattern(obj, P, m, desc.no_case, desc.negated, user); - } + int add_pattern(const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override + { return bnfaAddPattern(obj, P, m, desc.no_case, desc.negated, user); } int prep_patterns(SnortConfig* sc) override - { - return bnfaCompile(sc, obj); - } - - int _search( - const uint8_t* T, int n, MpseMatch match, - void* context, int* current_state) override - { - /* return is actually the state */ - return _bnfa_search_csparse_nfa( - obj, T, n, match, context, 0 /* start-state */, current_state); - } + { return bnfaCompile(sc, obj); } - // FIXIT-L Implement search_all method for AC_BNFA. + int get_pattern_count() const override + { return bnfaPatternCount(obj); } int print_info() override { @@ -86,16 +120,38 @@ public: return 0; } - int get_pattern_count() const override - { - return bnfaPatternCount(obj); - } + int search(const uint8_t*, int, MpseMatch, void*, int*) override; + // FIXIT-L Implement search_all method for AC_BNFA. }; +int AcBnfaMpse::search( const uint8_t* T, int n, MpseMatch match, void* context, int* current_state) +{ + Profile profile(bnfa_stats); // cppcheck-suppress unreadVariable + + bnfa_counts.searches++; + bnfa_counts.bytes += n; + + int found = _bnfa_search_csparse_nfa( + obj, T, n, match, context, 0 /* start-state */, current_state); + + bnfa_counts.matches += found; + return found; +} + //------------------------------------------------------------------------- // api //------------------------------------------------------------------------- +static Module* mod_ctor() +{ + return new AcBnfaModule; +} + +static void mod_dtor(Module* p) +{ + delete p; +} + static Mpse* bnfa_ctor( const SnortConfig*, class Module*, const MpseAgent* agent) { @@ -127,10 +183,10 @@ static const MpseApi bnfa_api = 0, API_RESERVED, API_OPTIONS, - "ac_bnfa", - "Aho-Corasick Binary NFA (low memory, high performance) MPSE", - nullptr, - nullptr + MOD_NAME, + MOD_HELP, + mod_ctor, + mod_dtor }, MPSE_BASE, nullptr, diff --git a/src/search_engines/ac_full.cc b/src/search_engines/ac_full.cc index 7a44c8333..d8d5b6995 100644 --- a/src/search_engines/ac_full.cc +++ b/src/search_engines/ac_full.cc @@ -21,14 +21,61 @@ #include "config.h" #endif +#include "framework/module.h" #include "framework/mpse.h" +#include "main/snort_types.h" +#include "profiler/profiler.h" #include "acsmx2.h" using namespace snort; +#define MOD_NAME "ac_full" +#define MOD_HELP "Aho-Corasick Full (high memory, best performance), implements search_all()" + +struct FullCounts +{ + PegCount searches; + PegCount matches; + PegCount bytes; +}; + +static THREAD_LOCAL FullCounts full_counts; +static THREAD_LOCAL ProfileStats full_stats; + +const PegInfo full_pegs[] = +{ + { CountType::SUM, "searches", "number of search attempts" }, + { CountType::SUM, "matches", "number of times a match was found" }, + { CountType::SUM, "bytes", "total bytes searched" }, + + { CountType::END, nullptr, nullptr } +}; + +//------------------------------------------------------------------------- +// module +//------------------------------------------------------------------------- + +class AcFullModule : public Module +{ +public: + AcFullModule() : Module(MOD_NAME, MOD_HELP) { } + + ProfileStats* get_profile() const override + { return &full_stats; } + + const PegInfo* get_pegs() const override + { return full_pegs; } + + PegCount* get_counts() const override + { return (PegCount*)&full_counts; } + + Usage get_usage() const override + { return GLOBAL; } +}; + //------------------------------------------------------------------------- -// "ac_full" +// mpse //------------------------------------------------------------------------- class AcfMpse : public Mpse @@ -43,40 +90,60 @@ public: ~AcfMpse() override { acsmFree2(obj); } - int add_pattern( - const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override - { - return acsmAddPattern2(obj, P, m, desc.no_case, desc.negated, user); - } + int add_pattern(const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override + { return acsmAddPattern2(obj, P, m, desc.no_case, desc.negated, user); } int prep_patterns(SnortConfig* sc) override { return acsmCompile2(sc, obj); } - int _search( - const uint8_t* T, int n, MpseMatch match, - void* context, int* current_state) override - { - return acsm_search_dfa_full(obj, T, n, match, context, current_state); - } - - int search_all( - const uint8_t* T, int n, MpseMatch match, - void* context, int* current_state) override - { - return acsm_search_dfa_full_all(obj, T, n, match, context, current_state); - } - int print_info() override { return acsmPrintDetailInfo2(obj); } int get_pattern_count() const override { return acsmPatternCount2(obj); } + + int search(const uint8_t*, int, MpseMatch, void*, int*) override; + int search_all(const uint8_t*, int n, MpseMatch, void*, int*) override; }; +int AcfMpse::search(const uint8_t* T, int n, MpseMatch match, void* context, int* current_state) +{ + Profile profile(full_stats); // cppcheck-suppress unreadVariable + + full_counts.searches++; + full_counts.bytes += n; + + int found = acsm_search_dfa_full(obj, T, n, match, context, current_state); + + full_counts.matches += found; + return found; +} + +int AcfMpse::search_all(const uint8_t* T, int n, MpseMatch match, void* context, int* current_state) +{ + full_counts.searches++; + full_counts.bytes += n; + + int found = acsm_search_dfa_full_all(obj, T, n, match, context, current_state); + + full_counts.matches += found; + return found; +} + //------------------------------------------------------------------------- // api //------------------------------------------------------------------------- +static Module* mod_ctor() +{ + return new AcFullModule; +} + +static void mod_dtor(Module* p) +{ + delete p; +} + static Mpse* acf_ctor( const SnortConfig*, class Module*, const MpseAgent* agent) { @@ -108,10 +175,10 @@ static const MpseApi acf_api = 0, API_RESERVED, API_OPTIONS, - "ac_full", - "Aho-Corasick Full (high memory, best performance), implements search_all()", - nullptr, - nullptr + MOD_NAME, + MOD_HELP, + mod_ctor, + mod_dtor }, MPSE_BASE, nullptr, diff --git a/src/search_engines/acsmx2.cc b/src/search_engines/acsmx2.cc index bf3a21a3b..6340b6229 100644 --- a/src/search_engines/acsmx2.cc +++ b/src/search_engines/acsmx2.cc @@ -127,8 +127,8 @@ #include #include +#include "log/log_stats.h" #include "log/messages.h" -#include "utils/stats.h" #include "utils/util.h" using namespace snort; diff --git a/src/search_engines/bnfa_search.cc b/src/search_engines/bnfa_search.cc index 19de47ad7..8047ca9ea 100644 --- a/src/search_engines/bnfa_search.cc +++ b/src/search_engines/bnfa_search.cc @@ -148,8 +148,8 @@ #include +#include "log/log_stats.h" #include "log/messages.h" -#include "utils/stats.h" #include "utils/util.h" using namespace snort; diff --git a/src/search_engines/hyperscan.cc b/src/search_engines/hyperscan.cc index 49cb26c6e..da57d2225 100644 --- a/src/search_engines/hyperscan.cc +++ b/src/search_engines/hyperscan.cc @@ -36,16 +36,23 @@ #include "framework/mpse.h" #include "hash/hashes.h" #include "helpers/scratch_allocator.h" +#include "log/log_stats.h" #include "log/messages.h" #include "main/snort_config.h" #include "main/thread.h" -#include "utils/stats.h" +#include "profiler/profiler.h" using namespace snort; static const char* s_name = "hyperscan"; -static const char* s_help = "intel hyperscan-based mpse with regex support"; +static const char* s_help = "intel hyperscan-based MPSE with regex support"; +//------------------------------------------------------------------------- +// pattern foo +//------------------------------------------------------------------------- + +namespace +{ struct Pattern { std::string pat; @@ -61,6 +68,7 @@ struct Pattern Pattern(const uint8_t*, unsigned, const Mpse::PatternDescriptor&, void*); void escape(const uint8_t*, unsigned, bool); }; +} Pattern::Pattern( const uint8_t* s, unsigned n, const Mpse::PatternDescriptor& d, void* u) @@ -113,21 +121,98 @@ static bool compare(const Pattern& a, const Pattern& b) typedef std::vector PatternVector; +//------------------------------------------------------------------------- +// scratch +//------------------------------------------------------------------------- + static std::mutex s_mutex; static hs_scratch_t* s_scratch = nullptr; static unsigned int scratch_index; static ScratchAllocator* scratcher = nullptr; -struct ScanContext +static bool scratch_setup(SnortConfig* sc) { - class HyperscanMpse* mpse; - MpseMatch match_cb; - void* match_ctx; - int nfound = 0; + for ( unsigned i = 0; i < sc->num_slots; ++i ) + { + hs_scratch_t** ss = (hs_scratch_t**) &sc->state[i][scratch_index]; + hs_clone_scratch(s_scratch, ss); + } - ScanContext(HyperscanMpse* m, MpseMatch cb, void* ctx) - { mpse = m; match_cb = cb; match_ctx = ctx; } + return true; +} + +static void scratch_cleanup(SnortConfig* sc) +{ + for ( unsigned i = 0; i < sc->num_slots; ++i ) + { + hs_scratch_t* ss = (hs_scratch_t*)sc->state[i][scratch_index]; + hs_free_scratch(ss); + sc->state[i][scratch_index] = nullptr; + } +} + +static void scratch_update(SnortConfig* sc) +{ + hs_scratch_t** ss = (hs_scratch_t**) &sc->state[get_instance_id()][scratch_index]; + + if ( *ss == s_scratch ) + return; + + hs_free_scratch(*ss); + *ss = nullptr; + + hs_clone_scratch(s_scratch, ss); +} + +//------------------------------------------------------------------------- +// module +//------------------------------------------------------------------------- + +struct FullCounts +{ + PegCount searches; + PegCount matches; + PegCount bytes; +}; + +static THREAD_LOCAL FullCounts hyper_counts; +static THREAD_LOCAL ProfileStats hyper_stats; + +const PegInfo hyper_pegs[] = +{ + { CountType::SUM, "searches", "number of search attempts" }, + { CountType::SUM, "matches", "number of times a match was found" }, + { CountType::SUM, "bytes", "total bytes searched" }, + + { CountType::END, nullptr, nullptr } +}; + +class HyperscanModule : public Module +{ +public: + HyperscanModule() : Module(s_name, s_help) + { + scratcher = new SimpleScratchAllocator(scratch_setup, scratch_cleanup, scratch_update); + scratch_index = scratcher->get_id(); + } + + ~HyperscanModule() override + { + delete scratcher; + hs_free_scratch(s_scratch); + s_scratch = nullptr; + } + ProfileStats* get_profile() const override + { return &hyper_stats; } + + const PegInfo* get_pegs() const override + { return hyper_pegs; } + PegCount* get_counts() const override + { return (PegCount*)&hyper_counts; } + + Usage get_usage() const override + { return GLOBAL; } }; //------------------------------------------------------------------------- @@ -165,7 +250,7 @@ public: int prep_patterns(SnortConfig*) override; void reuse_search() override; - int _search(const uint8_t*, int, MpseMatch, void*, int*) override; + int search(const uint8_t*, int, MpseMatch, void*, int*) override; int get_pattern_count() const override { return pvector.size(); } @@ -351,9 +436,25 @@ int HyperscanMpse::match(unsigned id, unsigned long long to, MpseMatch match_cb, { assert(id < pvector.size()); Pattern& p = pvector[id]; + hyper_counts.matches++; return match_cb(p.user, p.user_tree, (int)to, match_ctx, p.user_list); } +namespace +{ +struct ScanContext +{ + HyperscanMpse* mpse; + MpseMatch match_cb; + void* match_ctx; + int nfound = 0; + + ScanContext(HyperscanMpse* m, MpseMatch cb, void* ctx) + { mpse = m; match_cb = cb; match_ctx = ctx; } + +}; +} + int HyperscanMpse::match( unsigned id, unsigned long long /*from*/, unsigned long long to, unsigned /*flags*/, void* pv) @@ -363,9 +464,11 @@ int HyperscanMpse::match( return scan->mpse->match(id, to, scan->match_cb, scan->match_ctx); } -int HyperscanMpse::_search( +int HyperscanMpse::search( const uint8_t* buf, int n, MpseMatch mf, void* pv, int* current_state) { + Profile profile(hyper_stats); // cppcheck-suppress unreadVariable + *current_state = 0; ScanContext scan(this, mf, pv); @@ -375,62 +478,14 @@ int HyperscanMpse::_search( // scratch is null for the degenerate case w/o patterns assert(!hs_db or ss); + hyper_counts.searches++; + hyper_counts.bytes += n; + hs_scan(hs_db, (const char*)buf, n, 0, ss, HyperscanMpse::match, &scan); return scan.nfound; } -static bool scratch_setup(SnortConfig* sc) -{ - for ( unsigned i = 0; i < sc->num_slots; ++i ) - { - hs_scratch_t** ss = (hs_scratch_t**) &sc->state[i][scratch_index]; - hs_clone_scratch(s_scratch, ss); - } - - return true; -} - -static void scratch_cleanup(SnortConfig* sc) -{ - for ( unsigned i = 0; i < sc->num_slots; ++i ) - { - hs_scratch_t* ss = (hs_scratch_t*)sc->state[i][scratch_index]; - hs_free_scratch(ss); - sc->state[i][scratch_index] = nullptr; - } -} - -static void scratch_update(SnortConfig* sc) -{ - hs_scratch_t** ss = (hs_scratch_t**) &sc->state[get_instance_id()][scratch_index]; - - if ( *ss == s_scratch ) - return; - - hs_free_scratch(*ss); - *ss = nullptr; - - hs_clone_scratch(s_scratch, ss); -} - -class HyperscanModule : public Module -{ -public: - HyperscanModule() : Module(s_name, s_help) - { - scratcher = new SimpleScratchAllocator(scratch_setup, scratch_cleanup, scratch_update); - scratch_index = scratcher->get_id(); - } - - ~HyperscanModule() override - { - delete scratcher; - hs_free_scratch(s_scratch); - s_scratch = nullptr; - } -}; - //------------------------------------------------------------------------- // api //------------------------------------------------------------------------- diff --git a/src/search_engines/pat_stats.h b/src/search_engines/pat_stats.h index fbba49b44..21a2bf7ca 100644 --- a/src/search_engines/pat_stats.h +++ b/src/search_engines/pat_stats.h @@ -22,7 +22,6 @@ #include "framework/counts.h" #include "main/snort_types.h" -#include "main/thread.h" // pattern matcher queue statistics @@ -35,12 +34,11 @@ struct PatMatQStat PegCount tot_inq_uinserts; PegCount non_qualified_events; PegCount qualified_events; - PegCount matched_bytes; }; namespace snort { -SO_PUBLIC extern THREAD_LOCAL PatMatQStat pmqs; +extern THREAD_LOCAL PatMatQStat pmqs; } #endif diff --git a/src/search_engines/search_tool.cc b/src/search_engines/search_tool.cc index 4433dabd6..f8206db94 100644 --- a/src/search_engines/search_tool.cc +++ b/src/search_engines/search_tool.cc @@ -39,7 +39,7 @@ SearchTool::SearchTool(bool multi, const char* override_method) assert(!override_method || strcmp(override_method, "hyperscan")); const char* method = override_method ? override_method : sc->fast_pattern_config->get_search_method(); - if ( strcmp(method, "hyperscan") ) + if ( !method or strcmp(method, "hyperscan") ) method = "ac_full"; mpsegrp = new MpseGroup; diff --git a/src/search_engines/test/CMakeLists.txt b/src/search_engines/test/CMakeLists.txt index a01686db7..ee1f566e6 100644 --- a/src/search_engines/test/CMakeLists.txt +++ b/src/search_engines/test/CMakeLists.txt @@ -6,6 +6,7 @@ add_cpputest( ac_bnfa_test ../ac_bnfa.cc ../bnfa_search.cc ../search_tool.cc + ../../framework/module.cc ../../framework/mpse.cc ) @@ -16,6 +17,7 @@ add_cpputest( search_tool_test ../ac_full.cc ../acsmx2.cc ../search_tool.cc + ../../framework/module.cc ../../framework/mpse.cc ) diff --git a/src/search_engines/test/hyper_tool_test.cc b/src/search_engines/test/hyper_tool_test.cc index a9afc3e6d..c88a445c8 100644 --- a/src/search_engines/test/hyper_tool_test.cc +++ b/src/search_engines/test/hyper_tool_test.cc @@ -44,12 +44,6 @@ using namespace snort; -namespace snort -{ - unsigned get_instance_id() { return 0; } - unsigned ThreadConfig::get_instance_max() { return 1; } -} - //------------------------------------------------------------------------- // stubs, spies, etc. //------------------------------------------------------------------------- diff --git a/src/search_engines/test/hyperscan_test.cc b/src/search_engines/test/hyperscan_test.cc index a3f8c16c2..107ff7330 100644 --- a/src/search_engines/test/hyperscan_test.cc +++ b/src/search_engines/test/hyperscan_test.cc @@ -40,12 +40,6 @@ using namespace snort; -namespace snort -{ - unsigned get_instance_id() { return 0; } - unsigned ThreadConfig::get_instance_max() { return 1; } -} - //------------------------------------------------------------------------- // stubs, spies, etc. //------------------------------------------------------------------------- diff --git a/src/search_engines/test/mpse_test_stubs.cc b/src/search_engines/test/mpse_test_stubs.cc index 74bc48349..39e45f0ef 100644 --- a/src/search_engines/test/mpse_test_stubs.cc +++ b/src/search_engines/test/mpse_test_stubs.cc @@ -32,9 +32,9 @@ #include "framework/mpse_batch.h" #include "log/messages.h" #include "main/snort_config.h" +#include "main/thread_config.h" #include "managers/mpse_manager.h" -#include "search_engines/pat_stats.h" -#include "utils/stats.h" +#include "profiler/time_profiler_defs.h" //------------------------------------------------------------------------- // base stuff @@ -76,7 +76,10 @@ void SnortConfig::release_scratch(int) DataBus::DataBus() = default; DataBus::~DataBus() = default; -THREAD_LOCAL PatMatQStat pmqs; +THREAD_LOCAL bool snort::TimeProfilerStats::enabled; + +unsigned get_instance_id() { return 0; } +unsigned ThreadConfig::get_instance_max() { return 1; } unsigned parse_errors = 0; void ParseError(const char*, ...) @@ -105,7 +108,7 @@ const char* FastPatternConfig::get_search_method() const using namespace snort; void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } Mpse* mpse = nullptr; diff --git a/src/search_engines/test/mpse_test_stubs.h b/src/search_engines/test/mpse_test_stubs.h index 710c9d1bc..7d4b960e6 100644 --- a/src/search_engines/test/mpse_test_stubs.h +++ b/src/search_engines/test/mpse_test_stubs.h @@ -29,9 +29,6 @@ #include "framework/mpse_batch.h" #include "main/snort_config.h" #include "managers/mpse_manager.h" -#include "utils/stats.h" - -#include "search_engines/pat_stats.h" extern std::vector s_state; extern snort::ScratchAllocator* scratcher; @@ -41,7 +38,6 @@ namespace snort extern SnortConfig s_conf; extern THREAD_LOCAL SnortConfig* snort_conf; -extern THREAD_LOCAL PatMatQStat pmqs; extern unsigned parse_errors; } // namespace snort diff --git a/src/service_inspectors/CMakeLists.txt b/src/service_inspectors/CMakeLists.txt index bfac57111..fa902c170 100644 --- a/src/service_inspectors/CMakeLists.txt +++ b/src/service_inspectors/CMakeLists.txt @@ -40,6 +40,7 @@ if (STATIC_INSPECTORS) $ $ $ + $ $ ) endif() @@ -48,7 +49,6 @@ set(STATIC_SERVICE_INSPECTOR_PLUGINS $ $ $ - $ $ ${STATIC_INSPECTOR_OBJS} CACHE INTERNAL "STATIC_SERVICE_INSPECTOR_PLUGINS" diff --git a/src/service_inspectors/back_orifice/back_orifice.cc b/src/service_inspectors/back_orifice/back_orifice.cc index 416f3892c..d5d261fe4 100644 --- a/src/service_inspectors/back_orifice/back_orifice.cc +++ b/src/service_inspectors/back_orifice/back_orifice.cc @@ -110,7 +110,6 @@ #endif #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "framework/inspector.h" #include "framework/module.h" #include "log/messages.h" diff --git a/src/service_inspectors/cip/cip.cc b/src/service_inspectors/cip/cip.cc index 8993d06ab..d143e4a95 100644 --- a/src/service_inspectors/cip/cip.cc +++ b/src/service_inspectors/cip/cip.cc @@ -27,9 +27,7 @@ #include "cip.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "log/messages.h" -#include "managers/inspector_manager.h" #include "profiler/profiler.h" #include "protocols/packet.h" #include "pub_sub/cip_events.h" diff --git a/src/service_inspectors/cip/cip.h b/src/service_inspectors/cip/cip.h index 630d5e874..e998c99e6 100644 --- a/src/service_inspectors/cip/cip.h +++ b/src/service_inspectors/cip/cip.h @@ -25,7 +25,6 @@ #include "flow/flow.h" #include "framework/counts.h" #include "framework/data_bus.h" -#include "main/thread.h" #include "protocols/packet.h" #include "cip_definitions.h" diff --git a/src/service_inspectors/cip/ips_cip_attribute.cc b/src/service_inspectors/cip/ips_cip_attribute.cc index fb085735e..d57d62037 100644 --- a/src/service_inspectors/cip/ips_cip_attribute.cc +++ b/src/service_inspectors/cip/ips_cip_attribute.cc @@ -171,7 +171,7 @@ static void cip_attribute_mod_dtor(Module* m) delete m; } -static IpsOption* cip_attribute_ctor(Module* p, OptTreeNode*) +static IpsOption* cip_attribute_ctor(Module* p, IpsInfo&) { CipAttributeModule* m = static_cast(p); return new CipAttributeOption(m->cip_attr); diff --git a/src/service_inspectors/cip/ips_cip_class.cc b/src/service_inspectors/cip/ips_cip_class.cc index 9eca53034..db60dd69a 100644 --- a/src/service_inspectors/cip/ips_cip_class.cc +++ b/src/service_inspectors/cip/ips_cip_class.cc @@ -170,7 +170,7 @@ static void cip_class_mod_dtor(Module* m) delete m; } -static IpsOption* cip_class_ctor(Module* p, OptTreeNode*) +static IpsOption* cip_class_ctor(Module* p, IpsInfo&) { CipClassModule* m = static_cast(p); return new CipClassOption(m->cip_class); diff --git a/src/service_inspectors/cip/ips_cip_connpathclass.cc b/src/service_inspectors/cip/ips_cip_connpathclass.cc index 0ba5f82f5..3f4114f1f 100644 --- a/src/service_inspectors/cip/ips_cip_connpathclass.cc +++ b/src/service_inspectors/cip/ips_cip_connpathclass.cc @@ -171,7 +171,7 @@ static void cip_connpathclass_mod_dtor(Module* m) delete m; } -static IpsOption* cip_connpathclass_ctor(Module* p, OptTreeNode*) +static IpsOption* cip_connpathclass_ctor(Module* p, IpsInfo&) { CipConnpathclassModule* m = static_cast(p); return new CipConnpathclassOption(m->cip_cpc); diff --git a/src/service_inspectors/cip/ips_cip_enipcommand.cc b/src/service_inspectors/cip/ips_cip_enipcommand.cc index beb741412..54a7211e6 100644 --- a/src/service_inspectors/cip/ips_cip_enipcommand.cc +++ b/src/service_inspectors/cip/ips_cip_enipcommand.cc @@ -164,7 +164,7 @@ static void cip_enipcommand_mod_dtor(Module* m) delete m; } -static IpsOption* cip_enipcommand_ctor(Module* p, OptTreeNode*) +static IpsOption* cip_enipcommand_ctor(Module* p, IpsInfo&) { CipEnipCommandModule* m = static_cast(p); return new CipEnipCommandOption(m->cip_enip_cmd); diff --git a/src/service_inspectors/cip/ips_cip_enipreq.cc b/src/service_inspectors/cip/ips_cip_enipreq.cc index a060664e5..a424a5fd0 100644 --- a/src/service_inspectors/cip/ips_cip_enipreq.cc +++ b/src/service_inspectors/cip/ips_cip_enipreq.cc @@ -127,7 +127,7 @@ static void cip_enipreq_mod_dtor(Module* m) delete m; } -static IpsOption* cip_enipreq_ctor(Module*, OptTreeNode*) +static IpsOption* cip_enipreq_ctor(Module*, IpsInfo&) { return new CipEnipreqOption; } diff --git a/src/service_inspectors/cip/ips_cip_eniprsp.cc b/src/service_inspectors/cip/ips_cip_eniprsp.cc index 4fbb8636c..83dec6f9e 100644 --- a/src/service_inspectors/cip/ips_cip_eniprsp.cc +++ b/src/service_inspectors/cip/ips_cip_eniprsp.cc @@ -127,7 +127,7 @@ static void cip_eniprsp_mod_dtor(Module* m) delete m; } -static IpsOption* cip_eniprsp_ctor(Module*, OptTreeNode*) +static IpsOption* cip_eniprsp_ctor(Module*, IpsInfo&) { return new CipEnipRspOption; } diff --git a/src/service_inspectors/cip/ips_cip_instance.cc b/src/service_inspectors/cip/ips_cip_instance.cc index baa504d9a..f629dc57c 100644 --- a/src/service_inspectors/cip/ips_cip_instance.cc +++ b/src/service_inspectors/cip/ips_cip_instance.cc @@ -171,7 +171,7 @@ static void cip_instance_mod_dtor(Module* m) delete m; } -static IpsOption* cip_instance_ctor(Module* p, OptTreeNode*) +static IpsOption* cip_instance_ctor(Module* p, IpsInfo&) { CipInstanceModule* m = static_cast(p); return new CipInstanceOption(m->cip_inst); diff --git a/src/service_inspectors/cip/ips_cip_req.cc b/src/service_inspectors/cip/ips_cip_req.cc index 7cd52636a..642427d68 100644 --- a/src/service_inspectors/cip/ips_cip_req.cc +++ b/src/service_inspectors/cip/ips_cip_req.cc @@ -128,7 +128,7 @@ static void cip_req_mod_dtor(Module* m) delete m; } -static IpsOption* cip_req_ctor(Module*, OptTreeNode*) +static IpsOption* cip_req_ctor(Module*, IpsInfo&) { return new CipReqOption; } diff --git a/src/service_inspectors/cip/ips_cip_rsp.cc b/src/service_inspectors/cip/ips_cip_rsp.cc index d65e79ac4..d5a5d5bcf 100644 --- a/src/service_inspectors/cip/ips_cip_rsp.cc +++ b/src/service_inspectors/cip/ips_cip_rsp.cc @@ -128,7 +128,7 @@ static void cip_rsp_mod_dtor(Module* m) delete m; } -static IpsOption* cip_rsp_ctor(Module*, OptTreeNode*) +static IpsOption* cip_rsp_ctor(Module*, IpsInfo&) { return new CipRspOption; } diff --git a/src/service_inspectors/cip/ips_cip_service.cc b/src/service_inspectors/cip/ips_cip_service.cc index 26da01f8f..228921d25 100644 --- a/src/service_inspectors/cip/ips_cip_service.cc +++ b/src/service_inspectors/cip/ips_cip_service.cc @@ -175,7 +175,7 @@ static void cip_service_mod_dtor(Module* m) delete m; } -static IpsOption* cip_service_ctor(Module* p, OptTreeNode*) +static IpsOption* cip_service_ctor(Module* p, IpsInfo&) { CipServiceModule* m = static_cast(p); return new CipServiceOption(m->cip_serv); diff --git a/src/service_inspectors/cip/ips_cip_status.cc b/src/service_inspectors/cip/ips_cip_status.cc index f24a4ba91..f4604a05d 100644 --- a/src/service_inspectors/cip/ips_cip_status.cc +++ b/src/service_inspectors/cip/ips_cip_status.cc @@ -170,7 +170,7 @@ static void cip_status_mod_dtor(Module* m) delete m; } -static IpsOption* cip_status_ctor(Module* p, OptTreeNode*) +static IpsOption* cip_status_ctor(Module* p, IpsInfo&) { CipStatusModule* m = static_cast(p); return new CipStatusOption(m->cip_status); diff --git a/src/service_inspectors/dce_rpc/dce_common.cc b/src/service_inspectors/dce_rpc/dce_common.cc index 54a054253..ac80725f6 100644 --- a/src/service_inspectors/dce_rpc/dce_common.cc +++ b/src/service_inspectors/dce_rpc/dce_common.cc @@ -25,7 +25,7 @@ #include "dce_common.h" #include "detection/detection_engine.h" -#include "ips_options/extract.h" +#include "detection/extract.h" #include "log/messages.h" #include "utils/safec.h" diff --git a/src/service_inspectors/dce_rpc/dce_expected_session.cc b/src/service_inspectors/dce_rpc/dce_expected_session.cc index 8fd8139d6..50f971a1b 100644 --- a/src/service_inspectors/dce_rpc/dce_expected_session.cc +++ b/src/service_inspectors/dce_rpc/dce_expected_session.cc @@ -24,7 +24,7 @@ #include "dce_expected_session.h" -#include "managers/inspector_manager.h" +#include "framework/pig_pen.h" #include "pub_sub/dcerpc_events.h" #include "stream/stream.h" @@ -36,7 +36,7 @@ void DceExpSsnManager::create_expected_session(const SfIp* ept_ip, uint16_t ept_port, const char* mod_name) { Packet* pkt = DetectionEngine::get_current_packet(); - Dce2Tcp* inspector = (Dce2Tcp*)InspectorManager::get_inspector(mod_name, true); + Dce2Tcp* inspector = (Dce2Tcp*)PigPen::get_inspector(mod_name, true); DceExpSsnManager& esm = inspector->get_esm(); const SfIp* src_ip = pkt->ptrs.ip_api.get_dst(); diff --git a/src/service_inspectors/dce_rpc/dce_http_proxy.cc b/src/service_inspectors/dce_rpc/dce_http_proxy.cc index e929b6f77..174222b59 100644 --- a/src/service_inspectors/dce_rpc/dce_http_proxy.cc +++ b/src/service_inspectors/dce_rpc/dce_http_proxy.cc @@ -25,7 +25,6 @@ #include "dce_http_proxy_module.h" -#include "managers/inspector_manager.h" #include "stream/tcp/tcp_stream_session.h" #include "dce_http_proxy_splitter.h" diff --git a/src/service_inspectors/dce_rpc/dce_http_proxy_module.h b/src/service_inspectors/dce_rpc/dce_http_proxy_module.h index f6889892f..1541fd3e4 100644 --- a/src/service_inspectors/dce_rpc/dce_http_proxy_module.h +++ b/src/service_inspectors/dce_rpc/dce_http_proxy_module.h @@ -24,7 +24,6 @@ #include "dce_common.h" #include "framework/counts.h" #include "framework/module.h" -#include "main/thread.h" class DceHttpProxyModule : public snort::Module { diff --git a/src/service_inspectors/dce_rpc/dce_http_server.cc b/src/service_inspectors/dce_rpc/dce_http_server.cc index 444b4570f..65391880f 100644 --- a/src/service_inspectors/dce_rpc/dce_http_server.cc +++ b/src/service_inspectors/dce_rpc/dce_http_server.cc @@ -25,7 +25,6 @@ #include "dce_http_server_module.h" -#include "managers/inspector_manager.h" #include "stream/tcp/tcp_stream_session.h" #include "dce_http_server_splitter.h" diff --git a/src/service_inspectors/dce_rpc/dce_http_server_module.h b/src/service_inspectors/dce_rpc/dce_http_server_module.h index 19c7f5cd9..a214643bf 100644 --- a/src/service_inspectors/dce_rpc/dce_http_server_module.h +++ b/src/service_inspectors/dce_rpc/dce_http_server_module.h @@ -24,7 +24,6 @@ #include "dce_common.h" #include "framework/counts.h" #include "framework/module.h" -#include "main/thread.h" class DceHttpServerModule : public snort::Module { diff --git a/src/service_inspectors/dce_rpc/dce_smb.h b/src/service_inspectors/dce_rpc/dce_smb.h index e6c1cd8a3..183505876 100644 --- a/src/service_inspectors/dce_rpc/dce_smb.h +++ b/src/service_inspectors/dce_rpc/dce_smb.h @@ -510,9 +510,6 @@ public: static void init() { inspector_id = snort::FlowData::create_flow_data_id(); } - size_t size_of() override - { return sizeof(*this); } - public: static unsigned inspector_id; DCE2_SmbVersion smb_version; diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc index b5981c504..4e6b48f11 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2.cc +++ b/src/service_inspectors/dce_rpc/dce_smb2.cc @@ -24,10 +24,12 @@ #endif #include "dce_smb2.h" -#include "dce_smb2_commands.h" -#include "detection/detection_util.h" + +#include "flow/flow_key.h" #include "stream/stream.h" +#include "dce_smb2_commands.h" + using namespace snort; const char* smb2_command_string[SMB2_COM_MAX] = { diff --git a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc index 0103254de..6f7893ea5 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc +++ b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc @@ -26,6 +26,8 @@ #endif #include "dce_smb2_commands.h" + +#include "file_api/file_lib.h" #include "hash/hash_key_operations.h" #include "log/messages.h" #include "packet_io/active.h" diff --git a/src/service_inspectors/dce_rpc/dce_smb2_commands.h b/src/service_inspectors/dce_rpc/dce_smb2_commands.h index 20c771b3a..184526123 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2_commands.h +++ b/src/service_inspectors/dce_rpc/dce_smb2_commands.h @@ -22,12 +22,12 @@ #ifndef DCE_SMB2_COMMANDS_H #define DCE_SMB2_COMMANDS_H +#include "file_api/file_flows.h" +#include "file_api/file_service.h" + #include "dce_smb_module.h" #include "dce_smb_utils.h" #include "dce_smb2_utils.h" -#include "detection/detection_util.h" -#include "file_api/file_flows.h" -#include "file_api/file_service.h" void DCE2_Smb2Setup(DCE2_Smb2SsnData*, const Smb2Hdr*, const uint64_t sid, const uint8_t* smb_data, const uint8_t* end); diff --git a/src/service_inspectors/dce_rpc/dce_smb2_utils.cc b/src/service_inspectors/dce_rpc/dce_smb2_utils.cc index 5cb22e7a2..6e66caf6a 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2_utils.cc +++ b/src/service_inspectors/dce_rpc/dce_smb2_utils.cc @@ -23,11 +23,11 @@ #include "config.h" #endif +#include "flow/flow_key.h" + #include "dce_smb_module.h" #include "dce_smb_utils.h" #include "dce_smb2_utils.h" -#include "detection/detection_util.h" -#include "flow/flow_key.h" using namespace snort; diff --git a/src/service_inspectors/dce_rpc/dce_smb_module.cc b/src/service_inspectors/dce_rpc/dce_smb_module.cc index d01c6ebb1..0d96db6ec 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_module.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_module.cc @@ -231,9 +231,6 @@ static const Parameter s_params[] = { "valid_smb_versions", Parameter::PT_MULTI, "v1 | v2 | all", "all", "valid SMB versions" }, - { "smb_file_inspection", Parameter::PT_ENUM, "off | on | only", nullptr, - "deprecated (not used): file inspection controlled by smb_file_depth" }, - { "smb_file_depth", Parameter::PT_INT, "-1:32767", "16384", "SMB file depth for file data (-1 = disabled, 0 = unlimited)" }, @@ -510,9 +507,6 @@ bool Dce2SmbModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("valid_smb_versions") ) set_smb_versions_mask(config,v.get_string()); - else if ( v.is("smb_file_inspection") ) - ParseWarning(WARN_CONF, "smb_file_inspection is deprecated (not used): use smb_file_depth"); - else if ( v.is("smb_file_depth") ) config.smb_file_depth = v.get_int16(); diff --git a/src/service_inspectors/dce_rpc/dce_smb_utils.cc b/src/service_inspectors/dce_rpc/dce_smb_utils.cc index 98126780e..11bdf03c5 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_utils.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_utils.cc @@ -26,12 +26,12 @@ #include "dce_smb_utils.h" #include "detection/detection_engine.h" -#include "detection/detection_util.h" #include "file_api/file_api.h" +#include "file_api/file_lib.h" #include "hash/hash_key_operations.h" #include "main/snort.h" -#include "network_inspectors/packet_tracer/packet_tracer.h" #include "packet_io/active.h" +#include "packet_io/packet_tracer.h" #include "trace/trace_api.h" #include "utils/util.h" diff --git a/src/service_inspectors/dce_rpc/dce_tcp.cc b/src/service_inspectors/dce_rpc/dce_tcp.cc index 5be45a8b0..ee469a4ac 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp.cc +++ b/src/service_inspectors/dce_rpc/dce_tcp.cc @@ -26,6 +26,7 @@ #include "dce_tcp.h" #include "detection/detection_engine.h" +#include "main/snort_config.h" #include "pub_sub/dcerpc_events.h" #include "utils/util.h" diff --git a/src/service_inspectors/dce_rpc/ips_dce_iface.cc b/src/service_inspectors/dce_rpc/ips_dce_iface.cc index 81a5f7f38..815bfb301 100644 --- a/src/service_inspectors/dce_rpc/ips_dce_iface.cc +++ b/src/service_inspectors/dce_rpc/ips_dce_iface.cc @@ -511,7 +511,7 @@ static void dce2_iface_mod_dtor(Module* m) delete m; } -static IpsOption* dce2_iface_ctor(Module* p, OptTreeNode*) +static IpsOption* dce2_iface_ctor(Module* p, IpsInfo&) { Dce2IfaceModule* m = (Dce2IfaceModule*)p; return new Dce2IfaceOption(m->version, m->any_frag, m->uuid); diff --git a/src/service_inspectors/dce_rpc/ips_dce_opnum.cc b/src/service_inspectors/dce_rpc/ips_dce_opnum.cc index d9f54134d..84ce96522 100644 --- a/src/service_inspectors/dce_rpc/ips_dce_opnum.cc +++ b/src/service_inspectors/dce_rpc/ips_dce_opnum.cc @@ -524,7 +524,7 @@ static void dce2_opnum_mod_dtor(Module* m) delete m; } -static IpsOption* dce2_opnum_ctor(Module* p, OptTreeNode*) +static IpsOption* dce2_opnum_ctor(Module* p, IpsInfo&) { Dce2OpnumModule* m = (Dce2OpnumModule*)p; DCE2_Opnum opnum = m->opnum; diff --git a/src/service_inspectors/dce_rpc/ips_dce_stub_data.cc b/src/service_inspectors/dce_rpc/ips_dce_stub_data.cc index 3611b306d..6ada2ecb8 100644 --- a/src/service_inspectors/dce_rpc/ips_dce_stub_data.cc +++ b/src/service_inspectors/dce_rpc/ips_dce_stub_data.cc @@ -136,7 +136,7 @@ static void dce2_stub_data_mod_dtor(Module* m) delete m; } -static IpsOption* dce2_stub_data_ctor(Module*, OptTreeNode*) +static IpsOption* dce2_stub_data_ctor(Module*, IpsInfo&) { return new Dce2StubDataOption; } diff --git a/src/service_inspectors/dce_rpc/smb_message.cc b/src/service_inspectors/dce_rpc/smb_message.cc index c3592a26e..963de3ba9 100644 --- a/src/service_inspectors/dce_rpc/smb_message.cc +++ b/src/service_inspectors/dce_rpc/smb_message.cc @@ -24,13 +24,6 @@ #include "smb_message.h" -#include "dce_smb.h" -#include "dce_smb_commands.h" -#include "dce_smb_module.h" -#include "dce_smb_paf.h" -#include "dce_smb_transaction.h" -#include "dce_smb2_utils.h" -#include "detection/detect.h" #include "file_api/file_service.h" #include "memory/memory_cap.h" #include "packet_io/active.h" @@ -38,6 +31,13 @@ #include "trace/trace_api.h" #include "utils/util.h" +#include "dce_smb.h" +#include "dce_smb2.h" +#include "dce_smb_commands.h" +#include "dce_smb_module.h" +#include "dce_smb_paf.h" +#include "dce_smb_transaction.h" + using namespace snort; /******************************************************************** diff --git a/src/service_inspectors/dnp3/dnp3.cc b/src/service_inspectors/dnp3/dnp3.cc index 7f3a18cc0..9f6344c53 100644 --- a/src/service_inspectors/dnp3/dnp3.cc +++ b/src/service_inspectors/dnp3/dnp3.cc @@ -26,7 +26,6 @@ #include "dnp3.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "log/messages.h" #include "protocols/packet.h" diff --git a/src/service_inspectors/dnp3/dnp3_reassembly.cc b/src/service_inspectors/dnp3/dnp3_reassembly.cc index bac2a3aae..f300ceea2 100644 --- a/src/service_inspectors/dnp3/dnp3_reassembly.cc +++ b/src/service_inspectors/dnp3/dnp3_reassembly.cc @@ -27,7 +27,6 @@ #include "dnp3_reassembly.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "protocols/packet.h" #include "dnp3_map.h" diff --git a/src/service_inspectors/dnp3/ips_dnp3_data.cc b/src/service_inspectors/dnp3/ips_dnp3_data.cc index 89a80eb6d..439637b61 100644 --- a/src/service_inspectors/dnp3/ips_dnp3_data.cc +++ b/src/service_inspectors/dnp3/ips_dnp3_data.cc @@ -136,7 +136,7 @@ static void dnp3_data_mod_dtor(Module* m) delete m; } -static IpsOption* dnp3_data_ctor(Module*, OptTreeNode*) +static IpsOption* dnp3_data_ctor(Module*, IpsInfo&) { return new Dnp3DataOption; } diff --git a/src/service_inspectors/dnp3/ips_dnp3_func.cc b/src/service_inspectors/dnp3/ips_dnp3_func.cc index 06fa8a744..96612d90a 100644 --- a/src/service_inspectors/dnp3/ips_dnp3_func.cc +++ b/src/service_inspectors/dnp3/ips_dnp3_func.cc @@ -176,7 +176,7 @@ static void dnp3_func_mod_dtor(Module* m) delete m; } -static IpsOption* dnp3_func_ctor(Module* p, OptTreeNode*) +static IpsOption* dnp3_func_ctor(Module* p, IpsInfo&) { Dnp3FuncModule* m = (Dnp3FuncModule*)p; return new Dnp3FuncOption(m->func); diff --git a/src/service_inspectors/dnp3/ips_dnp3_ind.cc b/src/service_inspectors/dnp3/ips_dnp3_ind.cc index 207f6b867..383ce115e 100644 --- a/src/service_inspectors/dnp3/ips_dnp3_ind.cc +++ b/src/service_inspectors/dnp3/ips_dnp3_ind.cc @@ -185,7 +185,7 @@ static void dnp3_ind_mod_dtor(Module* m) delete m; } -static IpsOption* dnp3_ind_ctor(Module* p, OptTreeNode*) +static IpsOption* dnp3_ind_ctor(Module* p, IpsInfo&) { Dnp3IndModule* m = (Dnp3IndModule*)p; return new Dnp3IndOption(m->flags); diff --git a/src/service_inspectors/dnp3/ips_dnp3_obj.cc b/src/service_inspectors/dnp3/ips_dnp3_obj.cc index 0b4d4dda5..38ad1d836 100644 --- a/src/service_inspectors/dnp3/ips_dnp3_obj.cc +++ b/src/service_inspectors/dnp3/ips_dnp3_obj.cc @@ -218,7 +218,7 @@ static void dnp3_obj_mod_dtor(Module* m) delete m; } -static IpsOption* dnp3_obj_ctor(Module* p, OptTreeNode*) +static IpsOption* dnp3_obj_ctor(Module* p, IpsInfo&) { Dnp3ObjModule* m = (Dnp3ObjModule*)p; return new Dnp3ObjOption(m->group, m->var); diff --git a/src/service_inspectors/dns/dns_module.h b/src/service_inspectors/dns/dns_module.h index 484edb815..26d581344 100644 --- a/src/service_inspectors/dns/dns_module.h +++ b/src/service_inspectors/dns/dns_module.h @@ -22,9 +22,8 @@ #define DNS_MODULE_H //Interface to the DNS service inspector -#include "framework/bits.h" #include "framework/module.h" -#include "main/thread.h" +#include "utils/bits.h" namespace snort { diff --git a/src/service_inspectors/ftp_telnet/CMakeLists.txt b/src/service_inspectors/ftp_telnet/CMakeLists.txt index c0ee5e28f..f11e1afc2 100644 --- a/src/service_inspectors/ftp_telnet/CMakeLists.txt +++ b/src/service_inspectors/ftp_telnet/CMakeLists.txt @@ -17,6 +17,8 @@ set (FILE_LIST ftp_print.cc ftp_print.h ftp_server.h + kmap.cc + kmap.h telnet_splitter.h telnet_splitter.cc ftpdata_splitter.h diff --git a/src/service_inspectors/ftp_telnet/ft_main.cc b/src/service_inspectors/ftp_telnet/ft_main.cc index ddcac74c2..dc715d477 100644 --- a/src/service_inspectors/ftp_telnet/ft_main.cc +++ b/src/service_inspectors/ftp_telnet/ft_main.cc @@ -46,8 +46,8 @@ #include "detection/detection_engine.h" #include "framework/data_bus.h" +#include "framework/pig_pen.h" #include "log/messages.h" -#include "managers/inspector_manager.h" #include "pub_sub/intrinsic_event_ids.h" #include "utils/util.h" @@ -176,13 +176,13 @@ int FTPCheckConfigs(SnortConfig* sc, void* pData) return rval; // Verify that FTP client and FTP data inspectors are initialized. - if(!InspectorManager::get_inspector(FTP_CLIENT_NAME, false, sc)) + if(!PigPen::get_inspector(FTP_CLIENT_NAME, false, sc)) { ParseError("ftp_server requires that %s also be configured.", FTP_CLIENT_NAME); return -1; } - if(!InspectorManager::get_inspector(FTP_DATA_NAME, false, sc)) + if(!PigPen::get_inspector(FTP_DATA_NAME, false, sc)) { ParseError("ftp_server requires that %s also be configured.", FTP_DATA_NAME); return -1; diff --git a/src/service_inspectors/ftp_telnet/ftp.cc b/src/service_inspectors/ftp_telnet/ftp.cc index 3cc1fa5da..37ae42e35 100644 --- a/src/service_inspectors/ftp_telnet/ftp.cc +++ b/src/service_inspectors/ftp_telnet/ftp.cc @@ -21,8 +21,8 @@ #include "config.h" #endif +#include "framework/pig_pen.h" #include "main/snort_config.h" -#include "managers/inspector_manager.h" #include "profiler/profiler.h" #include "protocols/packet.h" #include "stream/stream.h" @@ -196,7 +196,6 @@ public: { delete ftp_client; } void show(const SnortConfig*) const override; - void eval(Packet*) override { } FTP_CLIENT_PROTO_CONF* ftp_client; }; @@ -272,7 +271,7 @@ FTP_CLIENT_PROTO_CONF* get_ftp_client(Packet* p) FtpClient* client = (FtpClient*)p->flow->data; if ( !client ) { - client = (FtpClient*)InspectorManager::get_inspector(FTP_CLIENT_NAME); + client = (FtpClient*)PigPen::get_inspector(FTP_CLIENT_NAME); assert(client); p->flow->set_data(client); } diff --git a/src/service_inspectors/ftp_telnet/ftp_data.cc b/src/service_inspectors/ftp_telnet/ftp_data.cc index a23fff5a7..8a4d4351b 100644 --- a/src/service_inspectors/ftp_telnet/ftp_data.cc +++ b/src/service_inspectors/ftp_telnet/ftp_data.cc @@ -30,7 +30,7 @@ #include "file_api/file_flows.h" #include "file_api/file_service.h" #include "packet_io/active.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "parser/parse_rule.h" #include "profiler/profiler.h" #include "protocols/tcp.h" diff --git a/src/service_inspectors/ftp_telnet/ftpp_si.h b/src/service_inspectors/ftp_telnet/ftpp_si.h index f768c6f5f..730fd428b 100644 --- a/src/service_inspectors/ftp_telnet/ftpp_si.h +++ b/src/service_inspectors/ftp_telnet/ftpp_si.h @@ -189,9 +189,6 @@ public: static void init() { inspector_id = snort::FlowData::create_flow_data_id(); } - size_t size_of() override - { return sizeof(*this); } - public: static unsigned inspector_id; FTP_SESSION session; @@ -230,8 +227,6 @@ public: void handle_expected(snort::Packet*) override; void handle_eof(snort::Packet*) override; - size_t size_of() override - { return sizeof(*this); } public: static unsigned inspector_id; diff --git a/src/service_inspectors/ftp_telnet/ftpp_ui_config.h b/src/service_inspectors/ftp_telnet/ftpp_ui_config.h index 67425b42d..1f1a70d00 100644 --- a/src/service_inspectors/ftp_telnet/ftpp_ui_config.h +++ b/src/service_inspectors/ftp_telnet/ftpp_ui_config.h @@ -39,7 +39,8 @@ #define FTPP_UI_CONFIG_H #include "sfip/sf_ip.h" -#include "utils/kmap.h" + +#include "kmap.h" /* * Defines diff --git a/src/utils/kmap.cc b/src/service_inspectors/ftp_telnet/kmap.cc similarity index 99% rename from src/utils/kmap.cc rename to src/service_inspectors/ftp_telnet/kmap.cc index a0c4d0317..12fb42c46 100644 --- a/src/utils/kmap.cc +++ b/src/service_inspectors/ftp_telnet/kmap.cc @@ -29,7 +29,7 @@ #include #include -#include "util.h" +#include "utils/util.h" namespace snort { diff --git a/src/utils/kmap.h b/src/service_inspectors/ftp_telnet/kmap.h similarity index 89% rename from src/utils/kmap.h rename to src/service_inspectors/ftp_telnet/kmap.h index db4bece12..601882c67 100644 --- a/src/utils/kmap.h +++ b/src/service_inspectors/ftp_telnet/kmap.h @@ -74,14 +74,14 @@ typedef struct _kmap namespace snort { -SO_PUBLIC KMAP* KMapNew(KMapUserFreeFunc, bool nocase); -SO_PUBLIC void KMapDelete(KMAP*); +KMAP* KMapNew(KMapUserFreeFunc, bool nocase); +void KMapDelete(KMAP*); -SO_PUBLIC int KMapAdd(KMAP*, void* key, int ksize, void* userdata); +int KMapAdd(KMAP*, void* key, int ksize, void* userdata); -SO_PUBLIC void* KMapFind(KMAP*, void* key, int ksize); -SO_PUBLIC void* KMapFindFirst(KMAP*); -SO_PUBLIC void* KMapFindNext(KMAP*); +void* KMapFind(KMAP*, void* key, int ksize); +void* KMapFindFirst(KMAP*); +void* KMapFindNext(KMAP*); } #endif diff --git a/src/service_inspectors/ftp_telnet/pp_ftp.cc b/src/service_inspectors/ftp_telnet/pp_ftp.cc index 2c1208a19..f7018eab2 100644 --- a/src/service_inspectors/ftp_telnet/pp_ftp.cc +++ b/src/service_inspectors/ftp_telnet/pp_ftp.cc @@ -28,8 +28,8 @@ #include "pp_ftp.h" +#include "detection/detection_buf.h" #include "detection/detection_engine.h" -#include "detection/detection_util.h" #include "hash/hash_key_operations.h" #include "file_api/file_service.h" #include "protocols/packet.h" diff --git a/src/service_inspectors/ftp_telnet/pp_telnet.cc b/src/service_inspectors/ftp_telnet/pp_telnet.cc index f3b118dab..4373d3a02 100644 --- a/src/service_inspectors/ftp_telnet/pp_telnet.cc +++ b/src/service_inspectors/ftp_telnet/pp_telnet.cc @@ -32,8 +32,8 @@ #include "pp_telnet.h" +#include "detection/detection_buf.h" #include "detection/detection_engine.h" -#include "detection/detection_util.h" #include "protocols/packet.h" #include "stream/stream.h" diff --git a/src/service_inspectors/gtp/gtp.h b/src/service_inspectors/gtp/gtp.h index 752b64ccc..d6989ffa7 100644 --- a/src/service_inspectors/gtp/gtp.h +++ b/src/service_inspectors/gtp/gtp.h @@ -27,7 +27,6 @@ #include #include "framework/counts.h" -#include "main/thread.h" namespace snort { diff --git a/src/service_inspectors/gtp/gtp_inspect.cc b/src/service_inspectors/gtp/gtp_inspect.cc index 229f7f576..3675950a1 100644 --- a/src/service_inspectors/gtp/gtp_inspect.cc +++ b/src/service_inspectors/gtp/gtp_inspect.cc @@ -26,7 +26,7 @@ #include "detection/detection_engine.h" #include "detection/ips_context_data.h" -#include "managers/inspector_manager.h" +#include "framework/pig_pen.h" #include "profiler/profiler.h" #include "protocols/packet.h" @@ -156,7 +156,7 @@ int GtpInspect::get_message_type(int version, const char* name) int get_message_type(int version, const char* name, snort::SnortConfig* sc) { - GtpInspect* ins = (GtpInspect*)InspectorManager::get_inspector(GTP_NAME, false, sc); + GtpInspect* ins = (GtpInspect*)PigPen::get_inspector(GTP_NAME, false, sc); if ( !ins ) return -1; @@ -178,7 +178,7 @@ int GtpInspect::get_info_type(int version, const char* name) int get_info_type(int version, const char* name, SnortConfig* sc) { - GtpInspect* ins = (GtpInspect*)InspectorManager::get_inspector(GTP_NAME, false, sc); + GtpInspect* ins = (GtpInspect*)PigPen::get_inspector(GTP_NAME, false, sc); if ( !ins ) return -1; diff --git a/src/service_inspectors/gtp/gtp_parser.cc b/src/service_inspectors/gtp/gtp_parser.cc index 50cbefcbe..094e1507e 100644 --- a/src/service_inspectors/gtp/gtp_parser.cc +++ b/src/service_inspectors/gtp/gtp_parser.cc @@ -29,7 +29,6 @@ #include #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "log/messages.h" #include "trace/trace_api.h" #include "utils/util_cstring.h" diff --git a/src/service_inspectors/gtp/ips_gtp_info.cc b/src/service_inspectors/gtp/ips_gtp_info.cc index a81c418ed..06863f62d 100644 --- a/src/service_inspectors/gtp/ips_gtp_info.cc +++ b/src/service_inspectors/gtp/ips_gtp_info.cc @@ -217,7 +217,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { GtpInfoModule* mod = (GtpInfoModule*)m; return new GtpInfoOption(mod->types); diff --git a/src/service_inspectors/gtp/ips_gtp_type.cc b/src/service_inspectors/gtp/ips_gtp_type.cc index 733e59cd1..87c6b3efc 100644 --- a/src/service_inspectors/gtp/ips_gtp_type.cc +++ b/src/service_inspectors/gtp/ips_gtp_type.cc @@ -231,7 +231,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { GtpTypeModule* mod = (GtpTypeModule*)m; return new GtpTypeOption(mod->types); diff --git a/src/service_inspectors/gtp/ips_gtp_version.cc b/src/service_inspectors/gtp/ips_gtp_version.cc index b7c913287..92185fffd 100644 --- a/src/service_inspectors/gtp/ips_gtp_version.cc +++ b/src/service_inspectors/gtp/ips_gtp_version.cc @@ -145,7 +145,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { GtpVersionModule* mod = (GtpVersionModule*)m; return new GtpVersionOption(mod->version); diff --git a/src/service_inspectors/http2_inspect/http2_flow_data.h b/src/service_inspectors/http2_inspect/http2_flow_data.h index 4b19deadf..729aabb23 100644 --- a/src/service_inspectors/http2_inspect/http2_flow_data.h +++ b/src/service_inspectors/http2_inspect/http2_flow_data.h @@ -23,10 +23,11 @@ #include #include -#include "main/snort_types.h" -#include "utils/event_gen.h" -#include "utils/infractions.h" #include "flow/flow.h" +#include "flow/stream_flow.h" +#include "helpers/event_gen.h" +#include "helpers/infractions.h" +#include "main/snort_types.h" #include "service_inspectors/http_inspect/http_common.h" #include "service_inspectors/http_inspect/http_field.h" #include "stream/stream_splitter.h" diff --git a/src/service_inspectors/http2_inspect/http2_hpack.h b/src/service_inspectors/http2_inspect/http2_hpack.h index e0f5da74b..f8dfae38c 100644 --- a/src/service_inspectors/http2_inspect/http2_hpack.h +++ b/src/service_inspectors/http2_inspect/http2_hpack.h @@ -20,9 +20,9 @@ #ifndef HTTP2_HPACK_H #define HTTP2_HPACK_H +#include "helpers/event_gen.h" +#include "helpers/infractions.h" #include "service_inspectors/http_inspect/http_common.h" -#include "utils/event_gen.h" -#include "utils/infractions.h" #include "http2_hpack_int_decode.h" #include "http2_hpack_string_decode.h" diff --git a/src/service_inspectors/http2_inspect/http2_hpack_int_decode.h b/src/service_inspectors/http2_inspect/http2_hpack_int_decode.h index c59f4ae2e..ce3a9225e 100644 --- a/src/service_inspectors/http2_inspect/http2_hpack_int_decode.h +++ b/src/service_inspectors/http2_inspect/http2_hpack_int_decode.h @@ -23,9 +23,9 @@ #include "http2_enum.h" #include "http2_varlen_int_decode.h" +#include "helpers/event_gen.h" +#include "helpers/infractions.h" #include "main/snort_types.h" -#include "utils/event_gen.h" -#include "utils/infractions.h" using Http2Infractions = Infractions; diff --git a/src/service_inspectors/http2_inspect/http2_push_promise_frame.h b/src/service_inspectors/http2_inspect/http2_push_promise_frame.h index 038031782..7ef3f79b4 100644 --- a/src/service_inspectors/http2_inspect/http2_push_promise_frame.h +++ b/src/service_inspectors/http2_inspect/http2_push_promise_frame.h @@ -20,9 +20,9 @@ #ifndef HTTP2_PUSH_PROMISE_FRAME_H #define HTTP2_PUSH_PROMISE_FRAME_H +#include "helpers/event_gen.h" +#include "helpers/infractions.h" #include "service_inspectors/http_inspect/http_common.h" -#include "utils/event_gen.h" -#include "utils/infractions.h" #include "http2_enum.h" #include "http2_frame.h" diff --git a/src/service_inspectors/http2_inspect/http2_start_line.h b/src/service_inspectors/http2_inspect/http2_start_line.h index 82bd92ca5..3fb71b159 100644 --- a/src/service_inspectors/http2_inspect/http2_start_line.h +++ b/src/service_inspectors/http2_inspect/http2_start_line.h @@ -20,10 +20,10 @@ #ifndef HTTP2_START_LINE_H #define HTTP2_START_LINE_H +#include "helpers/event_gen.h" +#include "helpers/infractions.h" #include "service_inspectors/http_inspect/http_common.h" #include "service_inspectors/http_inspect/http_field.h" -#include "utils/event_gen.h" -#include "utils/infractions.h" #include "http2_enum.h" diff --git a/src/service_inspectors/http2_inspect/ips_http2.h b/src/service_inspectors/http2_inspect/ips_http2.h index d4089b273..3a6b4263b 100644 --- a/src/service_inspectors/http2_inspect/ips_http2.h +++ b/src/service_inspectors/http2_inspect/ips_http2.h @@ -73,7 +73,7 @@ public: EvalStatus eval(Cursor&, snort::Packet*) override; uint32_t hash() const override; bool operator==(const snort::IpsOption& ips) const override; - static snort::IpsOption* opt_ctor(snort::Module* m, OptTreeNode*) + static snort::IpsOption* opt_ctor(snort::Module* m, IpsInfo&) { return new Http2IpsOption((Http2CursorModule*)m); } static void opt_dtor(IpsOption* p) { delete p; } private: diff --git a/src/service_inspectors/http_inspect/http_event.h b/src/service_inspectors/http_inspect/http_event.h index 628c06aa8..b0b2dbef4 100644 --- a/src/service_inspectors/http_inspect/http_event.h +++ b/src/service_inspectors/http_inspect/http_event.h @@ -20,8 +20,8 @@ #ifndef HTTP_EVENT_H #define HTTP_EVENT_H -#include "utils/event_gen.h" -#include "utils/infractions.h" +#include "helpers/event_gen.h" +#include "helpers/infractions.h" #include "utils/util_cstring.h" #include "http_enum.h" diff --git a/src/service_inspectors/http_inspect/http_flow_data.h b/src/service_inspectors/http_inspect/http_flow_data.h index 63baa554d..23de3cc19 100644 --- a/src/service_inspectors/http_inspect/http_flow_data.h +++ b/src/service_inspectors/http_inspect/http_flow_data.h @@ -26,7 +26,7 @@ #include #include "flow/flow.h" -#include "utils/util_utf.h" +#include "helpers/utf.h" #include "decompress/file_decomp.h" #include "http_common.h" diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc index 21f852050..c4f9b37c6 100755 --- a/src/service_inspectors/http_inspect/http_inspect.cc +++ b/src/service_inspectors/http_inspect/http_inspect.cc @@ -28,7 +28,6 @@ #include #include "detection/detection_engine.h" -#include "detection/detection_util.h" #include "service_inspectors/http2_inspect/http2_flow_data.h" #include "log/unified2.h" #include "protocols/packet.h" diff --git a/src/service_inspectors/http_inspect/http_msg_request.cc b/src/service_inspectors/http_inspect/http_msg_request.cc index 8b8bd119a..63436f9d6 100644 --- a/src/service_inspectors/http_inspect/http_msg_request.cc +++ b/src/service_inspectors/http_inspect/http_msg_request.cc @@ -23,6 +23,7 @@ #include "http_msg_request.h" +#include "main/snort_config.h" #include "pub_sub/intrinsic_event_ids.h" #include "http_api.h" diff --git a/src/service_inspectors/http_inspect/http_msg_section.h b/src/service_inspectors/http_inspect/http_msg_section.h index e40bcd9e1..8a25c6cd6 100644 --- a/src/service_inspectors/http_inspect/http_msg_section.h +++ b/src/service_inspectors/http_inspect/http_msg_section.h @@ -20,7 +20,6 @@ #ifndef HTTP_MSG_SECTION_H #define HTTP_MSG_SECTION_H -#include "detection/detection_util.h" #include "framework/cursor.h" #include "framework/pdu_section.h" #include "protocols/packet.h" diff --git a/src/service_inspectors/http_inspect/ips_http_buffer.h b/src/service_inspectors/http_inspect/ips_http_buffer.h index 7114fe897..2fb87cc22 100644 --- a/src/service_inspectors/http_inspect/ips_http_buffer.h +++ b/src/service_inspectors/http_inspect/ips_http_buffer.h @@ -73,7 +73,7 @@ public: key(cm->key), fp_buffer_info(cm->rule_opt_index) {} EvalStatus eval(Cursor&, snort::Packet*) override; - static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*) + static IpsOption* opt_ctor(snort::Module* m, IpsInfo&) { return new HttpBufferIpsOption((HttpBufferRuleOptModule*)m); } static void opt_dtor(snort::IpsOption* p) { delete p; } diff --git a/src/service_inspectors/http_inspect/ips_http_num_hdrs.h b/src/service_inspectors/http_inspect/ips_http_num_hdrs.h index f8eea48cd..62b3ccb08 100644 --- a/src/service_inspectors/http_inspect/ips_http_num_hdrs.h +++ b/src/service_inspectors/http_inspect/ips_http_num_hdrs.h @@ -101,7 +101,7 @@ class HttpNumIpsOption : public HttpRangeIpsOption public: using HttpRangeIpsOption::HttpRangeIpsOption; - static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*) + static IpsOption* opt_ctor(snort::Module* m, IpsInfo&) { return new HttpNumIpsOption((const HttpRangeRuleOptModule*)m); } int32_t get_num(const HttpInspect* hi, snort::Packet* p) override diff --git a/src/service_inspectors/http_inspect/ips_http_param.cc b/src/service_inspectors/http_inspect/ips_http_param.cc index daad74dbc..9aba6a241 100644 --- a/src/service_inspectors/http_inspect/ips_http_param.cc +++ b/src/service_inspectors/http_inspect/ips_http_param.cc @@ -96,7 +96,7 @@ bool HttpParamIpsOption::operator==(const IpsOption& ips) const http_param == hio.http_param; } -bool HttpParamIpsOption::retry(Cursor& current_cursor, const Cursor&) +bool HttpParamIpsOption::retry(Cursor& current_cursor) { HttpCursorData* cd = (HttpCursorData*)current_cursor.get_data(HttpCursorData::id); diff --git a/src/service_inspectors/http_inspect/ips_http_param.h b/src/service_inspectors/http_inspect/ips_http_param.h index 4f4882c2f..2b07ce819 100644 --- a/src/service_inspectors/http_inspect/ips_http_param.h +++ b/src/service_inspectors/http_inspect/ips_http_param.h @@ -67,11 +67,11 @@ public: uint32_t hash() const override; bool operator==(const snort::IpsOption& ips) const override; - static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*) + static IpsOption* opt_ctor(snort::Module* m, IpsInfo&) { return new HttpParamIpsOption((HttpParamRuleOptModule*)m); } static void opt_dtor(snort::IpsOption* p) { delete p; } - bool retry(Cursor& , const Cursor&) override; + bool retry(Cursor&) override; snort::section_flags get_pdu_section(bool) const override; diff --git a/src/service_inspectors/http_inspect/ips_http_test.h b/src/service_inspectors/http_inspect/ips_http_test.h index 2781d00b5..fc7fe3b36 100644 --- a/src/service_inspectors/http_inspect/ips_http_test.h +++ b/src/service_inspectors/http_inspect/ips_http_test.h @@ -68,7 +68,7 @@ public: EvalStatus eval(Cursor&, snort::Packet*) override; uint32_t hash() const override; bool operator==(const snort::IpsOption& ips) const override; - static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*) + static IpsOption* opt_ctor(snort::Module* m, IpsInfo&) { return new HttpTestIpsOption((HttpTestRuleOptModule*)m); } static void opt_dtor(snort::IpsOption* p) { delete p; } diff --git a/src/service_inspectors/http_inspect/ips_http_version.h b/src/service_inspectors/http_inspect/ips_http_version.h index 6f98ea984..9c17c552b 100644 --- a/src/service_inspectors/http_inspect/ips_http_version.h +++ b/src/service_inspectors/http_inspect/ips_http_version.h @@ -58,7 +58,7 @@ public: uint32_t hash() const override; bool operator==(const snort::IpsOption& ips) const override; - static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*) + static IpsOption* opt_ctor(snort::Module* m, IpsInfo&) { return new HttpVersionIpsOption((HttpVersionRuleOptModule*)m); } static void opt_dtor(snort::IpsOption* p) { delete p; } diff --git a/src/service_inspectors/http_inspect/test/http_module_test.cc b/src/service_inspectors/http_inspect/test/http_module_test.cc index 60a977d00..d6ff9db83 100755 --- a/src/service_inspectors/http_inspect/test/http_module_test.cc +++ b/src/service_inspectors/http_inspect/test/http_module_test.cc @@ -67,7 +67,7 @@ unsigned ThreadConfig::get_instance_max() { return 1; } } void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } int32_t str_to_code(const char*, const StrCode []) { return 0; } int32_t str_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; } diff --git a/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc b/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc index c7f5dfc18..5d764c5eb 100755 --- a/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc +++ b/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc @@ -65,7 +65,7 @@ snort::SearchTool* js_create_mpse_tag_type() { return nullptr; } snort::SearchTool* js_create_mpse_tag_attr() { return nullptr; } void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } int64_t Parameter::get_int(char const*) { return 0; } diff --git a/src/service_inspectors/iec104/iec104.cc b/src/service_inspectors/iec104/iec104.cc index ea807fd87..573504bb6 100644 --- a/src/service_inspectors/iec104/iec104.cc +++ b/src/service_inspectors/iec104/iec104.cc @@ -27,7 +27,6 @@ #include "iec104.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "profiler/profiler.h" #include "protocols/packet.h" diff --git a/src/service_inspectors/iec104/iec104_decode.cc b/src/service_inspectors/iec104/iec104_decode.cc index f112b6c08..258291655 100644 --- a/src/service_inspectors/iec104/iec104_decode.cc +++ b/src/service_inspectors/iec104/iec104_decode.cc @@ -27,7 +27,6 @@ #include "iec104_decode.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "log/messages.h" #include "protocols/packet.h" #include "trace/trace_api.h" diff --git a/src/service_inspectors/iec104/iec104_paf.cc b/src/service_inspectors/iec104/iec104_paf.cc index 2c46cefc0..46251a088 100644 --- a/src/service_inspectors/iec104/iec104_paf.cc +++ b/src/service_inspectors/iec104/iec104_paf.cc @@ -29,7 +29,6 @@ #include "iec104_paf.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "profiler/profiler.h" #include "iec104.h" diff --git a/src/service_inspectors/iec104/iec104_parse_apdu.cc b/src/service_inspectors/iec104/iec104_parse_apdu.cc index d348b37fa..6e8ec5c77 100644 --- a/src/service_inspectors/iec104/iec104_parse_apdu.cc +++ b/src/service_inspectors/iec104/iec104_parse_apdu.cc @@ -25,7 +25,6 @@ #include "iec104_parse_apdu.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "protocols/packet.h" #include "iec104.h" diff --git a/src/service_inspectors/iec104/iec104_parse_information_object_elements.cc b/src/service_inspectors/iec104/iec104_parse_information_object_elements.cc index 4ec7337ef..e409ac7e7 100644 --- a/src/service_inspectors/iec104/iec104_parse_information_object_elements.cc +++ b/src/service_inspectors/iec104/iec104_parse_information_object_elements.cc @@ -27,7 +27,6 @@ #include #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "protocols/packet.h" #include "iec104.h" diff --git a/src/service_inspectors/iec104/iec104_trace.h b/src/service_inspectors/iec104/iec104_trace.h index 057324b3b..875edbfde 100644 --- a/src/service_inspectors/iec104/iec104_trace.h +++ b/src/service_inspectors/iec104/iec104_trace.h @@ -25,7 +25,6 @@ // Detection trace utility #include "main/snort_types.h" -#include "main/thread.h" namespace snort { diff --git a/src/service_inspectors/iec104/ips_iec104_apci_type.cc b/src/service_inspectors/iec104/ips_iec104_apci_type.cc index f1c2b68c3..2a66a7e04 100644 --- a/src/service_inspectors/iec104/ips_iec104_apci_type.cc +++ b/src/service_inspectors/iec104/ips_iec104_apci_type.cc @@ -212,7 +212,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { Iec104ApciTypeModule* mod = (Iec104ApciTypeModule*) m; return new Iec104ApciTypeOption(mod->apci_type); diff --git a/src/service_inspectors/iec104/ips_iec104_asdu_func.cc b/src/service_inspectors/iec104/ips_iec104_asdu_func.cc index 08e9637ba..659b1bc40 100644 --- a/src/service_inspectors/iec104/ips_iec104_asdu_func.cc +++ b/src/service_inspectors/iec104/ips_iec104_asdu_func.cc @@ -285,7 +285,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { Iec104AsduFuncModule* mod = (Iec104AsduFuncModule*) m; return new Iec104AsduFuncOption(mod->func); diff --git a/src/service_inspectors/mms/ips_mms_data.cc b/src/service_inspectors/mms/ips_mms_data.cc index 90fcbb3e7..9402b3d3d 100644 --- a/src/service_inspectors/mms/ips_mms_data.cc +++ b/src/service_inspectors/mms/ips_mms_data.cc @@ -123,7 +123,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module*, OptTreeNode*) +static IpsOption* opt_ctor(Module*, IpsInfo&) { return new MmsDataOption; } diff --git a/src/service_inspectors/mms/ips_mms_func.cc b/src/service_inspectors/mms/ips_mms_func.cc index 626230e77..67bc9be38 100644 --- a/src/service_inspectors/mms/ips_mms_func.cc +++ b/src/service_inspectors/mms/ips_mms_func.cc @@ -27,9 +27,9 @@ #include "framework/ips_option.h" #include "framework/module.h" #include "hash/hash_key_operations.h" +#include "helpers/ber.h" #include "protocols/packet.h" #include "profiler/profiler.h" -#include "utils/util_ber.h" #include "mms.h" @@ -393,7 +393,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { MmsFuncModule* mod = (MmsFuncModule*)m; diff --git a/src/service_inspectors/mms/mms.cc b/src/service_inspectors/mms/mms.cc index 35c1bb768..9c7506d44 100644 --- a/src/service_inspectors/mms/mms.cc +++ b/src/service_inspectors/mms/mms.cc @@ -27,7 +27,6 @@ #include "mms.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "profiler/profiler.h" #include "protocols/packet.h" diff --git a/src/service_inspectors/mms/mms_decode.cc b/src/service_inspectors/mms/mms_decode.cc index 25d4293ec..df749eecf 100644 --- a/src/service_inspectors/mms/mms_decode.cc +++ b/src/service_inspectors/mms/mms_decode.cc @@ -27,12 +27,11 @@ #include "mms_decode.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" +#include "helpers/ber.h" #include "log/messages.h" #include "managers/plugin_manager.h" #include "protocols/packet.h" #include "trace/trace_api.h" -#include "utils/util_ber.h" #include "mms.h" #include "mms_module.h" diff --git a/src/service_inspectors/mms/mms_splitter.cc b/src/service_inspectors/mms/mms_splitter.cc index ca035f63a..33b1111b3 100644 --- a/src/service_inspectors/mms/mms_splitter.cc +++ b/src/service_inspectors/mms/mms_splitter.cc @@ -25,9 +25,8 @@ #include "mms_splitter.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" +#include "helpers/ber.h" #include "profiler/profiler.h" -#include "utils/util_ber.h" #include "mms.h" #include "mms_decode.h" diff --git a/src/service_inspectors/mms/util_tpkt.h b/src/service_inspectors/mms/util_tpkt.h index 548b2995b..549ec660d 100644 --- a/src/service_inspectors/mms/util_tpkt.h +++ b/src/service_inspectors/mms/util_tpkt.h @@ -28,9 +28,9 @@ #include "flow/flow.h" #include "framework/counts.h" #include "framework/cursor.h" +#include "helpers/ber.h" #include "protocols/packet.h" #include "service_inspectors/mms/mms.h" -#include "utils/util_ber.h" namespace snort { @@ -161,11 +161,6 @@ public: ssn_data.packet_data_reset(direction); } - size_t size_of() override - { - return sizeof(*this); - } - public: static unsigned inspector_id; TpktSessionData ssn_data; diff --git a/src/service_inspectors/modbus/ips_modbus_data.cc b/src/service_inspectors/modbus/ips_modbus_data.cc index 2a473c81e..d7d719226 100644 --- a/src/service_inspectors/modbus/ips_modbus_data.cc +++ b/src/service_inspectors/modbus/ips_modbus_data.cc @@ -122,7 +122,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module*, OptTreeNode*) +static IpsOption* opt_ctor(Module*, IpsInfo&) { return new ModbusDataOption; } diff --git a/src/service_inspectors/modbus/ips_modbus_func.cc b/src/service_inspectors/modbus/ips_modbus_func.cc index a795b9ee3..f55105755 100644 --- a/src/service_inspectors/modbus/ips_modbus_func.cc +++ b/src/service_inspectors/modbus/ips_modbus_func.cc @@ -202,7 +202,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { ModbusFuncModule* mod = (ModbusFuncModule*)m; return new ModbusFuncOption(mod->func); diff --git a/src/service_inspectors/modbus/ips_modbus_unit.cc b/src/service_inspectors/modbus/ips_modbus_unit.cc index 5d08572e9..cdf50ce25 100644 --- a/src/service_inspectors/modbus/ips_modbus_unit.cc +++ b/src/service_inspectors/modbus/ips_modbus_unit.cc @@ -147,7 +147,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { ModbusUnitModule* mod = (ModbusUnitModule*)m; return new ModbusUnitOption(mod->unit); diff --git a/src/service_inspectors/modbus/modbus.cc b/src/service_inspectors/modbus/modbus.cc index 215571149..80efed276 100644 --- a/src/service_inspectors/modbus/modbus.cc +++ b/src/service_inspectors/modbus/modbus.cc @@ -24,7 +24,6 @@ #include "modbus.h" -#include "events/event_queue.h" #include "detection/detection_engine.h" #include "profiler/profiler.h" #include "protocols/packet.h" diff --git a/src/service_inspectors/modbus/modbus_decode.cc b/src/service_inspectors/modbus/modbus_decode.cc index 6a8a6c4cb..f29f3cf54 100644 --- a/src/service_inspectors/modbus/modbus_decode.cc +++ b/src/service_inspectors/modbus/modbus_decode.cc @@ -26,7 +26,6 @@ #include "modbus_decode.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "protocols/packet.h" #include "modbus.h" diff --git a/src/service_inspectors/modbus/modbus_paf.cc b/src/service_inspectors/modbus/modbus_paf.cc index c52836b78..c981411cf 100644 --- a/src/service_inspectors/modbus/modbus_paf.cc +++ b/src/service_inspectors/modbus/modbus_paf.cc @@ -27,7 +27,6 @@ #include "modbus_paf.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "modbus.h" #include "modbus_module.h" diff --git a/src/service_inspectors/netflow/CMakeLists.txt b/src/service_inspectors/netflow/CMakeLists.txt index 97a9cb26f..a23e95d4a 100644 --- a/src/service_inspectors/netflow/CMakeLists.txt +++ b/src/service_inspectors/netflow/CMakeLists.txt @@ -1,15 +1,16 @@ set ( NETFLOW_INCLUDES - netflow_cache.h - netflow_headers.h - netflow_module.h netflow_record.h - netflow.h ) + set ( FILE_LIST ${NETFLOW_INCLUDES} + netflow_cache.h + netflow_headers.h netflow_module.cc + netflow_module.h netflow.cc + netflow.h ) if (STATIC_INSPECTORS) @@ -22,4 +23,4 @@ endif (STATIC_INSPECTORS) install(FILES ${NETFLOW_INCLUDES} DESTINATION "${INCLUDE_INSTALL_PATH}/service_inspectors/netflow" -) \ No newline at end of file +) diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc index 7915df06f..db6094e72 100644 --- a/src/service_inspectors/netflow/netflow.cc +++ b/src/service_inspectors/netflow/netflow.cc @@ -34,6 +34,7 @@ #include "log/messages.h" #include "managers/module_manager.h" #include "main/reload_tuner.h" +#include "main/snort_config.h" #include "pub_sub/netflow_event.h" #include "src/utils/endian.h" #include "time/packet_time.h" diff --git a/src/service_inspectors/rpc_decode/rpc_decode.cc b/src/service_inspectors/rpc_decode/rpc_decode.cc index 0ced92ebc..ebde7edb2 100644 --- a/src/service_inspectors/rpc_decode/rpc_decode.cc +++ b/src/service_inspectors/rpc_decode/rpc_decode.cc @@ -38,7 +38,7 @@ #include "config.h" #endif -#include "detection/detection_util.h" +#include "detection/detection_buf.h" #include "detection/detection_engine.h" #include "framework/data_bus.h" #include "log/messages.h" diff --git a/src/service_inspectors/s7commplus/ips_s7comm_content.cc b/src/service_inspectors/s7commplus/ips_s7comm_content.cc index ad668cfe3..15405ab3f 100644 --- a/src/service_inspectors/s7commplus/ips_s7comm_content.cc +++ b/src/service_inspectors/s7commplus/ips_s7comm_content.cc @@ -122,7 +122,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module*, OptTreeNode*) +static IpsOption* opt_ctor(Module*, IpsInfo&) { return new S7commplusContentOption; } diff --git a/src/service_inspectors/s7commplus/ips_s7comm_func.cc b/src/service_inspectors/s7commplus/ips_s7comm_func.cc index 8e9d10a29..ccda78793 100644 --- a/src/service_inspectors/s7commplus/ips_s7comm_func.cc +++ b/src/service_inspectors/s7commplus/ips_s7comm_func.cc @@ -196,7 +196,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { S7commplusFuncModule* mod = (S7commplusFuncModule*)m; return new S7commplusFuncOption(mod->func); diff --git a/src/service_inspectors/s7commplus/ips_s7comm_opcode.cc b/src/service_inspectors/s7commplus/ips_s7comm_opcode.cc index 5e27bddec..52e815b1a 100644 --- a/src/service_inspectors/s7commplus/ips_s7comm_opcode.cc +++ b/src/service_inspectors/s7commplus/ips_s7comm_opcode.cc @@ -188,7 +188,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* opt_ctor(Module* m, OptTreeNode*) +static IpsOption* opt_ctor(Module* m, IpsInfo&) { S7commplusOpcodeModule* mod = (S7commplusOpcodeModule*)m; return new S7commplusOpcodeOption(mod->opcode); diff --git a/src/service_inspectors/s7commplus/s7comm.cc b/src/service_inspectors/s7commplus/s7comm.cc index ba8fa1386..007e430a6 100644 --- a/src/service_inspectors/s7commplus/s7comm.cc +++ b/src/service_inspectors/s7commplus/s7comm.cc @@ -25,7 +25,6 @@ #include "s7comm.h" -#include "events/event_queue.h" #include "detection/detection_engine.h" #include "profiler/profiler.h" #include "protocols/packet.h" diff --git a/src/service_inspectors/s7commplus/s7comm_decode.cc b/src/service_inspectors/s7commplus/s7comm_decode.cc index 1d9e1407f..cd4425bc0 100644 --- a/src/service_inspectors/s7commplus/s7comm_decode.cc +++ b/src/service_inspectors/s7commplus/s7comm_decode.cc @@ -30,7 +30,6 @@ #include "s7comm_decode.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "protocols/packet.h" #include "s7comm.h" diff --git a/src/service_inspectors/s7commplus/s7comm_paf.cc b/src/service_inspectors/s7commplus/s7comm_paf.cc index 91d9efe3f..2c39a4d61 100644 --- a/src/service_inspectors/s7commplus/s7comm_paf.cc +++ b/src/service_inspectors/s7commplus/s7comm_paf.cc @@ -27,7 +27,6 @@ #include "s7comm_paf.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "s7comm.h" #include "s7comm_decode.h" diff --git a/src/service_inspectors/service_inspectors.cc b/src/service_inspectors/service_inspectors.cc index a67d6d312..86a5b01db 100644 --- a/src/service_inspectors/service_inspectors.cc +++ b/src/service_inspectors/service_inspectors.cc @@ -27,12 +27,11 @@ using namespace snort; +extern const BaseApi* sin_dns[]; extern const BaseApi* sin_file[]; extern const BaseApi* sin_http[]; extern const BaseApi* sin_http2[]; extern const BaseApi* sin_sip[]; -extern const BaseApi* sin_ssl[]; -extern const BaseApi* sin_dns[]; #ifdef STATIC_INSPECTORS extern const BaseApi* sin_bo; @@ -57,6 +56,7 @@ extern const BaseApi* sin_mms[]; extern const BaseApi* sin_modbus[]; extern const BaseApi* sin_netflow[]; extern const BaseApi* sin_s7commplus[]; +extern const BaseApi* sin_ssl[]; #endif const BaseApi* service_inspectors[] = @@ -87,7 +87,6 @@ void load_service_inspectors() PluginManager::load_plugins(sin_http); PluginManager::load_plugins(sin_http2); PluginManager::load_plugins(sin_sip); - PluginManager::load_plugins(sin_ssl); #ifdef STATIC_INSPECTORS PluginManager::load_plugins(sin_cip); @@ -99,6 +98,7 @@ void load_service_inspectors() PluginManager::load_plugins(sin_modbus); PluginManager::load_plugins(sin_netflow); PluginManager::load_plugins(sin_s7commplus); + PluginManager::load_plugins(sin_ssl); #endif } diff --git a/src/service_inspectors/sip/ips_sip.cc b/src/service_inspectors/sip/ips_sip.cc index 890a4003e..58e271d41 100644 --- a/src/service_inspectors/sip/ips_sip.cc +++ b/src/service_inspectors/sip/ips_sip.cc @@ -151,7 +151,7 @@ static Module* header_mod_ctor() return new SipCursorModule(IPS_OPT, header_help, SIP_HEADER); } -static IpsOption* header_opt_ctor(Module*, OptTreeNode*) +static IpsOption* header_opt_ctor(Module*, IpsInfo&) { return new SipIpsOption(IPS_OPT, SIP_HEADER, CAT_SET_FAST_PATTERN); } @@ -196,7 +196,7 @@ static Module* body_mod_ctor() return new SipCursorModule(IPS_OPT, cb_help, SIP_BODY); } -static IpsOption* body_opt_ctor(Module*, OptTreeNode*) +static IpsOption* body_opt_ctor(Module*, IpsInfo&) { return new SipIpsOption(IPS_OPT, SIP_BODY, CAT_SET_FAST_PATTERN); } diff --git a/src/service_inspectors/sip/ips_sip_method.cc b/src/service_inspectors/sip/ips_sip_method.cc index c700a2aa0..bff4af3c0 100644 --- a/src/service_inspectors/sip/ips_sip_method.cc +++ b/src/service_inspectors/sip/ips_sip_method.cc @@ -210,7 +210,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* sip_method_ctor(Module* p, OptTreeNode*) +static IpsOption* sip_method_ctor(Module* p, IpsInfo&) { SipMethodModule* m = (SipMethodModule*)p; return new SipMethodOption(m->methods); diff --git a/src/service_inspectors/sip/ips_sip_stat_code.cc b/src/service_inspectors/sip/ips_sip_stat_code.cc index 7db83936e..6132c563c 100644 --- a/src/service_inspectors/sip/ips_sip_stat_code.cc +++ b/src/service_inspectors/sip/ips_sip_stat_code.cc @@ -193,7 +193,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* sip_stat_code_ctor(Module* p, OptTreeNode*) +static IpsOption* sip_stat_code_ctor(Module* p, IpsInfo&) { SipStatCodeModule* m = (SipStatCodeModule*)p; return new SipStatCodeOption(m->ssod); diff --git a/src/service_inspectors/sip/sip.cc b/src/service_inspectors/sip/sip.cc index 5dcba942e..ba3c2a824 100644 --- a/src/service_inspectors/sip/sip.cc +++ b/src/service_inspectors/sip/sip.cc @@ -24,9 +24,7 @@ #include "sip.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "log/messages.h" -#include "managers/inspector_manager.h" #include "profiler/profiler.h" #include "protocols/packet.h" #include "pub_sub/sip_events.h" diff --git a/src/service_inspectors/sip/sip_config.h b/src/service_inspectors/sip/sip_config.h index e54a2d134..5e7b891ed 100644 --- a/src/service_inspectors/sip/sip_config.h +++ b/src/service_inspectors/sip/sip_config.h @@ -25,7 +25,6 @@ // Configuration for SIP service inspector #include "framework/counts.h" -#include "main/thread.h" #include "sip_common.h" #define SIP_METHOD_DEFAULT 0x003f diff --git a/src/service_inspectors/sip/sip_dialog.cc b/src/service_inspectors/sip/sip_dialog.cc index f98f98cd9..665d4c182 100644 --- a/src/service_inspectors/sip/sip_dialog.cc +++ b/src/service_inspectors/sip/sip_dialog.cc @@ -26,7 +26,6 @@ #include "sip_dialog.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "framework/data_bus.h" #include "protocols/packet.h" #include "protocols/vlan.h" diff --git a/src/service_inspectors/sip/sip_module.cc b/src/service_inspectors/sip/sip_module.cc index 77cf1913d..22f1c8b1d 100644 --- a/src/service_inspectors/sip/sip_module.cc +++ b/src/service_inspectors/sip/sip_module.cc @@ -81,9 +81,6 @@ static const Parameter s_params[] = { "max_request_name_len", Parameter::PT_INT, "0:65535", "20", "maximum request name field size" }, - { "max_requestName_len", Parameter::PT_INT, "0:65535", "20", - "deprecated - use max_request_name_len instead" }, - { "max_to_len", Parameter::PT_INT, "0:65535", "256", "maximum to field size" }, @@ -218,8 +215,7 @@ bool SipModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("max_from_len") ) conf->maxFromLen = v.get_uint16(); - // FIXIT-L max_requestName_len is deprecated - delete - else if ( v.is("max_request_name_len") or v.is("max_requestName_len") ) + else if ( v.is("max_request_name_len") ) conf->maxRequestNameLen = v.get_uint16(); else if ( v.is("max_to_len") ) diff --git a/src/service_inspectors/sip/sip_parser.cc b/src/service_inspectors/sip/sip_parser.cc index 87963268b..6e5c2f581 100644 --- a/src/service_inspectors/sip/sip_parser.cc +++ b/src/service_inspectors/sip/sip_parser.cc @@ -26,7 +26,6 @@ #include "sip_parser.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "utils/util.h" #include "utils/util_cstring.h" diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc index 9f9c8b0be..337533629 100644 --- a/src/service_inspectors/smtp/smtp.cc +++ b/src/service_inspectors/smtp/smtp.cc @@ -25,7 +25,6 @@ #include #include "detection/detection_engine.h" -#include "detection/detection_util.h" #include "js_norm/js_pdf_norm.h" #include "log/messages.h" #include "log/unified2.h" diff --git a/src/service_inspectors/smtp/smtp_paf.cc b/src/service_inspectors/smtp/smtp_paf.cc index a3b0e6190..fd12c91b6 100644 --- a/src/service_inspectors/smtp/smtp_paf.cc +++ b/src/service_inspectors/smtp/smtp_paf.cc @@ -23,7 +23,6 @@ #include "smtp_paf.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "protocols/packet.h" #include "stream/stream.h" diff --git a/src/service_inspectors/smtp/smtp_util.cc b/src/service_inspectors/smtp/smtp_util.cc index 63265e804..1c323a85e 100644 --- a/src/service_inspectors/smtp/smtp_util.cc +++ b/src/service_inspectors/smtp/smtp_util.cc @@ -25,8 +25,8 @@ #include "smtp_util.h" +#include "detection/detection_buf.h" #include "detection/detection_engine.h" -#include "detection/detection_util.h" #include "protocols/packet.h" #include "stream/stream.h" #include "utils/safec.h" diff --git a/src/service_inspectors/smtp/smtp_xlink2state.cc b/src/service_inspectors/smtp/smtp_xlink2state.cc index ebbde81d3..382fa7fe3 100644 --- a/src/service_inspectors/smtp/smtp_xlink2state.cc +++ b/src/service_inspectors/smtp/smtp_xlink2state.cc @@ -27,7 +27,6 @@ #include "smtp_xlink2state.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "packet_io/active.h" #include "smtp_module.h" diff --git a/src/service_inspectors/ssh/ssh.cc b/src/service_inspectors/ssh/ssh.cc index 0f75475ad..ae6a04db7 100644 --- a/src/service_inspectors/ssh/ssh.cc +++ b/src/service_inspectors/ssh/ssh.cc @@ -30,7 +30,6 @@ #include "ssh.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "log/messages.h" #include "profiler/profiler.h" #include "protocols/packet.h" diff --git a/src/service_inspectors/ssl/CMakeLists.txt b/src/service_inspectors/ssl/CMakeLists.txt index 4ab2e345a..9bd4f0a14 100644 --- a/src/service_inspectors/ssl/CMakeLists.txt +++ b/src/service_inspectors/ssl/CMakeLists.txt @@ -16,14 +16,13 @@ set( FILE_LIST ${SSL_INCLUDES} ) -# can't be be linked dynamically yet -#if (STATIC_INSPECTORS) +if (STATIC_INSPECTORS) add_library( ssl OBJECT ${FILE_LIST}) -#else (STATIC_INSPECTORS) - #add_dynamic_module(ssl inspectors ${FILE_LIST}) +else (STATIC_INSPECTORS) + add_dynamic_module(ssl inspectors ${FILE_LIST}) -#endif (STATIC_INSPECTORS) +endif (STATIC_INSPECTORS) install(FILES ${SSL_INCLUDES} DESTINATION "${INCLUDE_INSTALL_PATH}/service_inspectors/ssl/" diff --git a/src/service_inspectors/ssl/ips_ssl_state.cc b/src/service_inspectors/ssl/ips_ssl_state.cc index dbb9f4da6..5d5aefa16 100644 --- a/src/service_inspectors/ssl/ips_ssl_state.cc +++ b/src/service_inspectors/ssl/ips_ssl_state.cc @@ -235,7 +235,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* ssl_state_ctor(Module* p, OptTreeNode*) +static IpsOption* ssl_state_ctor(Module* p, IpsInfo&) { SslStateModule* m = (SslStateModule*)p; return new SslStateOption(m->ssod); diff --git a/src/service_inspectors/ssl/ips_ssl_version.cc b/src/service_inspectors/ssl/ips_ssl_version.cc index 0b8fc1474..e040563b0 100644 --- a/src/service_inspectors/ssl/ips_ssl_version.cc +++ b/src/service_inspectors/ssl/ips_ssl_version.cc @@ -236,7 +236,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* ssl_version_ctor(Module* p, OptTreeNode*) +static IpsOption* ssl_version_ctor(Module* p, IpsInfo&) { SslVersionModule* m = (SslVersionModule*)p; return new SslVersionOption(m->svod); diff --git a/src/service_inspectors/ssl/ssl_inspector.cc b/src/service_inspectors/ssl/ssl_inspector.cc index 0845e62d7..0fd4fe45a 100644 --- a/src/service_inspectors/ssl/ssl_inspector.cc +++ b/src/service_inspectors/ssl/ssl_inspector.cc @@ -28,9 +28,7 @@ #include #include -#include "detection/detect.h" #include "detection/detection_engine.h" -#include "events/event_queue.h" #include "log/messages.h" #include "profiler/profiler.h" #include "protocols/packet.h" @@ -577,8 +575,6 @@ const InspectApi ssl_api = nullptr // reset }; -#undef BUILDING_SO // FIXIT-L can't be linked dynamically yet - extern const BaseApi* ips_ssl_state; extern const BaseApi* ips_ssl_version; diff --git a/src/service_inspectors/wizard/curse_book.h b/src/service_inspectors/wizard/curse_book.h index 0ba6fcc76..569869b69 100644 --- a/src/service_inspectors/wizard/curse_book.h +++ b/src/service_inspectors/wizard/curse_book.h @@ -67,7 +67,7 @@ private: static bool s7commplus_curse(const uint8_t* data, unsigned len, CurseTracker*); #ifdef CATCH_TEST_BUILD public: -#endif +#endif static bool ssl_v2_curse(const uint8_t* data, unsigned len, CurseTracker*); }; diff --git a/src/service_inspectors/wizard/dce_curse.h b/src/service_inspectors/wizard/dce_curse.h index f8ad532e8..477182bf6 100644 --- a/src/service_inspectors/wizard/dce_curse.h +++ b/src/service_inspectors/wizard/dce_curse.h @@ -42,7 +42,7 @@ enum DCE_State class DceTracker { -public: +public: DCE_State state = DCE_State::DCE_STATE__0; uint32_t helper; }; diff --git a/src/service_inspectors/wizard/mms_curse.h b/src/service_inspectors/wizard/mms_curse.h index 29a5b0612..77ef3c06d 100644 --- a/src/service_inspectors/wizard/mms_curse.h +++ b/src/service_inspectors/wizard/mms_curse.h @@ -42,7 +42,7 @@ enum MMS_State class MmsTracker { -public: +public: MMS_State state = MMS_State::MMS_STATE__TPKT_VER; MMS_State last_state = MMS_State::MMS_STATE__TPKT_VER; }; diff --git a/src/service_inspectors/wizard/s7commplus_curse.h b/src/service_inspectors/wizard/s7commplus_curse.h index a541b281c..447c6308c 100644 --- a/src/service_inspectors/wizard/s7commplus_curse.h +++ b/src/service_inspectors/wizard/s7commplus_curse.h @@ -50,7 +50,7 @@ enum S7commplus_State class S7commplusTracker { -public: +public: S7commplus_State state = S7commplus_State::S7COMMPLUS_STATE__TPKT_VER; S7commplus_State last_state = S7commplus_State::S7COMMPLUS_STATE__TPKT_VER; uint16_t func = 0; diff --git a/src/sfip/sf_ip.cc b/src/sfip/sf_ip.cc index 2b2589632..e2857cdec 100644 --- a/src/sfip/sf_ip.cc +++ b/src/sfip/sf_ip.cc @@ -29,7 +29,6 @@ #include // For ceil -#include "main/thread.h" #include "utils/util.h" #include "utils/util_net.h" diff --git a/src/sfip/sf_ip.h b/src/sfip/sf_ip.h index bb31fb219..ced35af0c 100644 --- a/src/sfip/sf_ip.h +++ b/src/sfip/sf_ip.h @@ -546,3 +546,4 @@ inline std::ostream& operator<<(std::ostream& os, const SfIp* addr) SO_PUBLIC const char* snort_inet_ntop(int family, const void* ip_raw, char* buf, int bufsize); } // namespace snort #endif + diff --git a/src/side_channel/side_channel.h b/src/side_channel/side_channel.h index 061d2b4d0..c73b43261 100644 --- a/src/side_channel/side_channel.h +++ b/src/side_channel/side_channel.h @@ -21,8 +21,8 @@ #include -#include "framework/bits.h" #include "framework/connector.h" +#include "utils/bits.h" #define MAXIMUM_SC_MESSAGE_CONTENT 1024 #define DISPATCH_ALL_RECEIVE 0 diff --git a/src/side_channel/test/side_channel_module_test.cc b/src/side_channel/test/side_channel_module_test.cc index 6c5ec1959..fcd1d0e8f 100644 --- a/src/side_channel/test/side_channel_module_test.cc +++ b/src/side_channel/test/side_channel_module_test.cc @@ -57,7 +57,7 @@ void SideChannelManager::instantiate(const SCConnectors*, const PortBitSet* port } void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char*, FILE*) { } namespace snort { diff --git a/src/stream/CMakeLists.txt b/src/stream/CMakeLists.txt index b531c27b0..a31e9b29a 100644 --- a/src/stream/CMakeLists.txt +++ b/src/stream/CMakeLists.txt @@ -25,6 +25,7 @@ add_library( stream_paf OBJECT flush_bucket.cc flush_bucket.h paf.cc + paf_stats.h ) install (FILES ${STREAM_INCLUDES} diff --git a/src/stream/base/stream_ha.cc b/src/stream/base/stream_ha.cc index 6dd545150..d3e2ba05c 100644 --- a/src/stream/base/stream_ha.cc +++ b/src/stream/base/stream_ha.cc @@ -23,10 +23,10 @@ #include "stream_ha.h" +#include #include #include "flow/flow_key.h" -#include "managers/inspector_manager.h" #include "pub_sub/stream_event_ids.h" #include "stream/stream.h" diff --git a/src/stream/ip/ip_defrag.cc b/src/stream/ip/ip_defrag.cc index 27e845bb5..f67ccc229 100644 --- a/src/stream/ip/ip_defrag.cc +++ b/src/stream/ip/ip_defrag.cc @@ -70,7 +70,6 @@ #include "ip_defrag.h" -#include "detection/detect.h" #include "detection/detection_engine.h" #include "log/messages.h" #include "main/analyzer.h" @@ -82,7 +81,6 @@ #include "time/timersub.h" #include "trace/trace_api.h" #include "utils/safec.h" -#include "utils/stats.h" #include "utils/util.h" #include "ip_session.h" diff --git a/src/stream/paf.cc b/src/stream/paf.cc index 2873dd844..22dde5f78 100644 --- a/src/stream/paf.cc +++ b/src/stream/paf.cc @@ -24,9 +24,11 @@ #endif #include "paf.h" +#include "paf_stats.h" #include "detection/detection_engine.h" #include "protocols/packet.h" +#include "protocols/tcp.h" using namespace snort; diff --git a/src/stream/paf.h b/src/stream/paf.h index 67e6c3677..6d5606b27 100644 --- a/src/stream/paf.h +++ b/src/stream/paf.h @@ -26,8 +26,6 @@ #define PAF_H #include "main/snort_types.h" -#include "main/thread.h" -#include "profiler/profiler_defs.h" #include "stream/stream_splitter.h" namespace snort @@ -35,12 +33,10 @@ namespace snort struct Packet; } -extern THREAD_LOCAL snort::ProfileStats pafPerfStats; - void* paf_new(unsigned max); // create new paf config (per policy) void paf_delete(void*); // free config -struct SO_PUBLIC PAF_State // per session direction +struct PAF_State // per session direction { uint32_t seq; // stream cursor uint32_t pos; // last flush position @@ -60,7 +56,7 @@ inline uint32_t paf_position (PAF_State* ps) return ps->seq; } -SO_PUBLIC inline uint32_t paf_initialized (PAF_State* ps) +inline uint32_t paf_initialized (PAF_State* ps) { return ( ps->paf != snort::StreamSplitter::START ); } diff --git a/src/stream/paf_stats.h b/src/stream/paf_stats.h new file mode 100644 index 000000000..28b3fdf4b --- /dev/null +++ b/src/stream/paf_stats.h @@ -0,0 +1,31 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// paf_stats.h author Russ Combs + +#ifndef PAF_STATS_H +#define PAF_STATS_H + +// private PAF accessors (not installed) + +#include "profiler/profiler_defs.h" + +extern THREAD_LOCAL snort::ProfileStats pafPerfStats; + +#endif + diff --git a/src/stream/stream.cc b/src/stream/stream.cc index 9d73723ae..05b515976 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -35,8 +35,8 @@ #include "framework/data_bus.h" #include "main/snort.h" #include "main/snort_config.h" -#include "network_inspectors/packet_tracer/packet_tracer.h" #include "packet_io/active.h" +#include "packet_io/packet_tracer.h" #include "protocols/vlan.h" #include "pub_sub/stream_event_ids.h" #include "stream/base/stream_module.h" @@ -79,15 +79,10 @@ Flow* Stream::new_flow(const FlowKey* key) { return flow_con->new_flow(key); } void Stream::delete_flow(const FlowKey* key) -{ - flow_con->release_flow(key); -} +{ flow_con->release_flow(key); } void Stream::delete_flow(Flow* flow) -{ - if (flow_con) - flow_con->release_flow(flow, PruneReason::NONE); -} +{ flow_con->release_flow(flow, PruneReason::NONE); } //------------------------------------------------------------------------- // key foo @@ -153,26 +148,6 @@ FlowData* Stream::get_flow_data( return flow->get_flow_data(flowdata_id); } -FlowData* Stream::get_flow_data( - PktType type, IpProtocol proto, - const SfIp* srcIP, uint16_t srcPort, - const SfIp* dstIP, uint16_t dstPort, - uint16_t vlan, uint32_t mplsId, - uint32_t addressSpaceID, unsigned flowdata_id, uint32_t tenant_id, - int16_t ingress_group, int16_t egress_group) -{ - Flow* flow = get_flow( - type, proto, srcIP, srcPort, dstIP, dstPort, - vlan, mplsId, addressSpaceID, tenant_id, ingress_group, - egress_group); - - if (!flow) - return nullptr; - - return flow->get_flow_data(flowdata_id); -} - -//------------------------------------------------------------------------- //------------------------------------------------------------------------- // session status //------------------------------------------------------------------------- diff --git a/src/stream/stream.h b/src/stream/stream.h index 28e257709..6f57a7477 100644 --- a/src/stream/stream.h +++ b/src/stream/stream.h @@ -193,15 +193,6 @@ public: bool swap_app_direction = false, bool expect_multi = false, bool bidirectional = false, bool expect_persist = false); - // Get pointer to application data for a flow based on the lookup tuples for cases where - // Snort does not have an active packet that is relevant. - static FlowData* get_flow_data( - PktType type, IpProtocol proto, - const snort::SfIp* a1, uint16_t p1, const snort::SfIp* a2, uint16_t p2, - uint16_t vlanId, uint32_t mplsId, uint32_t addrSpaceId, unsigned flowdata_id, - uint32_t tenant_id, int16_t ingress_group = DAQ_PKTHDR_UNKNOWN, - int16_t egress_group = DAQ_PKTHDR_UNKNOWN); - // Get pointer to application data for a flow using the FlowKey as the lookup criteria static FlowData* get_flow_data(const FlowKey*, unsigned flowdata_id); @@ -223,7 +214,6 @@ public: // Handle session block pending state static void check_flow_closed(Packet*); - // Populate a flow key from the Packet static void populate_flow_key(const Packet*, FlowKey*); static void set_snort_protocol_id_from_ha(Flow*, const SnortProtocolId); diff --git a/src/stream/tcp/ips_stream_reassemble.cc b/src/stream/tcp/ips_stream_reassemble.cc index ad359447c..39286e7c2 100644 --- a/src/stream/tcp/ips_stream_reassemble.cc +++ b/src/stream/tcp/ips_stream_reassemble.cc @@ -238,7 +238,7 @@ static void mod_dtor(Module* m) delete m; } -static IpsOption* reassemble_ctor(Module* p, OptTreeNode*) +static IpsOption* reassemble_ctor(Module* p, IpsInfo&) { ReassembleModule* m = (ReassembleModule*)p; return new ReassembleOption(m->srod); @@ -286,7 +286,6 @@ const BaseApi* ips_stream_reassemble = &reassemble_api.base; TEST_CASE("IPS Stream Reassemble", "[ips_stream_reassemble][stream_tcp]") { // initialization code here - REQUIRE( ( ips_stream_reassemble->api_version == (BASE_API_VERSION << 16) ) ); REQUIRE( ( strcmp(ips_stream_reassemble->name, s_name) == 0 ) ); ReassembleModule* reassembler = ( ReassembleModule* )ips_stream_reassemble->mod_ctor(); REQUIRE( reassembler != nullptr ); diff --git a/src/stream/tcp/ips_stream_size.cc b/src/stream/tcp/ips_stream_size.cc index 225d1b7e6..f4ff3ab7a 100644 --- a/src/stream/tcp/ips_stream_size.cc +++ b/src/stream/tcp/ips_stream_size.cc @@ -213,7 +213,7 @@ static Module* size_mod_ctor() static void mod_dtor(Module* m) { delete m; } -static IpsOption* size_ctor(Module* p, OptTreeNode*) +static IpsOption* size_ctor(Module* p, IpsInfo&) { SizeModule* m = (SizeModule*)p; return new SizeOption(m->ssod, m->direction); diff --git a/src/stream/tcp/tcp_defs.h b/src/stream/tcp/tcp_defs.h index c76e847b2..5cf65a71c 100644 --- a/src/stream/tcp/tcp_defs.h +++ b/src/stream/tcp/tcp_defs.h @@ -22,7 +22,7 @@ #ifndef TCP_DEFS_H #define TCP_DEFS_H -#include "main/thread.h" +#include namespace snort { diff --git a/src/stream/tcp/tcp_event_logger.cc b/src/stream/tcp/tcp_event_logger.cc index c3de7576d..11bb79c81 100644 --- a/src/stream/tcp/tcp_event_logger.cc +++ b/src/stream/tcp/tcp_event_logger.cc @@ -29,7 +29,7 @@ #include "detection/rules.h" #include "filters/sfrf.h" #include "main/snort_config.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "tcp_module.h" @@ -64,7 +64,6 @@ struct tcp_event_sid tcp_event_sids[] = { EVENT_DATA_AFTER_RST_RCVD, STREAM_TCP_DATA_AFTER_RST_RCVD, "DATA_AFTER_RST_RCVD" }, { EVENT_WINDOW_SLAM, STREAM_TCP_WINDOW_SLAM, "WINDOW_SLAM" }, { EVENT_NO_3WHS, STREAM_TCP_NO_3WHS, "NO_3WHS" }, - { EVENT_BAD_SEGMENT, STREAM_TCP_BAD_SEGMENT, "BAD_SEGMENT" }, { EVENT_EXCESSIVE_OVERLAP, STREAM_TCP_EXCESSIVE_TCP_OVERLAPS, "EXCESSIVE_OVERLAP" }, { EVENT_MAX_SMALL_SEGS_EXCEEDED, STREAM_TCP_SMALL_SEGMENT, "MAX_SMALL_SEGS_EXCEEDED" }, { EVENT_MAX_QUEUED_BYTES_EXCEEDED, STREAM_TCP_MAX_QUEUED_BYTES_EXCEEDED, "MAX_QUEUED_BYTES_EXCEEDED" }, diff --git a/src/stream/tcp/tcp_event_logger.h b/src/stream/tcp/tcp_event_logger.h index eb346a9af..3d8a9a275 100644 --- a/src/stream/tcp/tcp_event_logger.h +++ b/src/stream/tcp/tcp_event_logger.h @@ -42,11 +42,10 @@ #define EVENT_DATA_AFTER_RST_RCVD 0x00004000 #define EVENT_WINDOW_SLAM 0x00008000 #define EVENT_NO_3WHS 0x00010000 -#define EVENT_BAD_SEGMENT 0x00020000 -#define EVENT_EXCESSIVE_OVERLAP 0x00040000 -#define EVENT_MAX_SMALL_SEGS_EXCEEDED 0x00080000 -#define EVENT_MAX_QUEUED_BYTES_EXCEEDED 0x00100000 -#define EVENT_MAX_QUEUED_SEGS_EXCEEDED 0x00200000 +#define EVENT_EXCESSIVE_OVERLAP 0x00020000 +#define EVENT_MAX_SMALL_SEGS_EXCEEDED 0x00040000 +#define EVENT_MAX_QUEUED_BYTES_EXCEEDED 0x00080000 +#define EVENT_MAX_QUEUED_SEGS_EXCEEDED 0x00100000 class TcpEventLogger { diff --git a/src/stream/tcp/tcp_module.cc b/src/stream/tcp/tcp_module.cc index 183ece674..f99d60399 100644 --- a/src/stream/tcp/tcp_module.cc +++ b/src/stream/tcp/tcp_module.cc @@ -28,6 +28,7 @@ #include "main/snort_config.h" #include "profiler/profiler_defs.h" #include "stream/paf.h" +#include "stream/paf_stats.h" #include "trace/trace.h" #include "tcp_trace.h" @@ -133,8 +134,6 @@ THREAD_LOCAL TcpStats tcpStats; "data sent on stream not accepting data" #define STREAM_TCP_BAD_TIMESTAMP_STR \ "TCP timestamp is outside of PAWS window" -#define STREAM_TCP_BAD_SEGMENT_STR \ - "bad segment, adjusted size <= 0 (deprecated)" #define STREAM_TCP_WINDOW_TOO_LARGE_STR \ "window size (after scaling) larger than policy allows" #define STREAM_TCP_EXCESSIVE_TCP_OVERLAPS_STR \ @@ -248,7 +247,6 @@ static const RuleMap stream_tcp_rules[] = { STREAM_TCP_DATA_ON_SYN, STREAM_TCP_DATA_ON_SYN_STR }, { STREAM_TCP_DATA_ON_CLOSED, STREAM_TCP_DATA_ON_CLOSED_STR }, { STREAM_TCP_BAD_TIMESTAMP, STREAM_TCP_BAD_TIMESTAMP_STR }, - { STREAM_TCP_BAD_SEGMENT, STREAM_TCP_BAD_SEGMENT_STR }, { STREAM_TCP_WINDOW_TOO_LARGE, STREAM_TCP_WINDOW_TOO_LARGE_STR }, { STREAM_TCP_EXCESSIVE_TCP_OVERLAPS, STREAM_TCP_EXCESSIVE_TCP_OVERLAPS_STR }, { STREAM_TCP_DATA_AFTER_RESET, STREAM_TCP_DATA_AFTER_RESET_STR }, diff --git a/src/stream/tcp/tcp_module.h b/src/stream/tcp/tcp_module.h index 95c87e2eb..4b6f00999 100644 --- a/src/stream/tcp/tcp_module.h +++ b/src/stream/tcp/tcp_module.h @@ -31,7 +31,7 @@ #define STREAM_TCP_DATA_ON_SYN 2 #define STREAM_TCP_DATA_ON_CLOSED 3 #define STREAM_TCP_BAD_TIMESTAMP 4 -#define STREAM_TCP_BAD_SEGMENT 5 +//#define STREAM_TCP_BAD_SEGMENT 5 deleted #define STREAM_TCP_WINDOW_TOO_LARGE 6 #define STREAM_TCP_EXCESSIVE_TCP_OVERLAPS 7 #define STREAM_TCP_DATA_AFTER_RESET 8 diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc index 4471cda88..79f5326d7 100644 --- a/src/stream/tcp/tcp_normalizer.cc +++ b/src/stream/tcp/tcp_normalizer.cc @@ -26,11 +26,11 @@ #include "tcp_normalizer.h" #include "stream/stream.h" +#include "packet_io/packet_tracer.h" #include "tcp_module.h" #include "tcp_stream_session.h" #include "tcp_stream_tracker.h" -#include "packet_tracer/packet_tracer.h" using namespace snort; diff --git a/src/stream/tcp/tcp_normalizer.h b/src/stream/tcp/tcp_normalizer.h index 7ddd568a0..17c5c8d62 100644 --- a/src/stream/tcp/tcp_normalizer.h +++ b/src/stream/tcp/tcp_normalizer.h @@ -24,7 +24,8 @@ #include "tcp_defs.h" -#include "main/thread.h" +#include + #include "normalize/normalize.h" #include "normalize/norm_stats.h" #include "protocols/tcp_options.h" diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc index fc003fcfd..cba454cde 100644 --- a/src/stream/tcp/tcp_reassembler.cc +++ b/src/stream/tcp/tcp_reassembler.cc @@ -29,9 +29,8 @@ #include "detection/detection_engine.h" #include "log/log.h" -#include "main/analyzer.h" #include "packet_io/active.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "profiler/profiler.h" #include "protocols/packet_manager.h" #include "time/packet_time.h" @@ -597,7 +596,9 @@ int TcpReassembler::flush_to_seq( tcpStats.rebuilt_packets++; tcpStats.rebuilt_bytes += flushed_bytes; - if ( !Analyzer::get_local_analyzer()->inspect_rebuilt(pdu) ) + DetectionEngine de; + + if ( !de.inspect(pdu) ) last_pdu = pdu; else last_pdu = nullptr; @@ -641,7 +642,9 @@ int TcpReassembler::do_zero_byte_flush(TcpReassemblerState& trs, Packet* p, uint trs.flush_count++; show_rebuilt_packet(trs, pdu); - Analyzer::get_local_analyzer()->inspect_rebuilt(pdu); + + DetectionEngine de; + de.inspect(pdu); } return bytes_copied; diff --git a/src/stream/tcp/tcp_segment_descriptor.cc b/src/stream/tcp/tcp_segment_descriptor.cc index ac2b5aee2..23fc6c23e 100644 --- a/src/stream/tcp/tcp_segment_descriptor.cc +++ b/src/stream/tcp/tcp_segment_descriptor.cc @@ -26,7 +26,7 @@ #include "tcp_segment_descriptor.h" #include "detection/rules.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "protocols/tcp_options.h" #include "stream/tcp/tcp_defs.h" #include "stream/tcp/tcp_stream_tracker.h" diff --git a/src/stream/tcp/tcp_segment_descriptor.h b/src/stream/tcp/tcp_segment_descriptor.h index 64361e8d0..6ba4dd128 100644 --- a/src/stream/tcp/tcp_segment_descriptor.h +++ b/src/stream/tcp/tcp_segment_descriptor.h @@ -28,6 +28,7 @@ #include "flow/flow.h" #include "detection/ips_context.h" +#include "main/snort_config.h" #include "packet_io/active.h" #include "protocols/packet.h" #include "protocols/tcp.h" diff --git a/src/stream/tcp/tcp_segment_node.cc b/src/stream/tcp/tcp_segment_node.cc index 42ea2671e..8836165e3 100644 --- a/src/stream/tcp/tcp_segment_node.cc +++ b/src/stream/tcp/tcp_segment_node.cc @@ -25,7 +25,6 @@ #include "tcp_segment_node.h" -#include "main/thread.h" #include "utils/util.h" #include "segment_overlap_editor.h" diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc index 60a3201c6..a0c4e39a8 100644 --- a/src/stream/tcp/tcp_session.cc +++ b/src/stream/tcp/tcp_session.cc @@ -51,10 +51,10 @@ #include "detection/detection_engine.h" #include "detection/rules.h" #include "log/log.h" +#include "packet_io/packet_tracer.h" #include "profiler/profiler.h" #include "protocols/eth.h" #include "pub_sub/intrinsic_event_ids.h" -#include "packet_tracer/packet_tracer.h" #include "stream_tcp.h" #include "tcp_ha.h" diff --git a/src/stream/tcp/tcp_state_listen.cc b/src/stream/tcp/tcp_state_listen.cc index 12b7efc53..49ef29170 100644 --- a/src/stream/tcp/tcp_state_listen.cc +++ b/src/stream/tcp/tcp_state_listen.cc @@ -25,7 +25,7 @@ #include "tcp_state_listen.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "pub_sub/stream_event_ids.h" #include "stream/stream.h" diff --git a/src/stream/tcp/tcp_state_none.cc b/src/stream/tcp/tcp_state_none.cc index 55727ac3c..de26c2a6f 100644 --- a/src/stream/tcp/tcp_state_none.cc +++ b/src/stream/tcp/tcp_state_none.cc @@ -25,7 +25,7 @@ #include "tcp_state_none.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "pub_sub/stream_event_ids.h" #include "stream/stream.h" diff --git a/src/stream/tcp/tcp_stream_session.cc b/src/stream/tcp/tcp_stream_session.cc index d005ef5b4..513e9f40c 100644 --- a/src/stream/tcp/tcp_stream_session.cc +++ b/src/stream/tcp/tcp_stream_session.cc @@ -26,7 +26,7 @@ #include "tcp_stream_session.h" #include "framework/data_bus.h" -#include "packet_tracer/packet_tracer.h" +#include "packet_io/packet_tracer.h" #include "pub_sub/stream_event_ids.h" #include "stream/stream.h" #include "stream/tcp/tcp_ha.h" diff --git a/src/stream/tcp/tcp_trace.cc b/src/stream/tcp/tcp_trace.cc index 611e62993..bfbf7ee4e 100644 --- a/src/stream/tcp/tcp_trace.cc +++ b/src/stream/tcp/tcp_trace.cc @@ -26,7 +26,6 @@ #include "tcp_trace.h" #include "trace/trace_api.h" -#include "utils/stats.h" #include "tcp_module.h" #include "tcp_session.h" diff --git a/src/stream/tcp/tcp_trace.h b/src/stream/tcp/tcp_trace.h index fddf362c6..0ae6597b2 100644 --- a/src/stream/tcp/tcp_trace.h +++ b/src/stream/tcp/tcp_trace.h @@ -21,7 +21,6 @@ #ifndef TCP_TRACE_H #define TCP_TRACE_H -#include "main/thread.h" namespace snort { diff --git a/src/stream/test/stream_splitter_test.cc b/src/stream/test/stream_splitter_test.cc index 3e089110b..b2f51ecfd 100644 --- a/src/stream/test/stream_splitter_test.cc +++ b/src/stream/test/stream_splitter_test.cc @@ -24,6 +24,7 @@ #include "stream/stream_splitter.h" #include "detection/detection_engine.h" +#include "main/snort_config.h" #include "stream/flush_bucket.h" #include "stream/stream.h" diff --git a/src/stream/udp/CMakeLists.txt b/src/stream/udp/CMakeLists.txt index 7c23d6917..9020a0394 100644 --- a/src/stream/udp/CMakeLists.txt +++ b/src/stream/udp/CMakeLists.txt @@ -1,17 +1,17 @@ set(UDP_STREAM_INCLUDES - stream_udp.h - udp_ha.h - udp_module.h - udp_session.h + udp_session.h ) add_library( stream_udp OBJECT stream_udp.cc + stream_udp.h udp_ha.cc + udp_ha.h udp_module.cc + udp_module.h udp_session.cc ) install(FILES ${UDP_STREAM_INCLUDES} DESTINATION "${INCLUDE_INSTALL_PATH}/stream/udp" -) \ No newline at end of file +) diff --git a/src/stream/udp/udp_session.h b/src/stream/udp/udp_session.h index 0d94b91f0..e1d0f16d0 100644 --- a/src/stream/udp/udp_session.h +++ b/src/stream/udp/udp_session.h @@ -23,7 +23,6 @@ #include #include "flow/session.h" -#include "main/snort_types.h" class SO_PUBLIC UdpSession : public Session { @@ -40,8 +39,5 @@ public: struct timeval ssn_time = {}; }; -void udp_stats(); -void udp_reset(); - #endif diff --git a/src/stream/user/user_session.cc b/src/stream/user/user_session.cc index 3f8e41c1e..ef9bd9a2d 100644 --- a/src/stream/user/user_session.cc +++ b/src/stream/user/user_session.cc @@ -25,7 +25,7 @@ #include "detection/detection_engine.h" #include "detection/rules.h" -#include "main/analyzer.h" +#include "framework/pig_pen.h" #include "profiler/profiler_defs.h" #include "protocols/packet.h" #include "trace/trace_api.h" @@ -165,7 +165,7 @@ void UserTracker::detect( up->packet_flags |= (p->packet_flags & (PKT_STREAM_EST|PKT_STREAM_UNEST_UNI)); debug_logf(stream_user_trace, up, "detect[%d]\n", up->dsize); - Analyzer::get_local_analyzer()->inspect_rebuilt(up); + PigPen::inspect_rebuilt(up); } int UserTracker::scan(Packet* p, uint32_t& flags) diff --git a/src/target_based/host_attributes.cc b/src/target_based/host_attributes.cc index c031c8647..ca2777752 100644 --- a/src/target_based/host_attributes.cc +++ b/src/target_based/host_attributes.cc @@ -30,7 +30,6 @@ #include "main/shell.h" #include "main/snort.h" #include "main/snort_config.h" -#include "main/thread.h" using namespace snort; diff --git a/src/time/packet_time.cc b/src/time/packet_time.cc index 18b69dbef..2a16326e7 100644 --- a/src/time/packet_time.cc +++ b/src/time/packet_time.cc @@ -35,7 +35,6 @@ #include "packet_time.h" -#include "main/thread.h" #include "time/timersub.h" static THREAD_LOCAL struct timeval s_recent_packet = { 0, 0 }; diff --git a/src/trace/trace.h b/src/trace/trace.h index 3c8ee6959..4a658eddf 100644 --- a/src/trace/trace.h +++ b/src/trace/trace.h @@ -21,11 +21,11 @@ #define TRACE_H #include +#include #include +#include #include -#include "main/thread.h" - #define DEFAULT_TRACE_LOG_LEVEL 1 #define TRACE_CRITICAL_LEVEL 2 #define TRACE_ERROR_LEVEL 3 diff --git a/src/trace/trace_api.cc b/src/trace/trace_api.cc index 58fe56f59..08e1760ff 100644 --- a/src/trace/trace_api.cc +++ b/src/trace/trace_api.cc @@ -25,10 +25,9 @@ #include -#include "framework/packet_constraints.h" #include "main/snort.h" #include "main/snort_config.h" -#include "main/thread.h" +#include "packet_io/packet_constraints.h" #include "protocols/packet.h" #include "utils/safec.h" diff --git a/src/trace/trace_config.cc b/src/trace/trace_config.cc index 0aad4443e..d2c832c38 100644 --- a/src/trace/trace_config.cc +++ b/src/trace/trace_config.cc @@ -26,8 +26,8 @@ #include #include "framework/module.h" -#include "framework/packet_constraints.h" #include "managers/module_manager.h" +#include "packet_io/packet_constraints.h" #include "trace_logger.h" diff --git a/src/trace/trace_module.cc b/src/trace/trace_module.cc index 018b26181..04dc106df 100644 --- a/src/trace/trace_module.cc +++ b/src/trace/trace_module.cc @@ -25,9 +25,9 @@ #include -#include "framework/packet_constraints.h" #include "main/snort_config.h" #include "managers/module_manager.h" +#include "packet_io/packet_constraints.h" #include "trace_config.h" #include "trace_loggers.h" diff --git a/src/trace/trace_parser.h b/src/trace/trace_parser.h index 84d02f87b..208025849 100644 --- a/src/trace/trace_parser.h +++ b/src/trace/trace_parser.h @@ -23,7 +23,7 @@ #include #include -#include "framework/packet_constraints.h" +#include "packet_io/packet_constraints.h" namespace snort { diff --git a/src/trace/trace_swap.cc b/src/trace/trace_swap.cc index cdb8123e9..bba83c184 100644 --- a/src/trace/trace_swap.cc +++ b/src/trace/trace_swap.cc @@ -27,10 +27,10 @@ #include "control/control.h" #include "framework/module.h" -#include "framework/packet_constraints.h" #include "log/messages.h" #include "main/analyzer_command.h" #include "main/snort_config.h" +#include "packet_io/packet_constraints.h" #include "trace_api.h" #include "trace_config.h" diff --git a/src/utils/CMakeLists.txt b/src/utils/CMakeLists.txt index 8e9766f73..26cda0a55 100644 --- a/src/utils/CMakeLists.txt +++ b/src/utils/CMakeLists.txt @@ -1,45 +1,32 @@ set( UTIL_INCLUDES - boyer_moore.h + bits.h cpp_macros.h endian.h - event_gen.h - infractions.h - kmap.h - memcap_allocator.h - primed_allocator.h safec.h - sflsq.h - stats.h util.h - util_ber.h util_cstring.h util_unfold.h - util_utf.h - util_numa.h ) add_library ( utils OBJECT ${UTIL_INCLUDES} ${SNPRINTF_SOURCES} - boyer_moore.cc + chunk.cc + chunk.h dnet_header.h - kmap.cc sflsq.cc + sflsq.h snort_bounds.h stats.cc - streambuf.cc - streambuf.h + stats.h util.cc - util_ber.cc util_cstring.cc util_jsnorm.cc util_jsnorm.h util_net.cc util_net.h util_unfold.cc - util_utf.cc - util_numa.h ${TEST_FILES} ) @@ -47,5 +34,3 @@ install (FILES ${UTIL_INCLUDES} DESTINATION "${INCLUDE_INSTALL_PATH}/utils" ) -add_subdirectory(test) - diff --git a/src/framework/bits.h b/src/utils/bits.h similarity index 100% rename from src/framework/bits.h rename to src/utils/bits.h diff --git a/src/helpers/chunk.cc b/src/utils/chunk.cc similarity index 100% rename from src/helpers/chunk.cc rename to src/utils/chunk.cc diff --git a/src/helpers/chunk.h b/src/utils/chunk.h similarity index 100% rename from src/helpers/chunk.h rename to src/utils/chunk.h diff --git a/src/utils/dev_notes.txt b/src/utils/dev_notes.txt index 5d5d1f1b7..c2649ac9d 100644 --- a/src/utils/dev_notes.txt +++ b/src/utils/dev_notes.txt @@ -1,48 +1,4 @@ -This unit contains a mixed bag of legacy utilities that haven't found a home in any -other directory. In many cases, the STL provides better options. +This unit contains a mixed bag of legacy utilities that haven't found a home in +any other directory. In many cases, the STL provides better options. Fully +formed utility classes should go in src/helpers/. - -On stream buffer, there are two classes inherited from std::streambuf: - -* istreambuf_glue class for reading operations -* ostreambuf_infl class for writing operations - -The input stream buffer presents a continuous sequence of bytes to the client, -gathered from different sources. For example: - - char* s1 = "world"; - char* s2 = "!"; - char* s3 = "Hello "; - -These sources being fed to the stream buffer as s3, s1, s2 will form -"Hello world!" sequence. - -In order to do that, istreambuf_glue class represents each source as a chunk of -data, which has its own position in the resulting sequence. -The chunk structure contains a pointer to the source, source size, and -the chunk's offset in the resulting sequence. - -Reading is done sequentially within the current chunk. When the end of chunk -reached, the buffer switches to the next one, setting std::streambuf pointers. - -Positioning the cursor is done in two steps: - -1. Calculate the final cursor position (absolute or by offset). - -2. Find the right chunk and local offset in it to set cursor there. - -Currently, no intermediate buffering done between chunks (like alignment, -prepending/appending the next chunk). The buffer doesn't take ownership over -the source's memory. - -The output stream buffer is mostly like std::stringbuf. The main purpose of it -is having an extensible dynamic array, where clients could write their data, -not worrying about resizing and memory management. - -Aside from that, ostreambuf_infl can give away ownership over its memory, -which could be useful for final consumer. - -From performance perspective, ostreambuf_infl can reserve an amount of memory -before actual operations. Also, memory extending is done by predefined -portions of 2^11^, 2^12^, 2^13^, 2^14^, 2^15^, 2^15^, 2^15^... -This tries to minimize the number of memory reallocation. diff --git a/src/utils/stats.cc b/src/utils/stats.cc index bdf3ba82c..b1f73ea97 100644 --- a/src/utils/stats.cc +++ b/src/utils/stats.cc @@ -26,116 +26,38 @@ #include #include -#include "control/control.h" #include "detection/detection_engine.h" #include "file_api/file_stats.h" #include "filters/sfthreshold.h" #include "framework/module.h" -#include "helpers/process.h" +#include "log/log_stats.h" #include "log/messages.h" +#include "main/process.h" #include "main/snort_config.h" #include "memory/memory_cap.h" #include "managers/module_manager.h" #include "packet_io/active.h" #include "packet_io/sfdaq.h" #include "packet_io/trough.h" -#include "profiler/profiler.h" +#include "profiler/profiler_impl.h" #include "protocols/packet_manager.h" #include "time/timersub.h" #include "util.h" -#define STATS_SEPARATOR \ - "--------------------------------------------------" #define USECS_PER_SEC 1000000.0 ProcessCount proc_stats; namespace snort { - THREAD_LOCAL PacketCount pc; -static THREAD_LOCAL ControlConn* s_ctrlcon = nullptr; - -//------------------------------------------------------------------------- - -static inline void LogSeparator(FILE* fh = stdout) -{ - LogfRespond(s_ctrlcon, fh, "%s\n", STATS_SEPARATOR); -} - -void LogText(const char* s, FILE* fh) -{ - LogfRespond(s_ctrlcon, fh, "%s\n", s); -} - -void LogLabel(const char* s, FILE* fh) -{ - if ( *s == ' ' ) - { - LogfRespond(s_ctrlcon, fh, "%s\n", s); - } - else - { - LogSeparator(fh); - LogfRespond(s_ctrlcon, fh, "%s\n", s); - } -} - -void LogValue(const char* s, const char* v, FILE* fh) -{ - LogfRespond(s_ctrlcon, fh, "%25.25s: %s\n", s, v); -} - -void LogCount(const char* s, uint64_t c, FILE* fh) -{ - if ( c ) - { - LogfRespond(s_ctrlcon, fh, "%25.25s: " STDu64 "\n", s, c); - } -} - -void LogStat(const char* s, uint64_t n, uint64_t tot, FILE* fh) -{ - if ( n ) - { - LogfRespond(s_ctrlcon, fh, "%25.25s: " FMTu64("-12") "\t(%7.3f%%)\n", s, n, CalcPct(n, tot)); - } -} - -void LogStat(const char* s, double d, FILE* fh) -{ - if ( d ) - { - LogfRespond(s_ctrlcon, fh, "%25.25s: %g\n", s, d); - } -} } using namespace snort; //------------------------------------------------------------------------- -double CalcPct(uint64_t cnt, uint64_t total) -{ - double pct = 0.0; - - if (total == 0.0) - { - pct = (double)cnt; - } - else - { - pct = (double)cnt / (double)total; - } - - pct *= 100.0; - - return pct; -} - -//------------------------------------------------------------------------- - static struct timeval starttime = {0, 0}, endtime = {0, 0}, currtime = {0, 0}; void TimeStart() @@ -195,7 +117,7 @@ static void timing_stats() if ( uint64_t pps = (uint64_t)llround(num_pkts / total_secs) ) LogMessage("%25.25s: " STDu64 "\n", "pkts/sec", pps); - if ( uint64_t mbps = (uint64_t)llround(8 * num_byts / total_secs / 1024 / 1024) ) + if ( uint64_t mbps = (uint64_t)llround(8 * num_byts / total_secs / 1e6) ) LogMessage("%25.25s: " STDu64 "\n", "Mbits/sec", mbps); } @@ -227,9 +149,6 @@ const PegInfo pc_names[] = { CountType::SUM, "offload_fallback", "fast pattern offload search fallback attempts" }, { CountType::SUM, "offload_failures", "fast pattern offload search failures" }, { CountType::SUM, "offload_suspends", "fast pattern search suspends due to offload context chains" }, - { CountType::SUM, "pcre_match_limit", "total number of times pcre hit the match limit" }, - { CountType::SUM, "pcre_recursion_limit", "total number of times pcre hit the recursion limit" }, - { CountType::SUM, "pcre_error", "total number of times pcre returns error" }, { CountType::SUM, "cont_creations", "total number of continuations created" }, { CountType::SUM, "cont_recalls", "total number of continuations recalled" }, { CountType::SUM, "cont_flows", "total number of flows using continuation" }, @@ -262,7 +181,8 @@ const PegInfo proc_names[] = void DropStats(ControlConn* ctrlcon) { - s_ctrlcon = ctrlcon; + set_log_conn(ctrlcon); + ModuleManager::accumulate_dump_stats(); LogLabel("Packet Statistics"); ModuleManager::get_module("daq")->show_stats(); @@ -278,7 +198,7 @@ void DropStats(ControlConn* ctrlcon) ModuleManager::get_module("memory")->show_stats(); memory::MemoryCap::print(SnortConfig::log_verbose()); - s_ctrlcon = nullptr; + set_log_conn(nullptr); } //------------------------------------------------------------------------- @@ -351,7 +271,7 @@ void show_stats( void show_stats( PegCount* pegs, const PegInfo* info, - const IndexVec& peg_idxs, const char* module_name, FILE* fh) + const std::vector& peg_idxs, const char* module_name, FILE* fh) { bool head = false; diff --git a/src/utils/stats.h b/src/utils/stats.h index 1599588cc..b36e2ac40 100644 --- a/src/utils/stats.h +++ b/src/utils/stats.h @@ -23,13 +23,11 @@ // Provides facilities for displaying Snort exit stats #include +#include #include #include "framework/counts.h" #include "main/snort_types.h" -#include "main/thread.h" - -using IndexVec = std::vector; class ControlConn; @@ -60,9 +58,6 @@ struct PacketCount PegCount offload_fallback; PegCount offload_failures; PegCount offload_suspends; - PegCount pcre_match_limit; - PegCount pcre_recursion_limit; - PegCount pcre_error; PegCount cont_creations; PegCount cont_recalls; PegCount cont_flows; @@ -97,29 +92,18 @@ extern const PegInfo proc_names[]; namespace snort { -extern SO_PUBLIC THREAD_LOCAL PacketCount pc; - -SO_PUBLIC inline PegCount get_packet_number() { return pc.analyzed_pkts; } - -SO_PUBLIC void LogLabel(const char*, FILE* = stdout); -SO_PUBLIC void LogText(const char*, FILE* = stdout); -SO_PUBLIC void LogValue(const char*, const char*, FILE* = stdout); -SO_PUBLIC void LogCount(const char*, uint64_t, FILE* = stdout); - -SO_PUBLIC void LogStat(const char*, uint64_t n, uint64_t tot, FILE* = stdout); -SO_PUBLIC void LogStat(const char*, double, FILE* = stdout); +extern THREAD_LOCAL PacketCount pc; } void sum_stats(PegCount* sums, PegCount* counts, unsigned n, bool dump_stats = false); void show_stats(PegCount*, const PegInfo*, const char* module_name = nullptr); void show_stats(PegCount*, const PegInfo*, unsigned n, const char* module_name = nullptr); -void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char* module_name, FILE*); +void show_stats(PegCount*, const PegInfo*, const std::vector&, const char* module_name, FILE*); void show_percent_stats(PegCount*, const char*[], unsigned n, const char* module_name = nullptr); void sum_stats(SimpleStats* sums, SimpleStats* counts); void show_stats(SimpleStats*, const char* module_name); -double CalcPct(uint64_t, uint64_t); void DropStats(ControlConn* ctrlcon = nullptr); void PrintStatistics(); void TimeStart(); diff --git a/src/utils/test/CMakeLists.txt b/src/utils/test/CMakeLists.txt deleted file mode 100644 index 1c6a91c68..000000000 --- a/src/utils/test/CMakeLists.txt +++ /dev/null @@ -1,16 +0,0 @@ -add_cpputest( boyer_moore_test - SOURCES - ../boyer_moore.cc -) - -add_cpputest( memcap_allocator_test ) - -add_catch_test( streambuf_test - SOURCES - ../streambuf.cc -) - -add_catch_test( grouped_list_test - SOURCES - ../grouped_list.h -) diff --git a/src/utils/util.cc b/src/utils/util.cc index 7b8610def..80561ad52 100644 --- a/src/utils/util.cc +++ b/src/utils/util.cc @@ -24,43 +24,13 @@ #include "util.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include #include -#include - -#ifdef HAVE_HYPERSCAN -#include -#endif - -#ifdef HAVE_LZMA -#include -#endif - -#ifdef HAVE_LIBML -#include -#endif - -extern "C" { -#include -} #include -#include #include #include "log/messages.h" #include "main/snort_config.h" -#include "packet_io/sfdaq.h" -#include "protocols/packet.h" // For NUM_IP_PROTOS #include "util_cstring.h" @@ -82,408 +52,6 @@ extern "C" { using namespace snort; -/**************************************************************************** - * Store interesting data in memory that would not otherwise be visible - * in a CORE(5) file - ***************************************************************************/ -#ifdef BUILD - #define SNORT_VERSION_STRING ("### Snort Version " VERSION " Build " BUILD "\n") -#else - #define SNORT_VERSION_STRING ("### Snort Version " VERSION "\n") -#endif -#define SNORT_VERSION_STRLEN sizeof(SNORT_VERSION_STRING) -char __snort_version_string[SNORT_VERSION_STRLEN]; - -void StoreSnortInfoStrings() -{ - strncpy(__snort_version_string, SNORT_VERSION_STRING, - sizeof(__snort_version_string)); -} - -#undef SNORT_VERSION_STRING -#undef SNORT_VERSION_STRLEN - -int DisplayBanner() -{ - const char* ljv = LUAJIT_VERSION; - while ( *ljv && !isdigit(*ljv) ) - ++ljv; - - LogMessage("\n"); - LogMessage(" ,,_ -*> Snort++ <*-\n"); -#ifdef BUILD - LogMessage(" o\" )~ Version %s (Build %s)\n", VERSION, BUILD); -#else - LogMessage(" o\" )~ Version %s\n", VERSION); -#endif - LogMessage(" '''' By Martin Roesch & The Snort Team\n"); - LogMessage(" http://snort.org/contact#team\n"); - LogMessage(" Copyright (C) 2014-2024 Cisco and/or its affiliates." - " All rights reserved.\n"); - LogMessage(" Copyright (C) 1998-2013 Sourcefire, Inc., et al.\n"); - LogMessage(" Using DAQ version %s\n", daq_version_string()); - LogMessage(" Using LuaJIT version %s\n", ljv); - LogMessage(" Using %s\n", OpenSSL_version(SSLEAY_VERSION)); - LogMessage(" Using %s\n", pcap_lib_version()); - LogMessage(" Using PCRE version %s\n", pcre_version()); - LogMessage(" Using ZLIB version %s\n", zlib_version); -#ifdef HAVE_HYPERSCAN - LogMessage(" Using Hyperscan version %s\n", hs_version()); -#endif -#ifdef HAVE_LZMA - LogMessage(" Using LZMA version %s\n", lzma_version_string()); -#endif -#ifdef HAVE_LIBML - LogMessage(" Using LibML version %s\n", libml_version()); -#endif - LogMessage("\n"); - - return 0; -} - -// get offset seconds from GMT -int gmt2local(time_t t) -{ - if (t == 0) - t = time(nullptr); - - struct tm gmt; - struct tm* lt = gmtime_r(&t, &gmt); - if (lt == nullptr) - return 0; - - struct tm loc; - localtime_r(&t, &loc); - - int dt = (loc.tm_hour - gmt.tm_hour) * 60 * 60 + - (loc.tm_min - gmt.tm_min) * 60; - - int dir = loc.tm_year - gmt.tm_year; - - if (dir == 0) - dir = loc.tm_yday - gmt.tm_yday; - - dt += dir * 24 * 60 * 60; - - return(dt); -} - -static FILE* pid_lockfile = nullptr; -static FILE* pid_file = nullptr; - -void CreatePidFile(pid_t pid) -{ - SnortConfig* sc = SnortConfig::get_main_conf(); - - sc->pid_filename = sc->log_dir; - sc->pid_filename += "/snort.pid"; - - std::string pid_lockfilename; - - if ( !sc->no_lock_pid_file() ) - { - pid_lockfilename = sc->pid_filename; - pid_lockfilename += ".lck"; - - /* First, lock the PID file */ - pid_lockfile = fopen(pid_lockfilename.c_str(), "w"); - - if ( pid_lockfile ) - { - struct flock lock; - int lock_fd = fileno(pid_lockfile); - - lock.l_type = F_WRLCK; - lock.l_whence = SEEK_SET; - lock.l_start = 0; - lock.l_len = 0; - - if (fcntl(lock_fd, F_SETLK, &lock) == -1) - { - ClosePidFile(); - ParseError("Failed to Lock PID File \"%s\" for PID \"%d\"", - sc->pid_filename.c_str(), (int)pid); - return; - } - } - } - - /* Okay, were able to lock PID file, now open and write PID */ - pid_file = fopen(sc->pid_filename.c_str(), "w"); - if (pid_file) - { - LogMessage("Writing PID \"%d\" to file \"%s\"\n", (int)pid, - sc->pid_filename.c_str()); - fprintf(pid_file, "%d\n", (int)pid); - fflush(pid_file); - } - else - { - if (pid_lockfile) - { - fclose(pid_lockfile); - pid_lockfile = nullptr; - } - const char* error = get_error(errno); - ErrorMessage("Failed to create pid file %s, Error: %s\n", - sc->pid_filename.c_str(), error); - sc->pid_filename.clear(); - } - if ( !pid_lockfilename.empty() ) - unlink(pid_lockfilename.c_str()); -} - -void ClosePidFile() -{ - if (pid_file) - { - fclose(pid_file); - pid_file = nullptr; - } - if (pid_lockfile) - { - fclose(pid_lockfile); - pid_lockfile = nullptr; - } -} - -// set safe UserID and GroupID, if needed -bool SetUidGid(int user_id, int group_id) -{ - // Were any changes requested? - if (group_id == -1 && user_id == -1) - return true; - - if (group_id != -1) - { - if (setgid(group_id) < 0) - { - ParseError("Cannot set GID: %d", group_id); - return false; - } - LogMessage("Set GID to %d\n", group_id); - } - - if (user_id != -1) - { - if (setuid(user_id) < 0) - { - ParseError("Cannot set UID: %d", user_id); - return false; - } - LogMessage("Set UID to %d\n", user_id); - } - - return true; -} - -// set the groups of the process based on the UserID with the GroupID added -void InitGroups(int user_id, int group_id) -{ - if ((user_id != -1) && (getuid() == 0)) - { - struct passwd* pw = getpwuid(user_id); // main thread only - - if (pw != nullptr) - { - /* getpwuid and initgroups may use the same static buffers */ - char* username = snort_strdup(pw->pw_name); - - if (initgroups(username, group_id) < 0) - ParseError("Can not initgroups(%s,%d)", username, group_id); - - snort_free(username); - } - - /** Just to be on the safe side... **/ - endgrent(); - endpwent(); - } -} - -//------------------------------------------------------------------------- - -// FIXIT-L this is a duplicate of PacketManager::get_proto_name() -void InitProtoNames() -{ - if ( !protocol_names ) - protocol_names = (char**)snort_calloc(NUM_IP_PROTOS, sizeof(char*)); - - for ( int i = 0; i < NUM_IP_PROTOS; i++ ) - { - struct protoent* pt = getprotobynumber(i); // main thread only - - if (pt != nullptr) - { - protocol_names[i] = snort_strdup(pt->p_name); - - for ( size_t j = 0; j < strlen(protocol_names[i]); j++ ) - protocol_names[i][j] = toupper(protocol_names[i][j]); - } - else - { - char protoname[10]; - SnortSnprintf(protoname, sizeof(protoname), "PROTO:%03d", i); - protocol_names[i] = snort_strdup(protoname); - } - } -} - -void CleanupProtoNames() -{ - if (protocol_names != nullptr) - { - int i; - - for (i = 0; i < NUM_IP_PROTOS; i++) - { - if (protocol_names[i] != nullptr) - snort_free(protocol_names[i]); - } - - snort_free(protocol_names); - protocol_names = nullptr; - } -} - -// read the BPF filters in from a file, return the processed BPF string -std::string read_infile(const char* key, const char* fname) -{ - int fd = open(fname, O_RDONLY); - struct stat buf; - - if (fd < 0) - { - ErrorMessage("Failed to open file: %s with error: %s", fname, get_error(errno)); - return ""; - } - - if (fstat(fd, &buf) < 0) - { - ParseError("can't stat %s: %s", fname, get_error(errno)); - close(fd); - return ""; - } - - //check that its a regular file and not a directory or special file - if (!S_ISREG(buf.st_mode) ) - { - ParseError("not a regular file: %s", fname); - close(fd); - return ""; - } - - std::string line; - std::ifstream bpf_file(fname); - - if (bpf_file.is_open()) - { - std::stringstream file_content; - file_content << bpf_file.rdbuf(); - line = file_content.str(); - - bpf_file.close(); - } - else - { - ParseError("can't open file %s = %s: %s", key, fname, get_error(errno)); - close(fd); - return ""; - } - close(fd); - return line; -} - -typedef char PathBuf[PATH_MAX+1]; - -static const char* CurrentWorkingDir(PathBuf& buf) -{ - if ( !getcwd(buf, sizeof(buf)-1) ) - return nullptr; - - buf[sizeof(buf)-1] = '\0'; - return buf; -} - -static char* GetAbsolutePath(const char* dir, PathBuf& buf) -{ - assert(dir); - errno = 0; - - if ( !realpath(dir, buf) ) - { - LogMessage("Couldn't determine absolute path for '%s': %s\n", dir, get_error(errno)); - return nullptr; - } - - return buf; -} - -// Chroot and adjust the log_dir reference -bool EnterChroot(std::string& root_dir, std::string& log_dir) -{ - if (log_dir.empty()) - { - ParseError("Log directory not specified"); - return false; - } - PathBuf pwd; - PathBuf abs_log_dir; - - if ( !GetAbsolutePath(log_dir.c_str(), abs_log_dir) ) - return false; - - /* change to the desired root directory */ - if (chdir(root_dir.c_str()) != 0) - { - ParseError("EnterChroot: Can not chdir to \"%s\": %s", root_dir.c_str(), - get_error(errno)); - return false; - } - - /* always returns an absolute pathname */ - const char* abs_root_dir = CurrentWorkingDir(pwd); - if (!abs_root_dir) - { - ParseError("Couldn't retrieve current working directory"); - return false; - } - size_t abs_root_dir_len = strlen(abs_root_dir); - - if (strncmp(abs_root_dir, abs_log_dir, abs_root_dir_len)) - { - ParseError("Specified log directory is not contained with the chroot jail"); - return false; - } - - if (chroot(abs_root_dir) < 0) - { - ParseError("Can not chroot to \"%s\": absolute: %s: %s", - root_dir.c_str(), abs_root_dir, get_error(errno)); - return false; - } - - - /* Immediately change to the root directory of the jail. */ - if (chdir("/") < 0) - { - ParseError("Can not chdir to \"/\" after chroot: %s", - get_error(errno)); - return false; - } - - - if (abs_root_dir_len >= strlen(abs_log_dir)) - log_dir = "/"; - else - log_dir = abs_log_dir + abs_root_dir_len; - - - LogMessage("Chroot directory = %s\n", root_dir.c_str()); - - return true; -} - unsigned int get_random_seed() { unsigned int seed; @@ -527,8 +95,6 @@ void SetNoCores() namespace snort { -char** protocol_names = nullptr; - const char* get_error(int errnum) { static THREAD_LOCAL char buf[128]; @@ -882,11 +448,6 @@ bool rotate_file_for_max_size(const char* file_owner, const char* old_file, } #ifdef UNIT_TEST -TEST_CASE("gmt2local_time_out_of_range", "[util]") -{ - REQUIRE((gmt2local(0xffffffff1fff2f)==0)); -} - TEST_CASE("uint8_to_printable_str go over all options", "[util]") { std::string print_str; @@ -910,5 +471,5 @@ TEST_CASE("uint8_to_printable_str end with |", "[util]") uint8_to_printable_str(pattern, 2, print_str); CHECK((strcmp(print_str.c_str(),"a|00 |") == 0)); } - #endif + diff --git a/src/utils/util.h b/src/utils/util.h index 4926790be..c6916d6c0 100644 --- a/src/utils/util.h +++ b/src/utils/util.h @@ -63,24 +63,9 @@ #define SECONDS_PER_HOUR 3600 /* number of seconds in a hour */ #define SECONDS_PER_MIN 60 /* number of seconds in a minute */ -void StoreSnortInfoStrings(); -int DisplayBanner(); -int gmt2local(time_t); -std::string read_infile(const char* key, const char* fname); -void CleanupProtoNames(); -void CreatePidFile(pid_t); -void ClosePidFile(); -bool SetUidGid(int, int); -void InitGroups(int, int); -bool EnterChroot(std::string& root_dir, std::string& log_dir); -void InitProtoNames(); unsigned int get_random_seed(); bool get_file_size(const std::string&, size_t&); -#if defined(NOCOREFILE) -void SetNoCores(); -#endif - namespace { inline void COPY4(uint32_t* dst, const uint32_t* src) @@ -123,9 +108,6 @@ inline pid_t gettid() namespace snort { -// FIXIT-M provide getter function to for standardized access into the protocol_names array -SO_PUBLIC extern char** protocol_names; - SO_PUBLIC const char* get_error(int errnum); SO_PUBLIC char* snort_strdup(const char*); SO_PUBLIC char* snort_strndup(const char*, size_t); diff --git a/src/utils/util_cstring.h b/src/utils/util_cstring.h index e2a87d6ae..fc1dd4650 100644 --- a/src/utils/util_cstring.h +++ b/src/utils/util_cstring.h @@ -22,6 +22,7 @@ #define UTIL_CSTRING_H // Utility functions and macros for interacting with and parsing C strings +// these functions are deprecated; use C++ strings instead #include #include @@ -42,7 +43,6 @@ namespace snort SO_PUBLIC int safe_snprintf(char*, size_t, const char*, ... ) __attribute__((format (printf, 3, 4))); -// these functions are deprecated; use C++ strings instead SO_PUBLIC int SnortSnprintf(char*, size_t, const char*, ...) __attribute__((format (printf, 3, 4))); SO_PUBLIC int SnortSnprintfAppend(char*, size_t, const char*, ...) diff --git a/src/utils/util_jsnorm.cc b/src/utils/util_jsnorm.cc index e33623619..5ddc16637 100644 --- a/src/utils/util_jsnorm.cc +++ b/src/utils/util_jsnorm.cc @@ -24,14 +24,12 @@ #include "util_jsnorm.h" +#include + #include #include #include -#include "main/thread.h" - -namespace snort -{ #define INVALID_HEX_VAL (-1) #define MAX_BUF 8 #define NON_ASCII_CHAR 0xff @@ -51,6 +49,8 @@ namespace snort #define ANY '\0' +namespace +{ enum ActionPNorm { PNORM_ACT_DQUOTES, @@ -102,6 +102,70 @@ enum ActionJSNorm ACT_UNESCAPE }; +struct JSNorm +{ + uint8_t state; // cppcheck-suppress unusedStructMember + uint8_t event; + uint8_t match; + uint8_t other; + uint8_t action; +}; + +struct Dbuf +{ + char* data; + uint16_t size; + uint16_t len; +}; + +struct PNormState +{ + uint8_t fsm; + uint8_t fsm_other; + uint8_t prev_event; + uint8_t d_quotes; + uint8_t s_quotes; + uint16_t num_spaces; + char* overwrite; + Dbuf output; +}; + +struct SFCCState +{ + uint8_t fsm; + uint8_t buf[MAX_BUF]; + uint8_t buflen; + uint16_t cur_flags; + uint16_t alert_flags; + Dbuf output; +}; + +struct JSNormState +{ + uint8_t fsm; + uint8_t prev_event; + uint16_t num_spaces; + uint8_t* unicode_map; + char* overwrite; + Dbuf dest; +}; + +struct UnescapeState +{ + uint8_t fsm; + uint8_t multiple_levels; + uint8_t prev_event; + uint16_t alert_flags; + uint16_t num_spaces; + int iNorm; + int paren_count; + uint8_t* unicode_map; + char* overwrite; + ActionUnsc prev_action; + Dbuf output; +}; +} // anonymous + static const int hex_lookup[256] = { INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, @@ -170,69 +234,6 @@ static const int valid_chars[256] = 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; -struct JSNorm -{ - uint8_t state; // cppcheck-suppress unusedStructMember - uint8_t event; - uint8_t match; - uint8_t other; - uint8_t action; -}; - -struct Dbuf -{ - char* data; - uint16_t size; - uint16_t len; -}; - -struct PNormState -{ - uint8_t fsm; - uint8_t fsm_other; - uint8_t prev_event; - uint8_t d_quotes; - uint8_t s_quotes; - uint16_t num_spaces; - char* overwrite; - Dbuf output; -}; - -struct SFCCState -{ - uint8_t fsm; - uint8_t buf[MAX_BUF]; - uint8_t buflen; - uint16_t cur_flags; - uint16_t alert_flags; - Dbuf output; -}; - -struct JSNormState -{ - uint8_t fsm; - uint8_t prev_event; - uint16_t num_spaces; - uint8_t* unicode_map; - char* overwrite; - Dbuf dest; -}; - -struct UnescapeState -{ - uint8_t fsm; - uint8_t multiple_levels; - uint8_t prev_event; - uint16_t alert_flags; - uint16_t num_spaces; - int iNorm; - int paren_count; - uint8_t* unicode_map; - char* overwrite; - ActionUnsc prev_action; - Dbuf output; -}; - // STATES for SFCC #define S0 0 #define S1 (S0+3) @@ -441,6 +442,8 @@ static const JSNorm javascript_norm[] = { Z6+ 0, ANY, Z0+ 0, Z0+ 0, ACT_NOP } }; +using snort::JSState; + static void UnescapeDecode(const char* src, uint16_t srclen, const char** ptr, char** dst, size_t dst_len, uint16_t* bytes_copied, JSState* js, uint8_t* iis_unicode_map); @@ -1228,6 +1231,8 @@ static int JSNorm_scan_fsm(JSNormState* s, int c, const char* src, uint16_t srcl return(JSNorm_exec(s, (ActionJSNorm)m->action, c, src, srclen, ptr, js)); } +namespace snort +{ int JSNormalizeDecode(const char* src, uint16_t srclen, char* dst, uint16_t destlen, const char** ptr, int* bytes_copied, JSState* js, uint8_t* iis_unicode_map) { @@ -1273,4 +1278,3 @@ int JSNormalizeDecode(const char* src, uint16_t srclen, char* dst, uint16_t dest } } -