From: Eric Leblond Date: Tue, 13 Jun 2017 20:32:50 +0000 (+0200) Subject: bypass: add explicit flag in stream engine X-Git-Tag: suricata-4.0.0-rc1~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2779%2Fhead;p=thirdparty%2Fsuricata.git bypass: add explicit flag in stream engine TCP reassembly is now deactivated more frequently and triggering a bypass on it is resulting in missing some alerts due forgetting about packet based signature. So this patch is introducing a dedicated flag that can be set in the app layer and transmitted in the streaming to trigger bypass. It is currently used by the SSL app layer to trigger bypass when the stream becomes encrypted. --- diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c index 54cb5edde4..cddf5c02e2 100644 --- a/src/app-layer-parser.c +++ b/src/app-layer-parser.c @@ -141,6 +141,7 @@ typedef struct AppLayerParserCtx_ { } AppLayerParserCtx; struct AppLayerParserState_ { + /* coccinelle: AppLayerParserState:flags:APP_LAYER_PARSER_ */ uint8_t flags; /* Indicates the current transaction that is being inspected. @@ -1076,6 +1077,14 @@ int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow flags & STREAM_TOSERVER ? 1 : 0); } } + /* Set the bypass flag for both the stream in this TcpSession */ + if (pstate->flags & APP_LAYER_PARSER_BYPASS_READY) { + /* Used only if it's TCP */ + TcpSession *ssn = f->protoctx; + if (ssn != NULL) { + StreamTcpSetSessionBypassFlag(ssn); + } + } } } diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h index ccf8e99c07..bfd0378914 100644 --- a/src/app-layer-parser.h +++ b/src/app-layer-parser.h 
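Review bot: `f->protoctx` is cast to `TcpSession *` whenever `APP_LAYER_PARSER_BYPASS_READY` is set, but nothing in the new block checks that the flow is actually TCP; the comment `/* Used only if it's TCP */` states an assumption the code does not enforce. Today only the TLS parser sets the flag, so the cast is safe in practice, but the flag lives in the generic `AppLayerParserState`, and a future non-TCP parser setting it would OR `STREAMTCP_FLAG_BYPASS` into whatever `protoctx` points at. Guard it explicitly, e.g. `if ((pstate->flags & APP_LAYER_PARSER_BYPASS_READY) && f->proto == IPPROTO_TCP && f->protoctx != NULL) {` (the Flow struct is not visible here, so confirm the name of its protocol field). AppLayerParserParse starts and ends outside the hunk.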
@@ -31,10 +31,11 @@ #include "stream-tcp-private.h" /* Flags for AppLayerParserState. */ -#define APP_LAYER_PARSER_EOF 0x01 -#define APP_LAYER_PARSER_NO_INSPECTION 0x02 -#define APP_LAYER_PARSER_NO_REASSEMBLY 0x04 -#define APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD 0x08 +#define APP_LAYER_PARSER_EOF BIT_U8(0) +#define APP_LAYER_PARSER_NO_INSPECTION BIT_U8(1) +#define APP_LAYER_PARSER_NO_REASSEMBLY BIT_U8(2) +#define APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD BIT_U8(3) +#define APP_LAYER_PARSER_BYPASS_READY BIT_U8(4) /* Flags for AppLayerParserProtoCtx. */ #define APP_LAYER_PARSER_OPT_ACCEPT_GAPS BIT_U64(0) diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index dc0b8e1fc8..e450255707 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -1136,9 +1136,10 @@ static int SSLv2Decode(uint8_t direction, SSLState *ssl_state, (ssl_state->flags & SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED)) { AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_NO_INSPECTION); - if (ssl_config.no_reassemble == 1) - AppLayerParserStateSetFlag(pstate, - APP_LAYER_PARSER_NO_REASSEMBLY); + if (ssl_config.no_reassemble == 1) { + AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_NO_REASSEMBLY); + AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_BYPASS_READY); + } SCLogDebug("SSLv2 No reassembly & inspection has been set"); } } @@ -1257,6 +1258,7 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, if (ssl_config.no_reassemble == 1) { AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_NO_REASSEMBLY); AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_NO_INSPECTION); + AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_BYPASS_READY); } break; diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h index ef6ede6c82..6a0e36755d 100644 --- a/src/stream-tcp-private.h +++ b/src/stream-tcp-private.h 
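Review bot: The new `APP_LAYER_PARSER_BYPASS_READY` define has no comment, and a reader cannot tell from the header how it differs from `APP_LAYER_PARSER_NO_REASSEMBLY`; from the other hunks, NO_REASSEMBLY only stops reassembly while BYPASS_READY additionally asks the stream engine to hand the whole flow to the bypass callback, so packet-based rules stop matching too. Suggest adding above the define: `/** Parser has decided the rest of the flow needs no inspection; AppLayerParserParse propagates this to the TcpSession as STREAMTCP_FLAG_BYPASS. */`. Since `flags` is a `uint8_t` (first hunk of app-layer-parser.c), this leaves three bits for future parser-state flags, which is worth a short note next to the `coccinelle` marker.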
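Review bot: In SSLv2Decode the bypass flag is only set inside the `ssl_config.no_reassemble == 1` branch, so with reassembly left enabled an encrypted TLS session is never offered for bypass even when a bypass callback is configured; the SSLv3Decode hunk below couples the two in the same way. That may be intended (bypass implies no reassembly), but it is not obvious from the option name, so a comment on the new line would help: `/* bypass is only offered when reassembly of encrypted data is off; whether a bypass callback actually runs is decided in the stream engine */`. The condition guarding this block starts outside the hunk, so I cannot confirm it also requires the client direction to be encrypted before the flag is set.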
@@ -155,6 +155,8 @@ enum #define STREAMTCP_FLAG_3WHS_CONFIRMED 0x1000 /** App Layer tracking/reassembly is disabled */ #define STREAMTCP_FLAG_APP_LAYER_DISABLED 0x2000 +/** Stream can be bypass */ +#define STREAMTCP_FLAG_BYPASS 0x4000 /* * Per STREAM flags diff --git a/src/stream-tcp-reassemble.h b/src/stream-tcp-reassemble.h index e15c63726f..7c5e8bb1d4 100644 --- a/src/stream-tcp-reassemble.h +++ b/src/stream-tcp-reassemble.h @@ -94,6 +94,7 @@ int StreamTcpReassembleAppLayer (ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, void StreamTcpCreateTestPacket(uint8_t *, uint8_t, uint8_t, uint8_t); void StreamTcpSetSessionNoReassemblyFlag (TcpSession *, char ); +void StreamTcpSetSessionBypassFlag (TcpSession *); void StreamTcpSetDisableRawReassemblyFlag (TcpSession *ssn, char direction); void StreamTcpSetOSPolicy(TcpStream *, Packet *); diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 32d95ea71d..c62e539f75 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c @@ -4653,9 +4653,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt, p->flags |= PKT_STREAM_NOPCAPLOG; } - if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) && - (ssn->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) - { + if (ssn->flags & STREAMTCP_FLAG_BYPASS) { /* we can call bypass callback, if enabled */ if (StreamTcpBypassEnabled()) { PacketBypassCallback(p); @@ -5580,6 +5578,16 @@ void StreamTcpSetDisableRawReassemblyFlag (TcpSession *ssn, char direction) (ssn->client.flags |= STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED); } +/** \brief enable bypass + * + * \param ssn TCP Session to set the flag in + * \param direction direction to set the flag in: 0 toserver, 1 toclient + */ +void StreamTcpSetSessionBypassFlag (TcpSession *ssn) +{ + ssn->flags |= STREAMTCP_FLAG_BYPASS; +} + #define PSEUDO_PKT_SET_IPV4HDR(nipv4h,ipv4h) do { \ IPV4_SET_RAW_VER(nipv4h, IPV4_GET_RAW_VER(ipv4h)); \ IPV4_SET_RAW_HLEN(nipv4h, IPV4_GET_RAW_HLEN(ipv4h)); \
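Review bot: The comment on the new define is ungrammatical and says less than the flag means; replace `/** Stream can be bypass */` with `/** Session can be bypassed: set by the app layer via StreamTcpSetSessionBypassFlag once it has decided nothing further in this flow needs inspection; StreamTcpPacket then hands packets to the bypass callback. */`. Also note that 0x4000 is the next-to-last bit if `TcpSession.flags` is 16 bits wide (the struct is outside the hunk, so confirm); one more session flag would exhaust the field.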
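Review bot: The new condition makes bypass depend solely on `STREAMTCP_FLAG_BYPASS`, which is the point of the commit, but the consequence is stronger than the old NOREASSEMBLY check and deserves a comment at this site: once the callback fires, the flow's remaining packets are no longer seen by packet-based rules either, so the flag must only be set by code that has decided the rest of the flow cannot match anything. Suggest replacing the existing comment with `/* app layer explicitly declared the flow bypassable (e.g. TLS now encrypted); this removes the rest of the flow from all inspection, not just reassembly */`. Nothing in the diff clears the flag, so if the code after the hunk does not short-circuit, `PacketBypassCallback` is invoked again for every later packet of the session until bypass takes effect; that was already the case with the old condition, but it is worth confirming it is still intended with the new trigger. StreamTcpPacket starts and ends outside the hunk.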
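Review bot: The doxygen block on `StreamTcpSetSessionBypassFlag` documents a `\param direction` that the function does not take; it appears copied from `StreamTcpSetDisableRawReassemblyFlag` just above. Drop that line and describe the effect instead, e.g. `\brief mark the session as bypassable; StreamTcpPacket will hand its packets to the bypass callback when bypass is enabled`, keeping only `\param ssn`. The function also does not check `ssn` for NULL; the only caller in this commit does, so either state `ssn must not be NULL` in the comment or add `if (ssn == NULL) return;` so the contract is explicit.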