From 6b9ea751e2df26427af2bcfe365d621dc8d66f63 Mon Sep 17 00:00:00 2001 From: "Michael Altizer (mialtize)" Date: Fri, 26 Jul 2019 18:32:29 -0400 Subject: [PATCH] Merge pull request #1688 in SNORT/snort3 from ~MIALTIZE/snort3:msg_meta to master Squashed commit of the following: commit 719c0784502cea317152659ae8e16e2f9ea29b9b Author: Michael Altizer Date: Fri Jul 12 21:19:47 2019 -0400 codec: Adapt to new DAQ message metadata source for Real IP/port info --- src/codecs/ip/cd_ipv4.cc | 10 ++++---- src/codecs/ip/cd_ipv6.cc | 10 ++++---- src/codecs/ip/cd_tcp.cc | 9 ++++--- src/codecs/ip/cd_udp.cc | 9 ++++--- src/codecs/link/cd_vlan.cc | 5 +++- src/flow/flow.cc | 2 ++ src/flow/flow_control.cc | 30 +++++++++++----------- src/flow/flow_key.cc | 4 +-- src/framework/codec.h | 6 ++--- src/piglet_plugins/pp_codec_iface.cc | 34 +++++++++++++++++-------- src/protocols/packet_manager.cc | 33 +++++++++++------------- src/stream/libtcp/tcp_stream_session.cc | 14 ---------- src/stream/libtcp/tcp_stream_session.h | 6 ----- src/stream/tcp/tcp_session.cc | 2 +- 14 files changed, 86 insertions(+), 88 deletions(-) diff --git a/src/codecs/ip/cd_ipv4.cc b/src/codecs/ip/cd_ipv4.cc index f47d11a0f..9f9e9e66c 100644 --- a/src/codecs/ip/cd_ipv4.cc +++ b/src/codecs/ip/cd_ipv4.cc @@ -22,6 +22,7 @@ #include "config.h" #endif +#include #include #include @@ -220,14 +221,13 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) // set the api now since this layer has been verified as valid snort.ip_api.set(iph); // update to real IP when needed - if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and codec.ip_layer_cnt == 1) + const DAQ_NAPTInfo_t* napti = (const DAQ_NAPTInfo_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_NAPT_INFO); + if (napti && codec.ip_layer_cnt == 1) { SfIp real_src; SfIp real_dst; - real_src.set(&raw.pkth->real_sIP, - ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_SIP_V6) ? AF_INET6 : AF_INET)); - real_dst.set(&raw.pkth->real_dIP, - ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_DIP_V6) ? AF_INET6 : AF_INET)); + real_src.set(&napti->src_addr, daq_napt_info_src_addr_family(napti)); + real_dst.set(&napti->dst_addr, daq_napt_info_dst_addr_family(napti)); snort.ip_api.update(real_src, real_dst); } diff --git a/src/codecs/ip/cd_ipv6.cc b/src/codecs/ip/cd_ipv6.cc index 72b124000..ba7f016f5 100644 --- a/src/codecs/ip/cd_ipv6.cc +++ b/src/codecs/ip/cd_ipv6.cc @@ -22,6 +22,7 @@ #include "config.h" #endif +#include #include #include "codecs/codec_module.h" @@ -202,14 +203,13 @@ bool Ipv6Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) snort.ip_api.set(ip6h); // update to real IP when needed - if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and codec.ip_layer_cnt == 1) + const DAQ_NAPTInfo_t* napti = (const DAQ_NAPTInfo_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_NAPT_INFO); + if (napti && codec.ip_layer_cnt == 1) { SfIp real_src; SfIp real_dst; - real_src.set(&raw.pkth->real_sIP, - ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_SIP_V6) ? AF_INET6 : AF_INET)); - real_dst.set(&raw.pkth->real_dIP, - ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_DIP_V6) ? AF_INET6 : AF_INET)); + real_src.set(&napti->src_addr, daq_napt_info_src_addr_family(napti)); + real_dst.set(&napti->dst_addr, daq_napt_info_dst_addr_family(napti)); snort.ip_api.update(real_src, real_dst); } diff --git a/src/codecs/ip/cd_tcp.cc b/src/codecs/ip/cd_tcp.cc index 81b621b0f..bb0c46598 100644 --- a/src/codecs/ip/cd_tcp.cc +++ b/src/codecs/ip/cd_tcp.cc @@ -22,6 +22,8 @@ #include "config.h" #endif +#include + #include "codecs/codec_module.h" #include "framework/codec.h" #include "log/log.h" @@ -254,10 +256,11 @@ bool TcpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) snort.set_pkt_type(PktType::TCP); snort.tcph = tcph; - if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and (codec.ip_layer_cnt == 1)) + const DAQ_NAPTInfo_t* napti = (const DAQ_NAPTInfo_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_NAPT_INFO); + if (napti && codec.ip_layer_cnt == 1) { - snort.sp = ntohs(raw.pkth->n_real_sPort); - snort.dp = ntohs(raw.pkth->n_real_dPort); + snort.sp = ntohs(napti->src_port); + snort.dp = ntohs(napti->dst_port); } else { diff --git a/src/codecs/ip/cd_udp.cc b/src/codecs/ip/cd_udp.cc index 4dc49ae2b..59f26dc87 100644 --- a/src/codecs/ip/cd_udp.cc +++ b/src/codecs/ip/cd_udp.cc @@ -22,6 +22,8 @@ #include "config.h" #endif +#include + #include "codecs/codec_module.h" #include "framework/codec.h" #include "log/text_log.h" @@ -286,10 +288,11 @@ bool UdpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) uint16_t src_port; uint16_t dst_port; - if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and (codec.ip_layer_cnt == 1)) + const DAQ_NAPTInfo_t* napti = (const DAQ_NAPTInfo_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_NAPT_INFO); + if (napti && codec.ip_layer_cnt == 1) { - src_port = ntohs(raw.pkth->n_real_sPort); - dst_port = ntohs(raw.pkth->n_real_dPort); + src_port = ntohs(napti->src_port); + dst_port = ntohs(napti->dst_port); } else { diff --git a/src/codecs/link/cd_vlan.cc b/src/codecs/link/cd_vlan.cc index 36af4aa30..e92b122fb 100644 --- a/src/codecs/link/cd_vlan.cc +++ b/src/codecs/link/cd_vlan.cc @@ -21,6 +21,8 @@ #include "config.h" #endif +#include + #include "codecs/codec_module.h" #include "framework/codec.h" #include "log/text_log.h" @@ -92,7 +94,8 @@ bool VlanCodec::decode(const RawData& raw, CodecData& codec, DecodeData&) codec.lyr_len = sizeof(vlan::VlanTagHdr); - if (raw.pkth->flags & DAQ_PKT_FLAG_IGNORE_VLAN) + const DAQ_PktHdr_t* pkth = daq_msg_get_pkthdr(raw.daq_msg); + if (pkth->flags & DAQ_PKT_FLAG_IGNORE_VLAN) return true; // Vlan IDs 0 and 4095 are reserved. diff --git a/src/flow/flow.cc b/src/flow/flow.cc index db315555e..83c6a1ede 100644 --- a/src/flow/flow.cc +++ b/src/flow/flow.cc @@ -369,6 +369,8 @@ void Flow::set_direction(Packet* p) { ip::IpApi* ip_api = &p->ptrs.ip_api; + // FIXIT-M This does not work properly for NAT "real" v6 addresses on top of v4 packet data + // (it will only compare a portion of the address) if (ip_api->is_ip4()) { if (ip_api->get_src()->fast_eq4(client_ip)) diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index 29d320985..625a4e9aa 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc @@ -207,60 +207,59 @@ static bool is_bidirectional(const Flow* flow) return (flow->ssn_state.session_flags & bidir) == bidir; } -// FIXIT-L init_roles* should take const Packet* -static void init_roles_ip(Packet* p, Flow* flow) +static void init_roles_ip(const Packet* p, Flow* flow) { flow->ssn_state.direction = FROM_CLIENT; flow->client_ip.set(*p->ptrs.ip_api.get_src()); flow->server_ip.set(*p->ptrs.ip_api.get_dst()); } -static void init_roles_tcp(Packet* p, Flow* flow) +static void init_roles_tcp(const Packet* p, Flow* flow) { if ( p->ptrs.tcph->is_syn_only() ) { flow->ssn_state.direction = FROM_CLIENT; flow->client_ip.set(*p->ptrs.ip_api.get_src()); - flow->client_port = ntohs(p->ptrs.tcph->th_sport); + flow->client_port = p->ptrs.sp; flow->server_ip.set(*p->ptrs.ip_api.get_dst()); - flow->server_port = ntohs(p->ptrs.tcph->th_dport); + flow->server_port = p->ptrs.dp; } else if ( p->ptrs.tcph->is_syn_ack() ) { flow->ssn_state.direction = FROM_SERVER; flow->client_ip.set(*p->ptrs.ip_api.get_dst()); - flow->client_port = ntohs(p->ptrs.tcph->th_dport); + flow->client_port = p->ptrs.dp; flow->server_ip.set(*p->ptrs.ip_api.get_src()); - flow->server_port = ntohs(p->ptrs.tcph->th_sport); + flow->server_port = p->ptrs.sp; } else if (p->ptrs.sp > p->ptrs.dp) { flow->ssn_state.direction = FROM_CLIENT; flow->client_ip.set(*p->ptrs.ip_api.get_src()); - flow->client_port = ntohs(p->ptrs.tcph->th_sport); + flow->client_port = p->ptrs.sp; flow->server_ip.set(*p->ptrs.ip_api.get_dst()); - flow->server_port = ntohs(p->ptrs.tcph->th_dport); + flow->server_port = p->ptrs.dp; } else { flow->ssn_state.direction = FROM_SERVER; flow->client_ip.set(*p->ptrs.ip_api.get_dst()); - flow->client_port = ntohs(p->ptrs.tcph->th_dport); + flow->client_port = p->ptrs.dp; flow->server_ip.set(*p->ptrs.ip_api.get_src()); - flow->server_port = ntohs(p->ptrs.tcph->th_sport); + flow->server_port = p->ptrs.sp; } } -static void init_roles_udp(Packet* p, Flow* flow) +static void init_roles_udp(const Packet* p, Flow* flow) { flow->ssn_state.direction = FROM_CLIENT; flow->client_ip.set(*p->ptrs.ip_api.get_src()); - flow->client_port = ntohs(p->ptrs.udph->uh_sport); + flow->client_port = p->ptrs.sp; flow->server_ip.set(*p->ptrs.ip_api.get_dst()); - flow->server_port = ntohs(p->ptrs.udph->uh_dport); + flow->server_port = p->ptrs.dp; } -static void init_roles_user(Packet* p, Flow* flow) +static void init_roles_user(const Packet* p, Flow* flow) { if ( p->ptrs.decode_flags & DECODE_C2S ) { @@ -280,6 +279,7 @@ static void init_roles_user(Packet* p, Flow* flow) } } +// FIXIT-L init_roles should take const Packet* static void init_roles(Packet* p, Flow* flow) { switch ( flow->pkt_type ) diff --git a/src/flow/flow_key.cc b/src/flow/flow_key.cc index c0a04bf98..45001e334 100644 --- a/src/flow/flow_key.cc +++ b/src/flow/flow_key.cc @@ -239,7 +239,7 @@ bool FlowKey::init( * that IP is stored in port_l. */ - if (srcIP->is_ip4()) + if (srcIP->is_ip4() && dstIP->is_ip4()) { version = 4; reversed = init4(ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId); @@ -271,7 +271,7 @@ bool FlowKey::init( uint16_t srcPort = id & 0xFFFF; uint16_t dstPort = id >> 16; - if (srcIP->is_ip4()) + if (srcIP->is_ip4() && dstIP->is_ip4()) { version = 4; init4(ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false); diff --git a/src/framework/codec.h b/src/framework/codec.h index e23a33b59..8f8391b6e 100644 --- a/src/framework/codec.h +++ b/src/framework/codec.h @@ -32,7 +32,6 @@ struct TextLog; struct _daq_msg; -struct _daq_pkt_hdr; namespace snort { @@ -67,12 +66,11 @@ constexpr uint8_t MAX_TTL = 255; struct RawData { const struct _daq_msg* daq_msg; - const _daq_pkt_hdr* pkth; const uint8_t* data; uint32_t len; - RawData(const struct _daq_msg* daq_msg, const _daq_pkt_hdr* pkth, const uint8_t* data, uint32_t len) : - daq_msg(daq_msg), pkth(pkth), data(data), len(len) { } + RawData(const struct _daq_msg* daq_msg, const uint8_t* data, uint32_t len) : + daq_msg(daq_msg), data(data), len(len) { } }; /* Decode Flags */ diff --git a/src/piglet_plugins/pp_codec_iface.cc b/src/piglet_plugins/pp_codec_iface.cc index 344c94edd..676e937c6 100644 --- a/src/piglet_plugins/pp_codec_iface.cc +++ b/src/piglet_plugins/pp_codec_iface.cc @@ -23,13 +23,14 @@ #include "pp_codec_iface.h" +#include + #include "framework/codec.h" #include "lua/lua_arg.h" #include "log/text_log.h" #include "pp_buffer_iface.h" #include "pp_codec_data_iface.h" -#include "pp_daq_pkthdr_iface.h" #include "pp_decode_data_iface.h" #include "pp_enc_state_iface.h" #include "pp_flow_iface.h" @@ -104,25 +105,36 @@ static const luaL_Reg methods[] = { bool result; - auto& daq = DAQHeaderIface.get(L, 1); auto& cd = CodecDataIface.get(L, 3); auto& dd = DecodeDataIface.get(L, 4); auto& self = CodecIface.get(L); + size_t len = 0; + const uint8_t* data; + if ( RawBufferIface.is(L, 2) ) { - RawData rd(nullptr, &daq, get_data(RawBufferIface.get(L, 2)), get_data_length(RawBufferIface.get(L, 2))); - result = self.decode(rd, cd, dd); + data = get_data(RawBufferIface.get(L, 2)); + len = get_data_length(RawBufferIface.get(L, 2)); } else - { - size_t len = 0; - const uint8_t* data = reinterpret_cast(luaL_checklstring(L, 2, &len)); - RawData rd(nullptr, &daq, data, len); - - result = self.decode(rd, cd, dd); - } + data = reinterpret_cast(luaL_checklstring(L, 2, &len)); + + // Create a fake DAQ packet message to pass through decoding since there is assumed to + // be one. The constness of the data should be safe since codecs shouldn't attempt to + // modify message data. + DAQ_PktHdr_t daq_pkth = { }; + daq_pkth.pktlen = len; + DAQ_Msg_t daq_msg = { }; + daq_msg.type = DAQ_MSG_TYPE_PACKET; + daq_msg.hdr = &daq_pkth; + daq_msg.hdr_len = sizeof(daq_pkth); + daq_msg.data = const_cast(data); + daq_msg.data_len = len; + + RawData rd(&daq_msg, daq_msg.data, daq_msg.data_len); + result = self.decode(rd, cd, dd); lua_pushboolean(L, result); diff --git a/src/protocols/packet_manager.cc b/src/protocols/packet_manager.cc index adb545526..4980599c9 100644 --- a/src/protocols/packet_manager.cc +++ b/src/protocols/packet_manager.cc @@ -136,7 +136,7 @@ void PacketManager::decode( ProtocolIndex mapped_prot = CodecManager::grinder; ProtocolId prev_prot_id = CodecManager::grinder_id; - RawData raw(p->daq_msg, pkthdr, pkt, pktlen); + RawData raw(p->daq_msg, pkt, pktlen); CodecData codec_data(ProtocolId::FINISHED_DECODE); if ( cooked ) @@ -621,7 +621,8 @@ static void set_hdr( if ( !phdr ) phdr = p->pkth; - DAQ_PktHdr_t* pkth = const_cast(c->pkth); + assert(c->pkth == c->context->pkth); + DAQ_PktHdr_t* pkth = c->context->pkth; pkth->ingress_index = phdr->ingress_index; pkth->ingress_group = phdr->ingress_group; pkth->egress_index = phdr->egress_index; @@ -629,13 +630,6 @@ static void set_hdr( pkth->flags = phdr->flags & (~DAQ_PKT_FLAG_HW_TCP_CS_GOOD); pkth->address_space_id = phdr->address_space_id; pkth->opaque = opaque; - if (pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) - { - pkth->n_real_sPort = phdr->n_real_sPort; - pkth->n_real_dPort = phdr->n_real_dPort; - pkth->real_sIP = phdr->real_sIP; - pkth->real_dIP = phdr->real_dIP; - } } //------------------------------------------------------------------------- @@ -663,10 +657,10 @@ int PacketManager::format_tcp( c->user_network_policy_id = p->user_network_policy_id; // setup pkt capture header - DAQ_PktHdr_t* pkth = const_cast(c->pkth); c->pktlen = 0; - pkth->pktlen = 0; - pkth->ts = p->pkth->ts; + assert(c->pkth == c->context->pkth); + c->context->pkth->pktlen = 0; + c->context->pkth->ts = p->pkth->ts; total_rebuilt_pkts++; return 0; @@ -769,10 +763,10 @@ int PacketManager::encode_format( c->user_network_policy_id = p->user_network_policy_id; // setup pkt capture header - DAQ_PktHdr_t* pkth = const_cast(c->pkth); c->pktlen = len; - pkth->pktlen = len; - pkth->ts = p->pkth->ts; + assert(c->pkth == c->context->pkth); + c->context->pkth->pktlen = len; + c->context->pkth->ts = p->pkth->ts; layer::set_packet_pointer(c); // ensure we are looking at the new packet total_rebuilt_pkts++; @@ -834,12 +828,15 @@ void PacketManager::encode_update(Packet* p) tmp_api, flags, const_cast(l.start), l.length, len); } - // see IP6_Update() for an explanation of this ... if ( !(p->packet_flags & PKT_MODIFIED) || (p->packet_flags & PKT_RESIZED) ) { - DAQ_PktHdr_t* pkth = const_cast(p->pkth); p->pktlen = len; - pkth->pktlen = len; + // Only attempt to update the DAQ packet header for manufactured (defragged) packets. If + // this is the original wire packet, leave the header alone; the drop/inject for resize + // will use pktlen from Packet for the injection length. + // FIXIT-L there should be a better way to detect that this is manufactured packet + if (p->pkth == p->context->pkth) + p->context->pkth->pktlen = len; } } diff --git a/src/stream/libtcp/tcp_stream_session.cc b/src/stream/libtcp/tcp_stream_session.cc index b3e2fa1ae..e11ac3797 100644 --- a/src/stream/libtcp/tcp_stream_session.cc +++ b/src/stream/libtcp/tcp_stream_session.cc @@ -339,13 +339,6 @@ void TcpStreamSession::SetPacketHeaderFoo(const Packet* p) } daq_flags = p->pkth->flags; address_space_id = p->pkth->address_space_id; - if (daq_flags & DAQ_PKT_FLAG_REAL_ADDRESSES) - { - memcpy(real_src_ip.u6_addr8, &p->pkth->real_sIP, sizeof(ip::snort_in6_addr)); - memcpy(real_dst_ip.u6_addr8, &p->pkth->real_dIP, sizeof(ip::snort_in6_addr)); - real_src_port = p->pkth->n_real_sPort; - real_dst_port = p->pkth->n_real_dPort; - } } void TcpStreamSession::GetPacketHeaderFoo(DAQ_PktHdr_t* pkth, uint32_t dir) @@ -367,13 +360,6 @@ void TcpStreamSession::GetPacketHeaderFoo(DAQ_PktHdr_t* pkth, uint32_t dir) pkth->opaque = 0; pkth->flags = daq_flags; pkth->address_space_id = address_space_id; - if (daq_flags & DAQ_PKT_FLAG_REAL_ADDRESSES) - { - memcpy(&pkth->real_sIP, real_src_ip.u6_addr8, sizeof(ip::snort_in6_addr)); - memcpy(&pkth->real_dIP, real_dst_ip.u6_addr8, sizeof(ip::snort_in6_addr)); - pkth->n_real_sPort = real_src_port; - pkth->n_real_dPort = real_dst_port; - } } void TcpStreamSession::SwapPacketHeaderFoo() diff --git a/src/stream/libtcp/tcp_stream_session.h b/src/stream/libtcp/tcp_stream_session.h index c195a938f..9c0979236 100644 --- a/src/stream/libtcp/tcp_stream_session.h +++ b/src/stream/libtcp/tcp_stream_session.h @@ -148,12 +148,6 @@ public: TcpStreamConfig* config = nullptr; TcpEventLogger tel; -private: - snort::ip::snort_in6_addr real_src_ip; - snort::ip::snort_in6_addr real_dst_ip; - uint16_t real_src_port = 0; - uint16_t real_dst_port = 0; - protected: TcpStreamSession(snort::Flow*); virtual void set_os_policy() = 0; diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc index 390521e4d..5700889c5 100644 --- a/src/stream/tcp/tcp_session.cc +++ b/src/stream/tcp/tcp_session.cc @@ -328,7 +328,7 @@ void TcpSession::process_tcp_stream(TcpSegmentDescriptor& tsd) if (tsd.get_pkt()->packet_flags & PKT_IGNORE) return; - SetPacketHeaderFoo(tsd.get_pkt() ); + SetPacketHeaderFoo(tsd.get_pkt()); if ( flow_exceeds_config_thresholds(tsd) ) return; -- 2.47.3