From cdcb81821f3e42a4da1daeae08317074e2b02199 Mon Sep 17 00:00:00 2001
From: "Michael Altizer (mialtize)"
Date: Tue, 19 Nov 2019 22:29:09 +0000
Subject: [PATCH] Merge pull request #1848 in SNORT/snort3 from ~BBANTWAL/snort3:fix_offload_sclear to master
Squashed commit of the following:
commit 2a913fe450cc4d25ed02fed62827c97c98b83791
Author: Bhagya Tholpady
Date: Tue Nov 19 14:35:19 2019 -0500
detection: disable rule evaluation when detection is disabled for offload packets
commit 520f55a8bfea4f6b43b5a452e9beaad6dfa837c0
Author: Bhagya Tholpady
Date: Tue Nov 19 12:53:21 2019 -0500
flow: check if there are offloaded packets in the flow before clearing out the alert count
commit 12163b08cc3718f82b1df982dee826aff31ec7b8
Author: Bhagya Tholpady
Date: Mon Nov 18 14:26:24 2019 -0500
detection: move the inspector manager thread local flag used to determine whether or not to call inspector clear to context
---
 src/detection/detection_engine.cc | 5 +++--
 src/detection/ips_context.cc | 1 +
 src/detection/ips_context.h | 1 +
 src/managers/inspector_manager.cc | 7 +++----
 src/stream/tcp/tcp_reassembler.cc | 3 ++-
 5 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index 2b6ccfb14..040c09c1b 100644
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -488,8 +488,9 @@ void DetectionEngine::complete(Packet* p)
 ContextSwitcher* sw = Analyzer::get_switcher();
 sw->resume(p->context);
-
- fp_complete(p);
+
+ if ( p->is_detection_enabled(p->packet_flags & PKT_FROM_CLIENT) )
+ fp_complete(p);
 }
 void DetectionEngine::resume(Packet* p)
diff --git a/src/detection/ips_context.cc b/src/detection/ips_context.cc
index 29f97bad8..1d6e0b29d 100644
--- a/src/detection/ips_context.cc
+++ b/src/detection/ips_context.cc
@@ -65,6 +65,7 @@ IpsContext::IpsContext(unsigned size) :
 active_rules = CONTENT;
 check_tags = false;
+ clear_inspectors = false;
 }
 IpsContext::~IpsContext()
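Review bot: The new guard in `DetectionEngine::complete` skips `fp_complete(p)` with no comment and no trace, so the results of a search that was already offloaded for this packet are silently discarded once detection is disabled. Whether `fp_complete` also finalizes per-context search state is not visible in this hunk; if it does, that work is skipped as well and should be checked. I would add a comment above the condition such as `// detection may have been disabled while p was offloaded; do not evaluate its rule matches`, and consider a debug trace on the skip path so that a packet that was never evaluated can be told apart from one that matched nothing. The body of `complete` starts above the hunk.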
diff --git a/src/detection/ips_context.h b/src/detection/ips_context.h
index 5793699e4..17ec32ab3 100644
--- a/src/detection/ips_context.h
+++ b/src/detection/ips_context.h
@@ -155,6 +155,7 @@ public:
 ActiveRules active_rules;
 State state;
 bool check_tags;
+ bool clear_inspectors;
 static const unsigned buf_size = Codec::PKT_MAX;
diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc
index 35e6a4d34..25aac0e86 100644
--- a/src/managers/inspector_manager.cc
+++ b/src/managers/inspector_manager.cc
@@ -161,7 +161,6 @@ static PHList s_trash2;
 static bool s_sorted = false;
 static THREAD_LOCAL vector* s_tl_handlers = nullptr;
-static THREAD_LOCAL bool s_clear = false;
 struct FrameworkConfig
 {
@@ -1021,7 +1020,7 @@ void InspectorManager::full_inspection(Packet* p)
 else if ( flow->gadget && flow->gadget->likes(p) )
 {
 flow->gadget->eval(p);
- s_clear = true;
+ p->context->clear_inspectors = true;
 }
 }
@@ -1098,12 +1097,12 @@ void InspectorManager::probe(Packet* p)
 void InspectorManager::clear(Packet* p)
 {
- if ( !s_clear )
+ if ( !p->context->clear_inspectors )
 return;
 if ( p->flow and p->flow->gadget )
 p->flow->gadget->clear(p);
- s_clear = false;
+ p->context->clear_inspectors = false;
 }
diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index fcc79aa86..54fc67c03 100644
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
@@ -261,7 +261,8 @@ void TcpReassembler::purge_alerts(TcpReassemblerState& trs)
 StreamAlertInfo* ai = trs.tracker->alerts + i;
 Stream::log_extra_data(flow, trs.xtradata_mask, ai->event_id, ai->event_second);
 }
- trs.tracker->alert_count = 0;
+ if ( !flow->is_suspended() )
+ trs.tracker->alert_count = 0;
 }
 void TcpReassembler::purge_to_seq(TcpReassemblerState& trs, uint32_t flush_seq)
--
2.47.3
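Review bot: The new `clear_inspectors` member of `IpsContext` is declared without a comment, so its meaning can only be recovered by reading `inspector_manager.cc`. I would document it on the declaration, for example `bool clear_inspectors;  // set after a gadget evaluated the packet; consumed and reset by InspectorManager::clear`. The neighbouring `check_tags` is undocumented as well, so a one-line comment on each would keep the per-context flags readable.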
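Review bot: `clear_inspectors` is reset only on the last line of `InspectorManager::clear`, so a context that reaches another packet without `clear` having run would keep a stale `true`; the same applies to the assignment in `full_inspection` in the previous hunk. Whether contexts are recycled on such a path is not visible here, but if they are, the next `clear(p)` would call `gadget->clear` for a packet that gadget never evaluated. Resetting the flag where the context is prepared for a new packet would remove that dependency on call order. Both sites now dereference `p->context` unconditionally, which the old thread-local did not need, so a comment such as `// p->context is always set once the packet is in inspection` would record the assumption.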
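Review bot: In `purge_alerts` only the reset of `alert_count` is guarded by `!flow->is_suspended()`; the loop whose tail is visible above it still calls `Stream::log_extra_data` for every stored alert. If `purge_alerts` runs again before the flow resumes, the same entries would presumably be logged a second time, and the count keeps growing toward whatever capacity `alerts` has, which is not visible in this hunk. If the intent is to defer the purge while offloaded packets are outstanding, an early `if ( flow->is_suspended() ) return;` before the loop would express that. Otherwise a comment such as `// keep the alert list: offloaded packets on this flow may still reference it` should state why the entries are retained. The function starts above the hunk.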