From fd35d7b557a95a3c7ab978eae5b8bcc2bf1b63eb Mon Sep 17 00:00:00 2001 From: Russ Combs Date: Thu, 20 Oct 2016 07:36:51 -0400 Subject: [PATCH] add DetectionContext move event queue to ips context move dce rebuilt packets to ips context --- src/detection/ips_context.cc | 10 ++ src/detection/ips_context.h | 2 + src/events/event_queue.cc | 82 ++----------- src/events/event_queue.h | 9 -- src/events/sfeventq.h | 12 +- src/main/snort.cc | 57 +++++++-- src/main/snort.h | 12 ++ src/protocols/packet.cc | 1 - src/service_inspectors/dce_rpc/dce_co.cc | 21 +--- src/service_inspectors/dce_rpc/dce_common.cc | 112 +++--------------- src/service_inspectors/dce_rpc/dce_common.h | 9 +- src/service_inspectors/dce_rpc/dce_smb.cc | 66 +---------- src/service_inspectors/dce_rpc/dce_smb.h | 1 - src/service_inspectors/dce_rpc/dce_smb2.cc | 3 +- .../dce_rpc/dce_smb_commands.cc | 4 +- .../dce_rpc/dce_smb_transaction.cc | 4 - .../dce_rpc/dce_smb_utils.cc | 27 +---- .../dce_rpc/dce_smb_utils.h | 5 - src/service_inspectors/dce_rpc/dce_tcp.cc | 73 +----------- src/service_inspectors/dce_rpc/dce_tcp.h | 3 - src/service_inspectors/dce_rpc/dce_udp.cc | 61 +--------- src/service_inspectors/dce_rpc/dce_udp.h | 1 - .../dce_rpc/dce_udp_processing.cc | 16 +-- src/service_inspectors/dce_rpc/smb_message.cc | 1 - src/service_inspectors/dnp3/dnp3.cc | 4 +- src/stream/ip/ip_defrag.cc | 2 - src/stream/stream.cc | 7 ++ src/stream/tcp/tcp_reassembler.cc | 1 - 28 files changed, 141 insertions(+), 465 deletions(-) diff --git a/src/detection/ips_context.cc b/src/detection/ips_context.cc index afd0ffdd3..78bc5f575 100644 --- a/src/detection/ips_context.cc +++ b/src/detection/ips_context.cc @@ -25,6 +25,9 @@ #endif #include +#include "events/event_queue.h" +#include "events/sfeventq.h" +#include "main/snort_config.h" #ifdef UNIT_TEST #include "catch/catch.hpp" @@ -52,6 +55,10 @@ IpsContext::IpsContext(unsigned size) : data(size, nullptr) { packet = new Packet(false); pkth = new DAQ_PktHdr_t; + buf = new uint8_t[65536]; // FIXIT-H use codec max or let pkt do it + + const EventQueueConfig* qc = snort_conf->event_queue_config; + equeue = sfeventq_new(qc->max_events, qc->log_events, sizeof(EventNode)); } IpsContext::~IpsContext() @@ -60,6 +67,9 @@ IpsContext::~IpsContext() if ( p ) delete p; + sfeventq_free(equeue); + + delete buf; delete pkth; delete packet; } diff --git a/src/detection/ips_context.h b/src/detection/ips_context.h index 83619d477..a216cf230 100644 --- a/src/detection/ips_context.h +++ b/src/detection/ips_context.h @@ -64,6 +64,8 @@ public: public: Packet* packet; DAQ_PktHdr_t* pkth; + uint8_t* buf; + struct SF_EVENTQ* equeue; private: std::vector data; diff --git a/src/events/event_queue.cc b/src/events/event_queue.cc index fe70f7074..be0eddb14 100644 --- a/src/events/event_queue.cc +++ b/src/events/event_queue.cc @@ -61,43 +61,14 @@ #include "detection/fp_detect.h" #include "filters/sfthreshold.h" #include "log/messages.h" +#include "main/snort.h" #include "parser/parser.h" #include "utils/stats.h" #include "utils/util.h" #include "sfeventq.h" -typedef struct s_SNORT_EVENTQ_USER -{ - void* pkt; -} SNORT_EVENTQ_USER; - -#define NUM_EVENT_QUEUES 3 -static THREAD_LOCAL SF_EVENTQ* event_queue[NUM_EVENT_QUEUES]; - -static THREAD_LOCAL unsigned qIndex = 0; static THREAD_LOCAL unsigned s_events = 0; -static THREAD_LOCAL unsigned qOverflow = 0; - -//------------------------------------------------- -// the push/pop methods ensure that qIndex stays in -// bounds and that it is only popped after it was -// successfully pushed. -void SnortEventqPush() -{ - if ( qIndex < NUM_EVENT_QUEUES-1 ) - qIndex++; - else - qOverflow++; -} - -void SnortEventqPop() -{ - if ( qOverflow > 0 ) - qOverflow--; - else if ( qIndex > 0 ) - qIndex--; -} //------------------------------------------------- /* @@ -138,7 +109,8 @@ int SnortEventqAdd(const OptTreeNode* otn) return 0; } - EventNode* en = (EventNode*)sfeventq_event_alloc(event_queue[qIndex]); + SF_EVENTQ* pq = Snort::get_event_queue(); + EventNode* en = (EventNode*)sfeventq_event_alloc(pq); if ( !en ) return -1; @@ -146,7 +118,7 @@ int SnortEventqAdd(const OptTreeNode* otn) en->otn = otn; en->rtn = rtn; - if ( sfeventq_add(event_queue[qIndex], en) ) + if ( sfeventq_add(pq, en) ) return -1; s_events++; @@ -162,7 +134,8 @@ int SnortEventqAdd(uint32_t gid, uint32_t sid, RuleType type) if ( !otn ) return 0; - EventNode* en = (EventNode*)sfeventq_event_alloc(event_queue[qIndex]); + SF_EVENTQ* pq = Snort::get_event_queue(); + EventNode* en = (EventNode*)sfeventq_event_alloc(pq); if ( !en ) return -1; @@ -171,7 +144,7 @@ int SnortEventqAdd(uint32_t gid, uint32_t sid, RuleType type) en->rtn = nullptr; // lookup later after ips policy selection en->type = type; - if ( sfeventq_add(event_queue[qIndex], en) ) + if ( sfeventq_add(pq, en) ) return -1; s_events++; @@ -184,27 +157,6 @@ bool event_is_enabled(uint32_t gid, uint32_t sid) return ( otn != nullptr ); } -void SnortEventqNew(EventQueueConfig* eq_config) -{ - int i; - - for ( i = 0; i < NUM_EVENT_QUEUES; i++ ) - { - event_queue[i] = sfeventq_new(eq_config->max_events, - eq_config->log_events, sizeof(EventNode)); - - if (event_queue[i] == NULL) - FatalError("Failed to initialize Snort event queue.\n"); - } -} - -void SnortEventqFree() -{ - int i; - for ( i = 0; i < NUM_EVENT_QUEUES; i++ ) - sfeventq_free(event_queue[i]); -} - static int LogSnortEvents(void* event, void* user) { if ( !event || !user ) @@ -223,34 +175,23 @@ static int LogSnortEvents(void* event, void* user) if ( s_events > 0 ) s_events--; - SNORT_EVENTQ_USER* snort_user = (SNORT_EVENTQ_USER*)user; - - fpLogEvent(en->rtn, en->otn, (Packet*)snort_user->pkt); - + fpLogEvent(en->rtn, en->otn, (Packet*)user); sfthreshold_reset(); return 0; } /* -** NAME -** SnortEventqLog:: -*/ -/** ** We return whether we logged events or not. We've add a eventq user ** structure so we can track whether the events logged were rule events ** or preprocessor/decoder events. The reason being that we don't want ** to flush a TCP stream for preprocessor/decoder events, and cause ** early flushing of the stream. -** -** @return 1 logged events -** @return 0 did not log events or logged only decoder/preprocessor events */ int SnortEventqLog(Packet* p) { - SNORT_EVENTQ_USER user; - user.pkt = (void*)p; - sfeventq_action(event_queue[qIndex], LogSnortEvents, (void*)&user); + SF_EVENTQ* pq = Snort::get_event_queue(); + sfeventq_action(pq, LogSnortEvents, (void*)p); return 0; } @@ -267,7 +208,8 @@ void SnortEventqResetCounts() void SnortEventqReset() { - sfeventq_reset(event_queue[qIndex]); + SF_EVENTQ* pq = Snort::get_event_queue(); + sfeventq_reset(pq); reset_counts(); } diff --git a/src/events/event_queue.h b/src/events/event_queue.h index f8f1edd98..cacffc322 100644 --- a/src/events/event_queue.h +++ b/src/events/event_queue.h @@ -26,9 +26,6 @@ #define SNORT_EVENTQ_PRIORITY 1 #define SNORT_EVENTQ_CONTENT_LEN 2 -struct Packet; -struct OptTreeNode; - struct EventQueueConfig { int max_events; @@ -47,9 +44,6 @@ struct EventNode EventQueueConfig* EventQueueConfigNew(); void EventQueueConfigFree(EventQueueConfig*); -void SnortEventqNew(EventQueueConfig*); -void SnortEventqFree(); - SO_PUBLIC void SnortEventqReset(); void SnortEventqResetCounts(); @@ -58,8 +52,5 @@ SO_PUBLIC int SnortEventqAdd(const struct OptTreeNode*); SO_PUBLIC int SnortEventqAdd(uint32_t gid, uint32_t sid, RuleType = RULE_TYPE__NONE); SO_PUBLIC bool event_is_enabled(uint32_t gid, uint32_t sid); -SO_PUBLIC void SnortEventqPush(); -SO_PUBLIC void SnortEventqPop(); - #endif diff --git a/src/events/sfeventq.h b/src/events/sfeventq.h index 8cc4f29ca..4efd40e41 100644 --- a/src/events/sfeventq.h +++ b/src/events/sfeventq.h @@ -20,15 +20,15 @@ #ifndef SFEVENTQ_H #define SFEVENTQ_H -typedef struct s_SF_EVENTQ_NODE +struct SF_EVENTQ_NODE { void* event; - struct s_SF_EVENTQ_NODE* prev; - struct s_SF_EVENTQ_NODE* next; -} SF_EVENTQ_NODE; + SF_EVENTQ_NODE* prev; + SF_EVENTQ_NODE* next; +}; -typedef struct s_SF_EVENTQ +struct SF_EVENTQ { /* ** Handles the actual ordering and memory @@ -61,7 +61,7 @@ typedef struct s_SF_EVENTQ */ int cur_nodes; int cur_events; -} SF_EVENTQ; +}; SF_EVENTQ* sfeventq_new(int max_nodes, int log_nodes, int event_size); void* sfeventq_event_alloc(SF_EVENTQ*); diff --git a/src/main/snort.cc b/src/main/snort.cc index 528f35673..f7a6cf4be 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc @@ -42,6 +42,7 @@ #include "filters/rate_filter.h" #include "filters/sfthreshold.h" #include "flow/ha.h" +#include "framework/endianness.h" #include "framework/mpse.h" #include "helpers/process.h" #include "host_tracker/host_cache.h" @@ -654,7 +655,7 @@ bool Snort::thread_init_privileged(const char* intf) void Snort::thread_init_unprivileged() { // using dummy values until further integration - const unsigned max_contexts = 5; + const unsigned max_contexts = 20; const unsigned max_data = 1; s_switcher = new ContextSwitcher(max_contexts); @@ -668,10 +669,7 @@ void Snort::thread_init_unprivileged() // so it is done here instead of init() Active::init(snort_conf); - SnortEventqNew(snort_conf->event_queue_config); - InitTag(); - EventTrace_Init(); detection_filter_init(snort_conf->detection_filter_config); @@ -726,21 +724,60 @@ void Snort::thread_term() CleanupTag(); FileService::thread_term(); - SnortEventqFree(); Active::term(); delete s_switcher; } +DetectionContext::DetectionContext() +{ + s_switcher->interrupt(); +} + +DetectionContext::~DetectionContext() +{ Snort::clear_detect_packet(); } + +Packet* DetectionContext::get_packet() +{ return Snort::get_detect_packet(); } + +SF_EVENTQ* Snort::get_event_queue() +{ + return s_switcher->get_context()->equeue; +} + Packet* Snort::set_detect_packet() { + // this approach is a hack until verified + // looks like we need to stay in the current context until + // rebuild is successful; any events while rebuilding will + // be logged against the current packet. const IpsContext* c = s_switcher->interrupt(); Packet* p = c->packet; + s_switcher->complete(); + p->pkth = c->pkth; + p->data = c->buf; + p->reset(); + return p; +} + +Packet* Snort::get_detect_packet() +{ + Packet* p = s_switcher->get_context()->packet; return p; } void Snort::clear_detect_packet() { + Packet* p = get_detect_packet(); + SnortEventqLog(p); + SnortEventqReset(); + + if ( p->endianness ) + { + delete p->endianness; + p->endianness = nullptr; + } + s_switcher->complete(); } @@ -753,11 +790,10 @@ void Snort::detect_rebuilt_packet(Packet* p) auto save_do_detect = do_detect; auto save_do_detect_content = do_detect_content; - SnortEventqPush(); + DetectionContext dc; main_hook(p); - SnortEventqPop(); - DetectReset(); + DetectReset(); // FIXIT-H context do_detect = save_do_detect; do_detect_content = save_do_detect_content; @@ -872,11 +908,6 @@ DAQ_Verdict Snort::packet_callback( s_switcher->start(); s_packet = s_switcher->get_context()->packet; - { - Profile eventq_profile(eventqPerfStats); - SnortEventqReset(); - } - sfthreshold_reset(); ActionManager::reset_queue(); diff --git a/src/main/snort.h b/src/main/snort.h index a78cdb343..5230e8f2e 100644 --- a/src/main/snort.h +++ b/src/main/snort.h @@ -33,6 +33,15 @@ struct SnortConfig; typedef void (* MainHook_f)(Packet*); +class DetectionContext +{ +public: + DetectionContext(); + ~DetectionContext(); + + Packet* get_packet(); +}; + class Snort { public: @@ -54,9 +63,12 @@ public: static void capture_packet(); static Packet* set_detect_packet(); + static Packet* get_detect_packet(); static void clear_detect_packet(); static void detect_rebuilt_packet(Packet*); + static struct SF_EVENTQ* get_event_queue(); + static DAQ_Verdict process_packet( Packet*, const DAQ_PktHdr_t*, const uint8_t* pkt, bool is_frag=false); diff --git a/src/protocols/packet.cc b/src/protocols/packet.cc index 566c320bb..91b0fcc09 100644 --- a/src/protocols/packet.cc +++ b/src/protocols/packet.cc @@ -149,7 +149,6 @@ const char* Packet::get_type() const if ( num_layers > 0 ) return PacketManager::get_proto_name(layers[num_layers-1].prot_id); - assert(false); return "None"; default: diff --git a/src/service_inspectors/dce_rpc/dce_co.cc b/src/service_inspectors/dce_rpc/dce_co.cc index 855a2b922..843fc3e3a 100644 --- a/src/service_inspectors/dce_rpc/dce_co.cc +++ b/src/service_inspectors/dce_rpc/dce_co.cc @@ -26,6 +26,7 @@ #include "dce_co.h" #include "main/snort_debug.h" +#include "main/snort.h" #include "utils/util.h" #include "dce_smb.h" @@ -1325,26 +1326,20 @@ static Packet* dce_co_reassemble(DCE2_SsnData* sd, DCE2_CoTracker* cot, ********************************************************************/ static void DCE2_CoReassemble(DCE2_SsnData* sd, DCE2_CoTracker* cot, DCE2_CoRpktType co_rtype) { + DetectionContext dc; + DceRpcCoHdr* co_hdr = nullptr; Packet* rpkt = dce_co_reassemble(sd,cot,co_rtype,&co_hdr); if ( !rpkt ) return; - /* Push packet onto stack */ - if (DCE2_PushPkt(rpkt,sd) != DCE2_RET__SUCCESS) - { - DebugMessage(DEBUG_DCE_COMMON, "Failed to push packet onto packet stack.\n"); - return; - } DCE2_CoSetRopts(sd, cot, co_hdr, rpkt); DebugMessage(DEBUG_DCE_COMMON, "Reassembled CO fragmented packet:\n"); DCE2_PrintPktData(rpkt->data, rpkt->dsize); DCE2_Detect(sd); - DCE2_PopPkt(sd); - co_reassembled = 1; } @@ -2188,6 +2183,8 @@ static Packet* DCE2_CoGetSegRpkt(DCE2_SsnData* sd, ********************************************************************/ static void DCE2_CoSegDecode(DCE2_SsnData* sd, DCE2_CoTracker* cot, DCE2_CoSeg* seg) { + DetectionContext dc; + const uint8_t* frag_ptr = nullptr; uint16_t frag_len = 0; dce2CommonStats* dce_common_stats = dce_get_proto_stats_ptr(sd); @@ -2232,12 +2229,6 @@ static void DCE2_CoSegDecode(DCE2_SsnData* sd, DCE2_CoTracker* cot, DCE2_CoSeg* return; } - if (DCE2_PushPkt(rpkt,sd) != DCE2_RET__SUCCESS) - { - DebugMessage(DEBUG_DCE_COMMON, "Failed to push packet onto packet stack.\n"); - return; - } - /* All is good. Decode the pdu */ DCE2_CoDecode(sd, cot, frag_ptr, frag_len); @@ -2248,8 +2239,6 @@ static void DCE2_CoSegDecode(DCE2_SsnData* sd, DCE2_CoTracker* cot, DCE2_CoSeg* * detection engine hasn't seen yet */ if (!co_reassembled) DCE2_Detect(sd); - - DCE2_PopPkt(sd); } static DCE2_Ret DCE2_HandleSegmentation(DCE2_Buffer* seg_buf, const uint8_t* data_ptr, diff --git a/src/service_inspectors/dce_rpc/dce_common.cc b/src/service_inspectors/dce_rpc/dce_common.cc index 4ef5fa2bc..8ede77530 100644 --- a/src/service_inspectors/dce_rpc/dce_common.cc +++ b/src/service_inspectors/dce_rpc/dce_common.cc @@ -27,6 +27,7 @@ #include "detection/detect.h" #include "ips_options/extract.h" #include "log/messages.h" +#include "main/snort.h" #include "utils/safec.h" #include "dce_smb_utils.h" @@ -34,8 +35,6 @@ #include "dce_udp.h" THREAD_LOCAL int dce2_detected = 0; -THREAD_LOCAL DCE2_CStack* dce2_pkt_stack = nullptr; -THREAD_LOCAL int dce2_inspector_instances = 0; static const char* dce2_get_policy_name(DCE2_Policy policy) { @@ -180,6 +179,7 @@ static void dce2_protocol_detect(DCE2_SsnData* sd, Packet* pkt) { if (sd->trans == DCE2_TRANS_TYPE__TCP) { + // FIXIT-M this doesn't look right; profile immediately goes out of scope Profile profile(dce2_tcp_pstat_detect); } else if (sd->trans == DCE2_TRANS_TYPE__SMB) @@ -193,27 +193,23 @@ static void dce2_protocol_detect(DCE2_SsnData* sd, Packet* pkt) // FIXIT-M add HTTP case when these are ported // Same for all other instances of profiling - SnortEventqPush(); snort_detect(pkt); - SnortEventqPop(); dce2_detected = 1; } void DCE2_Detect(DCE2_SsnData* sd) { - Packet* top_pkt; - top_pkt = (Packet*)DCE2_CStackTop(dce2_pkt_stack); - if (top_pkt == nullptr) - { - DebugMessage(DEBUG_DCE_COMMON,"No packet on top of stack.\n"); + DetectionContext dc; + Packet* top_pkt = dc.get_packet(); + + if ( !top_pkt->endianness ) return; - } - DebugMessage(DEBUG_DCE_COMMON, "Detecting ------------------------------------------------\n"); - DebugMessage(DEBUG_DCE_COMMON, " Rule options:\n"); + DCE2_PrintRoptions(&sd->ropts); DebugMessage(DEBUG_DCE_COMMON, "Payload:\n"); DCE2_PrintPktData(top_pkt->data, top_pkt->dsize); + if (sd->ropts.stub_data != nullptr) { DebugMessage(DEBUG_DCE_COMMON,"\nStub data:\n"); @@ -309,72 +305,6 @@ bool DceEndianness::get_offset_endianness(int32_t offset, int8_t& endian) return true; } -static void dce_push_pkt_log(Packet* pkt,DCE2_SsnData* sd) -{ - if (sd->trans == DCE2_TRANS_TYPE__TCP) - { - Profile profile(dce2_tcp_pstat_log); - } - else if (sd->trans == DCE2_TRANS_TYPE__SMB) - { - Profile profile(dce2_smb_pstat_log); - } - else - { - Profile profile(dce2_udp_pstat_log); - } - - SnortEventqPush(); - SnortEventqLog(pkt); - SnortEventqReset(); - SnortEventqPop(); -} - -// FIXIT-L revisit packet stack since it may not be needed - -DCE2_Ret DCE2_PushPkt(Packet* p,DCE2_SsnData* sd) -{ - Packet* top_pkt; - top_pkt = (Packet*)DCE2_CStackTop(dce2_pkt_stack); - - if (top_pkt != nullptr) - { - dce_push_pkt_log(top_pkt,sd); - } - if (DCE2_CStackPush(dce2_pkt_stack, (void*)p) != DCE2_RET__SUCCESS) - return DCE2_RET__ERROR; - - return DCE2_RET__SUCCESS; -} - -void DCE2_PopPkt(DCE2_SsnData* sd) -{ - Packet* pop_pkt = (Packet*)DCE2_CStackPop(dce2_pkt_stack); - - if (sd->trans == DCE2_TRANS_TYPE__TCP) - { - Profile profile(dce2_tcp_pstat_log); - } - else if (sd->trans == DCE2_TRANS_TYPE__UDP) - { - Profile profile(dce2_udp_pstat_log); - } - else - { - Profile profile(dce2_smb_pstat_log); - } - - if (pop_pkt == nullptr) - { - DebugMessage(DEBUG_DCE_COMMON, "No packet to pop off stack.\n"); - return; - } - SnortEventqPush(); - SnortEventqLog(pop_pkt); - SnortEventqReset(); - SnortEventqPop(); -} - uint16_t DCE2_GetRpktMaxData(DCE2_SsnData* sd, DCE2_RpktType rtype) { Packet* p = sd->wire_pkt; @@ -413,7 +343,7 @@ uint16_t DCE2_GetRpktMaxData(DCE2_SsnData* sd, DCE2_RpktType rtype) DebugFormat(DEBUG_DCE_COMMON,"Invalid reassembly packet type: %d\n",rtype); return 0; } - return (DCE2_REASSEMBLY_BUF_SIZE - overhead); + return (Packet::max_dsize - overhead); } static void dce2_fill_rpkt_info(Packet* rpkt, Packet* p) @@ -434,19 +364,18 @@ static void dce2_fill_rpkt_info(Packet* rpkt, Packet* p) Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, const uint8_t* data, uint32_t data_len) { - Packet* rpkt = nullptr; + Packet* rpkt = Snort::set_detect_packet(); + rpkt->endianness = new DceEndianness(); uint16_t data_overhead = 0; switch (rpkt_type) { case DCE2_RPKT_TYPE__SMB_SEG: - rpkt = dce2_smb_rpkt[rpkt_type - DCE2_SMB_RPKT_TYPE_START]; dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_SMB_SEG; break; case DCE2_RPKT_TYPE__SMB_TRANS: - rpkt = dce2_smb_rpkt[rpkt_type - DCE2_SMB_RPKT_TYPE_START]; dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_SMB_TRANS; if (DCE2_SsnFromClient(p)) @@ -464,7 +393,6 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, break; case DCE2_RPKT_TYPE__SMB_CO_SEG: - rpkt = dce2_smb_rpkt[rpkt_type - DCE2_SMB_RPKT_TYPE_START]; dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_DCE_SEG; if (DCE2_SsnFromClient(p)) @@ -482,7 +410,6 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, break; case DCE2_RPKT_TYPE__SMB_CO_FRAG: - rpkt = dce2_smb_rpkt[rpkt_type - DCE2_SMB_RPKT_TYPE_START]; dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_DCE_FRAG; if (DCE2_SsnFromClient(p)) @@ -504,7 +431,6 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, break; case DCE2_RPKT_TYPE__UDP_CL_FRAG: - rpkt = dce2_udp_rpkt; dce2_fill_rpkt_info(rpkt, p); rpkt->pseudo_type = PSEUDO_PKT_DCE_FRAG; data_overhead = DCE2_MOCK_HDR_LEN__CL; @@ -514,8 +440,8 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, case DCE2_RPKT_TYPE__TCP_CO_SEG: case DCE2_RPKT_TYPE__TCP_CO_FRAG: - rpkt = dce2_tcp_rpkt[rpkt_type - DCE2_TCP_RPKT_TYPE_START]; dce2_fill_rpkt_info(rpkt, p); + if (rpkt_type == DCE2_RPKT_TYPE__TCP_CO_FRAG) { rpkt->pseudo_type = PSEUDO_PKT_DCE_FRAG; @@ -543,14 +469,14 @@ Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type, return nullptr; } - if ((data_overhead + data_len) > DCE2_REASSEMBLY_BUF_SIZE) - data_len -= (data_overhead + data_len) - DCE2_REASSEMBLY_BUF_SIZE; + if ((data_overhead + data_len) > Packet::max_dsize) + data_len -= (data_overhead + data_len) - Packet::max_dsize; - if (data_len > DCE2_REASSEMBLY_BUF_SIZE - data_overhead) + if (data_len > Packet::max_dsize - data_overhead) return nullptr; memcpy_s((void*)(rpkt->data + data_overhead), - DCE2_REASSEMBLY_BUF_SIZE - data_overhead, data, data_len); + Packet::max_dsize - data_overhead, data, data_len); rpkt->dsize = data_len + data_overhead; return rpkt; @@ -565,16 +491,16 @@ DCE2_Ret DCE2_AddDataToRpkt(Packet* rpkt, const uint8_t* data, uint32_t data_len return DCE2_RET__ERROR; // FIXIT-L PORT_IF_NEEDED packet size and hdr check - const uint8_t* pkt_data_end = rpkt->data + DCE2_REASSEMBLY_BUF_SIZE; + const uint8_t* pkt_data_end = rpkt->data + Packet::max_dsize; const uint8_t* payload_end = rpkt->data + rpkt->dsize; if ((payload_end + data_len) > pkt_data_end) data_len = pkt_data_end - payload_end; - if (data_len > DCE2_REASSEMBLY_BUF_SIZE - rpkt->dsize) + if (data_len > Packet::max_dsize - rpkt->dsize) return DCE2_RET__ERROR; - memcpy_s((void*)(payload_end), DCE2_REASSEMBLY_BUF_SIZE - rpkt->dsize, + memcpy_s((void*)(payload_end), Packet::max_dsize - rpkt->dsize, data, data_len); rpkt->dsize += (uint16_t)data_len; diff --git a/src/service_inspectors/dce_rpc/dce_common.h b/src/service_inspectors/dce_rpc/dce_common.h index 32143b6e3..585f3052f 100644 --- a/src/service_inspectors/dce_rpc/dce_common.h +++ b/src/service_inspectors/dce_rpc/dce_common.h @@ -34,12 +34,8 @@ extern const InspectApi dce2_smb_api; extern const InspectApi dce2_tcp_api; extern const InspectApi dce2_udp_api; extern THREAD_LOCAL int dce2_detected; -extern THREAD_LOCAL int dce2_inspector_instances; -extern THREAD_LOCAL DCE2_CStack* dce2_pkt_stack; #define GID_DCE2 133 -#define DCE2_PKT_STACK__SIZE 10 -#define DCE2_REASSEMBLY_BUF_SIZE 65535u enum DCE2_Policy { @@ -402,10 +398,7 @@ bool dce2_set_co_config(Value&, dce2CoProtoConf&); void print_dce2_co_config(dce2CoProtoConf&); bool dce2_paf_abort(Flow*, DCE2_SsnData*); void DCE2_Detect(DCE2_SsnData*); -Packet* DCE2_GetRpkt(Packet*, DCE2_RpktType, - const uint8_t*, uint32_t); -DCE2_Ret DCE2_PushPkt(Packet*,DCE2_SsnData*); -void DCE2_PopPkt(DCE2_SsnData*); +Packet* DCE2_GetRpkt(Packet*, DCE2_RpktType, const uint8_t*, uint32_t); uint16_t DCE2_GetRpktMaxData(DCE2_SsnData*, DCE2_RpktType); DCE2_Ret DCE2_AddDataToRpkt(Packet*, const uint8_t*, uint32_t); DCE2_SsnData* get_dce2_session_data(Packet*); diff --git a/src/service_inspectors/dce_rpc/dce_smb.cc b/src/service_inspectors/dce_rpc/dce_smb.cc index 619d0808b..a2232d4b5 100644 --- a/src/service_inspectors/dce_rpc/dce_smb.cc +++ b/src/service_inspectors/dce_rpc/dce_smb.cc @@ -37,11 +37,7 @@ #include "dce_smb_utils.h" #include "dce_smb2.h" -THREAD_LOCAL int dce2_smb_inspector_instances = 0; - THREAD_LOCAL dce2SmbStats dce2_smb_stats; -THREAD_LOCAL Packet* dce2_smb_rpkt[DCE2_SMB_RPKT_TYPE_MAX] = { nullptr, nullptr, nullptr, - nullptr }; // used here THREAD_LOCAL ProfileStats dce2_smb_pstat_main; @@ -395,14 +391,9 @@ void Dce2Smb::eval(Packet* p) } dce2_smb_sess = dce2_handle_smb_session(p, &config); + if (dce2_smb_sess) { - //FIXIT-L evaluate moving pushpkt out of session pstats - if (DCE2_PushPkt(p,&dce2_smb_sess->sd) != DCE2_RET__SUCCESS) - { - DebugMessage(DEBUG_DCE_SMB, "Failed to push packet onto packet stack.\n"); - return; - } p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT; dce2_detected = 0; @@ -414,7 +405,6 @@ void Dce2Smb::eval(Packet* p) DCE2_Detect(&dce2_smb_sess->sd); DCE2_ResetRopts(&dce2_smb_sess->sd.ropts); - DCE2_PopPkt(&dce2_smb_sess->sd); delete p->endianness; p->endianness = nullptr; @@ -455,56 +445,6 @@ static void dce2_smb_dtor(Inspector* p) delete p; } -static void dce2_smb_thread_init() -{ - if (dce2_inspector_instances == 0) - { - dce2_pkt_stack = DCE2_CStackNew(DCE2_PKT_STACK__SIZE, nullptr); - } - if (dce2_smb_inspector_instances == 0) - { - for (int i=0; i < DCE2_SMB_RPKT_TYPE_MAX; i++) - { - Packet* p = (Packet*)snort_calloc(sizeof(Packet)); - p->data = (uint8_t*)snort_calloc(DCE2_REASSEMBLY_BUF_SIZE); - p->endianness = (Endianness*)new DceEndianness(); - p->dsize = DCE2_REASSEMBLY_BUF_SIZE; - dce2_smb_rpkt[i] = p; - } - } - dce2_smb_inspector_instances++; - dce2_inspector_instances++; -} - -static void dce2_smb_thread_term() -{ - dce2_inspector_instances--; - dce2_smb_inspector_instances--; - - if (dce2_smb_inspector_instances == 0) - { - for (int i=0; idata) - { - snort_free((void*)p->data); - } - delete p->endianness; - snort_free(p); - dce2_smb_rpkt[i] = nullptr; - } - } - } - if (dce2_inspector_instances == 0) - { - DCE2_CStackDestroy(dce2_pkt_stack); - dce2_pkt_stack = nullptr; - } -} - const InspectApi dce2_smb_api = { { @@ -525,8 +465,8 @@ const InspectApi dce2_smb_api = "dce_smb", dce2_smb_init, nullptr, // pterm - dce2_smb_thread_init, // tinit - dce2_smb_thread_term, // tterm + nullptr, // tinit + nullptr, // tterm dce2_smb_ctor, dce2_smb_dtor, nullptr, // ssn diff --git a/src/service_inspectors/dce_rpc/dce_smb.h b/src/service_inspectors/dce_rpc/dce_smb.h index 53719584e..accc25824 100644 --- a/src/service_inspectors/dce_rpc/dce_smb.h +++ b/src/service_inspectors/dce_rpc/dce_smb.h @@ -190,7 +190,6 @@ struct dce2SmbStats }; extern THREAD_LOCAL dce2SmbStats dce2_smb_stats; -extern THREAD_LOCAL Packet* dce2_smb_rpkt[DCE2_SMB_RPKT_TYPE_MAX]; extern THREAD_LOCAL ProfileStats dce2_smb_pstat_main; extern THREAD_LOCAL ProfileStats dce2_smb_pstat_session; extern THREAD_LOCAL ProfileStats dce2_smb_pstat_new_session; diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc index 4e2450792..fb613edc7 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2.cc +++ b/src/service_inspectors/dce_rpc/dce_smb2.cc @@ -784,7 +784,6 @@ void DCE2_Smb2Process(DCE2_SmbSsnData* ssd) Packet* p = ssd->sd.wire_pkt; const uint8_t* data_ptr = p->data; uint16_t data_len = p->dsize; - Smb2Hdr* smb_hdr; if (!FileService::is_file_service_enabled()) return; @@ -802,7 +801,7 @@ void DCE2_Smb2Process(DCE2_SmbSsnData* ssd) if (p->is_pdu_start()) { uint32_t next_command_offset; - smb_hdr = (Smb2Hdr*)(data_ptr + sizeof(NbssHdr)); + Smb2Hdr* smb_hdr = (Smb2Hdr*)(data_ptr + sizeof(NbssHdr)); next_command_offset = alignedNtohl(&(smb_hdr->next_command)); if (next_command_offset + sizeof(NbssHdr) > p->dsize) { diff --git a/src/service_inspectors/dce_rpc/dce_smb_commands.cc b/src/service_inspectors/dce_rpc/dce_smb_commands.cc index 7471f6fe2..ed0b33138 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_commands.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_commands.cc @@ -428,13 +428,11 @@ static DCE2_Ret DCE2_SmbWriteAndXRawRequest(DCE2_SmbSsnData* ssd, const SmbNtHdr return DCE2_RET__ERROR; } - DebugMessage(DEBUG_DCE_SMB, - "Reassembled WriteAndX raw mode request\n"); + DebugMessage(DEBUG_DCE_SMB, "Reassembled WriteAndX raw mode request\n"); DCE2_PrintPktData(rpkt->data, rpkt->dsize); (void)DCE2_SmbProcessRequestData(ssd, fid, data_ptr, data_len, 0); - DCE2_SmbReturnRpkt(ssd); DCE2_BufferEmpty(ftracker->fp_writex_raw->buf); } } diff --git a/src/service_inspectors/dce_rpc/dce_smb_transaction.cc b/src/service_inspectors/dce_rpc/dce_smb_transaction.cc index 9b8c46926..899b9c725 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_transaction.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_transaction.cc @@ -1196,8 +1196,6 @@ DCE2_Ret DCE2_SmbTransaction(DCE2_SmbSsnData* ssd, const SmbNtHdr* smb_hdr, status = DCE2_SmbProcessResponseData(ssd, data_ptr, data_len); - DCE2_SmbReturnRpkt(ssd); - if (status != DCE2_RET__SUCCESS) return status; } @@ -1658,8 +1656,6 @@ DCE2_Ret DCE2_SmbTransactionSecondary(DCE2_SmbSsnData* ssd, const SmbNtHdr* smb_ status = DCE2_SmbTransactionReq(ssd, ttracker, data_ptr, data_len, DCE2_BufferData(ttracker->pbuf), DCE2_BufferLength(ttracker->pbuf)); - - DCE2_SmbReturnRpkt(ssd); } break; diff --git a/src/service_inspectors/dce_rpc/dce_smb_utils.cc b/src/service_inspectors/dce_rpc/dce_smb_utils.cc index ffd6d1773..c563ee5d9 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_utils.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_utils.cc @@ -1310,14 +1310,6 @@ Packet* DCE2_SmbGetRpkt(DCE2_SmbSsnData* ssd, return nullptr; } - if (DCE2_PushPkt(rpkt, &ssd->sd) != DCE2_RET__SUCCESS) - { - DebugFormat(DEBUG_DCE_SMB, - "%s(%d) Failed to push packet onto packet stack.", - __FILE__, __LINE__); - return nullptr; - } - *data = rpkt->data; *data_len = rpkt->dsize; @@ -1463,8 +1455,6 @@ void DCE2_SmbSegAlert(DCE2_SmbSsnData* ssd, uint32_t rule_id) return; dce_alert(GID_DCE2, rule_id, (dce2CommonStats*)&dce2_smb_stats); - - DCE2_SmbReturnRpkt(ssd); } static void DCE2_SmbResetFileChunks(DCE2_SmbFileTracker* ftracker) @@ -1900,8 +1890,8 @@ void DCE2_SmbProcessFileData(DCE2_SmbSsnData* ssd, } if ((file_data_depth != -1) && - ((ftracker->ff_file_offset == ftracker->ff_bytes_processed) - && ((file_data_depth == 0) || (ftracker->ff_bytes_processed < (uint64_t)file_data_depth)))) + ((ftracker->ff_file_offset == ftracker->ff_bytes_processed) && + ((file_data_depth == 0) || (ftracker->ff_bytes_processed < (uint64_t)file_data_depth)))) { set_file_data((uint8_t*)data_ptr, (data_len > UINT16_MAX) ? UINT16_MAX : (uint16_t)data_len); @@ -1998,26 +1988,19 @@ void DCE2_SmbProcessFileData(DCE2_SmbSsnData* ssd, void DCE2_FileDetect() { - Packet* top_pkt = (Packet*)DCE2_CStackTop(dce2_pkt_stack); - if (top_pkt == nullptr) - { - DebugMessage(DEBUG_DCE_SMB,"No packet on top of stack.\n"); - return; - } - DebugMessage(DEBUG_DCE_SMB, "Detecting ------------------------------------------------\n"); + Packet* top_pkt = Snort::set_detect_packet(); + DetectionContext dc; + DebugMessage(DEBUG_DCE_SMB, "Payload:\n"); DCE2_PrintPktData(top_pkt->data, top_pkt->dsize); Profile profile(dce2_smb_pstat_smb_file_detect); - SnortEventqPush(); snort_detect(top_pkt); - SnortEventqPop(); // Reset file data pointer after detecting set_file_data(nullptr, 0); dce2_detected = 1; - DebugMessage(DEBUG_DCE_SMB, "----------------------------------------------------------\n"); } static void DCE2_SmbSetNewFileAPIFileTracker(DCE2_SmbSsnData* ssd) diff --git a/src/service_inspectors/dce_rpc/dce_smb_utils.h b/src/service_inspectors/dce_rpc/dce_smb_utils.h index a2b31b1e6..68792747a 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_utils.h +++ b/src/service_inspectors/dce_rpc/dce_smb_utils.h @@ -338,11 +338,6 @@ inline bool DCE2_SmbIsTransactionComplete(DCE2_SmbTransactionTracker* ttracker) return false; } -inline void DCE2_SmbReturnRpkt(DCE2_SmbSsnData* ssd) -{ - DCE2_PopPkt(&ssd->sd); -} - inline DCE2_Buffer** DCE2_SmbGetSegBuffer(DCE2_SmbSsnData* ssd) { if (DCE2_SsnFromServer(ssd->sd.wire_pkt)) diff --git a/src/service_inspectors/dce_rpc/dce_tcp.cc b/src/service_inspectors/dce_rpc/dce_tcp.cc index fc4d33ca0..1c0cd646d 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp.cc +++ b/src/service_inspectors/dce_rpc/dce_tcp.cc @@ -40,13 +40,6 @@ Dce2TcpFlowData::~Dce2TcpFlowData() DCE2_CoCleanTracker(&dce2_tcp_session.co_tracker); } -THREAD_LOCAL int dce2_tcp_inspector_instances = 0; - -// FIXIT-L currently using separate buffers for segment and fragment reassembly -// as in Snort2x code. Doesn't seem necessary for TCP but may be the case for -// SMB/HTTP ..keeping logic consistent for now -THREAD_LOCAL Packet* dce2_tcp_rpkt[DCE2_TCP_RPKT_TYPE_MAX] = { nullptr, nullptr }; - THREAD_LOCAL dce2TcpStats dce2_tcp_stats; THREAD_LOCAL ProfileStats dce2_tcp_pstat_main; @@ -176,24 +169,16 @@ void Dce2Tcp::eval(Packet* p) if (dce2_tcp_sess) { - // FIXIT-L evaluate moving pushpkt out of session pstats - if (DCE2_PushPkt(p,&dce2_tcp_sess->sd) != DCE2_RET__SUCCESS) - { - DebugMessage(DEBUG_DCE_TCP, "Failed to push packet onto packet stack.\n"); - return; - } p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT; dce2_detected = 0; dce2_tcp_stats.tcp_pkts++; - p->endianness = (Endianness*)new DceEndianness(); - DCE2_CoProcess( - &dce2_tcp_sess->sd, &dce2_tcp_sess->co_tracker, p->data, p->dsize); + p->endianness = new DceEndianness(); + DCE2_CoProcess(&dce2_tcp_sess->sd, &dce2_tcp_sess->co_tracker, p->data, p->dsize); if (!dce2_detected) DCE2_Detect(&dce2_tcp_sess->sd); DCE2_ResetRopts(&dce2_tcp_sess->sd.ropts); - DCE2_PopPkt(&dce2_tcp_sess->sd); delete p->endianness; p->endianness = nullptr; @@ -232,56 +217,6 @@ static void dce2_tcp_init() Dce2TcpFlowData::init(); } -static void dce2_tcp_thread_init() -{ - if (dce2_inspector_instances == 0) - { - dce2_pkt_stack = DCE2_CStackNew(DCE2_PKT_STACK__SIZE, nullptr); - } - if (dce2_tcp_inspector_instances == 0) - { - for (int i=0; i < DCE2_TCP_RPKT_TYPE_MAX; i++) - { - Packet* p = (Packet*)snort_calloc(sizeof(Packet)); - p->data = (uint8_t*)snort_calloc(DCE2_REASSEMBLY_BUF_SIZE); - p->endianness = (Endianness*)new DceEndianness(); - p->dsize = DCE2_REASSEMBLY_BUF_SIZE; - dce2_tcp_rpkt[i] = p; - } - } - dce2_tcp_inspector_instances++; - dce2_inspector_instances++; -} - -static void dce2_tcp_thread_term() -{ - dce2_inspector_instances--; - dce2_tcp_inspector_instances--; - - if (dce2_tcp_inspector_instances == 0) - { - for (int i=0; idata) - { - snort_free((void*)p->data); - } - delete p->endianness; - snort_free(p); - dce2_tcp_rpkt[i] = nullptr; - } - } - } - if (dce2_inspector_instances == 0) - { - DCE2_CStackDestroy(dce2_pkt_stack); - dce2_pkt_stack = nullptr; - } -} - const InspectApi dce2_tcp_api = { { @@ -302,8 +237,8 @@ const InspectApi dce2_tcp_api = "dce_tcp", dce2_tcp_init, nullptr, // pterm - dce2_tcp_thread_init, // tinit - dce2_tcp_thread_term, // tterm + nullptr, // tinit + nullptr, // tterm dce2_tcp_ctor, dce2_tcp_dtor, nullptr, // ssn diff --git a/src/service_inspectors/dce_rpc/dce_tcp.h b/src/service_inspectors/dce_rpc/dce_tcp.h index 7766b5a08..0ef149bf5 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp.h +++ b/src/service_inspectors/dce_rpc/dce_tcp.h @@ -28,8 +28,6 @@ #define DCE2_TCP_NAME "dce_tcp" #define DCE2_TCP_HELP "dce over tcp inspection" -#define DCE2_TCP_RPKT_TYPE_MAX 2 -#define DCE2_TCP_RPKT_TYPE_START 5 struct dce2TcpStats { @@ -70,7 +68,6 @@ struct dce2TcpStats }; extern THREAD_LOCAL dce2TcpStats dce2_tcp_stats; -extern THREAD_LOCAL Packet* dce2_tcp_rpkt[DCE2_TCP_RPKT_TYPE_MAX]; extern THREAD_LOCAL ProfileStats dce2_tcp_pstat_main; extern THREAD_LOCAL ProfileStats dce2_tcp_pstat_session; extern THREAD_LOCAL ProfileStats dce2_tcp_pstat_new_session; diff --git a/src/service_inspectors/dce_rpc/dce_udp.cc b/src/service_inspectors/dce_rpc/dce_udp.cc index 04ba694b7..5271c7640 100644 --- a/src/service_inspectors/dce_rpc/dce_udp.cc +++ b/src/service_inspectors/dce_rpc/dce_udp.cc @@ -30,8 +30,6 @@ #include "dce_udp_module.h" -THREAD_LOCAL int dce2_udp_inspector_instances = 0; - THREAD_LOCAL dce2UdpStats dce2_udp_stats; THREAD_LOCAL ProfileStats dce2_udp_pstat_main; @@ -43,8 +41,6 @@ THREAD_LOCAL ProfileStats dce2_udp_pstat_cl_acts; THREAD_LOCAL ProfileStats dce2_udp_pstat_cl_frag; THREAD_LOCAL ProfileStats dce2_udp_pstat_cl_reass; -THREAD_LOCAL Packet* dce2_udp_rpkt = nullptr; - static void DCE2_ClCleanTracker(DCE2_ClTracker* clt) { if (clt == nullptr) @@ -162,15 +158,10 @@ void Dce2Udp::eval(Packet* p) if (dce2_udp_sess) { - if (DCE2_PushPkt(p,&dce2_udp_sess->sd) != DCE2_RET__SUCCESS) - { - DebugMessage(DEBUG_DCE_UDP, "Failed to push packet onto packet stack.\n"); - return; - } p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT; dce2_detected = 0; - p->endianness = (Endianness*)new DceEndianness(); + p->endianness = new DceEndianness(); dce2_udp_stats.udp_pkts++; DCE2_ClProcess(&dce2_udp_sess->sd, &dce2_udp_sess->cl_tracker); @@ -179,7 +170,6 @@ void Dce2Udp::eval(Packet* p) DCE2_Detect(&dce2_udp_sess->sd); DCE2_ResetRopts(&dce2_udp_sess->sd.ropts); - DCE2_PopPkt(&dce2_udp_sess->sd); delete p->endianness; p->endianness = nullptr; @@ -218,51 +208,6 @@ static void dce2_udp_init() Dce2UdpFlowData::init(); } -static void dce2_udp_thread_init() -{ - if (dce2_inspector_instances == 0) - { - dce2_pkt_stack = DCE2_CStackNew(DCE2_PKT_STACK__SIZE, nullptr); - } - - if (dce2_udp_inspector_instances == 0) - { - dce2_udp_rpkt = (Packet*)snort_calloc(sizeof(Packet)); - dce2_udp_rpkt->data = (uint8_t*)snort_calloc(DCE2_REASSEMBLY_BUF_SIZE); - dce2_udp_rpkt->endianness = (Endianness*)new DceEndianness(); - dce2_udp_rpkt->dsize = DCE2_REASSEMBLY_BUF_SIZE; - } - - dce2_udp_inspector_instances++; - dce2_inspector_instances++; -} - -static void dce2_udp_thread_term() -{ - dce2_inspector_instances--; - dce2_udp_inspector_instances--; - - if (dce2_udp_inspector_instances == 0) - { - if ( dce2_udp_rpkt != nullptr ) - { - if (dce2_udp_rpkt->data) - { - snort_free((void*)dce2_udp_rpkt->data); - } - delete dce2_udp_rpkt->endianness; - snort_free(dce2_udp_rpkt); - dce2_udp_rpkt = nullptr; - } - } - - if (dce2_inspector_instances == 0) - { - DCE2_CStackDestroy(dce2_pkt_stack); - dce2_pkt_stack = nullptr; - } -} - const InspectApi dce2_udp_api = { { @@ -283,8 +228,8 @@ const InspectApi dce2_udp_api = "dce_udp", dce2_udp_init, nullptr, // pterm - dce2_udp_thread_init, // tinit - dce2_udp_thread_term, // tterm + nullptr, // tinit + nullptr, // tterm dce2_udp_ctor, dce2_udp_dtor, nullptr, // ssn diff --git a/src/service_inspectors/dce_rpc/dce_udp.h b/src/service_inspectors/dce_rpc/dce_udp.h index d11a039bb..e7b6fd434 100644 --- a/src/service_inspectors/dce_rpc/dce_udp.h +++ b/src/service_inspectors/dce_rpc/dce_udp.h @@ -71,7 +71,6 @@ extern THREAD_LOCAL ProfileStats dce2_udp_pstat_log; extern THREAD_LOCAL ProfileStats dce2_udp_pstat_cl_acts; extern THREAD_LOCAL ProfileStats dce2_udp_pstat_cl_frag; extern THREAD_LOCAL ProfileStats dce2_udp_pstat_cl_reass; -extern THREAD_LOCAL Packet* dce2_udp_rpkt; struct DceRpcClHdr /* Connectionless header */ { diff --git a/src/service_inspectors/dce_rpc/dce_udp_processing.cc b/src/service_inspectors/dce_rpc/dce_udp_processing.cc index 9c8c4458c..f78b69744 100644 --- a/src/service_inspectors/dce_rpc/dce_udp_processing.cc +++ b/src/service_inspectors/dce_rpc/dce_udp_processing.cc @@ -34,6 +34,7 @@ #include "flow/session.h" #include "main/snort_debug.h" +#include "main/snort.h" #include "utils/safec.h" #include "utils/util.h" @@ -554,9 +555,11 @@ static int DCE2_ClFragCompare(const void* a, const void* b) // Reassembles fragments into reassembly buffer and copies to // reassembly packet. -static void DCE2_ClFragReassemble(DCE2_SsnData* sd, DCE2_ClActTracker* at, const - DceRpcClHdr* cl_hdr) +static void DCE2_ClFragReassemble( + DCE2_SsnData* sd, DCE2_ClActTracker* at, const DceRpcClHdr* cl_hdr) { + DetectionContext dc; + uint8_t dce2_cl_rbuf[IP_MAXPACKET]; DCE2_ClFragTracker* ft = &at->frag_tracker; uint8_t* rdata = dce2_cl_rbuf; @@ -597,14 +600,6 @@ static void DCE2_ClFragReassemble(DCE2_SsnData* sd, DCE2_ClActTracker* at, const const uint8_t* stub_data = rpkt->data + DCE2_MOCK_HDR_LEN__CL; - if (DCE2_PushPkt(rpkt, sd) != DCE2_RET__SUCCESS) - { - DebugFormat(DEBUG_DCE_UDP, - "%s(%d) Failed to push packet onto packet stack.", - __FILE__, __LINE__); - return; - } - /* Cache relevant values for rule option processing */ sd->ropts.first_frag = 1; DCE2_CopyUuid(&sd->ropts.iface, &ft->iface, DCERPC_BO_FLAG__NONE); @@ -625,7 +620,6 @@ static void DCE2_ClFragReassemble(DCE2_SsnData* sd, DCE2_ClActTracker* at, const sd->ropts.stub_data = stub_data; DCE2_Detect(sd); - DCE2_PopPkt(sd); dce2_udp_stats.cl_frag_reassembled++; } diff --git a/src/service_inspectors/dce_rpc/smb_message.cc b/src/service_inspectors/dce_rpc/smb_message.cc index 7c8fe5d7a..788fe8274 100644 --- a/src/service_inspectors/dce_rpc/smb_message.cc +++ b/src/service_inspectors/dce_rpc/smb_message.cc @@ -1833,7 +1833,6 @@ static void DCE2_Smb1Process(DCE2_SmbSsnData* ssd) if (!DCE2_BufferIsEmpty(*seg_buf)) { - DCE2_SmbReturnRpkt(ssd); DCE2_BufferDestroy(*seg_buf); *seg_buf = nullptr; } diff --git a/src/service_inspectors/dnp3/dnp3.cc b/src/service_inspectors/dnp3/dnp3.cc index 9ef66fae1..a64915c41 100644 --- a/src/service_inspectors/dnp3/dnp3.cc +++ b/src/service_inspectors/dnp3/dnp3.cc @@ -134,9 +134,7 @@ static bool dnp3_process_udp(dnp3ProtoConf& config, dnp3_session_data_t* dnp3_se break; } - dnp3_full_reassembly(config,dnp3_sess, p, pdu_start, - pdu_length); - + dnp3_full_reassembly(config, dnp3_sess, p, pdu_start, pdu_length); bytes_processed += pdu_length; } diff --git a/src/stream/ip/ip_defrag.cc b/src/stream/ip/ip_defrag.cc index 319134719..56b8259a7 100644 --- a/src/stream/ip/ip_defrag.cc +++ b/src/stream/ip/ip_defrag.cc @@ -886,10 +886,8 @@ static void FragRebuild(FragTracker* ft, Packet* p) #endif encap_frag_cnt++; - SnortEventqPush(); PacketManager::encode_set_pkt(p); Snort::process_packet(dpkt, dpkt->pkth, dpkt->pkt, true); - SnortEventqPop(); encap_frag_cnt--; trace_log(stream_ip, diff --git a/src/stream/stream.cc b/src/stream/stream.cc index bc25cbbf5..9fc52a05a 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -27,6 +27,7 @@ #include "flow/flow_key.h" #include "flow/ha.h" #include "flow/prune_stats.h" +#include "main/snort.h" #include "main/snort_config.h" #include "main/snort_debug.h" #include "packet_io/active.h" @@ -346,6 +347,12 @@ void Stream::purge_flows() if ( !flow_con ) return; + // FIXIT-H stream tcp needs to do this and prep pkt to handle + // shutdown alerts while rebuilding (during flush before a + // rebuilt packet is available) + Snort::set_detect_packet(); + DetectionContext dc; + flow_con->purge_flows(PktType::IP); flow_con->purge_flows(PktType::ICMP); flow_con->purge_flows(PktType::TCP); diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc index d913f1229..f9ae6bb24 100644 --- a/src/stream/tcp/tcp_reassembler.cc +++ b/src/stream/tcp/tcp_reassembler.cc @@ -693,7 +693,6 @@ int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags) break; } - Snort::clear_detect_packet(); return bytes_processed; } -- 2.47.2