Merge pull request #1070 in SNORT/snort3 from control to master
authorRuss Combs (rucombs) <rucombs@cisco.com>
Fri, 17 Nov 2017 18:30:18 +0000 (13:30 -0500)
committerRuss Combs (rucombs) <rucombs@cisco.com>
Fri, 17 Nov 2017 18:30:18 +0000 (13:30 -0500)
Squashed commit of the following:

commit c1710fa94273e1214dc33c6b9f96f58fa3991a99
Author: Russ Combs (rucombs) <rucombs@cisco.com>
Date:   Fri Nov 17 11:27:32 2017 -0500

    snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder

commit ffb30e0afd477b7ad39e5de0a01e05187ac85d81
Author: Russ Combs (rucombs) <rucombs@cisco.com>
Date:   Fri Nov 17 06:28:20 2017 -0500

    wizard: usage is inspect

commit 8b205c88d42ccff8ca43c4e04f75c7791816bf9a
Author: Russ Combs (rucombs) <rucombs@cisco.com>
Date:   Fri Nov 17 00:25:31 2017 -0500

    binder: add FIXIT re creating default bindings when the wizard is not configured

commit fc5f8fb0b6bc8d2f8901d9ef33cf93ee3b25755c
Author: Russ Combs (rucombs) <rucombs@cisco.com>
Date:   Thu Nov 16 20:47:29 2017 -0500

    stream_tcp: ignore flush requests on uninitialized sessions (early abort condition)

commit ddcd4ca4e23b1804b17d0f2b493399fd10639e16
Author: Russ Combs (rucombs) <rucombs@cisco.com>
Date:   Thu Nov 16 18:39:12 2017 -0500

    snort2lua: remove when udp from binding to support tcp too

commit 2f2f5ce79e11b1f1529ca36dde51a9e20976016c
Author: Russ Combs (rucombs) <rucombs@cisco.com>
Date:   Thu Nov 16 16:43:41 2017 -0500

    sip: use log splitter for tcp

commit feb60347c7ea4698a9bf14f1ab4f4df9c1732f7b
Author: Russ Combs (rucombs) <rucombs@cisco.com>
Date:   Thu Nov 16 18:44:53 2017 -0500

    control: process flow first

commit 0d9ae3a95a4342a377b49dfc5b8f6d12fab5949b
Author: Russ Combs (rucombs) <rucombs@cisco.com>
Date:   Thu Nov 16 06:34:34 2017 -0500

    control: must execute from default policy only

14 files changed:
src/flow/flow_control.cc
src/managers/inspector_manager.cc
src/managers/inspector_manager.h
src/service_inspectors/sip/sip.cc
src/service_inspectors/wizard/wiz_module.h
src/stream/tcp/tcp_session.cc
tools/snort2lua/data/data_types/dt_var.cc
tools/snort2lua/data/data_types/dt_var.h
tools/snort2lua/data/dt_data.cc
tools/snort2lua/data/dt_data.h
tools/snort2lua/helpers/converter.cc
tools/snort2lua/helpers/converter.h
tools/snort2lua/helpers/parse_cmd_line.cc
tools/snort2lua/preprocessor_states/pps_sip.cc

index 055b1d6811c9781b70372ea4883e0f24ef43ca73..0fe7dd1304ee412845e59e66709050b739f5aaa8 100644 (file)
@@ -449,7 +449,6 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
     case Flow::FlowState::INSPECT:
         assert(flow->ssn_client);
         assert(flow->ssn_server);
-        flow->session->process(p);
         break;
 
     case Flow::FlowState::ALLOW:
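Review bot: With `flow->session->process(p)` removed, the INSPECT case in FlowControl::process now holds only two asserts and a `break`, and nothing at this site records that session processing has moved; a reader will suspect the case is incomplete. A one-line comment such as `// session processing now happens in InspectorManager::execute()` would preserve the intent. Note also that the `assert(flow->ssn_client)` / `assert(flow->ssn_server)` pair compiles out in release builds, so it no longer guards the session call it used to precede. FlowControl::process starts and ends outside the hunk.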
@@ -615,6 +614,8 @@ void FlowControl::process_tcp(Packet* p)
 
     tcp_count += process(flow, p);
 
+    // FIXIT-M refactor to unlink_uni immediately after session
+    // is processed by inspector manager (all flows)
     if ( flow->next && is_bidirectional(flow) )
         tcp_cache->unlink_uni(flow);
 }
index 32f638b612f27aadc6a9c46b062c6f2c2ecb1079..95fb6d987005ff37eb2196a689fda991c33ec2a8 100644 (file)
@@ -814,7 +814,10 @@ static bool configure(SnortConfig* sc, FrameworkPolicy* fp, bool cloned)
     sort(fp->ilist.begin(), fp->ilist.end(), PHInstance::comp);
     fp->vectorize();
 
-    if ( fp->session.num && !fp->binder )
+    // FIXIT-M checking for wizard here would avoid fatals for
+    // can't bind wizard but this exposes other issues that must
+    // be fixed first.
+    if ( fp->session.num and !fp->binder /*and fp->wizard*/ )
         instantiate_binder(sc, fp);
 
     return ok;
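Review bot: The commented-out `/*and fp->wizard*/` fragment sits inside a live condition, and the FIXIT above it already records the intent; keep the explanation in the comment and leave the condition clean, i.e. `if ( fp->session.num and !fp->binder )`. The FIXIT would be more actionable if it named which "other issues" the wizard check exposes, since this comment is the only record of them. configure() starts and ends outside the hunk.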
@@ -934,26 +937,40 @@ void InspectorManager::full_inspection(Packet* p)
     }
 }
 
-// FIXIT-M split stream base processing out of it_session so that flow lookup
-// can be done first to avoid executing it_packet on disabled flows.  also
-// leverage knowledge of flow creation so that reputation (possibly a new
-// it_xxx) is run just once per flow (and all non-flow packets).
+void InspectorManager::execute_control(Packet* p)
+{
+    SnortConfig* sc = SnortConfig::get_conf();
+    FrameworkPolicy* fp = get_default_inspection_policy(sc)->framework_policy;
+    ::execute(p, fp->control.vec, fp->control.num);
+}
+
+// FIXIT-M leverage knowledge of flow creation so that reputation (possibly a
+// new it_xxx) is run just once per flow (and all non-flow packets).
 
 void InspectorManager::execute(Packet* p)
 {
     FrameworkPolicy* fp = get_inspection_policy()->framework_policy;
     assert(fp);
 
-    if ( !p->is_cooked() )
-        ::execute(p, fp->packet.vec, fp->packet.num);
-
     if ( !p->has_paf_payload() )
+    {
+        // FIXIT-L there is at most one in session; stream_base should
+        // be elevated from inspector to framework component (it is just
+        // a flow control wrapper) and use eval() instead of process()
+        // for stream_*.
         ::execute(p, fp->session.vec, fp->session.num);
-
+        fp = get_inspection_policy()->framework_policy;
+    }
     // must check between each ::execute()
     if ( p->disable_inspect )
        return;
 
+    if ( !p->is_cooked() )
+        ::execute(p, fp->packet.vec, fp->packet.num);
+
+    if ( p->disable_inspect )
+       return;
+
     if ( !p->flow )
     {
         ::execute(p, fp->network.vec, fp->network.num);
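Review bot: The new InspectorManager::execute_control dereferences `get_default_inspection_policy(sc)->framework_policy` without the `assert(fp)` that execute() just below applies to its own policy, and neither the helper nor its header declaration says why control inspectors must run from the default policy rather than the current one. Suggest `FrameworkPolicy* fp = get_default_inspection_policy(sc)->framework_policy; assert(fp);` plus a header comment such as `// control inspectors always run from the default policy, not the policy the flow may have switched to` — the re-fetch of `fp` after the session inspectors run suggests that is the reason, but confirm. That re-fetch only happens inside the `!p->has_paf_payload()` branch, which is fine as long as no other `::execute` can change the policy; a short comment on it would save the next reader that analysis. execute() ends outside the hunk.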
@@ -961,10 +978,13 @@ void InspectorManager::execute(Packet* p)
         if ( p->disable_inspect )
            return;
 
-        ::execute(p, fp->control.vec, fp->control.num);
+        execute_control(p);
     }
     else
     {
+        if ( !p->has_paf_payload() and p->flow->flow_state == Flow::FlowState::INSPECT )
+            p->flow->session->process(p);
+
         if ( !p->flow->service )
             ::execute(p, fp->network.vec, fp->network.num);
 
@@ -975,7 +995,7 @@ void InspectorManager::execute(Packet* p)
             full_inspection(p);
 
         if ( !p->disable_inspect and !p->flow->is_inspection_disabled() )
-            ::execute(p, fp->control.vec, fp->control.num);
+            execute_control(p);
     }
 }
 
index aa449a7113e236874b501bf78fa371c5a586d9a2..782856bf2163066fd947134ed9dac4caf7f86f67 100644 (file)
@@ -89,6 +89,7 @@ public:
 private:
     static void bumble(Packet*);
     static void full_inspection(Packet*);
+    static void execute_control(Packet*);
 };
 
 #endif
index f1b8a233ca55cdf30d36499945805649a3f17755..bec5453b4433d84babdbef818b188f791a403530 100644 (file)
@@ -29,6 +29,7 @@
 #include "managers/inspector_manager.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
+#include "stream/stream_splitter.h"
 
 #include "sip_module.h"
 #include "sip_utils.h"
@@ -256,6 +257,11 @@ public:
     void eval(Packet*) override;
     bool get_buf(InspectionBuffer::Type, Packet*, InspectionBuffer&) override;
 
+    // FIXIT-M implement a sip aware splitter
+    // this will work for single segment PDUs only
+    class StreamSplitter* get_splitter(bool to_server) override
+    { return new LogSplitter(to_server); }
+
 private:
     SIP_PROTO_CONF* config;
 };
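Review bot: `get_splitter` hands back a raw `new LogSplitter(to_server)` with nothing saying who deletes it; presumably the stream layer takes ownership as it does for other inspectors' splitters, but the override should say so, e.g. `// caller (stream) owns the returned splitter`. The elaborated `class StreamSplitter*` in the return type is redundant now that stream/stream_splitter.h is included in the same commit. The FIXIT could also state what happens to multi-segment PDUs with LogSplitter so the limitation is actionable. The enclosing class starts outside the hunk.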
index 66888c9e44cc3620d87320a337657bd7d14ec7ff..1bd46f12dd276e3461469bd9486432d96e9b5594 100644 (file)
@@ -53,7 +53,7 @@ public:
     CurseBook* get_curse_book();
 
     Usage get_usage() const override
-    { return GLOBAL; }
+    { return INSPECT; }
 
 private:
     void add_spells(MagicBook*, std::string&);
index 647bdb11169c0effd80f4663298f0be4c612a2c0..15a677e3175515b889f2a7fc2e37eefaa4e60e83 100644 (file)
@@ -857,6 +857,9 @@ void TcpSession::check_for_repeated_syn(TcpSegmentDescriptor& tsd)
 
 void TcpSession::flush_server(Packet* p)
 {
+    if ( !tcp_init )
+        return;
+
     server->set_tf_flags(TF_FORCE_FLUSH);
 
     // If rebuilt packet, don't flush now because we'll overwrite the packet being processed.
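Review bot: The `if ( !tcp_init ) return;` guard at the top of flush_server silently drops the flush request with no record of why, and the same three lines are repeated in flush_client in the next hunk. A comment such as `// session never completed init (early abort); nothing to flush` would tell the reader what state is being protected against — I am taking that from the commit message, so confirm it matches what `tcp_init` means. Both functions continue past their hunks.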
@@ -875,6 +878,9 @@ void TcpSession::flush_server(Packet* p)
 
 void TcpSession::flush_client(Packet* p)
 {
+    if ( !tcp_init )
+        return;
+
     client->set_tf_flags(TF_FORCE_FLUSH);
 
     // If rebuilt packet, don't flush now because we'll overwrite the packet being processed.
@@ -890,9 +896,10 @@ void TcpSession::flush_client(Packet* p)
     client->clear_tf_flags(TF_FORCE_FLUSH);
 }
 
-void TcpSession::flush_tracker(TcpStreamTracker* tracker, Packet* p, uint32_t dir, bool final_flush)
+void TcpSession::flush_tracker(
+    TcpStreamTracker* tracker, Packet* p, uint32_t dir, bool final_flush)
 {
-    if( final_flush && ( !tracker->splitter || !tracker->splitter->finish(flow) ) )
+    if ( final_flush && ( !tracker->splitter || !tracker->splitter->finish(flow) ) )
          return;
 
      DebugFormat(DEBUG_STREAM_STATE, "Flushing tracker on packet from %s\n",
index 1e8558d5997753d81afea05a186f0ee782b955a4..75b873a97e7a0ffcc43d1265487bf067fd8c4290 100644 (file)
@@ -27,12 +27,6 @@ Variable::Variable(const std::string& name, int depth)
     this->depth = depth;
 }
 
-Variable::Variable(const std::string& name)
-{
-    this->name = name;
-    this->depth = 0;
-}
-
 Variable::~Variable()
 {
     for (VarData* v : vars)
@@ -60,6 +54,14 @@ std::string Variable::get_value(DataApi* ld)
     return variable;
 }
 
+void Variable::set_value(std::string val, bool quoted)
+{
+    VarData* vd = new VarData();
+    vd->type = quoted ? VarType::STRING : VarType::VARIABLE;
+    vd->data = val;
+    vars.push_back(vd);
+}
+
 // does this need a new variable?
 bool Variable::add_value(std::string elem)
 {
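Review bot: `Variable::set_value` appends a new VarData with `vars.push_back(vd)` and never clears existing entries, so despite its name a second call accumulates values rather than replacing them; either clear `vars` first (releasing the old entries the way the destructor does) or document that it appends, e.g. `// appends one quoted (STRING) or raw (VARIABLE) value; does not replace existing values`. `val` is taken by value and then copied into `vd->data`; `vd->data = std::move(val);` avoids the second copy. The `new VarData()` appears to be owned through `vars` and released in ~Variable, which is worth a line at the declaration too.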
index a86c9eb141e51f64c7d97976373d97b8f90500c8..b9ca2f97f7e1c4773a6cfc9494ab641b277243b5 100644 (file)
@@ -29,13 +29,13 @@ class DataApi;
 class Variable
 {
 public:
-    Variable(const std::string& name, int depth);
-    Variable(const std::string& name);
+    Variable(const std::string& name, int depth = 0);
     virtual ~Variable();
 
     inline const std::string& get_name() { return name; }
     std::string get_value(DataApi*);
     bool add_value(std::string);
+    void set_value(std::string, bool quoted);
     
     void set_print_whitespace(bool w)
     { print_whitespace = w; }
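Review bot: `Variable(const std::string& name, int depth = 0);` is still a converting constructor (as the removed single-argument overload was), so a `std::string` silently converts to a Variable; mark it `explicit Variable(const std::string& name, int depth = 0);` unless that conversion is relied on. The same hunk adds `void set_value(std::string, bool quoted);` next to `add_value` with nothing distinguishing the two; a one-liner per declaration saying which one appends a raw segment and which appends a typed quoted/variable value would help. The class continues past the hunk.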
index 177ba2b256c2978d3bdb3c43eb85b200e1f6db80..f7c17480c7c77447af6070f644ececd52cc7c25e 100644 (file)
@@ -261,6 +261,13 @@ void DataApi::failed_conversion(const std::istringstream& stream, const std::str
         errors->add_text("^^^^ unknown_syntax=" + unknown_option);
 }
 
+void DataApi::set_variable(const std::string& name, const std::string& value, bool quoted)
+{
+    Variable* var = new Variable(name);
+    vars.push_back(var);
+    var->set_value(value, quoted);
+}
+
 bool DataApi::add_variable(const std::string& name, const std::string& value)
 {
     for (auto v : vars)
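Review bot: `DataApi::set_variable` always allocates a new Variable and pushes it onto `vars` without checking whether one with that name already exists, whereas `add_variable` directly below begins by scanning `vars`, presumably for exactly that; a second `set_variable` with the same name, or one following a same-named variable from the converted config, would therefore emit two assignments. Either reuse an existing entry found by name, or record the precondition: `// precondition: no variable named `name` has been added yet; always emits a new assignment`. The raw `new Variable(name)` is presumably owned by `vars` like the other entries — worth a line at the declaration. add_variable continues past the hunk.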
index 48ed4b5cfd9c741c02b76682f71234c974158472..91d8a42a0279d82e2b9adbe54efac1b13c2f49f9 100644 (file)
@@ -104,6 +104,7 @@ public:
     // FILE CREATION AND ADDITIONS
 
     // add a variable to this file
+    void set_variable(const std::string& name, const std::string& value, bool quoted);
     bool add_variable(const std::string& name, const std::string& value);
     // add a Snort style include file
     bool add_include_file(const std::string& name);
index 5038ceb570b2f08dab1ea6300e8a68918ea508f8..a9f327a156bff20152c5389bd3abfb5bc137fca6 100644 (file)
@@ -49,6 +49,7 @@ bool Converter::parse_includes = true;
 bool Converter::empty_args = false;
 bool Converter::convert_rules_mult_files = true;
 bool Converter::convert_conf_mult_files = true;
+bool Converter::bind_wizard = false;
 
 Converter::Converter()
     :   table_api(&top_table_api, table_delegation),
@@ -321,7 +322,7 @@ void Converter::add_bindings()
         }
 
         auto b = result->second;
-        b->print_binding(false); //FIXIT-M is it desired to keep this around? it isn't for nap case
+        b->print_binding(false);  // FIXIT-M is it desired to keep this around? not for nap case
 
         // FIXIT-M as of writing, this assumes pending is only for nap rules
         pb.second->set_use_file(b->get_use_file().first, Binder::IT_INSPECTION);
@@ -353,6 +354,17 @@ int Converter::convert(const std::string& input,
 
     rc = parse_file(input);
 
+    if ( bind_wizard )
+    {
+        // FIXIT-H this should create wizard = { } but need wizard = default_wizard
+        //table_api.open_top_level_table("wizard");
+        //table_api.close_table();
+        data_api.set_variable("wizard", "default_wizard", false);
+
+        auto& wiz = make_binder();
+        wiz.set_use_type("wizard");
+    }
+
     add_bindings();
 
     if (rule_file.empty())
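Review bot: The bind_wizard block keeps two commented-out `table_api` calls under a FIXIT-H; dead code in comments rots, so state the intended output in the FIXIT and drop the lines, e.g. `// FIXIT-H emits wizard = default_wizard; should emit wizard = { }`. It would also help to say that the wizard binder is created after `parse_file` precisely so that it lands after the bindings from the converted config, since that ordering is what the commit message's "trailing binding" refers to and nothing in the code says so. Converter::convert starts and ends outside the hunk.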
index f0f1aaa9ca949ed7eab2a095b1591353ce299e66..be489cd46250c1f90ba57d0cdac8b3402bb99885 100644 (file)
@@ -67,6 +67,12 @@ public:
     inline static std::string get_ips_pattern()
     { return ips_pattern; }
 
+    inline static void set_bind_wizard(bool val)
+    { bind_wizard = val; }
+
+    inline static bool get_bind_wizard()
+    { return bind_wizard; }
+
     Binder& make_binder(Binder&);
     Binder& make_binder();
     Binder& make_pending_binder(int ips_policy_id);
@@ -110,6 +116,7 @@ private:
     static bool convert_rules_mult_files;
     static bool convert_conf_mult_files;
     static bool empty_args;
+    static bool bind_wizard;
 
     DataApi data_api;
 
index 8b4a7bf31f4f70943193b54cea0c97ca399a401b..2dd059a6827849c89c265b13ce21fafc8b21820f 100644 (file)
@@ -251,6 +251,9 @@ static void parse_rule_file(const char* key, const char* val)
 static void add_remark(const char* /*key*/, const char* val)
 { RuleApi::set_remark(val); }
 
+static void bind_wizard(const char* /*key*/, const char* /*val*/)
+{ Converter::set_bind_wizard(true); }
+
 static void print_all(const char* /*key*/, const char* /*val*/)
 { DataApi::set_default_print(); }
 
@@ -371,6 +374,9 @@ static ConfigFunc basic_opts[] =
     { "V", print_version, "",
       "Print the current Snort2Lua version" },
 
+    { "bind-wizard", bind_wizard, "",
+      "Add default wizard to bindings" },
+
     { "conf-file", parse_config_file, "",
       "Same as '-c'. A Snort <snort_conf> file which will be converted" },
 
index 3cd01d0ebc034560f1dc1f02e1e4ee53f4bd75ea..b74df8e8bd5619e2d5fa1f2aa134e1732ffe107f 100644 (file)
@@ -44,12 +44,9 @@ bool Sip::convert(std::istringstream& data_stream)
     bool ports_set = false;
     auto& bind = cv.make_binder();
 
-    bind.set_when_proto("udp");
     bind.set_use_type("sip");
-
     table_api.open_table("sip");
 
-
     // parse the file configuration
     while (util::get_string(data_stream, keyword, ",;"))
     {