#include "util-logopenfile.h"
#include "util-time.h"
+#include "stream-tcp-reassemble.h"
+
#define DEFAULT_LOG_FILENAME "alert-debug.log"
#define MODULE_NAME "AlertDebugLog"
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");
if (p->flow != NULL) {
+ int applayer = 0;
FLOWLOCK_RDLOCK(p->flow);
+ applayer = StreamTcpAppLayerIsDisabled(p->flow);
CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
MemBufferWriteString(aft->buffer, "FLOW Start TS: %s\n", timebuf);
MemBufferWriteString(aft->buffer, "FLOW PKTS TODST: %"PRIu32"\n"
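Review bot: The local `applayer` declared at the top of the `if (p->flow != NULL)` block is named for the opposite of what it holds. It stores the result of `StreamTcpAppLayerIsDisabled()`, so non-zero means the app layer is off; `int applayer_disabled = 0;` would read correctly where the next hunk prints it as TRUE/FALSE. Because the helper returns 0 for every non-TCP flow, this field now always prints FALSE for UDP flows, which is worth a short comment such as `/* only tracked for TCP sessions */`. The enclosing function starts and ends outside the hunk.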
p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
- p->flow->flags & FLOW_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE",
+ applayer ? "TRUE" : "FALSE",
(p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
AlertDebugLogFlowVars(aft, p);
AlertDebugLogFlowBits(aft, (Packet *)p); /* < no const */
if (pstate->flags & APP_LAYER_PARSER_NO_INSPECTION) {
AppLayerParserSetEOF(pstate);
FlowSetNoPayloadInspectionFlag(f);
- FlowSetSessionNoApplayerInspectionFlag(f);
- /* Set the no reassembly flag for both the stream in this TcpSession */
- if (f->proto == IPPROTO_TCP && pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
- /* Used only if it's TCP */
- TcpSession *ssn = f->protoctx;
- if (ssn != NULL) {
- StreamTcpSetSessionNoReassemblyFlag(ssn,
- flags & STREAM_TOCLIENT ? 1 : 0);
- StreamTcpSetSessionNoReassemblyFlag(ssn,
- flags & STREAM_TOSERVER ? 1 : 0);
+ if (f->proto == IPPROTO_TCP) {
+ StreamTcpDisableAppLayer(f);
+
+ /* Set the no reassembly flag for both the stream in this TcpSession */
+ if (pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
+ /* Used only if it's TCP */
+ TcpSession *ssn = f->protoctx;
+ if (ssn != NULL) {
+ StreamTcpSetSessionNoReassemblyFlag(ssn,
+ flags & STREAM_TOCLIENT ? 1 : 0);
+ StreamTcpSetSessionNoReassemblyFlag(ssn,
+ flags & STREAM_TOSERVER ? 1 : 0);
+ }
}
}
}
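Review bot: For non-TCP flows, the `APP_LAYER_PARSER_NO_INSPECTION` branch no longer records any "app layer disabled" state. The removed `FlowSetSessionNoApplayerInspectionFlag(f)` ran for every protocol, while the new `if (f->proto == IPPROTO_TCP)` block only covers TCP. The `error:` hunk that follows has the same shape, and there no flow-level flag is visibly set for UDP at all. If any UDP path relied on the old flag to stop handing data to a parser that gave up or failed, that stop is gone; the callers are not visible here, so this needs checking. If the narrowing is intended, say so in place, e.g. `/* non-TCP flows: only FLOW_NOPAYLOAD_INSPECTION is set, app layer state is per TcpSession */`. The enclosing function starts outside the hunk.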
error:
/* Set the no app layer inspection flag for both
* the stream in this Flow */
- FlowSetSessionNoApplayerInspectionFlag(f);
+ if (f->proto == IPPROTO_TCP) {
+ StreamTcpDisableAppLayer(f);
+ }
AppLayerParserSetEOF(pstate);
SCReturnInt(-1);
}
}
SCMutexUnlock(&f->m);
- if (!(f->flags & FLOW_NO_APPLAYER_INSPECTION)) {
+ if (!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)) {
printf("flag should have been set, but is not: ");
goto end;
}
}
if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION) ||
- !(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
+ !(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) ||
!(((TcpSession *)f.protoctx)->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) ||
!(((TcpSession *)f.protoctx)->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
goto end;
}
if ((f.flags & FLOW_NOPAYLOAD_INSPECTION) ||
- (f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
+ (ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) ||
(((TcpSession *)f.protoctx)->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) ||
(((TcpSession *)f.protoctx)->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
goto end;
/***** L7 layer dispatchers *****/
-static void DisableAppLayer(Flow *f, TcpSession *ssn)
+static void DisableAppLayer(Flow *f)
{
- SCLogInfo("disable app layer for flow %p, ssn %p", f, ssn);
- FlowSetSessionNoApplayerInspectionFlag(f);
- StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
- StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
- StreamTcpDisableAppLayerReassembly(ssn);
+ SCLogDebug("disable app layer for flow %p", f);
+ StreamTcpDisableAppLayer(f);
}
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
uint8_t first_data_dir;
SCLogDebug("data_len %u flags %02X", data_len, flags);
- if (f->flags & FLOW_NO_APPLAYER_INSPECTION) {
- SCLogDebug("FLOW_AL_NO_APPLAYER_INSPECTION is set");
+ if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
+ SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
goto end;
}
}
}
if (ret < 0) {
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
goto failure;
}
}
if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_WRONG_DIRECTION_FIRST_DATA);
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
/* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
goto failure;
if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
SCLogDebug("midstream end pd %p", ssn);
/* midstream and toserver detection failed: give up */
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
goto end;
}
if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
(first_data_dir) && !(first_data_dir & flags))
{
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
goto failure;
}
if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
} else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
size_ts > 100000 && size_tc == 0)
{
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_PROTO_DETECTION_SKIPPED);
} else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
size_tc > 100000 && size_ts == 0)
{
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_PROTO_DETECTION_SKIPPED);
FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT))
{
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_PROTO_DETECTION_SKIPPED);
FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER))
{
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_PROTO_DETECTION_SKIPPED);
SCLogDebug("This flow/stream triggered a drop rule");
FlowSetNoPacketInspectionFlag(p2->flow);
DecodeSetNoPacketInspectionFlag(p2);
- FlowSetSessionNoApplayerInspectionFlag(p2->flow);
+ StreamTcpDisableAppLayer(p2->flow);
p2->action |= ACTION_DROP;
/* return the segments to the pool */
StreamTcpSessionPktFree(p2);
if (StreamTcpCheckFlowDrops(p2) == 1) {
FlowSetNoPacketInspectionFlag(p2->flow);
DecodeSetNoPacketInspectionFlag(p2);
- FlowSetSessionNoApplayerInspectionFlag(p2->flow);
+ StreamTcpDisableAppLayer(p2->flow);
p2->action |= ACTION_DROP;
/* return the segments to the pool */
StreamTcpSessionPktFree(p2);
#define FLOW_TOCLIENT_DROP_LOGGED 0x00004000
/** alproto detect done. Right now we need it only for udp */
#define FLOW_ALPROTO_DETECT_DONE 0x00008000
-#define FLOW_NO_APPLAYER_INSPECTION 0x00010000
+
+// vacany 1x
/** Pattern matcher alproto detection done */
#define FLOW_TS_PM_ALPROTO_DETECT_DONE 0x00020000
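Review bot: The placeholder comment `// vacany 1x` is misspelled and does not say which bit is free, so a later reader has to work it out from the neighbouring defines. The surrounding defines use `/** ... */` comments, so something like `/* 0x00010000 is vacant (was FLOW_NO_APPLAYER_INSPECTION) */` would match the file. It would also warn anyone reusing the bit that older code and saved state gave it a different meaning.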
static inline void FlowSetNoPacketInspectionFlag(Flow *);
static inline void FlowLockSetNoPayloadInspectionFlag(Flow *);
static inline void FlowSetNoPayloadInspectionFlag(Flow *);
-static inline void FlowSetSessionNoApplayerInspectionFlag(Flow *);
int FlowGetPacketDirection(const Flow *, const Packet *);
SCReturn;
}
-/** \brief set flow flag to disable app layer inspection
- *
- * \param f *LOCKED* flow
- */
-static inline void FlowSetSessionNoApplayerInspectionFlag(Flow *f)
-{
- f->flags |= FLOW_NO_APPLAYER_INSPECTION;
-}
-
/**
* \brief increase the use count of a flow
*
stream->seg_list_tail = NULL;
}
+/** \param f locked flow */
+void StreamTcpDisableAppLayer(Flow *f)
+{
+ if (f->protoctx == NULL)
+ return;
+
+ TcpSession *ssn = (TcpSession *)f->protoctx;
+ StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
+ StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
+ StreamTcpDisableAppLayerReassembly(ssn);
+}
+
+/** \param f locked flow */
+int StreamTcpAppLayerIsDisabled(Flow *f)
+{
+ if (f->protoctx == NULL || f->proto != IPPROTO_TCP)
+ return 0;
+
+ TcpSession *ssn = (TcpSession *)f->protoctx;
+ return (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
+}
+
typedef struct SegmentSizes_
{
uint16_t pktsize;
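Review bot: `StreamTcpDisableAppLayer()` casts `f->protoctx` to `TcpSession *` after only a NULL check, while `StreamTcpAppLayerIsDisabled()` just below also rejects `f->proto != IPPROTO_TCP`. The drop-rule hunks call it on `p2->flow` and `p->flow` with no protocol check of their own, so the helper should carry the guard itself: `if (f->protoctx == NULL || f->proto != IPPROTO_TCP) return;`. Those call sites are presumably TCP-only, but that is not visible here. Both functions would also benefit from a `\brief` line stating that the state lives on the TcpSession and that non-TCP flows are a no-op or report 0. `StreamTcpAppLayerIsDisabled()` only reads, so it could take `const Flow *f`, and returning `(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) ? 1 : 0` avoids relying on the flag's bit fitting in an `int`.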
void StreamTcpReassembleIncrMemuse(uint64_t size);
void StreamTcpReassembleDecrMemuse(uint64_t size);
int StreamTcpReassembleCheckMemcap(uint32_t size);
+
+void StreamTcpDisableAppLayer(Flow *f);
+int StreamTcpAppLayerIsDisabled(Flow *f);
+
#endif /* __STREAM_TCP_REASSEMBLE_H__ */
SCLogDebug("This flow/stream triggered a drop rule");
FlowSetNoPacketInspectionFlag(p->flow);
DecodeSetNoPacketInspectionFlag(p);
- FlowSetSessionNoApplayerInspectionFlag(p->flow);
+ StreamTcpDisableAppLayer(p->flow);
PACKET_DROP(p);
/* return the segments to the pool */
StreamTcpSessionPktFree(p);