From: Russ Combs (rucombs) Date: Tue, 17 Apr 2018 15:06:22 +0000 (-0400) Subject: Merge pull request #1189 in SNORT/snort3 from more_perf to master X-Git-Tag: 3.0.0-245~43 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0d09ae22636e02b4adfdd3252dbb1f8979c614e1;p=thirdparty%2Fsnort3.git Merge pull request #1189 in SNORT/snort3 from more_perf to master Squashed commit of the following: commit ec308cd55b2e2e32ae4db3eb969b5fd38e7bb63f Author: Russ Combs (rucombs) Date: Mon Apr 16 16:49:26 2018 -0400 stream_tcp: switch to splitter max commit 783c405bb721e48352db0a9e00946722c037231a Author: Russ Combs (rucombs) Date: Sat Apr 14 07:46:20 2018 -0400 spell check: fix memeory and indicies typos commit 9aa84591ec853873196ca1bb5dc85fddd043081a Author: Russ Combs (rucombs) Date: Fri Apr 13 21:41:02 2018 -0400 build: fix various warnings: file_decomp_pdf.cc: unreachable code return decompress/file_decomp_pdf.cc: implicit fallthrough stream.cc: warning: potential memory leaks memory_manager.cc: dangling references commit f07b179baae636ec9be6307fe3bbb0295aeba387 Author: Russ Combs (rucombs) Date: Thu Apr 12 09:27:50 2018 -0400 stream: be selective about flow creation for scans commit cdf528691f7aaeebb40a0b686ae46b7ff4651579 Author: Russ Combs (rucombs) Date: Wed Apr 11 21:25:31 2018 -0400 http_inspect: patch around regression failures until a permanent solution is implemented commit 7f57541f3e4d1c1aaf44807c358b858f9ede043c Author: Russ Combs (rucombs) Date: Fri Apr 6 17:17:56 2018 -0400 stream_tcp: tweak seglist cursor handling commit 417992054439d839d3651fc5adf1b08d836cd1d4 Author: Russ Combs (rucombs) Date: Wed Apr 11 07:41:35 2018 -0400 port_scan: include open ports with alerts instead of separate commit cf2e7d2ac36b3cf70ee8c7a55f932029755ddccb Author: Russ Combs Date: Sat Mar 31 12:41:53 2018 -0400 stream: remove usused ignore_any_rules from tcp and udp commit f5843c4d2ad6a439003afde1830c41900bc492bf Author: Russ Combs (rucombs) Date: Thu Apr 5 17:00:27 2018 
-0400 stream: respect tcp require_3whs commit c9bb1eb11d3060515bc26e8a393a1c963f47ae9c Author: Russ Combs (rucombs) Date: Thu Apr 5 11:44:15 2018 -0400 stream: refactor flow control for new PktTypes commit c9c5d239de87e9aa45925fde906d842f3ad2c33d Author: Russ Combs (rucombs) Date: Tue Apr 10 11:12:06 2018 -0400 search_engine: revert default detect_raw_tcp to false commit f0556f01cf98bfd8fef7494177ae6b33fde52b38 Author: Russ Combs (rucombs) Date: Thu Apr 5 09:57:27 2018 -0400 framework: remove bogus PktType for ARP and just use proto bits instead commit f84ee2cb693c94e243180b2f3a715cc564d2d329 Author: Russ Combs (rucombs) Date: Thu Apr 5 09:31:53 2018 -0400 framework: align PktType and proto bits commit f1f54c0fd3188460b1cb2e203cfb3c4789ed8e8a Author: Russ Combs (rucombs) Date: Mon Apr 2 06:14:05 2018 -0400 memory: disable with -DNO_MEM_MGR commit 6d070a4e8f17ae96f519cb833e356aaa7c3e6145 Author: Russ Combs (rucombs) Date: Mon Apr 2 06:13:42 2018 -0400 profile: disable with -DNO_PROFILER commit a7ddf1395e9c9e69eb2b5d72077c40cb5e7aac19 Author: Russ Combs Date: Sat Mar 31 13:04:24 2018 -0400 zhash: cleanup cruftiness
---
diff --git a/extra/src/inspectors/data_log/data_log.cc b/extra/src/inspectors/data_log/data_log.cc
index 0d7a19cda..ba6a2d0a9 100644
--- a/extra/src/inspectors/data_log/data_log.cc
+++ b/extra/src/inspectors/data_log/data_log.cc
@@ -235,7 +235,7 @@ static const InspectApi dl_api
 mod_dtor
 },
 IT_PASSIVE,
- (uint16_t)PktType::NONE,
+ PROTO_BIT__NONE,
 nullptr, // buffers
 nullptr, // service
 nullptr, // pinit
diff --git a/extra/src/inspectors/dpx/dpx.cc b/extra/src/inspectors/dpx/dpx.cc
index 028cc2fbd..c3a541b4b 100644
--- a/extra/src/inspectors/dpx/dpx.cc
+++ b/extra/src/inspectors/dpx/dpx.cc
@@ -180,7 +180,7 @@ static const InspectApi dpx_api
 mod_dtor
 },
 IT_NETWORK,
- (uint16_t)PktType::UDP,
+ PROTO_BIT__UDP,
 nullptr, // buffers
 nullptr, // service
 nullptr, // pinit
diff --git a/extra/src/inspectors/reg_test/reg_test.cc b/extra/src/inspectors/reg_test/reg_test.cc
index 14a8d59b7..226c1422a 100644
--- a/extra/src/inspectors/reg_test/reg_test.cc
+++ b/extra/src/inspectors/reg_test/reg_test.cc
@@ -288,7 +288,7 @@ static const InspectApi rti_api
 mod_dtor
 },
 IT_PACKET,
- (uint16_t)PktType::TCP | (uint16_t)PktType::UDP | (uint16_t)PktType::PDU,
+ PROTO_BIT__ANY_PDU,
 nullptr, // buffers
 s_name, // service
 reg_test_init, // pinit
diff --git a/extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc b/extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc
index 5c5b179d7..4f706ce20 100644
--- a/extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc
+++ b/extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc
@@ -76,7 +76,7 @@ bool PktNumOption::operator==(const IpsOption& ips) const
 
 IpsOption::EvalStatus PktNumOption::eval(Cursor&, Packet*)
 {
- ProfileContext profile(pkt_num_perf_stats);
+ Profile profile(pkt_num_perf_stats);
 
 if ( config.eval(get_packet_number()) )
 return MATCH;
diff --git a/src/codecs/ip/cd_tcp.cc b/src/codecs/ip/cd_tcp.cc
index be454f427..363384028 100644
--- a/src/codecs/ip/cd_tcp.cc
+++ b/src/codecs/ip/cd_tcp.cc
@@ -130,7 +130,7 @@ private:
 const uint8_t* const end,
 const int expected_len);
 
- void DecodeTCPOptions(const uint8_t*, uint32_t, CodecData&);
+ void DecodeTCPOptions(const uint8_t*, uint32_t, CodecData&, DecodeData&);
 void TCPMiscTests(const tcp::TCPHdr* const tcph,
 const DecodeData& snort,
 const CodecData& codec);
@@ -265,8 +265,10 @@ bool TcpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 uint16_t tcp_opt_len = (uint16_t)(tcph->hlen() - tcp::TCP_MIN_HEADER_LEN);
 
 if (tcp_opt_len > 0)
- DecodeTCPOptions((const uint8_t*)(raw.data + tcp::TCP_MIN_HEADER_LEN), tcp_opt_len, codec);
-
+ {
+ const uint8_t* opts = (const uint8_t*)(raw.data + tcp::TCP_MIN_HEADER_LEN);
+ DecodeTCPOptions(opts, tcp_opt_len, codec, snort);
+ }
 int dsize = raw.len - tcph->hlen();
 if (dsize < 0)
 dsize = 0;
@@ -344,7 +346,8 @@ bool TcpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 *
 * Returns: void function
 */
-void TcpCodec::DecodeTCPOptions(const uint8_t* start, uint32_t o_len, CodecData& codec)
+void TcpCodec::DecodeTCPOptions(
+ const uint8_t* start, uint32_t o_len, CodecData& codec, DecodeData& snort)
 {
 const uint8_t* const end_ptr = start + o_len; /* points to byte after last option */
 const tcp::TcpOption* opt = reinterpret_cast(start);
@@ -396,6 +399,7 @@ void TcpCodec::DecodeTCPOptions(const uint8_t* start, uint32_t o_len, CodecData&
 /* LOG INVALID WINDOWSCALE alert */
 codec_event(codec, DECODE_TCPOPT_WSCALE_INVALID);
 }
+ snort.decode_flags |= DECODE_WSCALE;
 }
 break;
 
diff --git a/src/codecs/link/cd_arp.cc b/src/codecs/link/cd_arp.cc
index 13587ba7f..60eb3d1b1 100644
--- a/src/codecs/link/cd_arp.cc
+++ b/src/codecs/link/cd_arp.cc
@@ -55,7 +55,6 @@ public:
 
 void get_protocol_ids(std::vector& v) override;
 bool decode(const RawData&, CodecData&, DecodeData&) override;
- void format(bool reverse, uint8_t* raw_pkt, DecodeData& snort) override;
 };
 
 } // anonymous namespace
@@ -65,7 +64,7 @@ void ArpCodec::get_protocol_ids(std::vector& v)
 v.push_back(ProtocolId::ETHERTYPE_REVARP);
 }
 
-bool ArpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
+bool ArpCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
 {
 if (raw.len < arp::ETHERARP_HDR_LEN)
 {
@@ -75,16 +74,10 @@ bool ArpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 
 codec.proto_bits |= PROTO_BIT__ARP;
 codec.lyr_len = arp::ETHERARP_HDR_LEN;
- snort.set_pkt_type(PktType::ARP);
 return true;
 }
 
-void ArpCodec::format(bool /*reverse*/, uint8_t* /*raw_pkt*/, DecodeData& snort)
-{
- snort.set_pkt_type(PktType::ARP);
-}
-
 //-------------------------------------------------------------------------
 // api
 //-------------------------------------------------------------------------
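Review bot: `snort.decode_flags |= DECODE_WSCALE;` is placed after the closing brace of the block that raises DECODE_TCPOPT_WSCALE_INVALID, so the flag is set whether or not the shift count was valid; flow_control.cc's want_flow reads it as "this SYN came from a stack that negotiates window scaling", which is a defensible meaning but should be stated at the point of assignment: `// option present (valid or not); flow_control uses this to tell real clients from bare-SYN scans`. The comment block above the new signature ends with `Returns: void function` and does not mention that `snort` is now written, so it should name the out-parameter. DecodeTCPOptions' body continues outside the hunk.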
diff --git a/src/decompress/file_decomp_pdf.cc b/src/decompress/file_decomp_pdf.cc
index 241d985ac..5ae26b116 100644
--- a/src/decompress/file_decomp_pdf.cc
+++ b/src/decompress/file_decomp_pdf.cc
@@ -24,6 +24,8 @@
 #include "file_decomp_pdf.h"
+#include
+
 #include "main/thread.h"
 #include "utils/util.h"
@@ -601,6 +603,7 @@ static inline fd_status_t Handle_State_IND_OBJ(fd_session_t* SessionPtr, uint8_t
 return( File_Decomp_Error );
 }
 }
+ // fallthrough
 case ( P_OBJ_EOL ):
 {
@@ -1134,7 +1137,8 @@ fd_status_t File_Decomp_PDF(fd_session_t* SessionPtr)
 } // switch()
 } // while()
 
- return( File_Decomp_OK );
+ // can not reach this point
+ assert(false);
 }
 
 //--------------------------------------------------------------------------
diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index 275dde47c..0b4a6f1dc 100644
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -289,7 +289,8 @@ bool DetectionEngine::offload(Packet* p)
 {
 ContextSwitcher* sw = Snort::get_switcher();
 
- if ( p->type() != PktType::PDU or (p->dsize < SnortConfig::get_conf()->offload_limit) or !sw->can_hold() )
+ if ( p->type() != PktType::PDU or (p->dsize < SnortConfig::get_conf()->offload_limit) or
+ !sw->can_hold() )
 {
 fp_local(p);
 return false;
diff --git a/src/file_api/file_flows.cc b/src/file_api/file_flows.cc
index a4df7afa4..6f8a8ddc4 100644
--- a/src/file_api/file_flows.cc
+++ b/src/file_api/file_flows.cc
@@ -332,7 +332,7 @@ static const InspectApi file_inspect_api =
 mod_dtor
 },
 IT_PASSIVE,
- (uint16_t)PktType::NONE,
+ PROTO_BIT__NONE,
 nullptr,
 "file",
 file_init,
diff --git a/src/file_api/file_log.cc b/src/file_api/file_log.cc
index e65ed3568..d91e1daa4 100644
--- a/src/file_api/file_log.cc
+++ b/src/file_api/file_log.cc
@@ -312,7 +312,7 @@ static const InspectApi fl_api
 mod_dtor
 },
 IT_PASSIVE,
- (uint16_t)PktType::NONE,
+ PROTO_BIT__NONE,
 nullptr, // buffers
 nullptr, // service
 nullptr, // pinit
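Review bot: Replacing `return( File_Decomp_OK );` with `assert(false);` leaves File_Decomp_PDF without a return statement on that path, and under NDEBUG the assert compiles to nothing, so if the enclosing while loop can ever fall through, control runs off the end of a non-void function — undefined behaviour rather than an error status. Keep an explicit return after the assert, `assert(false);` followed by `return( File_Decomp_Error );`, so a release build fails closed; the loop itself starts outside the hunk, so its exit conditions cannot be confirmed here. The `// fallthrough` comment added in the earlier hunk is only recognised by GCC's -Wimplicit-fallthrough when its spelling matches the compiler's patterns, so if other compilers are targeted the attribute form is the safer choice where the project's language level permits it.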
diff --git a/src/flow/flow.cc b/src/flow/flow.cc
index 9526a91e3..dc241b002 100644
--- a/src/flow/flow.cc
+++ b/src/flow/flow.cc
@@ -328,7 +328,7 @@ void Flow::set_direction(Packet* p)
 {
 if (ip_api->get_src()->fast_eq4(client_ip))
 {
- if ( !(p->proto_bits & (PROTO_BIT__TCP | PROTO_BIT__UDP)) )
+ if ( p->type() != PktType::TCP and p->type() != PktType::UDP )
 p->packet_flags |= PKT_FROM_CLIENT;
 
 else if (p->ptrs.sp == client_port)
@@ -339,7 +339,7 @@ void Flow::set_direction(Packet* p)
 }
 else if (ip_api->get_dst()->fast_eq4(client_ip))
 {
- if ( !(p->proto_bits & (PROTO_BIT__TCP | PROTO_BIT__UDP)) )
+ if ( p->type() != PktType::TCP and p->type() != PktType::UDP )
 p->packet_flags |= PKT_FROM_SERVER;
 
 else if (p->ptrs.dp == client_port)
@@ -353,7 +353,7 @@ void Flow::set_direction(Packet* p)
 {
 if (ip_api->get_src()->fast_eq6(client_ip))
 {
- if ( !(p->proto_bits & (PROTO_BIT__TCP | PROTO_BIT__UDP)) )
+ if ( p->type() != PktType::TCP and p->type() != PktType::UDP )
 p->packet_flags |= PKT_FROM_CLIENT;
 
 else if (p->ptrs.sp == client_port)
@@ -364,7 +364,7 @@ void Flow::set_direction(Packet* p)
 }
 else if (ip_api->get_dst()->fast_eq6(client_ip))
 {
- if ( !(p->proto_bits & (PROTO_BIT__TCP | PROTO_BIT__UDP)) )
+ if ( p->type() != PktType::TCP and p->type() != PktType::UDP )
 p->packet_flags |= PKT_FROM_SERVER;
 
 else if (p->ptrs.dp == client_port)
diff --git a/src/flow/flow.h b/src/flow/flow.h
index 6370a1301..7da690ea4 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -224,7 +224,7 @@ public:
 { return (ssn_state.session_flags & SSNFLAG_PROXIED) != 0; }
 
 bool is_stream()
- { return (to_utype(pkt_type) & to_utype(PktType::STREAM)) != 0; }
+ { return pkt_type == PktType::TCP or pkt_type == PktType::PDU; }
 
 void block()
 { ssn_state.session_flags |= SSNFLAG_BLOCK; }
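Review bot: The predicate `p->type() != PktType::TCP and p->type() != PktType::UDP` is now written out four times across these hunks (both fast_eq4 branches and both fast_eq6 branches); evaluating it once at the top of set_direction, e.g. `const bool no_ports = p->type() != PktType::TCP and p->type() != PktType::UDP;`, keeps the four branches in step the next time the set of port-bearing types changes. set_direction begins outside the hunk. In flow.h, is_stream's new body `pkt_type == PktType::TCP or pkt_type == PktType::PDU` replaces a single mask (PktType::STREAM) with an explicit list, so a one-line comment stating that TCP and PDU are the reassembled types would preserve the intent the old name carried.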
@@ -311,7 +311,7 @@ public:
 // FIXIT-M privatize if possible
 BitOp* bitop;
 FlowHAState* ha_state;
- uint8_t ip_proto; // FIXIT-M do we need both of these?
+ uint8_t ip_proto;
 PktType pkt_type; // ^^
 
 // these fields are always set; not zeroed
diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc
index 3ae234884..ae3c2170e 100644
--- a/src/flow/flow_control.cc
+++ b/src/flow/flow_control.cc
@@ -47,47 +47,18 @@ FlowControl::~FlowControl()
 {
 DetectionEngine de;
 
- delete ip_cache;
- delete icmp_cache;
- delete tcp_cache;
- delete udp_cache;
- delete user_cache;
- delete file_cache;
+ for ( int i = 0; i < to_utype(PktType::MAX); ++i )
+ {
+ delete proto[i].cache;
+ snort_free(proto[i].mem);
+ }
 delete exp_cache;
-
- snort_free(ip_mem);
- snort_free(icmp_mem);
- snort_free(tcp_mem);
- snort_free(udp_mem);
- snort_free(user_mem);
- snort_free(file_mem);
 }
 
 //-------------------------------------------------------------------------
 // count foo
 //-------------------------------------------------------------------------
 
-static THREAD_LOCAL PegCount ip_count = 0;
-static THREAD_LOCAL PegCount icmp_count = 0;
-static THREAD_LOCAL PegCount tcp_count = 0;
-static THREAD_LOCAL PegCount udp_count = 0;
-static THREAD_LOCAL PegCount user_count = 0;
-static THREAD_LOCAL PegCount file_count = 0;
-
-PegCount FlowControl::get_flows(PktType type)
-{
- switch ( type )
- {
- case PktType::IP: return ip_count;
- case PktType::ICMP: return icmp_count;
- case PktType::TCP: return tcp_count;
- case PktType::UDP: return udp_count;
- case PktType::PDU: return user_count;
- case PktType::FILE: return file_count;
- default: return 0;
- }
-}
-
 PegCount FlowControl::get_total_prunes(PktType type) const
 {
 auto cache = get_cache(type);
@@ -102,69 +73,22 @@ PegCount FlowControl::get_prunes(PktType type, PruneReason reason) const
 
 void FlowControl::clear_counts()
 {
- ip_count = icmp_count = 0;
- tcp_count = udp_count = 0;
- user_count = file_count = 0;
-
- FlowCache* cache;
-
- if ( (cache = get_cache(PktType::IP)) )
- cache->reset_stats();
-
- if ( (cache = get_cache(PktType::ICMP)) )
- cache->reset_stats();
-
- if ( (cache = get_cache(PktType::TCP)) )
- cache->reset_stats();
-
- if ( (cache = get_cache(PktType::UDP)) )
- cache->reset_stats();
-
- if ( (cache = get_cache(PktType::PDU)) )
- cache->reset_stats();
+ for ( int i = 0; i < to_utype(PktType::MAX); ++i )
+ {
+ if ( proto[i].cache )
+ proto[i].cache->reset_stats();
 
- if ( (cache = get_cache(PktType::FILE)) )
- cache->reset_stats();
+ proto[i].num_flows = 0;
+ }
 }
 
 //-------------------------------------------------------------------------
 // cache foo
 //-------------------------------------------------------------------------
 
-inline FlowCache* FlowControl::get_cache (PktType type)
-{
- switch ( type )
- {
- case PktType::IP: return ip_cache;
- case PktType::ICMP: return icmp_cache;
- case PktType::TCP: return tcp_cache;
- case PktType::UDP: return udp_cache;
- case PktType::PDU: return user_cache;
- case PktType::FILE: return file_cache;
- default: return nullptr;
- }
-}
-
-// FIXIT-L duplication of non-const method above
-inline const FlowCache* FlowControl::get_cache (PktType type) const
-{
- switch ( type )
- {
- case PktType::IP: return ip_cache;
- case PktType::ICMP: return icmp_cache;
- case PktType::TCP: return tcp_cache;
- case PktType::UDP: return udp_cache;
- case PktType::PDU: return user_cache;
- case PktType::FILE: return file_cache;
- default: return nullptr;
- }
-}
-
 Flow* FlowControl::find_flow(const FlowKey* key)
 {
- FlowCache* cache = get_cache(key->pkt_type);
-
- if ( cache )
+ if ( auto cache = get_cache(key->pkt_type) )
 return cache->find(key);
 
 return nullptr;
@@ -172,12 +96,10 @@ Flow* FlowControl::find_flow(const FlowKey* key)
 
 Flow* FlowControl::new_flow(const FlowKey* key)
 {
- FlowCache* cache = get_cache(key->pkt_type);
-
- if ( !cache )
- return nullptr;
+ if ( auto cache = get_cache(key->pkt_type) )
+ return cache->get(key);
 
- return cache->get(key);
+ return nullptr;
 }
 
 // FIXIT-L cache* can be put in flow so that lookups by
@@ -189,25 +111,19 @@ void FlowControl::delete_flow(const FlowKey* key)
 if ( !cache )
 return;
 
- Flow* flow = cache->find(key);
-
- if ( flow )
+ if ( auto flow = cache->find(key) )
 cache->release(flow, PruneReason::HA);
 }
 
 void FlowControl::delete_flow(Flow* flow, PruneReason reason)
 {
- FlowCache* cache = get_cache(flow->pkt_type);
-
- if ( cache )
+ if ( auto cache = get_cache(flow->pkt_type) )
 cache->release(flow, reason);
 }
 
 void FlowControl::purge_flows (PktType type)
 {
- FlowCache* cache = get_cache(type);
-
- if ( cache )
+ if ( auto cache = get_cache(type) )
 cache->purge();
 }
 
@@ -394,13 +310,95 @@ static void init_roles(Packet* p, Flow* flow)
 default: break;
 }
+ if ( flow->ssn_state.direction == FROM_CLIENT )
+ p->packet_flags |= PKT_FROM_CLIENT;
+ else
+ p->packet_flags |= PKT_FROM_SERVER;
+}
+
+//-------------------------------------------------------------------------
+// proto
+//-------------------------------------------------------------------------
+
+void FlowControl::init_proto(
+ PktType type, const FlowConfig& fc, InspectSsnFunc get_ssn)
+{
+ if ( !fc.max_sessions || !get_ssn )
+ return;
+
+ auto& con = proto[to_utype(type)];
+
+ con.cache = new FlowCache(fc);
+ con.mem = (Flow*)snort_calloc(fc.max_sessions, sizeof(Flow));
+
+ for ( unsigned i = 0; i < fc.max_sessions; ++i )
+ con.cache->push(con.mem + i);
+
+ con.get_ssn = get_ssn;
+ types.push_back(type);
+}
+
+// FIXIT-P apply more filtering logic here, eg require_3whs
+// delegate to stream inspectors but that requires binding
+// can't use session because goal is to avoid instantiation
+static bool want_flow(PktType type, Packet* p)
+{
+ if ( type != PktType::TCP )
+ return true;
+
+ if ( p->ptrs.tcph->is_rst() )
+ // guessing direction based on ports is misleading
+ return false;
+
+ if ( !p->ptrs.tcph->is_syn_only() or SnortConfig::get_conf()->track_on_syn() or
+ (p->ptrs.decode_flags & DECODE_WSCALE) )
+ return true;
+
+ p->packet_flags |= PKT_FROM_CLIENT;
+ return false;
+}
+
+bool FlowControl::process(PktType type, Packet* p)
+{
+ auto& con = proto[to_utype(type)];
+
+ if ( !con.cache )
+ return false;
+
+ FlowKey key;
+ set_key(&key, p);
+ Flow* flow = con.cache->find(&key);
+
+ if ( !flow )
+ {
+ if ( !want_flow(type, p) )
+ return true;
+
+ flow = con.cache->get(&key);
+
+ if ( !flow )
+ return true;
+ }
+ if ( !flow->session )
+ {
+ flow->init(type);
+ flow->session = con.get_ssn(flow);
+ }
+
+ con.num_flows += process(flow, p);
+
+ // FIXIT-M refactor to unlink_uni immediately after session
+ // is processed by inspector manager (all flows)
+ if ( flow->next && is_bidirectional(flow) )
+ con.cache->unlink_uni(flow);
+
+ return true;
 }
 
 unsigned FlowControl::process(Flow* flow, Packet* p)
 {
 unsigned news = 0;
- assert ( flow );
 flow->previous_ssn_state = flow->ssn_state;
 p->flow = flow;
@@ -408,6 +406,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
 last_pkt_type = p->type();
 preemptive_cleanup();
+ flow->set_direction(p);
 flow->session->precheck(p);
@@ -433,8 +432,6 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
 ++news;
 }
 
- flow->set_direction(p);
-
 // This requires the packet direction to be set
 if ( p->proto_bits & PROTO_BIT__MPLS )
 flow->set_mpls_layer_per_dir(p);
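Review bot: `FlowControl::process(PktType, Packet*)` returns false only when the type has no cache and true in every other case — a flow was processed, want_flow declined to create one, or `con.cache->get` came back empty — so the caller cannot tell "handled" from "skipped", and neither the definition here nor the declaration in flow_control.h says so. Add `// returns false if no cache is configured for type; true otherwise, even when no flow was created` above the definition. want_flow dereferences `p->ptrs.tcph` without a check; presumably it is always set for PktType::TCP, but an `assert(p->ptrs.tcph);` would record that precondition at the one place that gates flow allocation. Because the DECODE_WSCALE test exempts any SYN carrying a window-scale option, the filter only withholds flows from option-less bare SYNs, so the FIXIT-P comment should describe it as a scan heuristic rather than a resource-exhaustion guard, with track_on_syn as the explicit override.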
@@ -485,272 +482,6 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
 return news;
 }
 
-//-------------------------------------------------------------------------
-// ip
-//-------------------------------------------------------------------------
-
-void FlowControl::init_ip(
- const FlowConfig& fc, InspectSsnFunc get_ssn)
-{
- if ( !fc.max_sessions || !get_ssn )
- return;
-
- ip_cache = new FlowCache(fc);
- ip_mem = (Flow*)snort_calloc(fc.max_sessions, sizeof(Flow));
-
- for ( unsigned i = 0; i < fc.max_sessions; ++i )
- ip_cache->push(ip_mem + i);
-
- get_ip = get_ssn;
- types.push_back(PktType::IP);
-}
-
-void FlowControl::process_ip(Packet* p)
-{
- if ( !ip_cache )
- return;
-
- FlowKey key;
- set_key(&key, p);
- Flow* flow = ip_cache->get(&key);
-
- if ( !flow )
- return;
-
- if ( !flow->session )
- {
- flow->init(PktType::IP);
- flow->session = get_ip(flow);
- }
-
- ip_count += process(flow, p);
-
- if ( flow->next && is_bidirectional(flow) )
- ip_cache->unlink_uni(flow);
-}
-
-//-------------------------------------------------------------------------
-// icmp
-//-------------------------------------------------------------------------
-
-void FlowControl::init_icmp(
- const FlowConfig& fc, InspectSsnFunc get_ssn)
-{
- if ( !fc.max_sessions || !get_ssn )
- return;
-
- icmp_cache = new FlowCache(fc);
- icmp_mem = (Flow*)snort_calloc(fc.max_sessions, sizeof(Flow));
-
- for ( unsigned i = 0; i < fc.max_sessions; ++i )
- icmp_cache->push(icmp_mem + i);
-
- get_icmp = get_ssn;
- types.push_back(PktType::ICMP);
-}
-
-void FlowControl::process_icmp(Packet* p)
-{
- if ( !icmp_cache )
- {
- process_ip(p);
- return;
- }
-
- FlowKey key;
- set_key(&key, p);
- Flow* flow = icmp_cache->get(&key);
-
- if ( !flow )
- return;
-
- if ( !flow->session )
- {
- flow->init(PktType::ICMP);
- flow->session = get_icmp(flow);
- }
-
- icmp_count += process(flow, p);
-
- if ( flow->next && is_bidirectional(flow) )
- icmp_cache->unlink_uni(flow);
-}
-
-//-------------------------------------------------------------------------
-// tcp
-//-------------------------------------------------------------------------
-
-void FlowControl::init_tcp(
- const FlowConfig& fc, InspectSsnFunc get_ssn)
-{
- if ( !fc.max_sessions || !get_ssn )
- return;
-
- tcp_cache = new FlowCache(fc);
- tcp_mem = (Flow*)snort_calloc(fc.max_sessions, sizeof(Flow));
-
- for ( unsigned i = 0; i < fc.max_sessions; ++i )
- tcp_cache->push(tcp_mem + i);
-
- get_tcp = get_ssn;
- types.push_back(PktType::TCP);
-}
-
-void FlowControl::process_tcp(Packet* p)
-{
- if ( !tcp_cache )
- return;
-
- FlowKey key;
- set_key(&key, p);
- Flow* flow = tcp_cache->get(&key);
-
- if ( !flow )
- return;
-
- if ( !flow->session )
- {
- flow->init(PktType::TCP);
- flow->session = get_tcp(flow);
- }
-
- tcp_count += process(flow, p);
-
- // FIXIT-M refactor to unlink_uni immediately after session
- // is processed by inspector manager (all flows)
- if ( flow->next && is_bidirectional(flow) )
- tcp_cache->unlink_uni(flow);
-}
-
-//-------------------------------------------------------------------------
-// udp
-//-------------------------------------------------------------------------
-
-void FlowControl::init_udp(
- const FlowConfig& fc, InspectSsnFunc get_ssn)
-{
- if ( !fc.max_sessions || !get_ssn )
- return;
-
- udp_cache = new FlowCache(fc);
- udp_mem = (Flow*)snort_calloc(fc.max_sessions, sizeof(Flow));
-
- for ( unsigned i = 0; i < fc.max_sessions; ++i )
- udp_cache->push(udp_mem + i);
-
- get_udp = get_ssn;
- types.push_back(PktType::UDP);
-}
-
-void FlowControl::process_udp(Packet* p)
-{
- if ( !udp_cache )
- return;
-
- FlowKey key;
- set_key(&key, p);
- Flow* flow = udp_cache->get(&key);
-
- if ( !flow )
- return;
-
- if ( !flow->session )
- {
- flow->init(PktType::UDP);
- flow->session = get_udp(flow);
- }
-
- udp_count += process(flow, p);
-
- if ( flow->next && is_bidirectional(flow) )
- udp_cache->unlink_uni(flow);
-}
-
-//-------------------------------------------------------------------------
-// user
-//-------------------------------------------------------------------------
-
-void FlowControl::init_user(
- const FlowConfig& fc, InspectSsnFunc get_ssn)
-{
- if ( !fc.max_sessions || !get_ssn )
- return;
-
- user_cache = new FlowCache(fc);
- user_mem = (Flow*)snort_calloc(fc.max_sessions, sizeof(Flow));
-
- for ( unsigned i = 0; i < fc.max_sessions; ++i )
- user_cache->push(user_mem + i);
-
- get_user = get_ssn;
- types.push_back(PktType::PDU);
-}
-
-void FlowControl::process_user(Packet* p)
-{
- if ( !user_cache )
- return;
-
- FlowKey key;
- set_key(&key, p);
- Flow* flow = user_cache->get(&key);
-
- if ( !flow )
- return;
-
- if ( !flow->session )
- {
- flow->init(PktType::PDU);
- flow->session = get_user(flow);
- }
-
- user_count += process(flow, p);
-
- if ( flow->next && is_bidirectional(flow) )
- user_cache->unlink_uni(flow);
-}
-
-//-------------------------------------------------------------------------
-// file
-//-------------------------------------------------------------------------
-
-void FlowControl::init_file(
- const FlowConfig& fc, InspectSsnFunc get_ssn)
-{
- if ( !fc.max_sessions || !get_ssn )
- return;
-
- file_cache = new FlowCache(fc);
- file_mem = (Flow*)snort_calloc(fc.max_sessions, sizeof(Flow));
-
- for ( unsigned i = 0; i < fc.max_sessions; ++i )
- file_cache->push(file_mem + i);
-
- get_file = get_ssn;
- types.push_back(PktType::FILE);
-}
-
-void FlowControl::process_file(Packet* p)
-{
- if ( !file_cache )
- return;
-
- FlowKey key;
- set_key(&key, p);
- Flow* flow = file_cache->get(&key);
-
- if ( !flow )
- return;
-
- if ( !flow->session )
- {
- flow->init(PktType::FILE);
- flow->session = get_file(flow);
- }
-
- file_count += process(flow, p);
-}
-
 //-------------------------------------------------------------------------
 // expected
 //-------------------------------------------------------------------------
diff --git a/src/flow/flow_control.h b/src/flow/flow_control.h
index 3966c4ff2..e9a03d4ef 100644
--- a/src/flow/flow_control.h
+++ b/src/flow/flow_control.h
@@ -52,22 +52,12 @@ public:
 ~FlowControl();
 
 public:
- void process_ip(snort::Packet*);
- void process_icmp(snort::Packet*);
- void process_tcp(snort::Packet*);
- void process_udp(snort::Packet*);
- void process_user(snort::Packet*);
- void process_file(snort::Packet*);
+ bool process(PktType, snort::Packet*);
 
 snort::Flow* find_flow(const snort::FlowKey*);
 snort::Flow* new_flow(const snort::FlowKey*);
 
- void init_ip(const FlowConfig&, snort::InspectSsnFunc);
- void init_icmp(const FlowConfig&, snort::InspectSsnFunc);
- void init_tcp(const FlowConfig&, snort::InspectSsnFunc);
- void init_udp(const FlowConfig&, snort::InspectSsnFunc);
- void init_user(const FlowConfig&, snort::InspectSsnFunc);
- void init_file(const FlowConfig&, snort::InspectSsnFunc);
+ void init_proto(PktType, const FlowConfig&, snort::InspectSsnFunc);
 void init_exp(uint32_t max);
 
 void delete_flow(const snort::FlowKey*);
@@ -92,15 +82,20 @@ public:
 const snort::SfIp *dstIP, uint16_t dstPort, SnortProtocolId snort_protocol_id, snort::FlowData*);
- PegCount get_flows(PktType);
+ PegCount get_flows(PktType pt)
+ { return proto[to_utype(pt)].num_flows; }
+
 PegCount get_total_prunes(PktType) const;
 PegCount get_prunes(PktType, PruneReason) const;
 void clear_counts();
 private:
- FlowCache* get_cache(PktType);
- const FlowCache* get_cache(PktType) const;
+ FlowCache* get_cache(PktType pt)
+ { return proto[to_utype(pt)].cache; }
+
+ const FlowCache* get_cache(PktType pt) const
+ { return proto[to_utype(pt)].cache; }
 void set_key(snort::FlowKey*, snort::Packet*);
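Review bot: The new inline `get_flows`, `get_cache` and `get_cache const` index `proto[to_utype(pt)]` unconditionally, whereas the switch statements they replace returned 0 or nullptr for any PktType they did not recognise; with the array sized by PktType::MAX, a caller passing PktType::MAX (or a value produced by casting an integer) now reads past the end of the array. An `assert(pt < PktType::MAX);` in each accessor, or a range check that returns the old default, keeps the contract explicit — the header's include set is outside this hunk, so <cassert> may need adding. `bool process(PktType, snort::Packet*)` also lands in the header without a comment describing when it returns false.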
@@ -108,27 +103,13 @@ private:
 void preemptive_cleanup();
 
 private:
- FlowCache* ip_cache = nullptr;
- FlowCache* icmp_cache = nullptr;
- FlowCache* tcp_cache = nullptr;
- FlowCache* udp_cache = nullptr;
- FlowCache* user_cache = nullptr;
- FlowCache* file_cache = nullptr;
-
- // preallocated arrays
- snort::Flow* ip_mem = nullptr;
- snort::Flow* icmp_mem = nullptr;
- snort::Flow* tcp_mem = nullptr;
- snort::Flow* udp_mem = nullptr;
- snort::Flow* user_mem = nullptr;
- snort::Flow* file_mem = nullptr;
-
- snort::InspectSsnFunc get_ip = nullptr;
- snort::InspectSsnFunc get_icmp = nullptr;
- snort::InspectSsnFunc get_tcp = nullptr;
- snort::InspectSsnFunc get_udp = nullptr;
- snort::InspectSsnFunc get_user = nullptr;
- snort::InspectSsnFunc get_file = nullptr;
+ struct
+ {
+ FlowCache* cache = nullptr;
+ snort::Flow* mem = nullptr;
+ snort::InspectSsnFunc get_ssn = nullptr;
+ PegCount num_flows = 0;
+ } proto[to_utype(PktType::MAX)];
 
 class ExpectCache* exp_cache = nullptr;
 PktType last_pkt_type = PktType::NONE;
diff --git a/src/flow/session.h b/src/flow/session.h
index 5e905ebbb..22b95cf42 100644
--- a/src/flow/session.h
+++ b/src/flow/session.h
@@ -23,6 +23,7 @@
 // Session is an abstract base class for the various protocol subclasses.
 // the subclasses do the actual work of tracking, reassembly, etc.
 
+#include
 #include "stream/stream.h"
 
 namespace snort
@@ -59,7 +60,7 @@ public:
 virtual void flush_talker(snort::Packet*, bool /*final_flush */ = false) { }
 virtual void flush_listener(snort::Packet*, bool /*final_flush */ = false) { }
 
- virtual void set_splitter(bool /*c2s*/, snort::StreamSplitter*) { }
+ virtual void set_splitter(bool /*c2s*/, snort::StreamSplitter*) { assert(false); }
 virtual snort::StreamSplitter* get_splitter(bool /*c2s*/) { return nullptr; }
 
 virtual void set_extra_data(snort::Packet*, uint32_t /*flag*/) { }
diff --git a/src/framework/codec.h b/src/framework/codec.h
index 7434e760e..4a89ace1f 100644
--- a/src/framework/codec.h
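Review bot: The base-class `set_splitter` now hits `assert(false)`, which makes a missing override fatal in debug builds but remains a silent no-op under NDEBUG, so in a release build a splitter handed to a session that does not override it is still dropped without any indication. A one-line comment above it states the contract for both configurations: `// subclasses that reassemble must override; the base never accepts a splitter`. The added `#include` line has lost its header name in this rendering (presumably the header providing assert), so the patch as shown here cannot be applied verbatim.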
+++ b/src/framework/codec.h
@@ -126,7 +126,7 @@ struct CodecData
 /* Reset before each decode of packet begins */
 /* Codec specific fields. These fields are only relevant to codecs. */
- uint16_t proto_bits; /* protocols contained within this packet
+ uint32_t proto_bits; /* protocols contained within this packet
 -- will be propogated to Snort++ Packet struct*/
 uint16_t codec_flags; /* flags used while decoding */
 uint8_t ip_layer_cnt;
diff --git a/src/framework/decode_data.h b/src/framework/decode_data.h
index 0b1da80cf..2b7208257 100644
--- a/src/framework/decode_data.h
+++ b/src/framework/decode_data.h
@@ -44,21 +44,41 @@ struct ICMPHdr;
 /* NOTE: if A protocol is added, update DecodeFlags! */
 enum class PktType : std::uint8_t
 {
- NONE= 0x00,
- IP = 0x01,
- TCP = 0x02,
- UDP = 0x04,
- ICMP = 0x08,
- ARP = 0x10,
- PDU = 0x20,
- FILE = 0x40,
- STREAM = 0x22,
- ANY_IP = 0x0F,
- ANY_SSN = 0x6F,
- ANY = 0x7F,
-// FREE = 0x80,
+ NONE, IP, TCP, UDP, ICMP, PDU, FILE, MAX
 };
 
+// the first several of these bits must map to PktType
+// eg PROTO_BIT__IP == BIT(PktType::IP), etc.
+#define PROTO_BIT__NONE 0x00000
+#define PROTO_BIT__IP 0x00001
+#define PROTO_BIT__TCP 0x00002
+#define PROTO_BIT__UDP 0x00004
+#define PROTO_BIT__ICMP 0x00008
+#define PROTO_BIT__PDU 0x00010
+#define PROTO_BIT__FILE 0x00020
+#define PROTO_BIT__ARP 0x00040
+#define PROTO_BIT__TEREDO 0x00080
+#define PROTO_BIT__GTP 0x00100
+#define PROTO_BIT__MPLS 0x00200
+#define PROTO_BIT__VLAN 0x00400
+#define PROTO_BIT__ETH 0x00800
+#define PROTO_BIT__TCP_EMBED_ICMP 0x01000
+#define PROTO_BIT__UDP_EMBED_ICMP 0x02000
+#define PROTO_BIT__ICMP_EMBED_ICMP 0x04000
+#define PROTO_BIT__ICMP_EMBED_OTHER 0x08000
+#define PROTO_BIT__IP6_EXT 0x10000
+#define PROTO_BIT__OTHER 0x20000
+#define PROTO_BIT__ALL 0x3FFFF
+
+#define PROTO_BIT__ICMP_EMBED \
+ (PROTO_BIT__TCP_EMBED_ICMP | PROTO_BIT__UDP_EMBED_ICMP | \
+ PROTO_BIT__ICMP_EMBED_ICMP | PROTO_BIT__ICMP_EMBED_OTHER)
+
+#define PROTO_BIT__ANY_IP (PROTO_BIT__IP | PROTO_BIT__TCP | PROTO_BIT__UDP | PROTO_BIT__ICMP)
+#define PROTO_BIT__ANY_PDU (PROTO_BIT__TCP | PROTO_BIT__UDP | PROTO_BIT__PDU)
+#define PROTO_BIT__ANY_SSN (PROTO_BIT__ANY_IP | PROTO_BIT__PDU | PROTO_BIT__FILE)
+#define PROTO_BIT__ANY_TYPE (PROTO_BIT__ANY_SSN | PROTO_BIT__ARP)
+
 enum DecodeFlags : std::uint16_t
 {
 DECODE_ERR_CKSUM_IP = 0x0001, // error flags
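Review bot: The comment `the first several of these bits must map to PktType` states an invariant that inspector.cc now depends on (`BIT((uint16_t)p->type()) & api->proto_bits`), yet nothing ties the enumerators to the #defines, so an insertion in either list silently breaks `likes()`. From the values on this page the relation is PROTO_BIT__X == 1 << (PktType::X - 1) for IP, TCP, UDP, ICMP, PDU and FILE; pin each one with a static_assert next to the defines, e.g. `static_assert(PROTO_BIT__TCP == (1u << (static_cast<unsigned>(PktType::TCP) - 1)), "PROTO_BIT__TCP must track PktType::TCP");`. The context comment `/* NOTE: if A protocol is added, update DecodeFlags! */` presumably refers to the list that now lives in these defines rather than in DecodeFlags, so it should be pointed at PROTO_BIT__ as well.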
@@ -79,32 +99,10 @@ enum DecodeFlags : std::uint16_t
 DECODE_C2S = 0x0100, // user - client to server
 DECODE_SOF = 0x0200, // user - start of flow
 DECODE_EOF = 0x0400, // user - end of flow
- DECODE_GTP = 0x0800, // gtp encap
-};
+ DECODE_GTP = 0x0800,
 
-// FIXIT-L make this an enum!!
-#define PROTO_BIT__NONE 0x0000
-#define PROTO_BIT__IP 0x0001
-#define PROTO_BIT__ARP 0x0002
-#define PROTO_BIT__TCP 0x0004
-#define PROTO_BIT__UDP 0x0008
-#define PROTO_BIT__ICMP 0x0010
-#define PROTO_BIT__TEREDO 0x0020
-#define PROTO_BIT__GTP 0x0040
-#define PROTO_BIT__MPLS 0x0080
-#define PROTO_BIT__VLAN 0x0100
-#define PROTO_BIT__ETH 0x0200
-#define PROTO_BIT__TCP_EMBED_ICMP 0x0400
-#define PROTO_BIT__UDP_EMBED_ICMP 0x0800
-#define PROTO_BIT__ICMP_EMBED_ICMP 0x1000
-#define PROTO_BIT__ICMP_EMBED_OTHER 0x2000
-#define PROTO_BIT__ICMP_EMBED \
- (PROTO_BIT__TCP_EMBED_ICMP | PROTO_BIT__UDP_EMBED_ICMP | \
- PROTO_BIT__ICMP_EMBED_ICMP | PROTO_BIT__ICMP_EMBED_OTHER)
-#define PROTO_BIT__IP6_EXT 0x4000
-#define PROTO_BIT__FREE 0x0000 /* No proto bits free */
-#define PROTO_BIT__OTHER 0x8000 // FIXIT-L delete this after porting is still unused
-#define PROTO_BIT__ALL 0xffff
+ DECODE_WSCALE = 0x1000,
+};
 
 struct DecodeData
 {
diff --git a/src/framework/inspector.cc b/src/framework/inspector.cc
index 68f704122..5e5df13f8 100644
--- a/src/framework/inspector.cc
+++ b/src/framework/inspector.cc
@@ -101,7 +101,7 @@ StreamSplitter* Inspector::get_splitter(bool to_server)
 
 bool Inspector::likes(Packet* p)
 {
- if ( !((uint16_t)p->type() & api->proto_bits) )
+ if ( !(BIT((uint16_t)p->type()) & api->proto_bits) )
 return false;
 
 if ( p->is_tcp() && api->type == IT_SERVICE )
diff --git a/src/framework/inspector.h b/src/framework/inspector.h
index a18ad9898..130577b5f 100644
--- a/src/framework/inspector.h
+++ b/src/framework/inspector.h
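Review bot: `DECODE_WSCALE = 0x1000,` is the only DecodeFlags entry without a trailing description, and the one place it is set (cd_tcp.cc, after the invalid-scale check) does so whether or not the scale factor was valid; give it the same treatment as its neighbours, `DECODE_WSCALE = 0x1000, // tcp window scale option present (valid or not)`. The rewritten `DECODE_GTP = 0x0800,` line also lost its `// gtp encap` comment; restoring it keeps the list self-describing.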
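Review bot: `BIT((uint16_t)p->type())` is now evaluated for every packet, including those whose type is PktType::NONE (0) — which after the cd_arp.cc hunks includes ARP — and whether BIT(0) is well defined depends on the macro (if it is the usual `1 << (i - 1)`, that is a negative shift and undefined behaviour). Before this change `(uint16_t)PktType::NONE & api->proto_bits` was simply 0, so an explicit `if ( p->type() == PktType::NONE ) return false;` ahead of the test preserves the old result without depending on the macro's handling of zero. If inspectors registered with PROTO_BIT__ARP are meant to see ARP packets, that needs a separate proto_bits check here, since ARP is no longer a PktType. likes() continues outside the hunk.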
@@ -189,7 +189,7 @@ struct InspectApi { BaseApi base; InspectorType type; - uint16_t proto_bits; + uint32_t proto_bits; const char** buffers; // null terminated list of exported buffers const char* service; // nullptr when type != IT_SERVICE diff --git a/src/hash/zhash.cc b/src/hash/zhash.cc index 00054dc4e..ecd77fe6d 100644 --- a/src/hash/zhash.cc +++ b/src/hash/zhash.cc @@ -197,15 +197,14 @@ void ZHash::move_to_front(ZHashNode* node) } } -ZHashNode* ZHash::find_node_row(const void* key, int* rindex) +ZHashNode* ZHash::find_node_row(const void* key, int& row) { unsigned hashkey = hashfcn->hash_fcn( hashfcn, (const unsigned char*)key, keysize); // Modulus is slow; use a table size that is a power of 2. int index = hashkey & (nrows - 1); - - *rindex = index; + row = index; for ( ZHashNode* node=table[index]; node; node=node->next ) // UNINITUSE { @@ -313,8 +312,8 @@ void* ZHash::pop() void* ZHash::get(const void* key, bool *new_node) { - int index = 0; - ZHashNode* node = find_node_row(key, &index); + int row; + ZHashNode* node = find_node_row(key, row); if ( node ) return node->data; @@ -324,9 +323,9 @@ void* ZHash::get(const void* key, bool *new_node) if ( !node ) return nullptr; - memcpy(node->key,key,keysize); + memcpy(node->key, key, keysize); - node->rindex = index; + node->rindex = row; link_node (node); glink_node(node); @@ -340,8 +339,8 @@ void* ZHash::get(const void* key, bool *new_node) void* ZHash::find(const void* key) { - int rindex = 0; - ZHashNode* node = find_node_row(key, &rindex); + int row; + ZHashNode* node = find_node_row(key, row); if ( node ) return node->data; @@ -410,8 +409,8 @@ bool ZHash::remove() bool ZHash::remove(const void* key) { - int row = 0; - ZHashNode* node = find_node_row(key, &row); + int row; + ZHashNode* node = find_node_row(key, row); return remove(node); } diff --git a/src/hash/zhash.h b/src/hash/zhash.h index 711f353cd..a271a29e9 100644 --- a/src/hash/zhash.h +++ b/src/hash/zhash.h 
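Review bot: In `ZHash::remove(const void* key)` and `ZHash::find(const void* key)` the new `int row;` is written by `find_node_row` and never read, exactly as the old pointer form was; now that the reference out-param is mandatory, either add an overload without it or mark the intent, e.g. `int row; // written by find_node_row, only get() needs it`. The row selection `hashkey & (nrows - 1)` in `find_node_row` is only a valid index when `nrows` is a power of two, as its comment says; that invariant is established wherever `nrows` is set, outside this hunk, and deserves an `assert((nrows & (nrows - 1)) == 0);` there so a bad table size cannot turn into an out-of-bounds row.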
@@ -56,7 +56,7 @@ public: private: ZHashNode* get_free_node(); - ZHashNode* find_node_row(const void*, int*); + ZHashNode* find_node_row(const void*, int&); void glink_node(ZHashNode*); void gunlink_node(ZHashNode*); diff --git a/src/ips_options/ips_flowbits.cc b/src/ips_options/ips_flowbits.cc index 508b32c10..21e40abed 100644 --- a/src/ips_options/ips_flowbits.cc +++ b/src/ips_options/ips_flowbits.cc @@ -405,10 +405,7 @@ static IpsOption::EvalStatus check_flowbits( BitOp* bitop = get_flow_bitop(p); if (!bitop) - { - assert(false); return IpsOption::NO_MATCH; - } switch (type) { diff --git a/src/main/modules.cc b/src/main/modules.cc index 16da1cdc4..b6c9a8af5 100644 --- a/src/main/modules.cc +++ b/src/main/modules.cc @@ -239,7 +239,7 @@ static const Parameter search_engine_params[] = { "max_queue_events", Parameter::PT_INT, "2:100", "5", // upper bound is MAX_EVENT_MATCH "maximum number of matching fast pattern states to queue per packet" }, - { "detect_raw_tcp", Parameter::PT_BOOL, nullptr, "true", + { "detect_raw_tcp", Parameter::PT_BOOL, nullptr, "false", "detect on TCP payload before reassembly" }, { "search_method", Parameter::PT_DYNAMIC, (void*)&get_search_methods, "ac_bnfa", diff --git a/src/main/snort_config.h b/src/main/snort_config.h index 5b904ed48..31c4f33ae 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -72,6 +72,7 @@ enum RunFlag RUN_FLAG__PIGLET = 0x01000000, #endif RUN_FLAG__MEM_CHECK = 0x02000000, + RUN_FLAG__TRACK_ON_SYN = 0x04000000, }; enum OutputFlag @@ -650,6 +651,9 @@ public: return get_conf()->enable_packet_trace; } + bool track_on_syn() const + { return (run_flags & RUN_FLAG__TRACK_ON_SYN) != 0; } + // Use this to access current thread's conf from other units static void set_conf(SnortConfig*); diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc index b0bfab1a7..5c0e8773e 100644 --- a/src/managers/inspector_manager.cc +++ b/src/managers/inspector_manager.cc 
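Review bot: Removing the `assert(false)` makes a null `bitop` an expected path in `check_flowbits`, but the `return IpsOption::NO_MATCH` sits ahead of the `switch (type)` (which continues outside the hunk) and so applies to every flowbits mode alike; if a negative test such as isnotset is among those modes, a packet with no flow state now answers "no match" where "bit is not set" would be the natural answer, and rules written in that form silently lose coverage on flowless traffic. State the contract at the early return, e.g. `// no flow => no bit state: every flowbits test, including negative ones, fails closed`, and consider a peg counter if this is expected in production rather than only in tests.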
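Review bot: Flipping the `detect_raw_tcp` default to `"false"` changes detection coverage, not only cost, and the help string `detect on TCP payload before reassembly` does not say so: with the new default a segment's payload is presumably only matched once stream_tcp has reassembled it, so content rules no longer see segments that never reach reassembly. Extend the help text so the trade-off is visible in the generated docs, e.g. `"detect on TCP payload before reassembly (false: content is matched only on reassembled data; set true to also inspect raw segments)"`, and call out the default change in the changelog so deployments that relied on packet-level matching can re-enable it deliberately.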
@@ -573,7 +573,7 @@ InspectSsnFunc InspectorManager::get_session(uint16_t proto) { for ( auto* p : s_handlers ) { - if ( p->api.type == IT_STREAM && p->api.proto_bits == proto && !p->init ) + if ( p->api.type == IT_STREAM and p->api.proto_bits == proto and !p->init ) return p->api.ssn; } return nullptr; @@ -753,18 +753,18 @@ static void instantiate_binder(SnortConfig* sc, FrameworkPolicy* fp) const char* t = api.base.name; m->add(s, t); - tcp = tcp || (api.proto_bits & (unsigned)PktType::TCP); - udp = udp || (api.proto_bits & (unsigned)PktType::UDP); - pdu = pdu || (api.proto_bits & (unsigned)PktType::PDU); + tcp = tcp or (api.proto_bits & PROTO_BIT__TCP); + udp = udp or (api.proto_bits & PROTO_BIT__UDP); + pdu = pdu or (api.proto_bits & PROTO_BIT__PDU); } if ( tcp or pdu ) - m->add((unsigned)PktType::TCP, wiz_id); + m->add(PROTO_BIT__TCP, wiz_id); if ( udp ) - m->add((unsigned)PktType::UDP, wiz_id); + m->add(PROTO_BIT__UDP, wiz_id); if ( tcp or udp or pdu ) - m->add((unsigned)PktType::PDU, wiz_id); + m->add(PROTO_BIT__PDU, wiz_id); const InspectApi* api = get_plugin(bind_id); InspectorManager::instantiate(api, m, sc); @@ -902,7 +902,14 @@ static inline void execute( if ( !p->flow && (ppc.api.type == IT_SERVICE) ) break; - if ( (unsigned)p->type() & ppc.api.proto_bits ) + // FIXIT-L ideally we could eliminate PktType and just use + // proto_bits but things like teredo need to be fixed up. + if ( p->type() == PktType::NONE ) + { + if ( p->proto_bits & ppc.api.proto_bits ) + (*prep)->handler->eval(p); + } + else if ( BIT((unsigned)p->type()) & ppc.api.proto_bits ) (*prep)->handler->eval(p); } } diff --git a/src/memory/memory_manager.cc b/src/memory/memory_manager.cc index e7152ffd8..61193dad2 100644 --- a/src/memory/memory_manager.cc +++ b/src/memory/memory_manager.cc 
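Review bot: `InspectorManager::get_session(uint16_t proto)` still takes a 16-bit mask while `InspectApi::proto_bits` is now `uint32_t` (inspector.h hunk above), so `p->api.proto_bits == proto` compares across widths. Today's callers in stream_base pass PROTO_BIT__IP through PROTO_BIT__FILE, all below 0x40, so the lookup works, but a stream handler registered with a bit at or above 0x10000 could never be matched and the truncation would be silent. Widen the parameter to match: `InspectSsnFunc InspectorManager::get_session(uint32_t proto)` (and the declaration, outside this hunk).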
@@ -193,6 +193,7 @@ THREAD_LOCAL bool Interface::in_allocation_call = false; // these don't have to be visible to operate as replacements +#ifndef NO_MEM_MGR void* operator new(size_t n) { auto p = memory::Interface<>::allocate(n); @@ -232,6 +233,7 @@ SO_PUBLIC void operator delete(void* p, size_t) noexcept void operator delete[](void* p, size_t) noexcept; SO_PUBLIC void operator delete[](void* p, size_t) noexcept { ::operator delete[](p); } +#endif // ----------------------------------------------------------------------------- // unit tests @@ -451,6 +453,8 @@ TEST_CASE( "memory manager interface", "[memory]" ) CHECK( CapSpy::update_deallocations_arg == memory::Metadata::calculate_total_size(n) ); } } + AllocatorSpy::pool = nullptr; + AllocatorSpy::deallocate_arg = nullptr; } #endif diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index 7b18b9618..f56832372 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc @@ -255,7 +255,7 @@ const InspectApi appid_inspector_api = mod_dtor }, IT_CONTROL, - (uint16_t)PktType::ANY_IP, + PROTO_BIT__ANY_IP, nullptr, // buffers nullptr, // service appid_inspector_pinit, diff --git a/src/network_inspectors/appid/ips_appid_option.cc b/src/network_inspectors/appid/ips_appid_option.cc index 40a965961..dcf9d8b40 100644 --- a/src/network_inspectors/appid/ips_appid_option.cc +++ b/src/network_inspectors/appid/ips_appid_option.cc @@ -155,7 +155,9 @@ IpsOption::EvalStatus AppIdIpsOption::eval(Cursor&, Packet* p) { AppId app_ids[NUM_ID_TYPES]; - assert(p->flow); + if ( !p->flow ) + return NO_MATCH; + Profile profile(appidRuleOptionPerfStats); if ( !opt_data.ids_mapped ) diff --git a/src/network_inspectors/appid/thirdparty_appid_utils.cc b/src/network_inspectors/appid/thirdparty_appid_utils.cc index add725b44..0642f1752 100644 --- a/src/network_inspectors/appid/thirdparty_appid_utils.cc 
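Review bot: In `AppIdIpsOption::eval` the new flowless early return is placed above `Profile profile(appidRuleOptionPerfStats);`, so those evaluations are not attributed to the rule option's perf stats even though they are now an expected path rather than an assertion failure. Swapping the two statements keeps the accounting complete at no cost: `Profile profile(appidRuleOptionPerfStats);` followed by `if ( !p->flow ) return NO_MATCH;`. The rest of `eval` lies outside the hunk.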
+++ b/src/network_inspectors/appid/thirdparty_appid_utils.cc @@ -322,7 +322,7 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* hsession->update_host((const uint8_t*)attribute_data->spdyRequestHost, strlen(attribute_data->spdyRequestHost)); - // FIXIT-M do we need to free this memeory and set to null + // FIXIT-M do we need to free this memory and set to null // attribute_data->spdyRequestHost = nullptr; hsession->set_field_offset(REQ_HOST_FID, attribute_data->spdyRequestHostOffset); hsession->set_field_end_offset(REQ_HOST_FID, @@ -341,7 +341,7 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* hsession->update_uri((const uint8_t*)attribute_data->spdyRequestPath, strlen(attribute_data->spdyRequestPath)); - // FIXIT-M do we need to free this memeory and set to null + // FIXIT-M do we need to free this memory and set to null //attribute_data->spdyRequestPath = nullptr; hsession->set_field_offset(REQ_URI_FID, attribute_data->spdyRequestPathOffset); hsession->set_field_end_offset(REQ_URI_FID, attribute_data->spdyRequestPathEndOffset); @@ -363,7 +363,7 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* attribute_data->httpRequestHostLen); hsession->set_field_offset(REQ_HOST_FID, attribute_data->httpRequestHostOffset); hsession->set_field_end_offset(REQ_HOST_FID, attribute_data->httpRequestHostEndOffset); - // FIXIT-M do we need to free this memeory and set to null + // FIXIT-M do we need to free this memory and set to null //attribute_data->httpRequestHost = nullptr; if (appidDebug->is_active()) LogMessage("AppIdDbg %s HTTP host (%u-%u) is %s\n", diff --git a/src/network_inspectors/arp_spoof/arp_spoof.cc b/src/network_inspectors/arp_spoof/arp_spoof.cc index 23ae2d686..2386964ab 100644 --- a/src/network_inspectors/arp_spoof/arp_spoof.cc +++ b/src/network_inspectors/arp_spoof/arp_spoof.cc 
@@ -142,7 +142,8 @@ void ArpSpoof::eval(Packet* p) Profile profile(arpPerfStats); // precondition - what we registered for - assert(p->type() == PktType::ARP); + assert(p->proto_bits & PROTO_BIT__ARP); + const uint8_t* dst_mac_addr; const uint8_t* src_mac_addr; @@ -269,7 +270,7 @@ static const InspectApi as_api = mod_dtor }, IT_NETWORK, - (uint16_t)PktType::ARP, + PROTO_BIT__ARP, nullptr, // buffers nullptr, // service nullptr, // pinit diff --git a/src/network_inspectors/binder/bind_module.cc b/src/network_inspectors/binder/bind_module.cc index 4fe349520..368a53edb 100644 --- a/src/network_inspectors/binder/bind_module.cc +++ b/src/network_inspectors/binder/bind_module.cc @@ -208,12 +208,12 @@ bool BinderModule::set(const char* fqn, Value& v, SnortConfig*) else if ( v.is("proto") ) { - const PktType mask[] = + const unsigned mask[] = { - PktType::ANY, PktType::IP, PktType::ICMP, PktType::TCP, PktType::UDP, - PktType::PDU, PktType::FILE + PROTO_BIT__ANY_TYPE, PROTO_BIT__IP, PROTO_BIT__ICMP, + PROTO_BIT__TCP, PROTO_BIT__UDP, PROTO_BIT__PDU, PROTO_BIT__FILE }; - work->when.protos = (unsigned)mask[v.get_long()]; + work->when.protos = mask[v.get_long()]; } else if ( v.is("ports") ) { diff --git a/src/network_inspectors/binder/binder.cc b/src/network_inspectors/binder/binder.cc index 7afe29f8c..e118a39f6 100644 --- a/src/network_inspectors/binder/binder.cc +++ b/src/network_inspectors/binder/binder.cc @@ -68,7 +68,7 @@ Binding::Binding() when.src_ports.set(); when.dst_ports.set(); - when.protos = (unsigned)PktType::ANY; + when.protos = PROTO_BIT__ANY_TYPE; when.vlans.set(); when.ifaces.reset(); @@ -141,7 +141,7 @@ inline bool Binding::check_addr(const Flow* flow) const inline bool Binding::check_proto(const Flow* flow) const { - if ( when.protos & (unsigned)flow->pkt_type ) + if ( when.protos & BIT((unsigned)flow->pkt_type) ) return true; return false; 
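Review bot: In `BinderModule::set`, `mask[v.get_long()]` indexes a seven-entry table with a value taken straight from the configuration; this is only in bounds if the `proto` parameter's enumeration (declared outside this hunk) lists exactly these seven names in exactly this order, and nothing ties the two together. The cheapest protection is a bounds check next to the lookup plus a comment naming the coupling, e.g. `assert(v.get_long() >= 0 and v.get_long() < (long)(sizeof(mask)/sizeof(mask[0]))); // order must match the "proto" enum in the binder parameter table`.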
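Review bot: `Binding::check_proto` now computes `BIT((unsigned)flow->pkt_type)` and, unlike `InspectorManager::execute` in this commit, has no branch for `PktType::NONE`; flows are presumably never created with type NONE, but that assumption is what keeps BIT away from value 0 here, and it is not recorded. A one-line precondition makes it explicit and catches a future change to flow creation: `assert(flow->pkt_type != PktType::NONE); // BIT() is only defined for real session types`.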
@@ -893,7 +893,7 @@ static const InspectApi bind_api = mod_dtor }, IT_BINDER, - (uint16_t)PktType::ANY, + PROTO_BIT__ANY_TYPE, nullptr, // buffers nullptr, // service nullptr, // pinit diff --git a/src/network_inspectors/normalize/normalize.cc b/src/network_inspectors/normalize/normalize.cc index dc76b0e5a..76cdf62fd 100644 --- a/src/network_inspectors/normalize/normalize.cc +++ b/src/network_inspectors/normalize/normalize.cc @@ -293,7 +293,7 @@ static const InspectApi no_api = mod_dtor }, IT_PACKET, - (uint16_t)PktType::ANY_IP, + PROTO_BIT__ANY_IP, nullptr, // buffers nullptr, // service nullptr, // pinit diff --git a/src/network_inspectors/packet_capture/packet_capture.cc b/src/network_inspectors/packet_capture/packet_capture.cc index 94b7ffb97..866f873a5 100644 --- a/src/network_inspectors/packet_capture/packet_capture.cc +++ b/src/network_inspectors/packet_capture/packet_capture.cc @@ -196,7 +196,7 @@ static const InspectApi pc_api = mod_dtor }, IT_PROBE, - (uint16_t)PktType::ANY, + PROTO_BIT__ANY_TYPE, nullptr, // buffers nullptr, // service nullptr, // pinit diff --git a/src/network_inspectors/perf_monitor/perf_module.h b/src/network_inspectors/perf_monitor/perf_module.h index e849ff18d..7b134368c 100644 --- a/src/network_inspectors/perf_monitor/perf_module.h +++ b/src/network_inspectors/perf_monitor/perf_module.h @@ -58,7 +58,7 @@ enum class PerfOutput struct ModuleConfig { - // state optimized for run time using indicies + // state optimized for run time using indices // can't be determined until all modules have loaded (PerfMonitor::configure) snort::Module* ptr; IndexVec pegs; diff --git a/src/network_inspectors/perf_monitor/perf_monitor.cc b/src/network_inspectors/perf_monitor/perf_monitor.cc index 3bbdc5025..212c65a59 100644 --- a/src/network_inspectors/perf_monitor/perf_monitor.cc +++ b/src/network_inspectors/perf_monitor/perf_monitor.cc 
@@ -381,7 +381,7 @@ static const InspectApi pm_api = mod_dtor }, IT_PROBE, - (uint16_t)PktType::ANY, + PROTO_BIT__ANY_TYPE, nullptr, // buffers nullptr, // service nullptr, // pinit diff --git a/src/network_inspectors/port_scan/port_scan.cc b/src/network_inspectors/port_scan/port_scan.cc index 0ed7f93ec..b3c56ddc6 100644 --- a/src/network_inspectors/port_scan/port_scan.cc +++ b/src/network_inspectors/port_scan/port_scan.cc @@ -82,10 +82,10 @@ static void make_open_port_info(Packet* p, PS_PROTO* proto) char a1[INET6_ADDRSTRLEN]; ip1->ntop(a1, sizeof(a1)); - buf.len = safe_snprintf((char*)buf.data, sizeof(buf.data), + buf.len += safe_snprintf((char*)buf.data+buf.len, sizeof(buf.data)-buf.len, "Scanned IP: %s\n" "Port Count: %d\n" - "Ports:", + "Open Ports:", a1, proto->open_ports_cnt); @@ -97,6 +97,8 @@ static void make_open_port_info(Packet* p, PS_PROTO* proto) buf.len += safe_snprintf((char*)buf.data + buf.len, sizeof(buf.data) - buf.len, "\n"); } +#if 0 +// FIXIT-L add open port for port sweeps static void make_open_port_info(Packet* p, uint16_t port) { DataBuffer& buf = DetectionEngine::get_alt_buffer(p); @@ -108,12 +110,17 @@ static void make_open_port_info(Packet* p, uint16_t port) "Open Port: %hu\n", p->ptrs.ip_api.get_src()->ntop(ip_str), port); } +#endif static void PortscanAlertTcp(Packet* p, PS_PROTO* proto) { assert(proto); - bool portsweep = false; + if ( proto->open_ports_cnt and proto->alerts != PS_ALERT_PORTSWEEP and + proto->alerts != PS_ALERT_PORTSWEEP_FILTERED ) + { + make_open_port_info(p, proto); + } switch (proto->alerts) { case PS_ALERT_ONE_TO_ONE: @@ -126,7 +133,6 @@ static void PortscanAlertTcp(Packet* p, PS_PROTO* proto) case PS_ALERT_PORTSWEEP: DetectionEngine::queue_event(GID_PORT_SCAN, PSNG_TCP_PORTSWEEP); - portsweep = true; break; case PS_ALERT_DISTRIBUTED: 
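Review bot: `buf.len += safe_snprintf((char*)buf.data+buf.len, sizeof(buf.data)-buf.len, ...)` in `make_open_port_info` now appends to whatever `make_port_scan_info` already wrote, and the accumulation is only bounded if `safe_snprintf` returns the bytes actually written rather than snprintf's would-be length; its definition is not in this diff. If it ever returns the untruncated length, `buf.len` can exceed `sizeof(buf.data)` and `sizeof(buf.data)-buf.len` wraps to a huge `size_t` on the next call, turning the bounded write into an unbounded one; the per-port loop below repeats the same pattern. A cheap invariant at the top of the function protects both: `assert(buf.len < sizeof(buf.data)); if ( buf.len >= sizeof(buf.data) ) return;`.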
@@ -143,7 +149,6 @@ static void PortscanAlertTcp(Packet* p, PS_PROTO* proto) case PS_ALERT_PORTSWEEP_FILTERED: DetectionEngine::queue_event(GID_PORT_SCAN, PSNG_TCP_PORTSWEEP_FILTERED); - portsweep = true; break; case PS_ALERT_DISTRIBUTED_FILTERED: @@ -153,13 +158,6 @@ static void PortscanAlertTcp(Packet* p, PS_PROTO* proto) default: return; } - - // Only log open ports for portsweeps after the alert has been generated. - if (proto->open_ports_cnt and !portsweep) - { - make_open_port_info(p, proto); - DetectionEngine::queue_event(GID_PORT_SCAN, PSNG_OPEN_PORT); - } } static void PortscanAlertUdp(Packet*, PS_PROTO* proto) @@ -270,34 +268,25 @@ static void PortscanAlertIcmp(Packet*, PS_PROTO* proto) static void PortscanAlert(PS_PKT* ps_pkt, PS_PROTO* proto, int proto_type) { Packet* p = ps_pkt->pkt; + make_port_scan_info(p, proto); - if (proto->alerts == PS_ALERT_OPEN_PORT) + switch (proto_type) { - make_open_port_info(p, p->ptrs.sp); - DetectionEngine::queue_event(GID_PORT_SCAN, PSNG_OPEN_PORT); - } - else - { - make_port_scan_info(p, proto); - - switch (proto_type) - { - case PS_PROTO_TCP: - PortscanAlertTcp(p, proto); - break; + case PS_PROTO_TCP: + PortscanAlertTcp(p, proto); + break; - case PS_PROTO_UDP: - PortscanAlertUdp(p, proto); - break; + case PS_PROTO_UDP: + PortscanAlertUdp(p, proto); + break; - case PS_PROTO_ICMP: - PortscanAlertIcmp(p, proto); - break; + case PS_PROTO_ICMP: + PortscanAlertIcmp(p, proto); + break; - case PS_PROTO_IP: - PortscanAlertIp(p, proto); - break; - } + case PS_PROTO_IP: + PortscanAlertIp(p, proto); + break; } } @@ -504,7 +493,7 @@ static const InspectApi sp_api = mod_dtor }, IT_PROBE, - (uint16_t)PktType::ANY_IP, + PROTO_BIT__ANY_IP, nullptr, // buffers nullptr, // service nullptr, // pinit diff --git a/src/network_inspectors/port_scan/ps_detect.cc b/src/network_inspectors/port_scan/ps_detect.cc index 0910a6e2a..dfb1a0d6a 100644 --- a/src/network_inspectors/port_scan/ps_detect.cc 
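Review bot: With the `PSNG_OPEN_PORT` queue_event calls removed from `PortscanAlertTcp` and `PortscanAlert`, nothing visible here raises that SID any more, and the port-sweep case now carries no open-port information at all since the single-port `make_open_port_info` is under `#if 0`. If the SID is still registered in the port_scan rule table (outside this diff) it becomes an orphan that docs and downstream filters keyed on it still reference; either retire it or document that open ports are now folded into the scan alert's payload. A comment at the `#if 0` block should also name what is lost, e.g. `// open port reporting for port sweeps is disabled; the probed port is not recorded in the alert payload`.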
+++ b/src/network_inspectors/port_scan/ps_detect.cc @@ -538,11 +538,6 @@ static int ps_update_open_ports(PS_PROTO* proto, unsigned short port) { proto->open_ports[iCtr] = port; proto->open_ports_cnt++; - - if (proto->alerts == PS_ALERT_GENERATED) - { - proto->alerts = PS_ALERT_OPEN_PORT; - } } return 0; @@ -649,22 +644,14 @@ void PortScan::ps_tracker_update_tcp(PS_PKT* ps_pkt, PS_TRACKER* scanner, !(p->packet_flags & PKT_STREAM_EST)) { if (scanned) - { ps_update_open_ports(&scanned->proto, p->ptrs.sp); - } - - if (scanner) - { - if (scanner->proto.alerts == PS_ALERT_GENERATED) - scanner->proto.alerts = PS_ALERT_OPEN_PORT; - } } } /* ** Stream didn't create a session on the SYN packet, ** so check specifically for SYN here. */ - else if (p->ptrs.tcph && (p->ptrs.tcph->th_flags == TH_SYN)) + else if ( p->ptrs.tcph and p->ptrs.tcph->is_syn_only() ) { /* No session established, packet only has SYN. SYN only ** packet always from client, so use dp. @@ -686,7 +673,7 @@ void PortScan::ps_tracker_update_tcp(PS_PKT* ps_pkt, PS_TRACKER* scanner, ** so check specifically for SYN & ACK here. Clear based ** on the 'completion' of three-way handshake. */ - else if (p->ptrs.tcph && (p->ptrs.tcph->th_flags == (TH_SYN|TH_ACK))) + else if ( p->ptrs.tcph and p->ptrs.tcph->is_syn_ack() ) { if (scanned) { diff --git a/src/network_inspectors/port_scan/ps_detect.h b/src/network_inspectors/port_scan/ps_detect.h index 5eb514655..e06ff785f 100644 --- a/src/network_inspectors/port_scan/ps_detect.h +++ b/src/network_inspectors/port_scan/ps_detect.h @@ -61,7 +61,6 @@ struct Packet; #define PS_ALERT_ONE_TO_ONE_DECOY_FILTERED 6 #define PS_ALERT_DISTRIBUTED_FILTERED 7 #define PS_ALERT_PORTSWEEP_FILTERED 8 -#define PS_ALERT_OPEN_PORT 9 #define PS_ALERT_GENERATED 255 diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc index ce8e75f44..d6a5e508a 100644 --- a/src/network_inspectors/reputation/reputation_inspect.cc 
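Review bot: Replacing `th_flags == TH_SYN` with `is_syn_only()` (SYN set, ACK clear, other flags ignored) widens which segments count as a scan probe in `ps_tracker_update_tcp`: an ECN-negotiating SYN (SYN|ECE|CWR) is now counted, which removes an evasion, but so are SYN|FIN and SYN|RST, which are never legitimate opens. That is probably intended, but it is a behavior change to the scan counters and to the `is_syn_ack()` path a few lines later, and nothing in the hunk records it; add e.g. `// any SYN without ACK (incl. SYN|ECE|CWR, SYN|FIN) counts as a probe` above the condition. `ps_tracker_update_tcp` continues outside this hunk.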
+++ b/src/network_inspectors/reputation/reputation_inspect.cc @@ -411,7 +411,7 @@ const InspectApi reputation_api = mod_dtor }, IT_NETWORK, - (uint16_t)PktType::ANY_IP, + PROTO_BIT__ANY_IP, nullptr, // buffers nullptr, // service reputation_init, // pinit diff --git a/src/profiler/profiler_defs.h b/src/profiler/profiler_defs.h index 629b74826..d84db1742 100644 --- a/src/profiler/profiler_defs.h +++ b/src/profiler/profiler_defs.h @@ -82,7 +82,7 @@ private: MemoryContext memory; }; -class SO_PUBLIC ProfileExclude +class ProfileExclude { public: ProfileExclude(ProfileStats& stats) : ProfileExclude(stats.time, stats.memory) { } @@ -95,6 +95,45 @@ private: using get_profile_stats_fn = ProfileStats* (*)(const char*); +class NoMemContext +{ +public: + NoMemContext(ProfileStats& stats) : + time(stats.time) { } + +private: + TimeContext time; +}; + +class NoMemExclude +{ +public: + NoMemExclude(ProfileStats& stats) : NoMemExclude(stats.time, stats.memory) { } + NoMemExclude(TimeProfilerStats& time, MemoryTracker&) : time(time) { } + +private: + TimeExclude time; +}; + +class ProfileDisabled +{ +public: + ProfileDisabled(ProfileStats&) { } + ProfileDisabled(TimeProfilerStats&, MemoryTracker&) { } +}; + +#ifdef NO_PROFILER +using Profile = ProfileDisabled; +using NoProfile = ProfileDisabled; +#else +#ifdef NO_MEM_MGR +using Profile = NoMemContext; +using NoProfile = NoMemExclude; +#else using Profile = ProfileContext; +using NoProfile = ProfileExclude; +#endif +#endif + } #endif diff --git a/src/protocols/packet.cc b/src/protocols/packet.cc index 6160c4b34..219abcbf0 100644 --- a/src/protocols/packet.cc +++ b/src/protocols/packet.cc @@ -150,9 +150,6 @@ const char* Packet::get_type() const case PktType::UDP: return "UDP"; - case PktType::ARP: - return "ARP"; - case PktType::PDU: case PktType::FILE: if ( proto_bits & PROTO_BIT__TCP ) 
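Review bot: The choice of `Profile`/`NoProfile` is driven by the `NO_PROFILER` and `NO_MEM_MGR` build macros, and the hunk shows no include that would supply them from config.h, so every translation unit, including out-of-tree plugins, has to define them identically by hand; a mismatch gives each side a different type behind the same alias and makes profiling and memory accounting of plugin code depend on the plugin's flags rather than the core's. Source both macros from config.h and say so: `// NO_PROFILER / NO_MEM_MGR must be set consistently for the core and all plugins (see config.h)`. Separately, `NoMemExclude(TimeProfilerStats& time, MemoryTracker&) : time(time)` reuses the member name for the parameter; it is well-formed but easy to misread, so `NoMemExclude(TimeProfilerStats& t, MemoryTracker&) : time(t) { }` reads better.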
@@ -165,6 +162,9 @@ const char* Packet::get_type() const return "Error"; case PktType::NONE: + if ( proto_bits & PROTO_BIT__ARP ) + return "ARP"; + if ( num_layers > 0 ) return PacketManager::get_proto_name(layers[num_layers-1].prot_id); diff --git a/src/protocols/packet.h b/src/protocols/packet.h index 510dcd235..b57199195 100644 --- a/src/protocols/packet.h +++ b/src/protocols/packet.h @@ -117,8 +117,8 @@ struct SO_PUBLIC Packet uint32_t packet_flags; /* special flags for the packet */ uint32_t xtradata_mask; + uint32_t proto_bits; /* protocols contained within this packet */ - uint16_t proto_bits; /* protocols contained within this packet */ uint16_t alt_dsize; /* size for detection (iff PKT_DETECT_LIMIT) */ uint8_t num_layers; /* index into layers for next encap */ diff --git a/src/protocols/tcp.h b/src/protocols/tcp.h index 2813e1e60..e46972643 100644 --- a/src/protocols/tcp.h +++ b/src/protocols/tcp.h @@ -121,7 +121,6 @@ struct TCPHdr inline bool is_syn() const { return (th_flags & TH_SYN); } - // FIXIT-L should other flags (e.g. RST, FIN) be included in check for syn only? inline bool is_syn_only() const { return (th_flags & (TH_SYN | TH_ACK)) == TH_SYN; } diff --git a/src/service_inspectors/back_orifice/back_orifice.cc b/src/service_inspectors/back_orifice/back_orifice.cc index 41c965a02..7bfbb83a8 100644 --- a/src/service_inspectors/back_orifice/back_orifice.cc +++ b/src/service_inspectors/back_orifice/back_orifice.cc @@ -544,7 +544,7 @@ static const InspectApi bo_api = mod_dtor }, IT_NETWORK, - (uint16_t)PktType::UDP, + PROTO_BIT__UDP, nullptr, // buffers nullptr, // service bo_init, diff --git a/src/service_inspectors/dce_rpc/dce_http_proxy.cc b/src/service_inspectors/dce_rpc/dce_http_proxy.cc index c7a875c5f..ed7f29971 100644 --- a/src/service_inspectors/dce_rpc/dce_http_proxy.cc +++ b/src/service_inspectors/dce_rpc/dce_http_proxy.cc 
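Review bot: `Packet` is `SO_PUBLIC`, and this hunk both widens `proto_bits` to 32 bits and moves it ahead of `alt_dsize`, so every field offset after `xtradata_mask` changes; a plugin compiled against the previous header (the in-tree `extra/` ones are updated in this commit, anything outside the tree is not) would read stale offsets without any compile-time signal. If the plugin API carries a version constant it should be bumped alongside this change; at minimum annotate the field, e.g. `uint32_t proto_bits; /* protocols contained within this packet; layout changed, plugins must be rebuilt */`.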
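Review bot: The FIXIT-L asking whether RST/FIN belong in the syn-only check is deleted but the answer is not recorded: `is_syn_only()` returns true for SYN|FIN, SYN|RST and SYN|ECE|CWR alike, and this commit now routes port-scan probe detection (ps_detect.cc) through it. Replace the removed question with the decision so the next reader does not reopen it, e.g. `// SYN set and ACK clear; FIN/RST/PSH/URG/ECE/CWR are deliberately ignored so ECN SYNs count`.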
@@ -117,7 +117,7 @@ const InspectApi dce_http_proxy_api = mod_proxy_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "dce_http_proxy", nullptr, // pinit diff --git a/src/service_inspectors/dce_rpc/dce_http_server.cc b/src/service_inspectors/dce_rpc/dce_http_server.cc index cc5565f17..7377565d0 100644 --- a/src/service_inspectors/dce_rpc/dce_http_server.cc +++ b/src/service_inspectors/dce_rpc/dce_http_server.cc @@ -113,7 +113,7 @@ const InspectApi dce_http_server_api = mod_server_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "dce_http_server", nullptr, // pinit diff --git a/src/service_inspectors/dce_rpc/dce_smb.cc b/src/service_inspectors/dce_rpc/dce_smb.cc index e7c861605..bd332c4c3 100644 --- a/src/service_inspectors/dce_rpc/dce_smb.cc +++ b/src/service_inspectors/dce_rpc/dce_smb.cc @@ -458,7 +458,7 @@ const snort::InspectApi dce2_smb_api = mod_dtor }, snort::IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "netbios-ssn", dce2_smb_init, diff --git a/src/service_inspectors/dce_rpc/dce_tcp.cc b/src/service_inspectors/dce_rpc/dce_tcp.cc index a3b3de17c..bdf030237 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp.cc +++ b/src/service_inspectors/dce_rpc/dce_tcp.cc @@ -224,7 +224,7 @@ const InspectApi dce2_tcp_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers DCE_RPC_SERVICE_NAME, dce2_tcp_init, diff --git a/src/service_inspectors/dce_rpc/dce_udp.cc b/src/service_inspectors/dce_rpc/dce_udp.cc index 805ccad88..c1efa946a 100644 --- a/src/service_inspectors/dce_rpc/dce_udp.cc +++ b/src/service_inspectors/dce_rpc/dce_udp.cc @@ -215,7 +215,7 @@ const InspectApi dce2_udp_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::UDP, + PROTO_BIT__UDP, nullptr, // buffers DCE_RPC_SERVICE_NAME, dce2_udp_init, diff --git a/src/service_inspectors/dnp3/dnp3.cc b/src/service_inspectors/dnp3/dnp3.cc index e8f05ef0d..a3fb73d78 100644 
--- a/src/service_inspectors/dnp3/dnp3.cc +++ b/src/service_inspectors/dnp3/dnp3.cc @@ -318,7 +318,7 @@ const InspectApi dnp3_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU | (uint16_t)PktType::UDP, + PROTO_BIT__UDP | PROTO_BIT__PDU, nullptr, // buffers "dnp3", dnp3_init, diff --git a/src/service_inspectors/dnp3/dnp3_reassembly.cc b/src/service_inspectors/dnp3/dnp3_reassembly.cc index d62d68da1..160683dae 100644 --- a/src/service_inspectors/dnp3/dnp3_reassembly.cc +++ b/src/service_inspectors/dnp3/dnp3_reassembly.cc @@ -412,7 +412,7 @@ bool dnp3_full_reassembly(dnp3ProtoConf& config, dnp3_session_data_t* session, P if ((ret == true) && (packet->is_udp())) { { - ProfileExclude profile_exclude(dnp3_perf_stats); + NoProfile exclude(dnp3_perf_stats); DetectionEngine::detect(packet); } diff --git a/src/service_inspectors/dns/dns.cc b/src/service_inspectors/dns/dns.cc index 3603ee928..138a4ce6a 100644 --- a/src/service_inspectors/dns/dns.cc +++ b/src/service_inspectors/dns/dns.cc @@ -1040,7 +1040,7 @@ const InspectApi dns_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::TCP | (uint16_t)PktType::UDP | (uint16_t)PktType::PDU, + PROTO_BIT__ANY_PDU, nullptr, // buffers "dns", dns_init, diff --git a/src/service_inspectors/ftp_telnet/ftp.cc b/src/service_inspectors/ftp_telnet/ftp.cc index 1ca6abeef..9a3b7c89e 100644 --- a/src/service_inspectors/ftp_telnet/ftp.cc +++ b/src/service_inspectors/ftp_telnet/ftp.cc @@ -96,7 +96,7 @@ static int SnortFTP( ret = check_ftp(FTPsession, p, iInspectMode); if ( ret == FTPP_SUCCESS ) { - ProfileExclude exclude(ftpPerfStats); + NoProfile exclude(ftpPerfStats); // FIXIT-L ideally do_detection will look at the cmd & param buffers // or the rsp & msg buffers. We should call it from inside check_ftp @@ -419,7 +419,7 @@ static const InspectApi fc_api = mod_dtor }, IT_PASSIVE, - (uint16_t)PktType::NONE, + PROTO_BIT__NONE, nullptr, // buffers "ftp", nullptr, // init, 
@@ -474,7 +474,7 @@ static const InspectApi fs_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "ftp", fs_init, diff --git a/src/service_inspectors/ftp_telnet/ftp_data.cc b/src/service_inspectors/ftp_telnet/ftp_data.cc index 6480163dc..1b38df0d7 100644 --- a/src/service_inspectors/ftp_telnet/ftp_data.cc +++ b/src/service_inspectors/ftp_telnet/ftp_data.cc @@ -320,7 +320,7 @@ const InspectApi fd_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers fd_svc_name, fd_init, diff --git a/src/service_inspectors/ftp_telnet/telnet.cc b/src/service_inspectors/ftp_telnet/telnet.cc index 281b6d191..2a48a515d 100644 --- a/src/service_inspectors/ftp_telnet/telnet.cc +++ b/src/service_inspectors/ftp_telnet/telnet.cc @@ -84,14 +84,14 @@ static int SnortTelnet(TELNET_PROTO_CONF* telnet_config, TELNET_SESSION* Telnets if ( ret == FTPP_SUCCESS || ret == FTPP_NORMALIZED ) { - ProfileExclude exclude(telnetPerfStats); + NoProfile exclude(telnetPerfStats); do_detection(p); } } else { - ProfileExclude exclude(telnetPerfStats); + NoProfile exclude(telnetPerfStats); do_detection(p); } @@ -315,7 +315,7 @@ const InspectApi tn_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "telnet", tn_init, diff --git a/src/service_inspectors/gtp/gtp_inspect.cc b/src/service_inspectors/gtp/gtp_inspect.cc index d9f9a7027..56c02e98e 100644 --- a/src/service_inspectors/gtp/gtp_inspect.cc +++ b/src/service_inspectors/gtp/gtp_inspect.cc @@ -241,7 +241,7 @@ static const InspectApi gtp_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::UDP, + PROTO_BIT__UDP, nullptr, "gtp", gtp_init, diff --git a/src/service_inspectors/http2_inspect/http2_api.cc b/src/service_inspectors/http2_inspect/http2_api.cc index 72573f5ae..e53f77e40 100644 --- a/src/service_inspectors/http2_inspect/http2_api.cc +++ b/src/service_inspectors/http2_inspect/http2_api.cc 
@@ -58,7 +58,7 @@ const InspectApi Http2Api::http2_api = Http2Api::http2_mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, classic_buffer_names, "http2", Http2Api::http2_init, diff --git a/src/service_inspectors/http_inspect/http_api.cc b/src/service_inspectors/http_inspect/http_api.cc index 87ea17d61..6d924ae08 100644 --- a/src/service_inspectors/http_inspect/http_api.cc +++ b/src/service_inspectors/http_inspect/http_api.cc @@ -73,7 +73,7 @@ const InspectApi HttpApi::http_api = HttpApi::http_mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, classic_buffer_names, "http", HttpApi::http_init, diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc index 30480a349..1ea14bdaf 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc +++ b/src/service_inspectors/http_inspect/http_stream_splitter_reassemble.cc @@ -298,6 +298,10 @@ const snort::StreamBuffer HttpStreamSplitter::reassemble(snort::Flow* flow, unsi else { #ifdef REG_TEST + // FIXIT-M: known case: if session clears w/o a flush point, + // stream_tcp will flush to paf max which could be well below what + // has been scanned so far. since no flush point was specified, + // NHI should just deal with what it gets. assert(false); #endif return http_buf; diff --git a/src/service_inspectors/imap/imap.cc b/src/service_inspectors/imap/imap.cc index 482a218fe..4e625d99e 100644 --- a/src/service_inspectors/imap/imap.cc +++ b/src/service_inspectors/imap/imap.cc @@ -798,7 +798,7 @@ const InspectApi imap_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "imap", imap_init, diff --git a/src/service_inspectors/modbus/modbus.cc b/src/service_inspectors/modbus/modbus.cc index faa97149d..5efbf55c4 100644 --- a/src/service_inspectors/modbus/modbus.cc +++ b/src/service_inspectors/modbus/modbus.cc 
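Review bot: The new comment in `HttpStreamSplitter::reassemble` says the `assert(false)` under REG_TEST is reachable by a known case (session cleared without a flush point, stream_tcp flushing to paf max), and an assert on a known-reachable condition is an abort waiting for the next regression pcap that hits it, while non-REG_TEST builds pass through silently with `return http_buf`. While the workaround stands, count the case instead of asserting on it (a peg or trace message next to the early return), or, if the regression set is known not to contain it, say so in the comment so the assert's purpose is clear. The enclosing `reassemble` starts and ends outside this hunk.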
@@ -160,7 +160,7 @@ static const InspectApi modbus_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, "modbus", modbus_init, diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc index 861a82139..e9b172530 100644 --- a/src/service_inspectors/pop/pop.cc +++ b/src/service_inspectors/pop/pop.cc @@ -737,7 +737,7 @@ const InspectApi pop_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "pop3", pop_init, diff --git a/src/service_inspectors/rpc_decode/rpc_decode.cc b/src/service_inspectors/rpc_decode/rpc_decode.cc index 1d52596cb..82605f038 100644 --- a/src/service_inspectors/rpc_decode/rpc_decode.cc +++ b/src/service_inspectors/rpc_decode/rpc_decode.cc @@ -931,7 +931,7 @@ static const InspectApi rd_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "sunrpc", rd_init, diff --git a/src/service_inspectors/sip/sip.cc b/src/service_inspectors/sip/sip.cc index 0a6c510d6..137428fa8 100644 --- a/src/service_inspectors/sip/sip.cc +++ b/src/service_inspectors/sip/sip.cc @@ -368,7 +368,7 @@ const InspectApi sip_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU | (uint16_t)PktType::UDP, + PROTO_BIT__UDP | PROTO_BIT__PDU, nullptr, // buffers "sip", sip_init, diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc index 668c9edd8..04075a0ef 100644 --- a/src/service_inspectors/smtp/smtp.cc +++ b/src/service_inspectors/smtp/smtp.cc @@ -1555,7 +1555,7 @@ const InspectApi smtp_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "smtp", smtp_init, diff --git a/src/service_inspectors/ssh/ssh.cc b/src/service_inspectors/ssh/ssh.cc index 139170d77..7df875080 100644 --- a/src/service_inspectors/ssh/ssh.cc +++ b/src/service_inspectors/ssh/ssh.cc 
@@ -814,7 +814,7 @@ const InspectApi ssh_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "ssh", ssh_init, diff --git a/src/service_inspectors/ssl/ssl_inspector.cc b/src/service_inspectors/ssl/ssl_inspector.cc index 0e0567a73..524d2ee6e 100644 --- a/src/service_inspectors/ssl/ssl_inspector.cc +++ b/src/service_inspectors/ssl/ssl_inspector.cc @@ -496,7 +496,7 @@ const InspectApi ssl_api = mod_dtor }, IT_SERVICE, - (uint16_t)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers "ssl", ssl_init, diff --git a/src/service_inspectors/wizard/wizard.cc b/src/service_inspectors/wizard/wizard.cc index eff7e1dd4..b918e084a 100644 --- a/src/service_inspectors/wizard/wizard.cc +++ b/src/service_inspectors/wizard/wizard.cc @@ -356,7 +356,7 @@ static const InspectApi wiz_api = mod_dtor }, IT_WIZARD, - (uint16_t)PktType::TCP | (uint16_t)PktType::UDP | (uint16_t)PktType::PDU, + PROTO_BIT__ANY_PDU, nullptr, // buffers nullptr, // service nullptr, // init diff --git a/src/stream/base/stream_base.cc b/src/stream/base/stream_base.cc index 2eb5ff0f4..d4d182c12 100644 --- a/src/stream/base/stream_base.cc +++ b/src/stream/base/stream_base.cc @@ -20,11 +20,15 @@ #include "config.h" #endif +#include + #include "flow/flow_control.h" #include "flow/prune_stats.h" +#include "main/snort_config.h" #include "managers/inspector_manager.h" #include "profiler/profiler_defs.h" #include "protocols/packet.h" +#include "protocols/tcp.h" #include "stream/flush_bucket.h" #include "stream_ha.h" @@ -138,6 +142,7 @@ class StreamBase : public Inspector public: StreamBase(const StreamModuleConfig*); + bool configure(SnortConfig*) override; void show(SnortConfig*) override; void tinit() override; 
@@ -162,33 +167,33 @@ void StreamBase::tinit() if ( config.ip_cfg.max_sessions ) { - if ( (f = InspectorManager::get_session((uint16_t)PktType::IP)) ) - flow_con->init_ip(config.ip_cfg, f); + if ( (f = InspectorManager::get_session(PROTO_BIT__IP)) ) + flow_con->init_proto(PktType::IP, config.ip_cfg, f); } if ( config.icmp_cfg.max_sessions ) { - if ( (f = InspectorManager::get_session((uint16_t)PktType::ICMP)) ) - flow_con->init_icmp(config.icmp_cfg, f); + if ( (f = InspectorManager::get_session(PROTO_BIT__ICMP)) ) + flow_con->init_proto(PktType::ICMP, config.icmp_cfg, f); } if ( config.tcp_cfg.max_sessions ) { - if ( (f = InspectorManager::get_session((uint16_t)PktType::TCP)) ) - flow_con->init_tcp(config.tcp_cfg, f); + if ( (f = InspectorManager::get_session(PROTO_BIT__TCP)) ) + flow_con->init_proto(PktType::TCP, config.tcp_cfg, f); } if ( config.udp_cfg.max_sessions ) { - if ( (f = InspectorManager::get_session((uint16_t)PktType::UDP)) ) - flow_con->init_udp(config.udp_cfg, f); + if ( (f = InspectorManager::get_session(PROTO_BIT__UDP)) ) + flow_con->init_proto(PktType::UDP, config.udp_cfg, f); } if ( config.user_cfg.max_sessions ) { - if ( (f = InspectorManager::get_session((uint16_t)PktType::PDU)) ) - flow_con->init_user(config.user_cfg, f); + if ( (f = InspectorManager::get_session(PROTO_BIT__PDU)) ) + flow_con->init_proto(PktType::PDU, config.user_cfg, f); } if ( config.file_cfg.max_sessions ) { - if ( (f = InspectorManager::get_session((uint16_t)PktType::FILE)) ) - flow_con->init_file(config.file_cfg, f); + if ( (f = InspectorManager::get_session(PROTO_BIT__FILE)) ) + flow_con->init_proto(PktType::FILE, config.file_cfg, f); } uint32_t max = config.tcp_cfg.max_sessions + config.udp_cfg.max_sessions + config.user_cfg.max_sessions; 
@@ -205,6 +210,12 @@ void StreamBase::tterm() FlushBucket::clear(); } +bool StreamBase::configure(SnortConfig* sc) +{ + config.track_on_syn = sc->track_on_syn(); + return true; +} + void StreamBase::show(SnortConfig*) { // FIXIT-L SSN print @@ -220,41 +231,46 @@ void StreamBase::eval(Packet* p) switch ( p->type() ) { - case PktType::IP: - if ( p->has_ip() and - ((p->ptrs.decode_flags & DECODE_FRAG) or !config.ip_frags_only) ) - flow_con->process_ip(p); + case PktType::NONE: break; - case PktType::ICMP: - if ( p->ptrs.icmph ) - flow_con->process_icmp(p); + case PktType::IP: + if ( p->has_ip() and ((p->ptrs.decode_flags & DECODE_FRAG) or !config.ip_frags_only) ) + flow_con->process(PktType::IP, p); break; case PktType::TCP: if ( p->ptrs.tcph ) - flow_con->process_tcp(p); + flow_con->process(PktType::TCP, p); break; case PktType::UDP: if ( p->ptrs.decode_flags & DECODE_FRAG ) - flow_con->process_ip(p); + flow_con->process(PktType::IP, p); if ( p->ptrs.udph ) - flow_con->process_udp(p); + flow_con->process(PktType::UDP, p); + break; + + case PktType::ICMP: + if ( p->ptrs.icmph ) + { + if ( !flow_con->process(PktType::ICMP, p) ) + flow_con->process(PktType::IP, p); + } break; case PktType::PDU: - flow_con->process_user(p); + flow_con->process(PktType::PDU, p); break; case PktType::FILE: - flow_con->process_file(p); + flow_con->process(PktType::FILE, p); break; - default: + case PktType::MAX: break; - } + }; } #if 0 @@ -308,7 +324,7 @@ static const InspectApi base_api = mod_dtor }, IT_STREAM, - (unsigned)PktType::ANY_SSN, + PROTO_BIT__ANY_SSN, nullptr, // buffers nullptr, // service nullptr, // init diff --git a/src/stream/base/stream_module.h b/src/stream/base/stream_module.h index 1439a363d..aeb316b48 100644 --- a/src/stream/base/stream_module.h +++ b/src/stream/base/stream_module.h @@ -74,6 +74,7 @@ struct StreamModuleConfig int footprint; bool ip_frags_only; + bool track_on_syn; }; class StreamModule : public snort::Module 
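Review bot: The new ICMP fallback in `StreamBase::eval` calls `flow_con->process(PktType::IP, p)` without the `has_ip()` / `ip_frags_only` guard that the `PktType::IP` case applies a few lines above, so with `ip_frags_only` set an ICMP packet that gets no ICMP flow can still create an IP flow. Mirroring the guard keeps the two paths consistent: `if ( !flow_con->process(PktType::ICMP, p) and !config.ip_frags_only ) flow_con->process(PktType::IP, p);` (or hoist the condition into a small helper used by both cases). Whether ICMP is meant to be exempt from `ip_frags_only` is not stated in the hunk; if it is, a one-line comment saying why would stop the next reader from "fixing" it. Minor: the `};` closing the switch carries a stray semicolon.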
diff --git a/src/stream/file/stream_file.cc b/src/stream/file/stream_file.cc index 36c17c815..b893de2b3 100644 --- a/src/stream/file/stream_file.cc +++ b/src/stream/file/stream_file.cc @@ -96,7 +96,7 @@ static const InspectApi sfile_api = mod_dtor }, IT_STREAM, - (unsigned)PktType::FILE, + PROTO_BIT__FILE, nullptr, // buffers nullptr, // service nullptr, // pinit diff --git a/src/stream/icmp/stream_icmp.cc b/src/stream/icmp/stream_icmp.cc index e501d6a18..4e38967cf 100644 --- a/src/stream/icmp/stream_icmp.cc +++ b/src/stream/icmp/stream_icmp.cc @@ -133,7 +133,7 @@ static const InspectApi icmp_api = mod_dtor }, IT_STREAM, - (unsigned)PktType::ICMP, + PROTO_BIT__ICMP, nullptr, // buffers nullptr, // service nullptr, // init diff --git a/src/stream/ip/stream_ip.cc b/src/stream/ip/stream_ip.cc index d30f6bc36..460b38d15 100644 --- a/src/stream/ip/stream_ip.cc +++ b/src/stream/ip/stream_ip.cc @@ -178,7 +178,7 @@ static const InspectApi ip_api = mod_dtor }, IT_STREAM, - (unsigned)PktType::IP, + PROTO_BIT__IP, nullptr, // buffers nullptr, // service nullptr, // pinit diff --git a/src/stream/libtcp/tcp_segment_descriptor.cc b/src/stream/libtcp/tcp_segment_descriptor.cc index 39c75fd70..2aa2c9c0e 100644 --- a/src/stream/libtcp/tcp_segment_descriptor.cc +++ b/src/stream/libtcp/tcp_segment_descriptor.cc @@ -110,6 +110,9 @@ bool TcpSegmentDescriptor::has_wscale() DebugMessage(DEBUG_STREAM_STATE, "Checking for wscale...\n"); + if ( !(pkt->ptrs.decode_flags & DECODE_WSCALE) ) + return false; + return ( init_wscale(&wscale) & TF_WSCALE ) != TF_NONE; } diff --git a/src/stream/tcp/stream_tcp.cc b/src/stream/tcp/stream_tcp.cc index ce7bdaf76..f7929a98c 100644 --- a/src/stream/tcp/stream_tcp.cc +++ b/src/stream/tcp/stream_tcp.cc @@ -146,7 +146,7 @@ static const InspectApi tcp_api = mod_dtor }, IT_STREAM, - (unsigned)PktType::TCP, + PROTO_BIT__TCP, nullptr, // buffers nullptr, // service nullptr, // init 
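Review bot: The new early return in `TcpSegmentDescriptor::has_wscale` skips `init_wscale(&wscale)`, so the `wscale` member is no longer written when DECODE_WSCALE is absent; if any caller reads the scale factor after a false result (the accessor is outside this hunk, so I cannot confirm), it now sees whatever the previous value was rather than what `init_wscale` presumably produced for a missing option. Writing it explicitly preserves the old contract: `if ( !(pkt->ptrs.decode_flags & DECODE_WSCALE) ) { wscale = 0; return false; }`. The `DebugMessage("Checking for wscale...")` above the check now also fires for packets that are rejected immediately; placing the check before it keeps the trace meaningful.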
diff --git a/src/stream/tcp/tcp_module.cc b/src/stream/tcp/tcp_module.cc index f56660c6e..f81a06c53 100644 --- a/src/stream/tcp/tcp_module.cc +++ b/src/stream/tcp/tcp_module.cc @@ -24,6 +24,7 @@ #include "tcp_module.h" +#include "main/snort_config.h" #include "profiler/profiler_defs.h" using namespace snort; @@ -153,9 +154,6 @@ static const Parameter s_params[] = { "flush_factor", Parameter::PT_INT, "0:", "0", "flush upon seeing a drop in segment size after given number of non-decreasing segments" }, - { "ignore_any_rules", Parameter::PT_BOOL, nullptr, "false", - "process TCP content rules w/o ports only if rules with ports are present" }, - { "max_window", Parameter::PT_INT, "0:1073725440", "0", "maximum allowed TCP window" }, @@ -291,9 +289,6 @@ bool StreamTcpModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("flush_factor") ) config->flush_factor = v.get_long(); - else if ( v.is("ignore_any_rules") ) - config->flags |= STREAM_CONFIG_IGNORE_ANY; - else if ( v.is("max_bytes") ) config->max_queued_bytes = v.get_long(); @@ -354,8 +349,10 @@ bool StreamTcpModule::begin(const char* fqn, int, SnortConfig*) return true; } -bool StreamTcpModule::end(const char*, int, SnortConfig*) +bool StreamTcpModule::end(const char*, int, SnortConfig* sc) { + if ( config->hs_timeout >= 0 ) + sc->run_flags |= RUN_FLAG__TRACK_ON_SYN; return true; } diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc index fb819fd1f..69b24d1a9 100644 --- a/src/stream/tcp/tcp_reassembler.cc +++ b/src/stream/tcp/tcp_reassembler.cc 
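Review bot: `StreamTcpModule::end` turns `hs_timeout >= 0` into the global `RUN_FLAG__TRACK_ON_SYN` without a word on why, and the link is not obvious from the code; a comment such as `// require_3whs (hs_timeout >= 0) can only be enforced if the SYN is tracked, so force flow creation on SYN` would carry it. The flag is OR'd into `sc->run_flags` and never cleared, so one policy enabling require_3whs switches SYN tracking on for every policy in this config; if that is intended, the same comment should say so. I am inferring that `hs_timeout` is the require_3whs setting from its use here; its parameter definition is outside the hunk.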
@@ -106,6 +106,16 @@ bool TcpReassembler::flush_data_ready(TcpReassemblerState& trs) return ( get_pending_segment_count(trs, 2) > 1 ); // FIXIT-L return false? } +bool TcpReassembler::next_no_gap(TcpSegmentNode& tsn) +{ + return tsn.next and (tsn.next->seq == tsn.seq + tsn.payload_size); +} + +void TcpReassembler::update_next(TcpReassemblerState& trs, TcpSegmentNode& tsn) +{ + trs.sos.seglist.next = next_no_gap(tsn) ? tsn.next : nullptr; +} + int TcpReassembler::delete_reassembly_segment(TcpReassemblerState& trs, TcpSegmentNode* tsn) { int ret; @@ -136,7 +146,7 @@ int TcpReassembler::delete_reassembly_segment(TcpReassemblerState& trs, TcpSegme } if (trs.sos.seglist.next == tsn) - trs.sos.seglist.next = nullptr; + update_next(trs, *tsn); tsn->term( ); trs.sos.seg_count--; @@ -467,7 +477,7 @@ int TcpReassembler::flush_data_segments( trs.flush_count++; segs++; - trs.sos.seglist.next = tsn->next; + update_next(trs, *tsn); if ( SEQ_EQ(tsn->seq + bytes_to_copy, to_seq) ) break; @@ -630,7 +640,7 @@ int TcpReassembler::_flush_to_seq( tcpStats.rebuilt_packets++; tcpStats.rebuilt_bytes += flushed_bytes; - ProfileExclude profile_exclude(s5TcpFlushPerfStats); + NoProfile exclude(s5TcpFlushPerfStats); Snort::inspect(pdu); } else @@ -723,7 +733,7 @@ int TcpReassembler::do_zero_byte_flush(TcpReassemblerState& trs, Packet* p, uint trs.flush_count++; show_rebuilt_packet(trs, pdu); - ProfileExclude profile_exclude(s5TcpFlushPerfStats); + NoProfile profile_exclude(s5TcpFlushPerfStats); Snort::inspect(pdu); if ( trs.tracker->splitter ) @@ -743,12 +753,12 @@ uint32_t TcpReassembler::get_q_footprint(TcpReassemblerState& trs) if ( !trs.tracker ) return 0; - trs.sos.seglist.next = trs.sos.seglist.head; footprint = trs.tracker->r_win_base - trs.sos.seglist_base_seq; if ( footprint ) { sequenced = get_q_sequenced(trs); + if ( trs.tracker->fin_seq_status == TcpStreamTracker::FIN_WITH_SEQ_ACKED ) --footprint; } 
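Review bot: `TcpReassembler::next_no_gap` only reads `tsn`, so the parameter should be `const TcpSegmentNode&` (and the function `const`, or `static` since it touches no member state); as written it advertises a mutation that never happens and cannot be called with a const node. `update_next` likewise only reads `tsn` and can take `const TcpSegmentNode&`. The matching declarations in tcp_reassembler.h need the same change. The two `NoProfile` locals introduced in the later hunks are named `exclude` and `profile_exclude` for the same purpose; one name would help grep.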
@@ -762,33 +772,42 @@ uint32_t TcpReassembler::get_q_footprint(TcpReassemblerState& trs) uint32_t TcpReassembler::get_q_sequenced(TcpReassemblerState& trs) { - TcpSegmentNode* tsn = trs.tracker ? trs.sos.seglist.head : nullptr; - TcpSegmentNode* base = nullptr; - - if ( !tsn || ( trs.sos.session->flow->two_way_traffic() && - SEQ_LT(trs.tracker->r_win_base, tsn->seq) ) ) - return 0; + TcpSegmentNode* tsn; - while ( tsn->next && ( tsn->next->seq == tsn->seq + tsn->payload_size ) ) + if ( trs.sos.seglist.next ) + tsn = trs.sos.seglist.next; + else { - if ( !tsn->buffered && !base ) - base = tsn; - tsn = tsn->next; - } + trs.sos.seglist.next = trs.sos.seglist.head; + tsn = trs.tracker ? trs.sos.seglist.next : nullptr; // FIXIT-H why check tracker here? - if ( !tsn->buffered && !base ) - base = tsn; + if ( !tsn or (trs.sos.session->flow->two_way_traffic() and + SEQ_LT(trs.tracker->r_win_base, tsn->seq)) ) + { + if ( trs.sos.seglist.next ) + trs.sos.seglist.next = trs.sos.seglist.next->prev; + return 0; + } + } - int32_t len = 0; + uint32_t len = 0; + const uint32_t limit = trs.tracker->splitter->get_max_pdu(); - if ( base ) + while ( len < limit and next_no_gap(*tsn) ) { - trs.sos.seglist.next = base; - trs.sos.seglist_base_seq = base->seq; - len = tsn->seq + tsn->payload_size - base->seq; + if ( tsn->buffered ) + trs.sos.seglist.next = tsn->next; + else + len += tsn->payload_size; + + tsn = tsn->next; } + if ( !tsn->buffered ) + len += tsn->payload_size; + + trs.sos.seglist_base_seq = trs.sos.seglist.next->seq; - return ( len > 0 ) ? len : 0; + return len; } // FIXIT-L flush_stream() calls should be replaced with calls to diff --git a/src/stream/tcp/tcp_reassembler.h b/src/stream/tcp/tcp_reassembler.h index 8a9ffcf54..b59a2105e 100644 --- a/src/stream/tcp/tcp_reassembler.h +++ b/src/stream/tcp/tcp_reassembler.h 
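Review bot: `const uint32_t limit = trs.tracker->splitter->get_max_pdu();` dereferences `splitter` unconditionally, while `do_zero_byte_flush` in the earlier hunk still guards `if ( trs.tracker->splitter )`, so at least one state in this file has a null splitter and reaching `get_q_sequenced` in that state would crash. Either guard here, `const uint32_t limit = trs.tracker->splitter ? trs.tracker->splitter->get_max_pdu() : UINT32_MAX;`, or document why a splitter is guaranteed whenever segments are queued. The `FIXIT-H why check tracker here?` question is answered by `get_q_footprint`, which returns early on `!trs.tracker` before calling this function; if that is the only caller, the ternary can go and the comment be resolved. The early-return path rewinds `seglist.next` to `head->prev`, presumably nullptr for the head; a comment stating the intent (reset the cursor) would be clearer than the pointer walk.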
@@ -90,6 +90,9 @@ protected: void fallback(TcpReassemblerState&); int32_t flush_pdu_ackd(TcpReassemblerState&, uint32_t* flags); int purge_to_seq(TcpReassemblerState&, uint32_t flush_seq); + + bool next_no_gap(TcpSegmentNode&); + void update_next(TcpReassemblerState&, TcpSegmentNode&); }; #endif diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc index 5b5898881..5ed6fa677 100644 --- a/src/stream/tcp/tcp_session.cc +++ b/src/stream/tcp/tcp_session.cc @@ -81,8 +81,7 @@ TcpSession::TcpSession(Flow* flow) TcpSession::~TcpSession() { - if (tcp_init) - clear_session(true, false, false); + clear_session(true, false, false); } bool TcpSession::setup(Packet* p) @@ -139,6 +138,9 @@ void TcpSession::restart(Packet* p) void TcpSession::clear_session(bool free_flow_data, bool flush_segments, bool restart, Packet* p) { + if ( !tcp_init ) + return; + assert(!p or p->flow == flow); DetectionEngine::onload(flow); diff --git a/src/stream/tcp/tcp_stream_config.cc b/src/stream/tcp/tcp_stream_config.cc index 00a8e69b3..7c0cab21f 100644 --- a/src/stream/tcp/tcp_stream_config.cc +++ b/src/stream/tcp/tcp_stream_config.cc @@ -62,9 +62,6 @@ void TcpStreamConfig::show_config(TcpStreamConfig* config) if ( config->flags ) { LogMessage(" Options:\n"); - if (config->flags & STREAM_CONFIG_IGNORE_ANY) - LogMessage(" Ignore Any -> Any Rules: YES\n"); - if (config->flags & STREAM_CONFIG_NO_ASYNC_REASSEMBLY) LogMessage(" Don't queue packets on one-sided sessions: YES\n"); } diff --git a/src/stream/tcp/tcp_stream_config.h b/src/stream/tcp/tcp_stream_config.h index 8f3ddd568..6b753ac1e 100644 --- a/src/stream/tcp/tcp_stream_config.h +++ b/src/stream/tcp/tcp_stream_config.h 
@@ -26,17 +26,8 @@ #include "stream/tcp/tcp_defs.h" #include "time/packet_time.h" -#define STREAM_CONFIG_STATEFUL_INSPECTION 0x00000001 -#define STREAM_CONFIG_LOG_STREAMS 0x00000004 -#define STREAM_CONFIG_REASS_CLIENT 0x00000008 -#define STREAM_CONFIG_REASS_SERVER 0x00000010 -#define STREAM_CONFIG_ASYNC 0x00000020 -#define STREAM_CONFIG_SHOW_PACKETS 0x00000040 -#define STREAM_CONFIG_MIDSTREAM_DROP_NOALERT 0x00000080 -#define STREAM_CONFIG_IGNORE_ANY 0x00000100 -#define STREAM_CONFIG_STATIC_FLUSHPOINTS 0x00000200 -#define STREAM_CONFIG_IPS 0x00000400 -#define STREAM_CONFIG_NO_ASYNC_REASSEMBLY 0x00000800 +#define STREAM_CONFIG_SHOW_PACKETS 0x00000001 +#define STREAM_CONFIG_NO_ASYNC_REASSEMBLY 0x00000002 #define STREAM_DEFAULT_SSN_TIMEOUT 30 diff --git a/src/stream/udp/stream_udp.cc b/src/stream/udp/stream_udp.cc index 15506550a..1f031b619 100644 --- a/src/stream/udp/stream_udp.cc +++ b/src/stream/udp/stream_udp.cc @@ -37,7 +37,6 @@ using namespace snort; StreamUdpConfig::StreamUdpConfig() { session_timeout = 30; - ignore_any = false; } static void udp_show(StreamUdpConfig* pc) @@ -45,9 +44,6 @@ static void udp_show(StreamUdpConfig* pc) LogMessage("Stream UDP config:\n"); LogMessage(" Timeout: %d seconds\n", pc->session_timeout); - const char* opt = (pc->ignore_any) ? "YES" : "NO"; - LogMessage(" Ignore Any -> Any Rules: %s\n", opt); - #ifdef REG_TEST LogMessage(" UDP Session Size: %zu\n", sizeof(UdpSession)); #endif @@ -149,7 +145,7 @@ static const InspectApi udp_api = mod_dtor }, IT_STREAM, - (unsigned)PktType::UDP, + PROTO_BIT__UDP, nullptr, // buffers nullptr, // service nullptr, // init diff --git a/src/stream/udp/stream_udp.h b/src/stream/udp/stream_udp.h index a21ed9c5c..aa1193461 100644 --- a/src/stream/udp/stream_udp.h +++ b/src/stream/udp/stream_udp.h @@ -29,7 +29,6 @@ class Inspector; struct StreamUdpConfig { uint32_t session_timeout; - bool ignore_any; StreamUdpConfig(); }; 
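Review bot: The two surviving `STREAM_CONFIG_*` flags are renumbered from 0x40/0x800 to 0x1/0x2, which is only safe if `TcpStreamConfig::flags` is never serialized or compared across builds (HA state, regression baselines that print the raw value). I cannot see every consumer from here, but `show_config` in the previous hunk prints per-bit text rather than the raw value, which suggests it is fine. A comment `// bit values are internal and were renumbered when the unused flags were removed` would stop the next reader from assuming they are stable, and an `enum class` with `constexpr` bits would let the compiler enforce that.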
diff --git a/src/stream/udp/udp_module.cc b/src/stream/udp/udp_module.cc index 2395a9eb5..687ed6aae 100644 --- a/src/stream/udp/udp_module.cc +++ b/src/stream/udp/udp_module.cc @@ -38,9 +38,6 @@ static const Parameter s_params[] = { "session_timeout", Parameter::PT_INT, "1:86400", "30", "session tracking timeout" }, - { "ignore_any_rules", Parameter::PT_BOOL, nullptr, "false", - "process UDP content rules w/o ports only if rules with ports are present" }, - { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; @@ -67,9 +64,6 @@ bool StreamUdpModule::set(const char*, Value& v, SnortConfig*) if ( v.is("session_timeout") ) config->session_timeout = v.get_long(); - else if ( v.is("ignore_any_rules") ) - config->ignore_any = v.get_bool(); - else return false; diff --git a/src/stream/user/stream_user.cc b/src/stream/user/stream_user.cc index 5a8a215f7..4fd919dfb 100644 --- a/src/stream/user/stream_user.cc +++ b/src/stream/user/stream_user.cc @@ -131,7 +131,7 @@ static const InspectApi user_api = mod_dtor }, IT_STREAM, - (unsigned)PktType::PDU, + PROTO_BIT__PDU, nullptr, // buffers nullptr, // service nullptr, // pinit diff --git a/tools/snort2lua/config_states/config_no_option.cc b/tools/snort2lua/config_states/config_no_option.cc index 911e84318..20bb1fe7f 100644 --- a/tools/snort2lua/config_states/config_no_option.cc +++ b/tools/snort2lua/config_states/config_no_option.cc @@ -83,6 +83,8 @@ static ConversionState* config_false_no_opt_ctor(Converter& c) return new DeadCode(c); } +#if 0 +// currently unused - for future reference template static ConversionState* config_false_no_opt_ctor(Converter& c) @@ -92,6 +94,7 @@ static ConversionState* config_false_no_opt_ctor(Converter& c) c.get_table_api().close_table(); return new DeadCode(c); } +#endif } // namespace /************************************************* 
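Review bot: Wrapping the unused `config_false_no_opt_ctor` overload in `#if 0 ... #endif` keeps dead code in the translation unit that the compiler never checks, so it will silently rot as `Converter` and the table API change; version control already preserves it for "future reference". Deleting it is the cleaner fix, or if a placeholder is wanted, a one-line comment `// a table-closing variant of config_false_no_opt_ctor was removed; see history` says the same without the disabled block. The template parameter list appears to have been lost in this rendering, so I cannot tell how the two overloads differed.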
diff --git a/tools/snort2lua/preprocessor_states/pps_stream5_tcp.cc b/tools/snort2lua/preprocessor_states/pps_stream5_tcp.cc index 88c9445a8..fc8f054e6 100644 --- a/tools/snort2lua/preprocessor_states/pps_stream5_tcp.cc +++ b/tools/snort2lua/preprocessor_states/pps_stream5_tcp.cc @@ -304,7 +304,7 @@ bool StreamTcp::convert(std::istringstream& data_stream) tmpval = parse_small_segments(arg_stream); else if (keyword == "ignore_any_rules") - tmpval = table_api.add_option("ignore_any_rules", true); + table_api.add_deleted_comment("ignore_any_rules"); else if (keyword == "ports") tmpval = parse_ports(arg_stream); diff --git a/tools/snort2lua/preprocessor_states/pps_stream5_udp.cc b/tools/snort2lua/preprocessor_states/pps_stream5_udp.cc index 365220619..956a4f79e 100644 --- a/tools/snort2lua/preprocessor_states/pps_stream5_udp.cc +++ b/tools/snort2lua/preprocessor_states/pps_stream5_udp.cc @@ -54,7 +54,7 @@ bool StreamUdp::convert(std::istringstream& data_stream) continue; if (keyword == "ignore_any_rules") - tmpval = table_api.add_option("ignore_any_rules", true); + table_api.add_deleted_comment("ignore_any_rules"); else if (keyword == "timeout") {
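Review bot: Replacing `tmpval = table_api.add_option(...)` with a bare `table_api.add_deleted_comment("ignore_any_rules");` leaves `tmpval` unassigned on this branch; if `tmpval` is declared outside the `while` loop rather than reset per keyword (the declaration is outside the hunk), this branch reuses whatever the previous keyword left in it. Setting it explicitly, `tmpval = true; table_api.add_deleted_comment("ignore_any_rules");`, or `tmpval = table_api.add_deleted_comment(...)` if that method returns bool, keeps the branch uniform with its neighbours. The same applies to the stream5_udp hunk below.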