From: Michael Altizer (mialtize) Date: Tue, 27 Mar 2018 22:34:23 +0000 (-0400) Subject: Merge pull request #1144 in SNORT/snort3 from metapacket to master X-Git-Tag: 3.0.0-245~63 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4dcb8d6959f4f21acd14e8d855cbbd30ec536c54;p=thirdparty%2Fsnort3.git Merge pull request #1144 in SNORT/snort3 from metapacket to master Squashed commit of the following: commit e6660bd853546dd1de7a708a9bc84f2bf922765d Author: Victor Roemer (viroemer) Date: Tue Mar 27 16:29:28 2018 -0400 fix commit 2dc5713408cb250ba89e74298e99437063b1509d Author: Victor Roemer (viroemer) Date: Fri Mar 16 14:44:14 2018 -0400 sfip: A version of set() which automatically determines the family commit 2386b17110b3ae536cde1f9481414510a3e7173d Author: Victor Roemer (viroemer) Date: Tue Mar 13 15:59:27 2018 -0400 flow: SO_PUBLIC FlowKey --- diff --git a/daqs/daq_hext.c b/daqs/daq_hext.c index a89c6b71f..ccbaa4e7c 100644 --- a/daqs/daq_hext.c +++ b/daqs/daq_hext.c @@ -133,6 +133,30 @@ static void parse_pci(HextImpl* impl, const char* s) impl->pci.flags &= ~DAQ_USR_FLAG_TO_SERVER; } +static bool is_ipv4(char const* src) +{ + struct in6_addr temp; + if ( inet_pton(AF_INET, src, &temp) == 1 ) + return true; + else if ( inet_pton(AF_INET6, src, &temp) == 1 ) + return false; + + return false; +} + +void IpAddr(uint32_t* addr, char const* ip) +{ + if ( is_ipv4(ip) ) { + addr[0] = 0; + addr[1] = 0; + addr[2] = htonl(0xffff); + inet_pton(AF_INET, ip, &addr[3]); + } + else { + inet_pton(AF_INET6, ip, addr); + } +} + enum Search { I_ZONE, E_ZONE, 
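Review bot: In daqs/daq_hext.c, `IpAddr` ignores the result of both `inet_pton` calls, so a string that is neither valid IPv4 nor valid IPv6 leaves the 16 destination bytes holding whatever was there before, and the caller cannot tell. `is_ipv4` returns false for "IPv6" and for "unparseable" alike, which is how malformed input reaches the IPv6 branch. I would check the result and clear the address on failure, e.g. `else if ( inet_pton(AF_INET6, ip, addr) != 1 ) memset(addr, 0, 4 * sizeof(*addr));`, or return a status so the caller can reject the record. `IpAddr` is also the only non-`static` helper added here; if nothing outside this file calls it (not visible in the diff), declare it `static` to keep the generic name out of the module's exported symbols.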
@@ -179,19 +203,17 @@ static void set_flowstats(Flow_Stats_t* f, enum Search state, const char* s) break; case SRC_HOST: - if (inet_pton(AF_INET, s, (uint32_t*)&f->initiatorIp) == 0) - inet_pton(AF_INET6, s, (uint32_t*)&f->initiatorIp); - break; - - case DST_HOST: - if (inet_pton(AF_INET, s, (uint32_t*)&f->responderIp) == 0) - inet_pton(AF_INET6, s, (uint32_t*)&f->responderIp); + IpAddr((uint32_t*)&f->initiatorIp, s); break; case SRC_PORT: f->initiatorPort = htons(atoi(s)); break; + case DST_HOST: + IpAddr((uint32_t*)&f->responderIp, s); + break; + case DST_PORT: f->responderPort = htons(atoi(s)); break; diff --git a/src/flow/expect_cache.h b/src/flow/expect_cache.h index e41b2f761..2c505dd1e 100644 --- a/src/flow/expect_cache.h +++ b/src/flow/expect_cache.h @@ -111,11 +111,11 @@ public: private: void prune(); - ExpectNode* get_node(FlowKey&, bool&); + ExpectNode* get_node(snort::FlowKey&, bool&); snort::ExpectFlow* get_flow(ExpectNode*, uint32_t, int16_t); bool set_data(ExpectNode*, snort::ExpectFlow*&, snort::FlowData*); - ExpectNode* find_node_by_packet(snort::Packet*, FlowKey&); - bool process_expected(ExpectNode*, FlowKey&, snort::Packet*, snort::Flow*); + ExpectNode* find_node_by_packet(snort::Packet*, snort::FlowKey&); + bool process_expected(ExpectNode*, snort::FlowKey&, snort::Packet*, snort::Flow*); private: class ZHash* hash_table; diff --git a/src/flow/flow.h b/src/flow/flow.h index 4eaef486a..adc69f2dc 100644 --- a/src/flow/flow.h +++ b/src/flow/flow.h @@ -95,11 +95,11 @@ class BitOp; class FlowHAState; -struct FlowKey; class Session; namespace snort { +struct FlowKey; struct Packet; typedef void (* StreamAppDataFree)(void*); diff --git a/src/flow/flow_cache.h b/src/flow/flow_cache.h index 7b42654a1..492ee666f 100644 --- a/src/flow/flow_cache.h +++ b/src/flow/flow_cache.h @@ -34,8 +34,8 @@ namespace snort { class Flow; -} struct FlowKey; +} class FlowCache { 
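Review bot: In `set_flowstats` (daqs/daq_hext.c), the `SRC_HOST` and `DST_HOST` cases now store IPv4 addresses in IPv4-mapped form (the last four bytes, after a `::ffff:` prefix), where the removed code wrote them into the first four bytes, and nothing at the call site records that layout change. `IpAddr` writes four `uint32_t` words through the `(uint32_t*)&f->initiatorIp` cast, so it relies on the field being 16 bytes and 4-byte aligned; the `Flow_Stats_t` declaration is not part of this diff, so that is worth confirming. A comment above the two cases such as `/* addresses are stored as 16-byte IPv6; IPv4 is written IPv4-mapped (::ffff:a.b.c.d) */` would document the contract for other readers of the struct. The function starts and ends outside the hunk.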
@@ -48,8 +48,8 @@ public: void push(snort::Flow*); - snort::Flow* find(const FlowKey*); - snort::Flow* get(const FlowKey*); + snort::Flow* find(const snort::FlowKey*); + snort::Flow* get(const snort::FlowKey*); int release(snort::Flow*, PruneReason = PruneReason::NONE, bool do_cleanup = true); diff --git a/src/flow/flow_control.h b/src/flow/flow_control.h index bfe6ce513..3966c4ff2 100644 --- a/src/flow/flow_control.h +++ b/src/flow/flow_control.h @@ -37,11 +37,11 @@ namespace snort { class Flow; class FlowData; +struct FlowKey; struct Packet; struct SfIp; } class FlowCache; -struct FlowKey; enum class PruneReason : uint8_t; @@ -59,8 +59,8 @@ public: void process_user(snort::Packet*); void process_file(snort::Packet*); - snort::Flow* find_flow(const FlowKey*); - snort::Flow* new_flow(const FlowKey*); + snort::Flow* find_flow(const snort::FlowKey*); + snort::Flow* new_flow(const snort::FlowKey*); void init_ip(const FlowConfig&, snort::InspectSsnFunc); void init_icmp(const FlowConfig&, snort::InspectSsnFunc); @@ -70,7 +70,7 @@ public: void init_file(const FlowConfig&, snort::InspectSsnFunc); void init_exp(uint32_t max); - void delete_flow(const FlowKey*); + void delete_flow(const snort::FlowKey*); void delete_flow(snort::Flow*, PruneReason); void purge_flows(PktType); bool prune_one(PruneReason, bool do_cleanup); @@ -102,7 +102,7 @@ private: FlowCache* get_cache(PktType); const FlowCache* get_cache(PktType) const; - void set_key(FlowKey*, snort::Packet*); + void set_key(snort::FlowKey*, snort::Packet*); unsigned process(snort::Flow*, snort::Packet*); void preemptive_cleanup(); diff --git a/src/flow/flow_key.h b/src/flow/flow_key.h index b117e5f86..44633b7ec 100644 --- a/src/flow/flow_key.h +++ b/src/flow/flow_key.h @@ -33,10 +33,9 @@ struct HashFnc; namespace snort { struct SfIp; -} PADDING_GUARD_BEGIN -struct FlowKey +struct SO_PUBLIC FlowKey { uint32_t ip_l[4]; /* Low IP */ uint32_t ip_h[4]; /* High IP */ @@ -89,5 +88,7 @@ private: }; PADDING_GUARD_END +} + #endif 
diff --git a/src/flow/ha.h b/src/flow/ha.h index e1f78093b..60af2f297 100644 --- a/src/flow/ha.h +++ b/src/flow/ha.h @@ -30,8 +30,8 @@ namespace snort { class Flow; -} struct FlowKey; +} // The FlowHAHandle is the dynamically allocated index used uniquely identify // the client. Used both in the API and HA messages. @@ -126,7 +126,7 @@ class FlowHAClient { public: virtual ~FlowHAClient() = default; - virtual bool consume(snort::Flow*&, FlowKey*, HAMessage*) { return false; } + virtual bool consume(snort::Flow*&, snort::FlowKey*, HAMessage*) { return false; } virtual bool produce(snort::Flow*, HAMessage*) { return false; } virtual bool is_update_required(snort::Flow*) { return false; } virtual bool is_delete_required(snort::Flow*) { return false; } diff --git a/src/loggers/log_hext.cc b/src/loggers/log_hext.cc index 627febdfe..77ea327c0 100644 --- a/src/loggers/log_hext.cc +++ b/src/loggers/log_hext.cc @@ -62,16 +62,15 @@ void DaqMetaEventHandler::handle(DataEvent& event, Flow*) const Flow_Stats_t* fs = (const Flow_Stats_t*)ev->get_data(); + SfIp src, dst; char shost[INET6_ADDRSTRLEN]; char dhost[INET6_ADDRSTRLEN]; - const uint32_t *sip = (const uint32_t*)fs->initiatorIp; - int fam = AF_INET; - if ( sip[1] || sip[2] || sip[3] ) - fam = AF_INET6; + src.set(fs->initiatorIp); + dst.set(fs->responderIp); - inet_ntop(fam, fs->initiatorIp, shost, INET6_ADDRSTRLEN); - inet_ntop(fam, fs->responderIp, dhost, INET6_ADDRSTRLEN); + src.ntop(shost, sizeof(shost)); + dst.ntop(dhost, sizeof(dhost)); int vlan_tag = fs->vlan_tag == 0xfff ? 0 : fs->vlan_tag; diff --git a/src/service_inspectors/ftp_telnet/ftpp_si.h b/src/service_inspectors/ftp_telnet/ftpp_si.h index 60125ed0d..b6159644d 100644 --- a/src/service_inspectors/ftp_telnet/ftpp_si.h +++ b/src/service_inspectors/ftp_telnet/ftpp_si.h @@ -200,7 +200,7 @@ enum struct FTP_DATA_SESSION { FTP_TELNET_SESSION ft_ssn; - FlowKey ftp_key; + snort::FlowKey ftp_key; char* filename; int data_chan; int file_xfer_info; 
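Review bot: In `DaqMetaEventHandler::handle` (src/loggers/log_hext.cc), the logged host strings now depend on the producer encoding IPv4 as IPv4-mapped IPv6. A `Flow_Stats_t` that still carries IPv4 in the first word with the rest zero, which the removed `sip[1] || sip[2] || sip[3]` test treated as IPv4, would now be rendered as an IPv6 address. Whether any DAQ module still uses that layout cannot be seen from this diff, but since these strings end up in logs it is worth stating the assumption next to the calls, e.g. `// Flow_Stats_t addresses are 16 bytes; IPv4 must arrive IPv4-mapped (::ffff:a.b.c.d)`. The `SfIpRet` results of `src.set()` and `dst.set()` are also discarded before `ntop()` is called. The function body continues outside the hunk.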
diff --git a/src/sfip/sf_ip.cc b/src/sfip/sf_ip.cc index 9143add44..318bc93b5 100644 --- a/src/sfip/sf_ip.cc +++ b/src/sfip/sf_ip.cc @@ -342,6 +342,17 @@ SfIpRet SfIp::set(const void* src, int fam) return SFIP_SUCCESS; } +SfIpRet SfIp::set(const void* src) +{ + assert(src); + if ( ((const uint32_t*)src)[0] == 0 && + ((const uint32_t*)src)[1] == 0 && + ((const uint16_t*)src)[4] == 0 && + ((const uint16_t*)src)[5] == 0xffff ) + return set(&((const uint32_t*)src)[3], AF_INET); + return set(src, AF_INET6); +} + /* Obfuscates this IP with an obfuscation CIDR Makes this: ob | (this & mask) */ void SfIp::obfuscate(SfCidr* ob) diff --git a/src/sfip/sf_ip.h b/src/sfip/sf_ip.h index 714abc380..d7a370adc 100644 --- a/src/sfip/sf_ip.h +++ b/src/sfip/sf_ip.h @@ -51,6 +51,9 @@ struct SO_PUBLIC SfIp SfIpRet set(const char* src, uint16_t* srcBits = nullptr); /* Sets to a raw source IP (4 or 16 bytes, according to family) */ SfIpRet set(const void* src, int fam); + /* Sets to a raw source IP, source must be a 128 bit IPv6 (detects IPv4 mapped IPv6) + * This is specifically for conversion of Flow_Stats_t ipv4 mapped ipv6 addresses */ + SfIpRet set(const void* src); /* Converts string IP format to an array of values. Also checks IP address format. */ SfIpRet pton(const int fam, const char* ip); diff --git a/src/stream/base/stream_ha.h b/src/stream/base/stream_ha.h index 07947f7f5..e995e775e 100644 --- a/src/stream/base/stream_ha.h +++ b/src/stream/base/stream_ha.h @@ -39,7 +39,7 @@ class StreamHAClient : public FlowHAClient { public: StreamHAClient() : FlowHAClient(sizeof(SessionHAContent), true) { } - bool consume(snort::Flow*&, FlowKey*, HAMessage*) override; + bool consume(snort::Flow*&, snort::FlowKey*, HAMessage*) override; bool produce(snort::Flow*, HAMessage*) override; bool is_update_required(snort::Flow*) override; bool is_delete_required(snort::Flow*) override; 
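Review bot: The new `SfIp::set(const void* src)` in src/sfip/sf_ip.cc reads the untyped buffer through `const uint32_t*` and `const uint16_t*` casts, which assumes the caller's storage is suitably aligned and sidesteps the aliasing rules if the source is a byte array. The only caller in this commit passes `fs->initiatorIp`, whose type is not visible here. Comparing the first 12 bytes against the IPv4-mapped prefix with `memcmp` performs the same test without either assumption and reads more directly. Separately, `assert(src)` disappears in NDEBUG builds, so a null pointer would be dereferenced there, and the 16-byte length requirement is stated only in the header comment.

```cpp
SfIpRet SfIp::set(const void* src)
{
    assert(src);
    // ::ffff:a.b.c.d -> first 10 bytes zero, then 0xff 0xff, then the IPv4 address
    static const uint8_t v4_mapped[12] = { 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff };
    const uint8_t* bytes = static_cast<const uint8_t*>(src);

    if ( memcmp(bytes, v4_mapped, sizeof(v4_mapped)) == 0 )
        return set(bytes + sizeof(v4_mapped), AF_INET);

    return set(src, AF_INET6);
}
```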
@@ -53,7 +53,7 @@ public: ProtocolHA(PktType); virtual ~ProtocolHA(); virtual void delete_session(snort::Flow*) { } - virtual snort::Flow* create_session(FlowKey*) { return nullptr; } + virtual snort::Flow* create_session(snort::FlowKey*) { return nullptr; } virtual void deactivate_session(snort::Flow*) { } virtual void process_deletion(snort::Flow*); diff --git a/src/stream/icmp/icmp_ha.h b/src/stream/icmp/icmp_ha.h index 203cfd6dc..bc2d8720f 100644 --- a/src/stream/icmp/icmp_ha.h +++ b/src/stream/icmp/icmp_ha.h @@ -33,7 +33,7 @@ class IcmpHA : public ProtocolHA { public: IcmpHA() : ProtocolHA(PktType::ICMP) { } - snort::Flow* create_session(FlowKey*) override; + snort::Flow* create_session(snort::FlowKey*) override; private: }; diff --git a/src/stream/ip/ip_ha.h b/src/stream/ip/ip_ha.h index f6e7b397f..fd3f8cd3d 100644 --- a/src/stream/ip/ip_ha.h +++ b/src/stream/ip/ip_ha.h @@ -33,7 +33,7 @@ class IpHA : public ProtocolHA { public: IpHA() : ProtocolHA(PktType::IP) { } - snort::Flow* create_session(FlowKey*) override; + snort::Flow* create_session(snort::FlowKey*) override; private: }; diff --git a/src/stream/tcp/tcp_ha.h b/src/stream/tcp/tcp_ha.h index 36b919077..d27f4adf0 100644 --- a/src/stream/tcp/tcp_ha.h +++ b/src/stream/tcp/tcp_ha.h @@ -33,7 +33,7 @@ class TcpHA : public ProtocolHA { public: TcpHA() : ProtocolHA(PktType::TCP) { } - snort::Flow* create_session(FlowKey*) override; + snort::Flow* create_session(snort::FlowKey*) override; void deactivate_session(snort::Flow*) override; private: diff --git a/src/stream/udp/udp_ha.h b/src/stream/udp/udp_ha.h index 819c77adf..72bc3da2d 100644 --- a/src/stream/udp/udp_ha.h +++ b/src/stream/udp/udp_ha.h @@ -33,7 +33,7 @@ class UdpHA : public ProtocolHA { public: UdpHA() : ProtocolHA(PktType::UDP) { } - snort::Flow* create_session(FlowKey*) override; + snort::Flow* create_session(snort::FlowKey*) override; private: };