From: Michael Altizer (mialtize) Date: Tue, 6 Feb 2018 20:02:14 +0000 (-0500) Subject: Merge pull request #1104 in SNORT/snort3 from flow_depth to master X-Git-Tag: 3.0.0-243~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5b62aeddf1d7884dbfb142e887f02ae8dc2fe806;p=thirdparty%2Fsnort3.git Merge pull request #1104 in SNORT/snort3 from flow_depth to master Squashed commit of the following: commit 82eba08d04656950da60a337658e0c6688eb98c3 Author: Russ Combs (rucombs) Date: Tue Feb 6 10:24:07 2018 -0500 help: upper case proto acronyms etc. commit 77c0190b0ad815a2c8d2ad0a310b8941149b7be5 Author: Russ Combs (rucombs) Date: Tue Feb 6 09:00:06 2018 -0500 build: fix static analysis issues commit 2cf991a279505c6e9827080796c5c9db1f7ca826 Author: Tom Peters Date: Thu Feb 1 17:31:44 2018 -0500 http_inspect: apply request/response depth to packet data commit a9bad28e8feb80bc3b896ceda4e807c67691ad78 Author: Russ Combs (rucombs) Date: Mon Feb 5 09:48:17 2018 -0500 wizard: count user scans and hits separate from tcp commit 0721de15f359cdd29e1e3a7f8901638af0ba3cac Author: Russ Combs (rucombs) Date: Sun Feb 4 13:15:30 2018 -0500 build: fix cppcheck warnings commit 615b82752fbec18837b71e986a67c834eff7b643 Author: Russ Combs (rucombs) Date: Sat Feb 3 22:08:44 2018 -0500 detection: refactor alt_dsize commit 644ccb2c07a562a19e94c6d38125cfa3c5b555f3 Author: Russ Combs (rucombs) Date: Sat Feb 3 14:22:18 2018 -0500 detection: use detection limit (alt_dsize) commit 192fe396cf8360996ce24d47255e6eeabb337f64 Author: Russ Combs (rucombs) Date: Sat Feb 3 08:56:37 2018 -0500 search_engine: rename inspect_stream_inserts to detect_raw_tcp for clarity; default to true for 2.X rule sets commit 50082d488fc84a0764bcd60c7521d1e9d0fe9892 Author: Russ Combs (rucombs) Date: Sat Feb 3 08:54:24 2018 -0500 detection: do not change search_engine.inspect_stream_inserts configuration --- diff --git a/src/actions/act_reject.cc b/src/actions/act_reject.cc index 63742cc1d..051d8ae3c 100644 
--- a/src/actions/act_reject.cc +++ b/src/actions/act_reject.cc @@ -127,10 +127,10 @@ void RejectAction::send(Packet* p) static const Parameter s_params[] = { { "reset", Parameter::PT_ENUM, "source|dest|both", nullptr, - "send tcp reset to one or both ends" }, + "send TCP reset to one or both ends" }, { "control", Parameter::PT_ENUM, "network|host|port|all", nullptr, - "send icmp unreachable(s)" }, + "send ICMP unreachable(s)" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/detection/context_switcher.cc b/src/detection/context_switcher.cc index b45f45752..0ec885738 100644 --- a/src/detection/context_switcher.cc +++ b/src/detection/context_switcher.cc @@ -240,7 +240,7 @@ TEST_CASE("ContextSwitcher normal", "[ContextSwitcher]") mgr.set_context_data(1, a); mgr.interrupt(); CHECK(mgr.idle_count() == max-2); - CHECK(mgr.busy_count() == 2); + CHECK((mgr.busy_count() == 2)); unsigned u = mgr.suspend(); CHECK(mgr.idle_count() == max-2); @@ -249,7 +249,7 @@ TEST_CASE("ContextSwitcher normal", "[ContextSwitcher]") mgr.resume(u); CHECK(mgr.idle_count() == max-2); - CHECK(mgr.busy_count() == 2); + CHECK((mgr.busy_count() == 2)); CHECK(mgr.hold_count() == 0); mgr.complete(); @@ -291,7 +291,7 @@ TEST_CASE("ContextSwitcher abort", "[ContextSwitcher]") CHECK(mgr.idle_count() == max-3); mgr.suspend(); - CHECK(mgr.busy_count() == 2); + CHECK((mgr.busy_count() == 2)); CHECK(mgr.hold_count() == 1); mgr.abort(); diff --git a/src/detection/detection_util.h b/src/detection/detection_util.h index 79668e627..33c78c931 100644 --- a/src/detection/detection_util.h +++ b/src/detection/detection_util.h @@ -22,8 +22,7 @@ #define DETECTION_UTIL_H // this is a legacy junk-drawer file that needs to be refactored -// it provides file and alt data pointers, event trace foo, and -// some http stuff. +// it provides file and alt data and event trace foo. #include "main/snort_config.h" 
@@ -41,13 +40,6 @@ struct DataBuffer unsigned len; }; -#define SetDetectLimit(pktPtr, altLen) \ -{ \ - (pktPtr)->alt_dsize = altLen; \ -} - -#define IsLimitedDetect(pktPtr) ((pktPtr)->packet_flags & PKT_HTTP_DECODE) - // FIXIT-L event trace should be placed in its own files void EventTrace_Init(); void EventTrace_Term(); diff --git a/src/detection/fp_config.h b/src/detection/fp_config.h index 006a9dd74..1fd47eec5 100644 --- a/src/detection/fp_config.h +++ b/src/detection/fp_config.h @@ -145,7 +145,7 @@ public: private: const struct MpseApi* search_api; - bool inspect_stream_insert = false; + bool inspect_stream_insert = true; bool trim; bool split_any_any = false; bool debug_print_fast_pattern = false; diff --git a/src/detection/fp_create.cc b/src/detection/fp_create.cc index 228530457..85dc53e78 100644 --- a/src/detection/fp_create.cc +++ b/src/detection/fp_create.cc @@ -513,7 +513,9 @@ static int fpAddPortGroupRule( return -1; OptFpList* next = nullptr; - bool exclude, only_literal = !MpseManager::is_regex_capable(fp->get_search_api()); + bool only_literal = !MpseManager::is_regex_capable(fp->get_search_api()); + bool exclude; + pmv = get_fp_content(otn, next, srvc, only_literal, exclude); if ( !pmv.empty() ) @@ -1265,11 +1267,7 @@ static void fpCreateServiceMapPortGroups(SnortConfig* sc) fpBuildServicePortGroups(sc, sc->spgmmTable->to_cli[i], sc->sopgTable->to_cli[i], sc->srmmTable->to_cli[i], fp); } - if ( !sc->sopgTable->set_user_mode() ) - { - fp->set_stream_insert(true); - ParseWarning(WARN_RULES, "legacy mode fast pattern searching enabled"); - } + sc->sopgTable->set_user_mode(); } /* diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index 6882f931b..d6b002b25 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc 
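Review bot: `bool exclude;` in the fpAddPortGroupRule hunk is still uninitialized after being split out of the combined declaration; it is handed to get_fp_content as an out-parameter, and unless every path of that function writes it (not visible here) the later read of `exclude` is indeterminate, so `bool exclude = false;` costs nothing and settles the question for the next static-analysis run. In the fpCreateServiceMapPortGroups hunk the value of `sc->sopgTable->set_user_mode()` is now dropped without comment; if it still returns the bool the old code branched on, a `(void)` cast or a one-line comment such as `// return value intentionally ignored: user mode no longer alters fast pattern config` makes the intent explicit. Both enclosing functions start outside their hunks.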
@@ -914,14 +914,9 @@ static int fp_search( // ports search raw packet only if ( Mpse* so = port_group->mpse[PM_TYPE_PKT] ) { - uint16_t pattern_match_size = p->dsize; - - if ( IsLimitedDetect(p) && (p->alt_dsize < p->dsize) ) - pattern_match_size = p->alt_dsize; - - if ( pattern_match_size ) + if ( uint16_t pattern_match_size = p->get_detect_limit() ) { - trace_logf(detection, TRACE_FP_SEARCH, "%ld fp %s[%d]\n", + trace_logf(detection, TRACE_FP_SEARCH, "%ld fp %s[%u]\n", pc.total_from_daq, pm_type_strings[PM_TYPE_PKT], pattern_match_size); search_data(so, omd, p->data, pattern_match_size, pc.pkt_searches); diff --git a/src/framework/cursor.cc b/src/framework/cursor.cc index 5a96ae0b4..2288afcf5 100644 --- a/src/framework/cursor.cc +++ b/src/framework/cursor.cc @@ -47,13 +47,9 @@ void Cursor::reset(Packet* p) { set("alt_data", buf.data, buf.len); } - else if ( IsLimitedDetect(p) ) - { - set("pkt_data", p->data, p->alt_dsize); - } else { - set("pkt_data", p->data, p->dsize); + set("pkt_data", p->data, p->get_detect_limit()); } } diff --git a/src/hash/lru_cache_shared.h b/src/hash/lru_cache_shared.h index d2cf0a95f..81c4d65bf 100644 --- a/src/hash/lru_cache_shared.h +++ b/src/hash/lru_cache_shared.h @@ -158,7 +158,7 @@ bool LruCacheShared::set_max_size(size_t newsize) list_iter=list.end(); while (current_size > newsize) { - list_iter--; + --list_iter; current_size--; map.erase(list_iter->first); list.erase(list_iter); @@ -199,7 +199,7 @@ void LruCacheShared::insert(const Key& key, const Data& data) { LruListIter list_iter; list_iter = list.end(); - list_iter--; + --list_iter; map.erase(list_iter->first); list.erase(list_iter); stats.prunes++; diff --git a/src/hash/xhash.cc b/src/hash/xhash.cc index 3c12237e2..0aa192107 100644 --- a/src/hash/xhash.cc +++ b/src/hash/xhash.cc 
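Review bot: The guard `p->alt_dsize < p->dsize` that the old code applied before trusting alt_dsize is gone, and `p->get_detect_limit()` (packet.h hunk) returns alt_dsize unconditionally whenever PKT_DETECT_LIMIT is set, so a limit larger than dsize now reaches `search_data(so, omd, p->data, pattern_match_size, pc.pkt_searches)` as a length and the matcher reads past the packet payload. The cursor.cc hunk passes the same value to `set("pkt_data", p->data, p->get_detect_limit())`, so rule options would see the same overrun. Unless every caller of set_detect_limit is guaranteed to pass a value no larger than dsize (the http_inspect side is not in this view), the accessor should keep the old clamp, e.g. `{ return ((packet_flags & PKT_DETECT_LIMIT) && alt_dsize < dsize) ? alt_dsize : dsize; }`. fp_search's body starts outside the hunk.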
@@ -1053,7 +1053,7 @@ int anrfree(void* key, void* data) /* Decide if we can free this node. */ - //bx++; if(bx == 4 )bx=0; /* for testing */ + bx++; if(bx == 4 )bx=0; /* for testing */ /* if we are allowing the node to die, kill it */ if ( !bx ) diff --git a/src/host_tracker/host_tracker_module.cc b/src/host_tracker/host_tracker_module.cc index 090fe2d5a..ad500f2b1 100644 --- a/src/host_tracker/host_tracker_module.cc +++ b/src/host_tracker/host_tracker_module.cc @@ -44,7 +44,7 @@ const Parameter HostTrackerModule::service_params[] = "service identifier" }, { "proto", Parameter::PT_ENUM, "tcp | udp", "tcp", - "ip protocol" }, + "IP protocol" }, { "port", Parameter::PT_PORT, nullptr, nullptr, "port number" }, @@ -54,14 +54,14 @@ const Parameter HostTrackerModule::service_params[] = const Parameter HostTrackerModule::host_tracker_params[] = { - { "ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32", + { "IP", Parameter::PT_ADDR, nullptr, "0.0.0.0/32", "hosts address / cidr" }, { "frag_policy", Parameter::PT_ENUM, IP_POLICIES, nullptr, "defragmentation policy" }, { "tcp_policy", Parameter::PT_ENUM, TCP_POLICIES, nullptr, - "tcp reassembly policy" }, + "TCP reassembly policy" }, { "services", Parameter::PT_LIST, HostTrackerModule::service_params, nullptr, "list of service parameters" }, diff --git a/src/ips_options/ips_ack.cc b/src/ips_options/ips_ack.cc index 7fc6389ab..773a09910 100644 --- a/src/ips_options/ips_ack.cc +++ b/src/ips_options/ips_ack.cc @@ -98,7 +98,7 @@ IpsOption::EvalStatus TcpAckOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if tcp ack value is 'value | min<>max | min'" }, + "check if TCP ack value is 'value | min<>max | min'" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/ips_options/ips_icmp_id.cc b/src/ips_options/ips_icmp_id.cc index 04ee805b5..fac6b465b 100644 --- a/src/ips_options/ips_icmp_id.cc +++ b/src/ips_options/ips_icmp_id.cc 
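Review bot: Re-enabling `bx++; if(bx == 4 )bx=0;` in anrfree changes what the function does rather than only silencing a warning: bx now cycles across calls, so the `if ( !bx )` branch below frees a node only when the counter wraps to zero instead of whatever fixed answer the unchanged bx gave before. If anrfree is only compiled into the xhash self-test this is harmless, but the `/* for testing */` comment now describes live code and should say what the rotation is for, e.g. `/* rotate so the ANR callback declines to free every fourth node (test only) */`; if it is reachable in a production build, the old line should come back and the warning be addressed with `[[maybe_unused]]` instead. anrfree begins before the hunk and the declaration of bx is not visible here.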
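Review bot: The host_tracker_params hunk changes the parameter key, not only its help text: `{ "ip", ...` becomes `{ "IP", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",`, whereas the equivalent hosts_params entry in the modules.cc hunk keeps the key `"ip"` and capitalizes only the help. Keys are what user configs and lookup code match on, so this should stay `{ "ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",` with the help string as the only edit; while here, `"hosts address / cidr"` could become `"hosts address / CIDR"` to match modules.cc.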
@@ -127,7 +127,7 @@ IpsOption::EvalStatus IcmpIdOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if icmp id is in given range" }, + "check if ICMP ID is in given range" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/ips_options/ips_icmp_seq.cc b/src/ips_options/ips_icmp_seq.cc index e4cae5591..e150edeee 100644 --- a/src/ips_options/ips_icmp_seq.cc +++ b/src/ips_options/ips_icmp_seq.cc @@ -128,7 +128,7 @@ IpsOption::EvalStatus IcmpSeqOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if icmp sequence number is in given range" }, + "check if ICMP sequence number is in given range" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/ips_options/ips_icode.cc b/src/ips_options/ips_icode.cc index 2038f155d..4b05f5a06 100644 --- a/src/ips_options/ips_icode.cc +++ b/src/ips_options/ips_icode.cc @@ -99,7 +99,7 @@ IpsOption::EvalStatus IcodeOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if icmp code is in given range is" }, + "check if ICMP code is in given range is" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/ips_options/ips_id.cc b/src/ips_options/ips_id.cc index 2bd810469..55c241f03 100644 --- a/src/ips_options/ips_id.cc +++ b/src/ips_options/ips_id.cc @@ -97,7 +97,7 @@ IpsOption::EvalStatus IpIdOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if the ip id is in the given range" }, + "check if the IP ID is in the given range" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/ips_options/ips_itype.cc b/src/ips_options/ips_itype.cc index d0322838c..bceb7b7a7 100644 --- a/src/ips_options/ips_itype.cc 
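Review bot: The ips_icode.cc help string keeps a stray trailing word after the capitalization fix: `"check if ICMP code is in given range is"`. The sibling range options in this commit read `"... is in given range"`, so `"check if ICMP code is in given range"` is the intended text.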
+++ b/src/ips_options/ips_itype.cc @@ -100,7 +100,7 @@ IpsOption::EvalStatus IcmpTypeOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if icmp type is in given range" }, + "check if ICMP type is in given range" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/ips_options/ips_seq.cc b/src/ips_options/ips_seq.cc index b05d4f023..6a0e43b99 100644 --- a/src/ips_options/ips_seq.cc +++ b/src/ips_options/ips_seq.cc @@ -98,7 +98,7 @@ IpsOption::EvalStatus TcpSeqOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if tcp sequence number is in given range" }, + "check if TCP sequence number is in given range" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/ips_options/ips_tos.cc b/src/ips_options/ips_tos.cc index 12c095401..9ac03001d 100644 --- a/src/ips_options/ips_tos.cc +++ b/src/ips_options/ips_tos.cc @@ -101,7 +101,7 @@ IpsOption::EvalStatus IpTosOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if ip tos is in given range" }, + "check if IP TOS is in given range" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/ips_options/ips_ttl.cc b/src/ips_options/ips_ttl.cc index b230a6d71..ca5c875ae 100644 --- a/src/ips_options/ips_ttl.cc +++ b/src/ips_options/ips_ttl.cc @@ -98,7 +98,7 @@ IpsOption::EvalStatus TtlOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if ip ttl is in the given range" }, + "check if IP TTL is in the given range" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/ips_options/ips_window.cc b/src/ips_options/ips_window.cc index a140baf50..7481a283e 100644 --- a/src/ips_options/ips_window.cc 
+++ b/src/ips_options/ips_window.cc @@ -98,7 +98,7 @@ IpsOption::EvalStatus TcpWinOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~range", Parameter::PT_INTERVAL, RANGE, nullptr, - "check if tcp window size is in given range" }, + "check if TCP window size is in given range" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/main/modules.cc b/src/main/modules.cc index 685c9f1c0..f2f791186 100644 --- a/src/main/modules.cc +++ b/src/main/modules.cc @@ -238,8 +238,8 @@ static const Parameter search_engine_params[] = { "max_queue_events", Parameter::PT_INT, "2:100", "5", // upper bound is MAX_EVENT_MATCH "maximum number of matching fast pattern states to queue per packet" }, - { "inspect_stream_inserts", Parameter::PT_BOOL, nullptr, "false", - "inspect reassembled payload - disabling is good for performance, bad for detection" }, + { "detect_raw_tcp", Parameter::PT_BOOL, nullptr, "true", + "detect on TCP payload before reassembly" }, { "search_method", Parameter::PT_DYNAMIC, (void*)&get_search_methods, "ac_bnfa", "set fast pattern algorithm - choose available search engine" }, @@ -337,7 +337,7 @@ bool SearchEngineModule::set(const char*, Value& v, SnortConfig* sc) else if ( v.is("max_queue_events") ) fp->set_max_queue_events(v.get_long()); - else if ( v.is("inspect_stream_inserts") ) + else if ( v.is("detect_raw_tcp") ) fp->set_stream_insert(v.get_bool()); else if ( v.is("search_method") ) @@ -1029,7 +1029,7 @@ static const Parameter network_params[] = "correlate unified2 events with configuration" }, { "min_ttl", Parameter::PT_INT, "1:255", "1", - "alert / normalize packets with lower ttl / hop limit " + "alert / normalize packets with lower TTL / hop limit " "(you must enable rules and / or normalization also)" }, { "new_ttl", Parameter::PT_INT, "1:255", "1", 
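Review bot: The renamed `detect_raw_tcp` option is wired to `fp->set_stream_insert(v.get_bool())`, and the backing member in the fp_config.h hunk is still `inspect_stream_insert`, so a reader of the set() hunk cannot tell from the names whether true enables or suppresses detection on unreassembled segments; a one-line comment at the call, `// detect_raw_tcp maps onto the legacy inspect_stream_insert flag: true = also search TCP payload before reassembly`, would close that gap. The default also flips from "false" to "true" in the same table, which changes both detection and cost for any deployment that never set the option, and configs that still use the old key `inspect_stream_inserts` no longer match this table; if no compatibility alias is handled elsewhere, the help text or release notes should call both out.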
@@ -1760,7 +1760,7 @@ static const Parameter service_params[] = "service identifier" }, { "proto", Parameter::PT_ENUM, "tcp | udp", "tcp", - "ip protocol" }, + "IP protocol" }, { "port", Parameter::PT_PORT, nullptr, nullptr, "port number" }, @@ -1771,13 +1771,13 @@ static const Parameter service_params[] = static const Parameter hosts_params[] = { { "ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32", - "hosts address / cidr" }, + "hosts address / CIDR" }, { "frag_policy", Parameter::PT_ENUM, IP_POLICIES, nullptr, "defragmentation policy" }, { "tcp_policy", Parameter::PT_ENUM, TCP_POLICIES, nullptr, - "tcp reassembly policy" }, + "TCP reassembly policy" }, { "services", Parameter::PT_LIST, service_params, nullptr, "list of service parameters" }, diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc index fdad51a0e..37e29bacf 100644 --- a/src/main/snort_module.cc +++ b/src/main/snort_module.cc @@ -176,7 +176,7 @@ static const Parameter s_params[] = #ifdef SHELL { "-j", Parameter::PT_PORT, nullptr, nullptr, - " to listen for telnet connections" }, + " to listen for Telnet connections" }, #endif { "-k", Parameter::PT_ENUM, "all|noip|notcp|noudp|noicmp|none", "all", diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc index 01386c71d..97c5f6527 100644 --- a/src/network_inspectors/appid/appid_http_session.cc +++ b/src/network_inspectors/appid/appid_http_session.cc @@ -435,7 +435,7 @@ int AppIdHttpSession::process_http_packet(int direction) { if ( asd->service.get_id() == APP_ID_NONE || asd->service.get_id() == APP_ID_HTTP ) { - AppIdServiceSubtype* local_subtype = nullptr; + //AppIdServiceSubtype* local_subtype = nullptr; char* vendorVersion = nullptr; char* vendor = nullptr; 
@@ -450,7 +450,8 @@ int AppIdHttpSession::process_http_packet(int direction) snort_free(vendor); snort_free(vendorVersion); } - if (local_subtype) +#if 0 + if (local_subtype) // FIXIT-W always false { AppIdServiceSubtype** tmpSubtype; @@ -460,6 +461,7 @@ int AppIdHttpSession::process_http_packet(int direction) *tmpSubtype = local_subtype; } +#endif } } diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index 9ddc2c9eb..7c31c77bc 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc @@ -44,12 +44,12 @@ THREAD_LOCAL ProfileStats appidPerfStats; static const Parameter session_log_filter[] = { { "src_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32", - "source ip address in CIDR format" }, + "source IP address in CIDR format" }, { "dst_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32", - "destination ip address in CIDR format" }, + "destination IP address in CIDR format" }, { "src_port", Parameter::PT_PORT, "1:", nullptr, "source port" }, { "dst_port", Parameter::PT_PORT, "1:", nullptr, "destination port" }, - { "protocol", Parameter::PT_STRING, nullptr, nullptr,"ip protocol" }, + { "protocol", Parameter::PT_STRING, nullptr, nullptr,"IP protocol" }, { "log_all_sessions", Parameter::PT_BOOL, nullptr, "false", "enable logging for all appid sessions" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } diff --git a/src/network_inspectors/appid/appid_utils/sf_mlmp.cc b/src/network_inspectors/appid/appid_utils/sf_mlmp.cc index c06de1d15..af0a619a2 100644 --- a/src/network_inspectors/appid/appid_utils/sf_mlmp.cc +++ b/src/network_inspectors/appid/appid_utils/sf_mlmp.cc 
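Review bot: The process_http_packet hunk parks dead code under `#if 0` and comments out `AppIdServiceSubtype* local_subtype` rather than removing them, so the block is no longer compiled and will drift from the surrounding code while still turning up in searches. Since the commit already concludes the branch is always false, deleting it (history keeps it) and leaving one line such as `// FIXIT-M service subtype is never derived from the HTTP fields above; restore when a source exists` preserves the intent without shipping unbuilt code. process_http_packet starts outside the hunk.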
@@ -270,19 +270,18 @@ static void destroyTreesRecursively(tMlmpTree* rootNode) static void dumpTreesRecursively(tMlmpTree* rootNode) { - tPatternPrimaryNode* primaryPatternNode; - tPatternNode* ddPatternNode; - char prefix[41]; - uint32_t prefixSize; +#ifdef DEBUG + uint32_t prefixSize = 4 * (rootNode->level) + 2; - prefixSize = 4 * (rootNode->level) + 2; if (prefixSize > 40) prefixSize = 40; + char prefix[41]; memset(prefix, ' ', prefixSize); prefix[prefixSize] = '\0'; +#endif - for (primaryPatternNode = rootNode->patternList; + for (tPatternPrimaryNode* primaryPatternNode = rootNode->patternList; primaryPatternNode; primaryPatternNode = primaryPatternNode->nextPrimaryNode) { @@ -292,7 +291,7 @@ static void dumpTreesRecursively(tMlmpTree* rootNode) primaryPatternNode->patternNode.partTotal, primaryPatternNode->patternNode.userData); - for (ddPatternNode = &primaryPatternNode->patternNode; + for (tPatternNode* ddPatternNode = &primaryPatternNode->patternNode; ddPatternNode; ddPatternNode = ddPatternNode->nextPattern) { diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc index 4c2cd0ecc..9565e61d1 100644 --- a/src/network_inspectors/appid/test/appid_api_test.cc +++ b/src/network_inspectors/appid/test/appid_api_test.cc @@ -530,7 +530,7 @@ TEST(appid_api, get_user_name) CHECK_TRUE(service == APPID_UT_ID); CHECK_TRUE(!isLoginSuccessful); mock_session->set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED); - val = appid_api.get_user_name(mock_session, &service, &isLoginSuccessful); + appid_api.get_user_name(mock_session, &service, &isLoginSuccessful); CHECK_TRUE(service == APPID_UT_ID); CHECK_TRUE(isLoginSuccessful); } 
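Review bot: Moving `prefix` and `prefixSize` under `#ifdef DEBUG` in dumpTreesRecursively means they exist only in DEBUG builds, so every later use of `prefix` must be compiled out the same way; the argument list `primaryPatternNode->patternNode.partTotal, primaryPatternNode->patternNode.userData);` in the second hunk belongs to a call whose head is not visible here, and if that call is not itself DEBUG-only the non-DEBUG build now fails on an undeclared name. A comment above the guard, `// prefix/prefixSize are consumed only by the DEBUG-only dump below`, would record the assumption the change relies on.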
@@ -704,7 +704,7 @@ TEST(appid_api, produce_ha_state) mock_flow_data= nullptr; SfIp ip; ip.pton(AF_INET, "192.168.1.222"); - val = appid_api.consume_ha_state(flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066); + appid_api.consume_ha_state(flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066); mock_session = (AppIdSession*)flow->get_flow_data(AppIdSession::inspector_id); CHECK_TRUE(mock_session); CHECK_TRUE(mock_session->tp_app_id == appHA.appId[0]); @@ -723,7 +723,7 @@ TEST(appid_api, produce_ha_state) delete mock_session; mock_session = nullptr; mock_flow_data= nullptr; - val = appid_api.consume_ha_state(flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066); + appid_api.consume_ha_state(flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066); mock_session = (AppIdSession*)flow->get_flow_data(AppIdSession::inspector_id); CHECK_TRUE(mock_session); uint64_t flags = mock_session->get_session_flags(APPID_SESSION_CLIENT_DETECTED | diff --git a/src/network_inspectors/appid/thirdparty_appid_utils.cc b/src/network_inspectors/appid/thirdparty_appid_utils.cc index f13f42226..9213e4b6b 100644 --- a/src/network_inspectors/appid/thirdparty_appid_utils.cc +++ b/src/network_inspectors/appid/thirdparty_appid_utils.cc @@ -117,7 +117,7 @@ static void getXffFields() { // FIXIT-M need to get xff fields from http config const char** xffFields = nullptr; // = _dpd.getHttpXffFields(&thirdpartyConfig.numXffFields); - if (!xffFields) + //if (!xffFields) FIXIT-W always true { xffFields = defaultXffFields; thirdpartyConfig.numXffFields = sizeof(defaultXffFields) / sizeof(defaultXffFields[0]); diff --git a/src/network_inspectors/port_scan/ps_module.cc b/src/network_inspectors/port_scan/ps_module.cc index 2090ac913..cf9afcc5d 100644 --- a/src/network_inspectors/port_scan/ps_module.cc +++ b/src/network_inspectors/port_scan/ps_module.cc 
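Review bot: Commenting out the `if` in getXffFields leaves the braces as an unconditional bare scope, so `const char** xffFields = nullptr;` is initialized and immediately overwritten, and `// FIXIT-W always true` is the only clue why a block sits there with no condition. Clearer is to drop the braces and initialize directly, `const char** xffFields = defaultXffFields; // FIXIT-M should come from the http config`, keeping the numXffFields assignment that follows; the rest of getXffFields is outside the hunk.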
@@ -81,55 +81,55 @@ static const Parameter ps_params[] = "list of CIDRs with optional ports" }, { "tcp_ports", Parameter::PT_TABLE, scan_params, nullptr, - "tcp port scan configuration (one-to-one)" }, + "TCP port scan configuration (one-to-one)" }, { "tcp_decoy", Parameter::PT_TABLE, scan_params, nullptr, - "tcp decoy scan configuration (one-to-one decoy)" }, + "TCP decoy scan configuration (one-to-one decoy)" }, { "tcp_sweep", Parameter::PT_TABLE, scan_params, nullptr, - "tcp sweep scan configuration (one-to-many)" }, + "TCP sweep scan configuration (one-to-many)" }, { "tcp_dist", Parameter::PT_TABLE, scan_params, nullptr, - "tcp distributed scan configuration (many-to-one)" }, + "TCP distributed scan configuration (many-to-one)" }, { "udp_ports", Parameter::PT_TABLE, scan_params, nullptr, - "udp port scan configuration (one-to-one)" }, + "UDP port scan configuration (one-to-one)" }, { "udp_decoy", Parameter::PT_TABLE, scan_params, nullptr, - "udp decoy scan configuration (one-to-one)" }, + "UDP decoy scan configuration (one-to-one)" }, { "udp_sweep", Parameter::PT_TABLE, scan_params, nullptr, - "udp sweep scan configuration (one-to-many)" }, + "UDP sweep scan configuration (one-to-many)" }, { "udp_dist", Parameter::PT_TABLE, scan_params, nullptr, - "udp distributed scan configuration (many-to-one)" }, + "UDP distributed scan configuration (many-to-one)" }, { "ip_proto", Parameter::PT_TABLE, scan_params, nullptr, - "ip protocol scan configuration (one-to-one)" }, + "IP protocol scan configuration (one-to-one)" }, { "ip_decoy", Parameter::PT_TABLE, scan_params, nullptr, - "ip decoy scan configuration (one-to-one decoy)" }, + "IP decoy scan configuration (one-to-one decoy)" }, { "ip_sweep", Parameter::PT_TABLE, scan_params, nullptr, "ip sweep scan configuration (one-to-many)" }, { "ip_dist", Parameter::PT_TABLE, scan_params, nullptr, - "ip distributed scan configuration (many-to-one)" }, + "IP distributed scan configuration (many-to-one)" }, { "icmp_sweep", 
Parameter::PT_TABLE, scan_params, nullptr, - "icmp sweep scan configuration (one-to-many)" }, + "ICMP sweep scan configuration (one-to-many)" }, { "tcp_window", Parameter::PT_INT, "0:", "0", - "detection interval for all tcp scans" }, + "detection interval for all TCP scans" }, { "udp_window", Parameter::PT_INT, "0:", "0", - "detection interval for all udp scans" }, + "detection interval for all UDP scans" }, { "ip_window", Parameter::PT_INT, "0:", "0", - "detection interval for all ip scans" }, + "detection interval for all IP scans" }, { "icmp_window", Parameter::PT_INT, "0:", "0", - "detection interval for all icmp scans" }, + "detection interval for all ICMP scans" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/network_inspectors/reputation/reputation_module.cc b/src/network_inspectors/reputation/reputation_module.cc index 140c904de..ff0bdb086 100644 --- a/src/network_inspectors/reputation/reputation_module.cc +++ b/src/network_inspectors/reputation/reputation_module.cc @@ -43,13 +43,13 @@ using namespace std; static const Parameter s_params[] = { { "blacklist", Parameter::PT_STRING, nullptr, nullptr, - "blacklist file name with ip lists" }, + "blacklist file name with IP lists" }, { "memcap", Parameter::PT_INT, "1:4095", "500", "maximum total MB of memory allocated" }, { "nested_ip", Parameter::PT_ENUM, "inner|outer|all", "inner", - "ip to use when there is IP encapsulation" }, + "IP to use when there is IP encapsulation" }, { "priority", Parameter::PT_ENUM, "blacklist|whitelist", "whitelist", "defines priority when there is a decision conflict during run-time" }, @@ -61,7 +61,7 @@ static const Parameter s_params[] = "specify the meaning of whitelist" }, { "whitelist", Parameter::PT_STRING, nullptr, nullptr, - "whitelist file name with ip lists" }, + "whitelist file name with IP lists" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; 
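Review bot: One entry in the ps_params hunk was missed by the capitalization pass: `"ip sweep scan configuration (one-to-many)" },` is left as context while its neighbours ip_proto, ip_decoy and ip_dist all become "IP". For consistency it should read `"IP sweep scan configuration (one-to-many)" },`.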
diff --git a/src/protocols/packet.h b/src/protocols/packet.h index a1eb455e4..abebc7ace 100644 --- a/src/protocols/packet.h +++ b/src/protocols/packet.h @@ -42,7 +42,7 @@ #define PKT_PDU_HEAD 0x00000100 /* start of PDU */ #define PKT_PDU_TAIL 0x00000200 /* end of PDU */ -#define PKT_HTTP_DECODE 0x00000400 /* this packet has normalized http */ +#define PKT_DETECT_LIMIT 0x00000400 /* alt_dsize is valid */ #define PKT_ALLOW_MULTIPLE_DETECT 0x00000800 /* packet has either pipelined mime attachments or pipeline http requests */ @@ -111,7 +111,7 @@ struct SO_PUBLIC Packet uint32_t xtradata_mask; uint16_t proto_bits; /* protocols contained within this packet */ - uint16_t alt_dsize; /* the dsize of a packet before munging (used for log)*/ + uint16_t alt_dsize; /* size for detection (iff PKT_DETECT_LIMIT) */ uint8_t num_layers; /* index into layers for next encap */ // FIXIT-M Consider moving ip_proto_next below `pkth`. @@ -188,6 +188,15 @@ struct SO_PUBLIC Packet inline PktType type() const { return ptrs.get_pkt_type(); } // defined in codec.h + void set_detect_limit(uint16_t n) + { + alt_dsize = n; + packet_flags |= PKT_DETECT_LIMIT; + } + + uint16_t get_detect_limit() + { return (packet_flags & PKT_DETECT_LIMIT) ? alt_dsize : dsize; } + const char* get_type() const; const char* get_pseudo_type() const; diff --git a/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.cc b/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.cc index 3f3ac0471..c57972f37 100644 --- a/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.cc +++ b/src/service_inspectors/dce_rpc/dce_http_proxy_splitter.cc @@ -239,7 +239,7 @@ TEST_CASE("DceHttpProxySplitter-scan - full_proxy_request", "[http_proxy_splitte { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(true); Flow* flow = new Flow(); - uint32_t fp; + uint32_t fp = 0; REQUIRE(splitter->scan(flow, (const uint8_t*)HTTP_PROXY_REQUEST, strlen(HTTP_PROXY_REQUEST), PKT_FROM_CLIENT, &fp) == StreamSplitter::FLUSH); 
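Review bot: `uint16_t get_detect_limit()` only reads packet_flags, alt_dsize and dsize but is not const, unlike `type() const` on the line above it, so it cannot be called through a `const Packet*`; `uint16_t get_detect_limit() const` fixes that. The accessor also trusts PKT_DETECT_LIMIT without anything in this hunk clearing it; if Packet objects are recycled, a bit left over from a previous packet would apply a stale alt_dsize, so the contract that packet_flags is reset per packet is worth stating on set_detect_limit, e.g. `// valid only until packet_flags is reset; set solely through set_detect_limit so alt_dsize and the flag stay paired`.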
@@ -257,7 +257,7 @@ TEST_CASE("DceHttpProxySplitter-scan - extra_proxy_request", "[http_proxy_splitt const char* extra = "ignore"; char* string = new char[strlen(HTTP_PROXY_REQUEST)+strlen(extra)+1]; Flow* flow = new Flow(); - uint32_t fp; + uint32_t fp = 0; strncpy(string,(const char*)HTTP_PROXY_REQUEST,strlen(HTTP_PROXY_REQUEST)); strncpy(string+strlen(HTTP_PROXY_REQUEST),extra,strlen(extra)); @@ -291,12 +291,12 @@ TEST_CASE("DceHttpProxySplitter-scan - good_1_proxy_response", "[http_proxy_spli { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); Flow* flow = new Flow(); - uint32_t fp; + uint32_t fp = 0; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\n\n", 12, PKT_FROM_SERVER, &fp) == - StreamSplitter::FLUSH); - REQUIRE(fp == 12); + REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\n\n", 12, + PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH); + REQUIRE((fp == 12)); REQUIRE(splitter->cutover_inspector() == true); delete flow; delete splitter; @@ -306,12 +306,12 @@ TEST_CASE("DceHttpProxySplitter-scan - good_2_proxy_response", "[http_proxy_spli { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); Flow* flow = new Flow(); - uint32_t fp; + uint32_t fp = 0; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\n", 15, PKT_FROM_SERVER, &fp) == - StreamSplitter::FLUSH); - REQUIRE(fp == 15); + REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\n", 15, + PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH); + REQUIRE((fp == 15)); REQUIRE(splitter->cutover_inspector() == true); delete flow; delete splitter; 
@@ -320,12 +320,12 @@ TEST_CASE("DceHttpProxySplitter-scan - good_3_proxy_response", "[http_proxy_spli { DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false); Flow* flow = new Flow(); - uint32_t fp; + uint32_t fp = 0; REQUIRE(splitter->cutover_inspector() == false); - REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\nyyy", 18, PKT_FROM_SERVER, &fp) == - StreamSplitter::FLUSH); - REQUIRE(fp == 18); + REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\nyyy", 18, + PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH); + REQUIRE((fp == 18)); REQUIRE(splitter->cutover_inspector() == true); delete flow; delete splitter; diff --git a/src/service_inspectors/dnp3/ips_dnp3_func.cc b/src/service_inspectors/dnp3/ips_dnp3_func.cc index 2c94a3ba1..74cd1054e 100644 --- a/src/service_inspectors/dnp3/ips_dnp3_func.cc +++ b/src/service_inspectors/dnp3/ips_dnp3_func.cc @@ -38,7 +38,7 @@ #define s_name "dnp3_func" #define s_help \ - "detection option to check dnp3 function code" + "detection option to check DNP3 function code" static THREAD_LOCAL ProfileStats dnp3_func_perf_stats; @@ -112,7 +112,7 @@ IpsOption::EvalStatus Dnp3FuncOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~", Parameter::PT_STRING, nullptr, nullptr, - "match dnp3 function code or name" }, + "match DNP3 function code or name" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/service_inspectors/dnp3/ips_dnp3_ind.cc b/src/service_inspectors/dnp3/ips_dnp3_ind.cc index 31f005283..9c6c843ee 100644 --- a/src/service_inspectors/dnp3/ips_dnp3_ind.cc +++ b/src/service_inspectors/dnp3/ips_dnp3_ind.cc @@ -38,7 +38,7 @@ #define s_name "dnp3_ind" #define s_help \ - "detection option to check dnp3 indicator flags" + "detection option to check DNP3 indicator flags" static THREAD_LOCAL ProfileStats dnp3_ind_perf_stats; 
@@ -113,7 +113,7 @@ IpsOption::EvalStatus Dnp3IndOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~", Parameter::PT_STRING, nullptr, nullptr, - "match given dnp3 indicator flags" }, + "match given DNP3 indicator flags" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/service_inspectors/dnp3/ips_dnp3_obj.cc b/src/service_inspectors/dnp3/ips_dnp3_obj.cc index b12dec7af..50d12c760 100644 --- a/src/service_inspectors/dnp3/ips_dnp3_obj.cc +++ b/src/service_inspectors/dnp3/ips_dnp3_obj.cc @@ -37,7 +37,7 @@ #define s_name "dnp3_obj" #define s_help \ - "detection option to check dnp3 object headers" + "detection option to check DNP3 object headers" /* Object decoding constants */ #define DNP3_OBJ_HDR_MIN_LEN 3 /* group, var, qualifier */ @@ -153,9 +153,9 @@ IpsOption::EvalStatus Dnp3ObjOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "group", Parameter::PT_INT, "0:255", "0", - "match given dnp3 object header group" }, + "match given DNP3 object header group" }, { "var", Parameter::PT_INT, "0:255", "0", - "match given dnp3 object header var" }, + "match given DNP3 object header var" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/src/service_inspectors/ftp_telnet/ftp_module.cc b/src/service_inspectors/ftp_telnet/ftp_module.cc index 1d3bc8cee..03dab70a3 100644 --- a/src/service_inspectors/ftp_telnet/ftp_module.cc +++ b/src/service_inspectors/ftp_telnet/ftp_module.cc @@ -46,7 +46,7 @@ using namespace std; static const Parameter client_bounce_params[] = { { "address", Parameter::PT_ADDR, nullptr, "1.0.0.0/32", - "allowed ip address in CIDR format" }, + "allowed IP address in CIDR format" }, // FIXIT-L port and last_port should be replaced with a port list { "port", Parameter::PT_PORT, "1:", "20", 
@@ -70,10 +70,10 @@ static const Parameter ftp_client_params[] = "ignore erase character and erase line commands when normalizing" }, { "max_resp_len", Parameter::PT_INT, "-1:", "-1", - "maximum ftp response accepted by client" }, + "maximum FTP response accepted by client" }, { "telnet_cmds", Parameter::PT_BOOL, nullptr, "false", - "detect telnet escape sequences on ftp control channel" }, + "detect Telnet escape sequences on FTP control channel" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; @@ -300,13 +300,13 @@ static const Parameter ftp_server_params[] = "default maximum length of commands handled by server; 0 is unlimited" }, { "encrypted_traffic", Parameter::PT_BOOL, nullptr, "false", - "check for encrypted telnet and ftp" }, + "check for encrypted Telnet and FTP" }, { "ftp_cmds", Parameter::PT_STRING, nullptr, nullptr, "specify additional commands supported by server beyond RFC 959" }, { "ignore_data_chan", Parameter::PT_BOOL, nullptr, "false", - "do not inspect ftp data channels" }, + "do not inspect FTP data channels" }, { "ignore_telnet_erase_cmds", Parameter::PT_BOOL, nullptr, "false", "ignore erase character and erase line commands when normalizing" }, @@ -315,7 +315,7 @@ static const Parameter ftp_server_params[] = "print command configurations on start up" }, { "telnet_cmds", Parameter::PT_BOOL, nullptr, "false", - "detect telnet escape sequences of ftp control channel" }, + "detect Telnet escape sequences of FTP control channel" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; 
@@ -340,8 +340,8 @@ static const RuleMap ftp_server_rules[] = static const PegInfo ftp_pegs[] = { { CountType::SUM, "total_packets", "total packets" }, - { CountType::NOW, "concurrent_sessions", "total concurrent ftp sessions" }, - { CountType::MAX, "max_concurrent_sessions", "maximum concurrent ftp sessions" }, + { CountType::NOW, "concurrent_sessions", "total concurrent FTP sessions" }, + { CountType::MAX, "max_concurrent_sessions", "maximum concurrent FTP sessions" }, { CountType::END, nullptr, nullptr } }; diff --git a/src/service_inspectors/ftp_telnet/telnet_module.cc b/src/service_inspectors/ftp_telnet/telnet_module.cc index 453a7baa4..8a58107ba 100644 --- a/src/service_inspectors/ftp_telnet/telnet_module.cc +++ b/src/service_inspectors/ftp_telnet/telnet_module.cc @@ -35,22 +35,22 @@ using namespace std; //------------------------------------------------------------------------- #define TELNET_AYT_OVERFLOW_STR \ - "consecutive telnet AYT commands beyond threshold" + "consecutive Telnet AYT commands beyond threshold" #define TELNET_ENCRYPTED_STR \ - "telnet traffic encrypted" + "Telnet traffic encrypted" #define TELNET_SB_NO_SE_STR \ - "telnet subnegotiation begin command without subnegotiation end" + "Telnet subnegotiation begin command without subnegotiation end" static const Parameter s_params[] = { { "ayt_attack_thresh", Parameter::PT_INT, "-1:", "-1", - "alert on this number of consecutive telnet AYT commands" }, + "alert on this number of consecutive Telnet AYT commands" }, { "check_encrypted", Parameter::PT_BOOL, nullptr, "false", "check for end of encryption" }, { "encrypted_traffic", Parameter::PT_BOOL, nullptr, "false", - "check for encrypted telnet and ftp" }, + "check for encrypted Telnet and FTP" }, { "normalize", Parameter::PT_BOOL, nullptr, "false", "eliminate escape sequences" }, 
@@ -61,8 +61,8 @@ static const Parameter s_params[] = static const PegInfo telnet_pegs[] = { { CountType::SUM, "total_packets", "total packets" }, - { CountType::NOW, "concurrent_sessions", "total concurrent telnet sessions" }, - { CountType::MAX, "max_concurrent_sessions", "maximum concurrent telnet sessions" }, + { CountType::NOW, "concurrent_sessions", "total concurrent Telnet sessions" }, + { CountType::MAX, "max_concurrent_sessions", "maximum concurrent Telnet sessions" }, { CountType::END, nullptr, nullptr } }; diff --git a/src/service_inspectors/gtp/gtp_module.cc b/src/service_inspectors/gtp/gtp_module.cc index 9c84cfa79..efed8943d 100644 --- a/src/service_inspectors/gtp/gtp_module.cc +++ b/src/service_inspectors/gtp/gtp_module.cc @@ -107,7 +107,7 @@ static const Parameter gtp_info_params[] = static const Parameter gtp_params[] = { { "version", Parameter::PT_INT, "0:2", "2", - "gtp version" }, + "GTP version" }, { "messages", Parameter::PT_LIST, gtp_msg_params, nullptr, "message dictionary" }, diff --git a/src/service_inspectors/gtp/ips_gtp_version.cc b/src/service_inspectors/gtp/ips_gtp_version.cc index c6b9e7440..51577dcfb 100644 --- a/src/service_inspectors/gtp/ips_gtp_version.cc +++ b/src/service_inspectors/gtp/ips_gtp_version.cc @@ -102,7 +102,7 @@ static const Parameter s_params[] = }; #define s_help \ - "rule option to check gtp version" + "rule option to check GTP version" class GtpVersionModule : public Module { diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc index fe252baeb..f0128648a 100644 --- a/src/service_inspectors/http_inspect/http_inspect.cc +++ b/src/service_inspectors/http_inspect/http_inspect.cc @@ -24,6 +24,7 @@ #include "http_inspect.h" #include "detection/detection_engine.h" +#include "detection/detection_util.h" #include "log/unified2.h" #include "protocols/packet.h" #include "stream/stream.h" 
@@ -274,6 +275,13 @@ void HttpInspect::eval(Packet* p) if (session_data->section_type[source_id] == SEC__NOT_COMPUTE) return; + // Limit alt_dsize of message body sections to request/response depth + if ((session_data->detect_depth_remaining[source_id] > 0) && + (session_data->detect_depth_remaining[source_id] < p->dsize)) + { + p->set_detect_limit(session_data->detect_depth_remaining[source_id]); + } + const int remove_workaround = session_data->zero_byte_workaround[source_id] ? 1 : 0; if (!process(p->data, p->dsize - remove_workaround, p->flow, source_id, true)) { diff --git a/src/service_inspectors/modbus/ips_modbus_unit.cc b/src/service_inspectors/modbus/ips_modbus_unit.cc index 724a83e07..15ed164fb 100644 --- a/src/service_inspectors/modbus/ips_modbus_unit.cc +++ b/src/service_inspectors/modbus/ips_modbus_unit.cc @@ -99,13 +99,13 @@ IpsOption::EvalStatus ModbusUnitOption::eval(Cursor&, Packet* p) static const Parameter s_params[] = { { "~", Parameter::PT_INT, "0:255", nullptr, - "modbus unit ID" }, + "Modbus unit ID" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; #define s_help \ - "rule option to check modbus unit ID" + "rule option to check Modbus unit ID" class ModbusUnitModule : public Module { diff --git a/src/service_inspectors/sip/sip_module.cc b/src/service_inspectors/sip/sip_module.cc index 27412f40d..6867abed9 100644 --- a/src/service_inspectors/sip/sip_module.cc +++ b/src/service_inspectors/sip/sip_module.cc @@ -90,7 +90,7 @@ static const Parameter s_params[] = "maximum via field size" }, { "methods", Parameter::PT_STRING, nullptr, default_methods, - "list of methods to check in sip messages" }, + "list of methods to check in SIP messages" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; 
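Review bot: The new depth clamp in `HttpInspect::eval` is silent about what a zero or negative `detect_depth_remaining[source_id]` means: the `> 0` test leaves the detect limit untouched in that case, so the whole segment reaches detection, which is right only if a non-positive value encodes "no depth limit" rather than "depth exhausted". A one-line comment pinning the encoding would let a reader verify the branch, e.g. `// <= 0: no depth limit for this section; > 0: request/response depth bytes still to detect — TODO confirm against the flow-data definition`. The narrowing when the remaining depth is passed to `p->set_detect_limit()` is only safe because the preceding `< p->dsize` test bounds it by the segment size, so the comment should name that dependency as well. The `detection/detection_util.h` include added in the previous hunk of this file looks unused here if `set_detect_limit` is a `Packet` member; worth checking it is still needed. `HttpInspect::eval` starts and ends outside the hunk.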
@@ -133,8 +133,8 @@ static const PegInfo sip_pegs[] = { { CountType::SUM, "packets", "total packets" }, { CountType::SUM, "sessions", "total sessions" }, - { CountType::NOW, "concurrent_sessions", "total concurrent sip sessions" }, - { CountType::MAX, "max_concurrent_sessions", "maximum concurrent sip sessions" }, + { CountType::NOW, "concurrent_sessions", "total concurrent SIP sessions" }, + { CountType::MAX, "max_concurrent_sessions", "maximum concurrent SIP sessions" }, { CountType::SUM, "events", "events generated" }, { CountType::SUM, "dialogs", "total dialogs" }, { CountType::SUM, "ignored_channels", "total channels ignored" }, diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc index f96c40cb1..9311e6b8c 100644 --- a/src/service_inspectors/smtp/smtp.cc +++ b/src/service_inspectors/smtp/smtp.cc @@ -1215,7 +1215,6 @@ static void snort_smtp(SMTP_PROTO_CONF* config, Packet* p) /* reset normalization stuff */ smtp_normalizing = false; - SetDetectLimit(p, 0); if (pkt_dir == SMTP_PKT_FROM_SERVER) { diff --git a/src/service_inspectors/smtp/smtp_util.cc b/src/service_inspectors/smtp/smtp_util.cc index d80268821..873fa6d2d 100644 --- a/src/service_inspectors/smtp/smtp_util.cc +++ b/src/service_inspectors/smtp/smtp_util.cc @@ -99,7 +99,6 @@ int SMTP_CopyToAltBuffer(Packet* p, const uint8_t* start, int length) if ((unsigned long)length > alt_size - buf.len) { - //SetDetectLimit(p, 0); smtp_normalizing = false; return -1; } diff --git a/src/service_inspectors/wizard/wizard.cc b/src/service_inspectors/wizard/wizard.cc index 7ceccf756..886876e10 100644 --- a/src/service_inspectors/wizard/wizard.cc +++ b/src/service_inspectors/wizard/wizard.cc 
@@ -89,6 +89,23 @@ public: bool is_paf() override { return true; } +private: + void count_scan(const Flow* f) + { + if ( f->pkt_type == PktType::TCP ) + ++tstats.tcp_scans; + else + ++tstats.user_scans; + } + + void count_hit(const Flow* f) + { + if ( f->pkt_type == PktType::TCP ) + ++tstats.tcp_hits; + else + ++tstats.user_hits; + } + private: Wizard* wizard; Wand wand; @@ -152,10 +169,10 @@ StreamSplitter::Status MagicSplitter::scan( uint32_t, uint32_t*) { Profile profile(wizPerfStats); - ++tstats.tcp_scans; + count_scan(f); if ( wizard->cast_spell(wand, f, data, len) ) - ++tstats.tcp_hits; + count_hit(f); else if ( wizard->finished(wand) ) return ABORT; diff --git a/src/stream/base/stream_module.cc b/src/stream/base/stream_module.cc index 4d046ff8f..f1909e42c 100644 --- a/src/stream/base/stream_module.cc +++ b/src/stream/base/stream_module.cc @@ -59,7 +59,7 @@ CACHE_PARAMS(file_params, "128", "30", "180", "5"); static const Parameter s_params[] = { { "footprint", Parameter::PT_INT, "0:", "0", - "use zero for production, non-zero for testing at given size (for tcp and user)" }, + "use zero for production, non-zero for testing at given size (for TCP and user)" }, { "ip_frags_only", Parameter::PT_BOOL, nullptr, "false", "don't process non-frag flows" }, diff --git a/src/stream/ip/ip_module.cc b/src/stream/ip/ip_module.cc index a660ac76a..e240ca807 100644 --- a/src/stream/ip/ip_module.cc +++ b/src/stream/ip/ip_module.cc @@ -111,7 +111,7 @@ static const Parameter s_params[] = "alert if fragment length is below this limit before or after trimming" }, { "min_ttl", Parameter::PT_INT, "1:255", "1", - "discard fragments with ttl below the minimum" }, + "discard fragments with TTL below the minimum" }, { "policy", Parameter::PT_ENUM, IP_POLICIES, "linux", "fragment reassembly policy" }, diff --git a/src/stream/tcp/tcp_module.cc b/src/stream/tcp/tcp_module.cc index 8da998aaf..dbbf5f534 100644 --- a/src/stream/tcp/tcp_module.cc +++ b/src/stream/tcp/tcp_module.cc 
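Review bot: `count_scan` and `count_hit` are written as non-static member functions although neither touches `this`; each only tests `f->pkt_type` and increments a `tstats` counter, so both can be `static`, or collapse into one helper taking the TCP and user counters by reference, and the `private:` label introduced above them duplicates the `private:` that already follows the block, so one of the two can go. Both helpers dereference `f` unconditionally, which is fine if `MagicSplitter::scan` (the caller in the second hunk of this file) never receives a null flow; a short precondition comment, e.g. `// precondition: f != nullptr (caller guarantees) — confirm`, would record that assumption. The enclosing class definition begins before and ends after the hunk.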
@@ -153,10 +153,10 @@ static const Parameter s_params[] = "flush upon seeing a drop in segment size after given number of non-decreasing segments" }, { "ignore_any_rules", Parameter::PT_BOOL, nullptr, "false", - "process tcp content rules w/o ports only if rules with ports are present" }, + "process TCP content rules w/o ports only if rules with ports are present" }, { "max_window", Parameter::PT_INT, "0:1073725440", "0", - "maximum allowed tcp window" }, + "maximum allowed TCP window" }, { "overlap_limit", Parameter::PT_INT, "0:255", "0", "maximum number of allowed overlapping segments per session" }, diff --git a/src/stream/udp/udp_module.cc b/src/stream/udp/udp_module.cc index 4c5609634..366ba9cf6 100644 --- a/src/stream/udp/udp_module.cc +++ b/src/stream/udp/udp_module.cc @@ -38,7 +38,7 @@ static const Parameter s_params[] = "session tracking timeout" }, { "ignore_any_rules", Parameter::PT_BOOL, nullptr, "false", - "process udp content rules w/o ports only if rules with ports are present" }, + "process UDP content rules w/o ports only if rules with ports are present" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; diff --git a/tools/snort2lua/config_states/config_detection.cc b/tools/snort2lua/config_states/config_detection.cc index f06b46124..4a0e51c4e 100644 --- a/tools/snort2lua/config_states/config_detection.cc +++ b/tools/snort2lua/config_states/config_detection.cc @@ -56,8 +56,8 @@ bool Detection::convert(std::istringstream& data_stream) else if (keyword == "no_stream_inserts") { - table_api.add_diff_option_comment("no_stream_inserts", "inspect_stream_inserts"); - tmpval = table_api.add_option("inspect_stream_inserts", false); + table_api.add_diff_option_comment("no_stream_inserts", "detect_raw_tcp"); + tmpval = table_api.add_option("detect_raw_tcp", false); } else if (keyword == "debug") diff --git a/tools/snort2lua/keyword_states/kws_file.cc b/tools/snort2lua/keyword_states/kws_file.cc index 6e155779e..92e993e72 100644 
--- a/tools/snort2lua/keyword_states/kws_file.cc +++ b/tools/snort2lua/keyword_states/kws_file.cc @@ -72,8 +72,6 @@ bool File::convert(std::istringstream& data_stream) while(util::get_string(data_stream, key_value_pair, ";")) { std::istringstream arg_stream(key_value_pair); - std::vector word_list; - util::trim(key_value_pair); size_t pos = key_value_pair.find_first_of(':'); diff --git a/tools/snort2lua/preprocessor_states/pps_perfmonitor.cc b/tools/snort2lua/preprocessor_states/pps_perfmonitor.cc index 754f29612..995d29214 100644 --- a/tools/snort2lua/preprocessor_states/pps_perfmonitor.cc +++ b/tools/snort2lua/preprocessor_states/pps_perfmonitor.cc @@ -42,12 +42,13 @@ private: bool PerfMonitor::convert(std::istringstream& data_stream) { - std::string keyword; - bool retval = true; - table_api.open_table("perf_monitor"); - retval |= table_api.add_option("base", true); - retval |= table_api.add_option("cpu", true); + + bool retval = + table_api.add_option("base", true) and + table_api.add_option("cpu", true); + + std::string keyword; while (data_stream >> keyword) {