From: Russ Combs (rucombs)
Date: Mon, 27 Nov 2017 20:57:11 +0000 (-0500)
Subject: Merge pull request #1075 in SNORT/snort3 from misc_update to master
X-Git-Tag: 3.0.0-241~10
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a0d587ea10a37f7072acde158f3642b259dec2aa;p=thirdparty%2Fsnort3.git
Merge pull request #1075 in SNORT/snort3 from misc_update to master
Squashed commit of the following:
commit f5ec7aa483757573d3f99486a3dbfce9ce39de4a
Author: Russ Combs (rucombs)
Date: Mon Nov 27 13:40:36 2017 -0500
stream_ip: fix non-frag counting
commit b8712168a7f0bb744ecd46fcbf4b934b3798e770
Author: Russ Combs (rucombs)
Date: Mon Nov 27 08:50:41 2017 -0500
ips options: error if lookup fails due to bad case, typos, etc. thanks to Noah Dietrich for reporting the issue
commit 30ea59db4a0b0e50985e5740f8ff4f0be9dd06ae
Author: Russ Combs (rucombs)
Date: Mon Nov 27 08:14:59 2017 -0500
alert_json: tcp_ack, tcp_seq, and tcp_win are (base 10) integers
commit ad40486ab8ddfa1584df015792624caeb14dbd63
Author: Russ Combs (rucombs)
Date: Sun Nov 26 08:04:47 2017 -0500
stream: change tcp idle timeout to 3600 to match 2.X nominal timeout
commit 0436867d413467160d37597f196f8f661d62c885
Author: Russ Combs (rucombs)
Date: Fri Nov 24 16:18:53 2017 -0500
port_scan: fix flow checks
port_scan: add alert_all to make alerting on all events in window optional
---
diff --git a/extra/src/loggers/alert_json/alert_json.cc b/extra/src/loggers/alert_json/alert_json.cc
index 062d06d4e..c319d7d94 100644
--- a/extra/src/loggers/alert_json/alert_json.cc
+++ b/extra/src/loggers/alert_json/alert_json.cc
@@ -481,7 +481,7 @@ static bool ff_tcp_ack(Args& a)
 if (a.pkt->ptrs.tcph )
 {
 print_label(a, "tcp_ack");
- TextLog_Print(json_log, "0x%lX", (u_long)ntohl(a.pkt->ptrs.tcph->th_ack));
+ TextLog_Print(json_log, "%u", ntohl(a.pkt->ptrs.tcph->th_ack));
 return true;
 }
 return false;
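Review bot: The new TextLog_Print line formats the `uint32_t` returned by `ntohl()` with `%u`, which ties the call to `unsigned int` being 32 bits; the same applies to the tcp_seq and tcp_win hunks that follow. `PRIu32` from `<cinttypes>` (and `PRIu16` for the `ntohs()` result in tcp_win, or a cast to `unsigned`) would keep the format string and the argument type in step on every platform. Since these three fields were hex strings before, anything parsing alert_json output sees a format change here, so a line in the logger's documentation noting the switch to base-10 integers would be worth adding.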
@@ -517,7 +517,7 @@ static bool ff_tcp_seq(Args& a)
 if (a.pkt->ptrs.tcph )
 {
 print_label(a, "tcp_seq");
- TextLog_Print(json_log, "0x%lX", (u_long)ntohl(a.pkt->ptrs.tcph->th_seq));
+ TextLog_Print(json_log, "%u", ntohl(a.pkt->ptrs.tcph->th_seq));
 return true;
 }
 return false;
@@ -528,7 +528,7 @@ static bool ff_tcp_win(Args& a)
 if (a.pkt->ptrs.tcph )
 {
 print_label(a, "tcp_win");
- TextLog_Print(json_log, "0x%X", ntohs(a.pkt->ptrs.tcph->th_win));
+ TextLog_Print(json_log, "%u", ntohs(a.pkt->ptrs.tcph->th_win));
 return true;
 }
 return false;
diff --git a/src/managers/ips_manager.cc b/src/managers/ips_manager.cc
index 0bd50e7aa..257cec8f0 100644
--- a/src/managers/ips_manager.cc
+++ b/src/managers/ips_manager.cc
@@ -262,15 +262,22 @@ bool IpsManager::option_end(
 current_module = nullptr;
 current_params = nullptr;
- if ( mod && !mod->end(key, 0, sc) )
+ Option* opt = get_opt(key);
+ assert(opt);
+
+ if ( !mod and opt->api->base.mod_ctor )
 {
- ParseError("can't finalize %s", key);
+ ParseError("unknown option %s", key);
 current_keyword.clear();
 return false;
 }
- Option* opt = get_opt(key);
- assert(opt);
+ if ( mod and !mod->end(key, 0, sc) )
+ {
+ ParseError("can't finalize %s", key);
+ current_keyword.clear();
+ return false;
+ }
 IpsOption* ips = opt->api->ctor(mod, otn);
 type = opt->api->type;
diff --git a/src/network_inspectors/port_scan/port_scan.cc b/src/network_inspectors/port_scan/port_scan.cc
index c301d28f0..18c1ee563 100644
--- a/src/network_inspectors/port_scan/port_scan.cc
+++ b/src/network_inspectors/port_scan/port_scan.cc
@@ -450,10 +450,7 @@ void PortScan::eval(Packet* p)
 return;
 ++spstats.total_packets;
-
- PS_PKT ps_pkt;
- memset(&ps_pkt, 0x00, sizeof(PS_PKT));
- ps_pkt.pkt = p;
+ PS_PKT ps_pkt(p);
 ps_detect(&ps_pkt);
diff --git a/src/network_inspectors/port_scan/ps_detect.cc b/src/network_inspectors/port_scan/ps_detect.cc
index 9e162a781..aae1d9333 100644
--- a/src/network_inspectors/port_scan/ps_detect.cc
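Review bot: In the IpsManager::option_end hunk, `assert(opt)` is now the only guard before `opt->api->base.mod_ctor` is read, and under NDEBUG the assert compiles away, so a key for which get_opt() returns nullptr dereferences null before the new "unknown option" ParseError can run. Whether get_opt() can return null for a keyword that reaches option_end is not visible here; if it can, an explicit check ahead of the mod_ctor test, `if ( !opt ) { ParseError("unknown option %s", key); current_keyword.clear(); return false; }`, keeps the error path reachable in release builds. The two new early-return blocks repeat the same clear-and-return sequence, which a small private helper could share. option_end starts and ends outside the hunk.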
+++ b/src/network_inspectors/port_scan/ps_detect.cc
@@ -41,6 +41,7 @@
 #include "stream/stream.h"
 #include "time/packet_time.h"
 #include "utils/cpp_macros.h"
+#include "utils/stats.h"
 #include "ps_inspect.h"
@@ -55,6 +56,13 @@ PADDING_GUARD_END
 static THREAD_LOCAL XHash* portscan_hash = nullptr;
+PS_PKT::PS_PKT(Packet* p)
+{
+ pkt = p;
+ scanner = scanned = nullptr;
+ proto = reverse_pkt = 0;
+}
+
 PortscanConfig::PortscanConfig()
 {
 memset(this, 0, sizeof(*this));
@@ -226,7 +234,7 @@ bool PortScan::ps_filter_ignore(PS_PKT* ps_pkt)
 {
 reverse_pkt = 1;
 }
- else if (p->ptrs.udph && p->flow)
+ else if (p->ptrs.udph and p->flow )
 {
 if (Stream::get_packet_direction(p) & PKT_FROM_SERVER)
 reverse_pkt = 1;
@@ -575,11 +583,12 @@ void PortScan::ps_tracker_update_tcp(PS_PKT* ps_pkt, PS_TRACKER* scanner,
 ** picked up midstream, then we don't care about the MIDSTREAM flag.
 ** Otherwise, only consider streams not picked up midstream.
 */
- if ( p->flow )
+ // FIXIT-H using SSNFLAG_COUNTED_INITIALIZE is a hack to get parity with 2.X
+ // this should be completely redone and port_scan should require stream_tcp
+ if ( p->flow and (p->flow->ssn_state.session_flags & SSNFLAG_COUNTED_INITIALIZE) )
+ {
 session_flags = p->flow->get_session_flags();
- if ( session_flags & (SSNFLAG_SEEN_CLIENT|SSNFLAG_SEEN_SERVER) )
- {
 if ((session_flags & SSNFLAG_SEEN_CLIENT) && !(session_flags & SSNFLAG_SEEN_SERVER) && (config->include_midstream || !(session_flags & SSNFLAG_MIDSTREAM)))
@@ -745,8 +754,8 @@ void PortScan::ps_tracker_update_ip(PS_PKT* ps_pkt, PS_TRACKER* scanner,
 }
 }
-void PortScan::ps_tracker_update_udp(PS_PKT* ps_pkt, PS_TRACKER* scanner,
- PS_TRACKER* scanned)
+void PortScan::ps_tracker_update_udp(
+ PS_PKT* ps_pkt, PS_TRACKER* scanner, PS_TRACKER* scanned)
 {
 Packet* p = (Packet*)ps_pkt->pkt;
 unsigned win = config->udp_window;
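Review bot: The new PS_PKT constructor replaces the caller-side memset() that PortScan::eval used to zero the whole struct (see the port_scan.cc hunk), but it assigns only pkt, scanner, scanned, proto and reverse_pkt; if PS_PKT has any member beyond the ones visible in the ps_detect.h hunk, that member now starts indeterminate. In-class default member initializers in ps_detect.h (for example `PS_TRACKER* scanner = nullptr;` and `int proto = 0;`) would make the zeroing hold no matter which constructor is used. A comment above the definition, `// replaces the caller-side memset(); every PS_PKT member must be initialized here`, would record why the list has to stay complete.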
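Review bot: The new condition in ps_tracker_update_tcp reads `p->flow->ssn_state.session_flags` directly while the next line fetches the same state through `p->flow->get_session_flags()`, giving two views of one field. Assuming the accessor returns that field, reading it once, `session_flags = p->flow ? p->flow->get_session_flags() : 0;` followed by `if ( p->flow and (session_flags & SSNFLAG_COUNTED_INITIALIZE) )`, keeps the test and the later SEEN_CLIENT/SEEN_SERVER checks on a single value. The removal of the `SSNFLAG_SEEN_CLIENT|SSNFLAG_SEEN_SERVER` pre-check means the midstream logic now runs for every counted flow; that is presumably the intended parity with 2.X, but the FIXIT-H comment would be a good place to say so. ps_tracker_update_tcp starts and ends outside the hunk.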
@@ -1120,13 +1129,15 @@ bool PortScan::ps_tracker_alert(
 if ( scanner )
 {
- scanner->proto.alerts = 0;
+ if ( config->alert_all )
+ scanner->proto.alerts = 0;
 scanner_proto = &scanner->proto;
 }
 if ( scanned )
 {
- scanned->proto.alerts = 0;
+ if ( config->alert_all )
+ scanned->proto.alerts = 0;
 scanned_proto = &scanned->proto;
 }
@@ -1179,15 +1190,13 @@ int PortScan::ps_detect(PS_PKT* ps_pkt)
 PS_TRACKER* scanner = nullptr;
 PS_TRACKER* scanned = nullptr;
 int check_tcp_rst_other_dir = 1;
- Packet* p;
- if (!ps_pkt || !ps_pkt->pkt)
- return -1;
+ assert(ps_pkt and ps_pkt->pkt);
 if (ps_filter_ignore(ps_pkt))
 return 0;
- p = (Packet*)ps_pkt->pkt;
+ Packet* p = (Packet*)ps_pkt->pkt;
 do
 {
@@ -1202,7 +1211,7 @@ int PortScan::ps_detect(PS_PKT* ps_pkt)
 /* This is added to address the case of no
 * session and a RST packet going back from the Server.
 */
- if ( p->ptrs.tcph && (p->ptrs.tcph->th_flags & TH_RST) && !p->flow )
+ if ( p->ptrs.tcph and (p->ptrs.tcph->th_flags & TH_RST) and !p->flow )
 {
 if (ps_pkt->reverse_pkt == 1)
 check_tcp_rst_other_dir = 0;
diff --git a/src/network_inspectors/port_scan/ps_detect.h b/src/network_inspectors/port_scan/ps_detect.h
index 4f13069c0..4356634cc 100644
--- a/src/network_inspectors/port_scan/ps_detect.h
+++ b/src/network_inspectors/port_scan/ps_detect.h
@@ -80,6 +80,7 @@ struct PortscanConfig
 int include_midstream;
 int print_tracker;
+ bool alert_all;
 bool logfile;
 unsigned tcp_window;
@@ -151,6 +152,8 @@ struct PS_PKT
 int proto;
 int reverse_pkt;
+
+ PS_PKT(Packet*);
 };
 void ps_cleanup();
diff --git a/src/network_inspectors/port_scan/ps_module.cc b/src/network_inspectors/port_scan/ps_module.cc
index cafca8348..2090ac913 100644
--- a/src/network_inspectors/port_scan/ps_module.cc
+++ b/src/network_inspectors/port_scan/ps_module.cc
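Review bot: In the ps_detect hunk, turning the `if (!ps_pkt || !ps_pkt->pkt) return -1;` guard into `assert(ps_pkt and ps_pkt->pkt)` removes the check entirely under NDEBUG, so a release build would hand a null packet to ps_filter_ignore on the next line. The only caller visible here, PortScan::eval, now constructs PS_PKT from its own `p`, so this is safe only if every caller guarantees a non-null packet; the -1 return also disappears from the contract, and any caller still testing for it is now dead code. A comment on the assert, `// precondition: callers build PS_PKT via PS_PKT(Packet*) with a valid packet`, would make the new requirement explicit. ps_detect continues outside the hunk.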
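Review bot: `PS_PKT(Packet*);` in the ps_detect.h hunk is a single-argument constructor without `explicit`, so any `Packet*` converts implicitly to a PS_PKT wherever one is expected by value or const reference; `explicit PS_PKT(Packet*);` closes that off. Declaring it also suppresses the implicit default constructor, so a `PS_PKT ps_pkt;` left anywhere other than the port_scan.cc hunk shown here will no longer compile, which is worth a quick grep before merging.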
@@ -74,6 +74,9 @@ static const Parameter ps_params[] =
 { "ignore_scanned", Parameter::PT_STRING, nullptr, nullptr,
 "list of CIDRs with optional ports to ignore if the destination of scan alerts" },
+ { "alert_all", Parameter::PT_BOOL, nullptr, "false",
+ "alert on all events over threshold within window if true; else alert on first only" },
+
 { "include_midstream", Parameter::PT_BOOL, nullptr, "false",
 "list of CIDRs with optional ports" },
@@ -246,6 +249,9 @@ bool PortScanModule::set(const char* fqn, Value& v, SnortConfig*)
 u = PS_TYPE_ALL;
 config->detect_scan_type = u;
 }
+ else if ( v.is("alert_all") )
+ config->alert_all = v.get_bool();
+
 else if ( v.is("include_midstream") )
 config->include_midstream = v.get_bool();
diff --git a/src/stream/base/stream_module.cc b/src/stream/base/stream_module.cc
index dcd526b0a..4d046ff8f 100644
--- a/src/stream/base/stream_module.cc
+++ b/src/stream/base/stream_module.cc
@@ -45,12 +45,12 @@ static const Parameter name[] = \
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } \
 }
-CACHE_PARAMS(ip_params, "16384", "30", "180", "5");
-CACHE_PARAMS(icmp_params, "65536", "30", "180", "5");
-CACHE_PARAMS(tcp_params, "262144", "30", "180", "5");
-CACHE_PARAMS(udp_params, "131072", "30", "180", "5");
-CACHE_PARAMS(user_params, "1024", "30", "180", "5");
-CACHE_PARAMS(file_params, "128", "30", "180", "5");
+CACHE_PARAMS(ip_params, "16384", "30", "180", "5");
+CACHE_PARAMS(icmp_params, "65536", "30", "180", "5");
+CACHE_PARAMS(tcp_params, "262144", "30", "3600", "5");
+CACHE_PARAMS(udp_params, "131072", "30", "180", "5");
+CACHE_PARAMS(user_params, "1024", "30", "180", "5");
+CACHE_PARAMS(file_params, "128", "30", "180", "5");
 #define CACHE_TABLE(cache, proto, params) \
 { cache, Parameter::PT_TABLE, params, nullptr, \
diff --git a/src/stream/ip/ip_session.cc b/src/stream/ip/ip_session.cc
index a31c81d7d..e68a7f590 100644
--- a/src/stream/ip/ip_session.cc
+++ b/src/stream/ip/ip_session.cc
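Review bot: The stream_module.cc hunk moves the tcp idle timeout from 180 to 3600 with nothing in the file saying why, while the other five CACHE_PARAMS lines are rewritten only to realign spacing, which buries the one real change. A comment on the tcp line, `// 3600s matches the 2.X nominal tcp idle timeout`, keeps the rationale next to the value instead of only in the commit message. An idle or half-open flow now holds its slot in the 262144-entry tcp cache twenty times longer, so the cache-full pruning behaviour (not visible here) becomes the effective bound on memory under many idle connections; that trade-off deserves a line in the stream documentation or changelog.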
@@ -139,16 +139,18 @@ void IpSession::clear()
 IpHAManager::process_deletion(flow);
 }
-bool IpSession::setup(Packet*)
+bool IpSession::setup(Packet* p)
 {
- DebugMessage(DEBUG_STREAM,
- "Stream IP session created!\n");
+ DebugMessage(DEBUG_STREAM, "Stream IP session created!\n");
- memset(&tracker, 0, sizeof(tracker));
 SESSION_STATS_ADD(ip_stats);
- ip_stats.trackers_created++;
- ip_stats.current_frags++;
+ memset(&tracker, 0, sizeof(tracker));
+ if ( p->ptrs.decode_flags & DECODE_FRAG )
+ {
+ ip_stats.trackers_created++;
+ ip_stats.current_frags++;
+ }
 #ifdef ENABLE_EXPECTED_IP
 if ( Stream::expected_flow(flow, p) )
 {
diff --git a/src/stream/tcp/tcp_tracker.cc b/src/stream/tcp/tcp_tracker.cc
index e8559ad8e..b43932bf7 100644
--- a/src/stream/tcp/tcp_tracker.cc
+++ b/src/stream/tcp/tcp_tracker.cc
@@ -426,9 +426,6 @@ bool TcpTracker::update_on_3whs_ack(TcpSegmentDescriptor& tsd)
 update_tracker_ack_recv(tsd);
 flow->set_session_flags(SSNFLAG_ESTABLISHED);
 flow->session_state |= ( STREAM_STATE_ACK | STREAM_STATE_ESTABLISHED );
-
- /* Indicate this packet completes 3-way handshake */
- tsd.get_pkt()->packet_flags |= PKT_STREAM_TWH;
 tcp_state = TcpStreamTracker::TCP_ESTABLISHED;
 }
 else
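Review bot: `ip_stats.current_frags++` in IpSession::setup is now conditional on `DECODE_FRAG`, but the matching decrement is not in this hunk (only the tail of IpSession::clear is visible), so if that decrement stays unconditional the counter goes negative or wraps for every non-fragment IP flow. Recording the decision on the session, for example `bool is_frag = false;` as a member set here with `is_frag = true;` inside the new block, lets the decrement be guarded by the same condition. A comment on the new `if`, `// only fragmented flows are counted as trackers; keep the decrement in sync`, would tie the two sites together. setup continues past the end of the hunk.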