From: Russ Combs (rucombs) Date: Thu, 9 Nov 2017 15:14:03 +0000 (-0500) Subject: Merge pull request #1064 in SNORT/snort3 from data_bus to master X-Git-Tag: 3.0.0-241~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ee8035d598bc620f35272ff06f52dbba596bc2f2;p=thirdparty%2Fsnort3.git Merge pull request #1064 in SNORT/snort3 from data_bus to master Squashed commit of the following: commit efce000170d14faf340d37e27259766696c6eb43 Author: Russ Combs (rucombs) Date: Wed Nov 8 18:00:57 2017 -0500 data_bus: also publish to default policy commit 17c3950345166a04012760293ffc601d2feab35c Author: Russ Combs (rucombs) Date: Wed Nov 8 17:10:58 2017 -0500 data_bus: refactor basic access for pub / sub --- diff --git a/extra/src/inspectors/data_log/data_log.cc b/extra/src/inspectors/data_log/data_log.cc index bda1c504b..34daced2b 100644 --- a/extra/src/inspectors/data_log/data_log.cc +++ b/extra/src/inspectors/data_log/data_log.cc @@ -116,7 +116,7 @@ public: bool configure(SnortConfig*) override { - get_data_bus().subscribe(key.c_str(), new LogHandler(key)); + DataBus::subscribe(key.c_str(), new LogHandler(key)); return true; } diff --git a/src/file_api/file_lib.cc b/src/file_api/file_lib.cc index 5116c8244..146e33f67 100644 --- a/src/file_api/file_lib.cc +++ b/src/file_api/file_lib.cc @@ -310,16 +310,16 @@ void FileContext::log_file_event(Flow* flow) { case FILE_VERDICT_LOG: // Log file event through data bus - get_data_bus().publish("file_event", (const uint8_t*)"LOG", 3, flow); + DataBus::publish("file_event", (const uint8_t*)"LOG", 3, flow); break; case FILE_VERDICT_BLOCK: // can't block session inside a session - get_data_bus().publish("file_event", (const uint8_t*)"BLOCK", 5, flow); + DataBus::publish("file_event", (const uint8_t*)"BLOCK", 5, flow); break; case FILE_VERDICT_REJECT: - get_data_bus().publish("file_event", (const uint8_t*)"RESET", 5, flow); + DataBus::publish("file_event", (const uint8_t*)"RESET", 5, flow); break; default: break; 
diff --git a/src/file_api/file_log.cc b/src/file_api/file_log.cc index 9629680c8..291bf32f7 100644 --- a/src/file_api/file_log.cc +++ b/src/file_api/file_log.cc @@ -205,7 +205,7 @@ public: bool configure(SnortConfig*) override { - get_data_bus().subscribe("file_event", new LogHandler(config)); + DataBus::subscribe("file_event", new LogHandler(config)); return true; } diff --git a/src/framework/data_bus.cc b/src/framework/data_bus.cc index 1ea52b783..171de1181 100644 --- a/src/framework/data_bus.cc +++ b/src/framework/data_bus.cc @@ -24,9 +24,10 @@ #include "data_bus.h" #include "main/policy.h" +#include "main/snort_config.h" #include "protocols/packet.h" -DataBus& get_data_bus() +static DataBus& get_data_bus() { return get_inspection_policy()->dbus; } class BufferEvent : public DataEvent @@ -56,6 +57,10 @@ private: const Packet* packet; }; +//-------------------------------------------------------------------------- +// public methods +//-------------------------------------------------------------------------- + DataBus::DataBus() = default; DataBus::~DataBus() @@ -69,17 +74,21 @@ DataBus::~DataBus() // publication of given event void DataBus::subscribe(const char* key, DataHandler* h) { - DataList& v = map[key]; - v.push_back(h); + get_data_bus()._subscribe(key, h); } // notify subscribers of event void DataBus::publish(const char* key, DataEvent& e, Flow* f) { - DataList& v = map[key]; + InspectionPolicy* pi = get_inspection_policy(); + pi->dbus._publish(key, e, f); - for ( auto* h : v ) - h->handle(e, f); + // also publish to default policy to notify control subscribers such as appid + InspectionPolicy* di = get_default_inspection_policy(SnortConfig::get_conf()); + + // of course, only when current is not default + if ( di != pi ) + di->dbus._publish(key, e, f); } void DataBus::publish(const char* key, const uint8_t* buf, unsigned len, Flow* f) 
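Review bot: `DataBus::publish` dereferences both `pi` and `di` without checking either, so a publish issued while no inspection policy is current, or before `SnortConfig::get_conf()` returns a populated config, would fault. The same unchecked chain appears in the new file-local `get_data_bus()` at the top of this file and in `get_default_inspection_policy()` in src/main/policy.cc, which indexes `sc->policy_map->inspection_policy[0]` directly. If those states are unreachable by design, an `assert(pi);` would record the invariant; otherwise guard the fan-out with `if ( di && di != pi ) di->dbus._publish(key, e, f);`. Handlers on the default bus also run while the current policy is still `pi`, which is worth a comment for handler authors who call `get_inspection_policy()` themselves.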
@@ -96,3 +105,22 @@ void DataBus::publish(const char* key, Packet* p, Flow* f) publish(key, e, f); } +//-------------------------------------------------------------------------- +// private methods +//-------------------------------------------------------------------------- + +void DataBus::_subscribe(const char* key, DataHandler* h) +{ + DataList& v = map[key]; + v.push_back(h); +} + +// notify subscribers of event +void DataBus::_publish(const char* key, DataEvent& e, Flow* f) +{ + DataList& v = map[key]; + + for ( auto* h : v ) + h->handle(e, f); +} + diff --git a/src/framework/data_bus.h b/src/framework/data_bus.h index 2d75b90ad..77c7ec429 100644 --- a/src/framework/data_bus.h +++ b/src/framework/data_bus.h @@ -75,21 +75,21 @@ public: DataBus(); ~DataBus(); - void subscribe(const char* key, DataHandler*); - void publish(const char* key, DataEvent&, Flow* = nullptr); + static void subscribe(const char* key, DataHandler*); + static void publish(const char* key, DataEvent&, Flow* = nullptr); // convenience methods - void publish(const char* key, const uint8_t*, unsigned, Flow* = nullptr); - void publish(const char* key, Packet*, Flow* = nullptr); + static void publish(const char* key, const uint8_t*, unsigned, Flow* = nullptr); + static void publish(const char* key, Packet*, Flow* = nullptr); + +private: + void _subscribe(const char* key, DataHandler*); + void _publish(const char* key, DataEvent&, Flow*); private: DataMap map; }; -// FIXIT-L this should be in snort_confg.h or similar but that -// requires refactoring to work as installed header -SO_PUBLIC DataBus& get_data_bus(); - // common data events #define PACKET_EVENT "detection.packet" diff --git a/src/main/policy.cc b/src/main/policy.cc index 3fa271bf8..cd239e17c 100644 --- a/src/main/policy.cc +++ b/src/main/policy.cc 
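Review bot: `_publish` looks the key up with `map[key]`, which inserts an empty `DataList` whenever nobody has subscribed to that key, so a notification that should only read ends up mutating the bus. With the fan-out added in `DataBus::publish`, every key published under any policy is now also inserted into the default policy's map; if that policy object is shared between packet threads (not visible in this diff), that is an unsynchronized write. Assuming `DataMap` is a standard associative container, a plain lookup avoids it: `auto it = map.find(key); if ( it == map.end() ) return;` and then iterate `it->second`. `_subscribe` should keep `map[key]`, since creating the entry is its purpose.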
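Review bot: The now-static `subscribe` and `publish` in data_bus.h give no hint that they act on whichever inspection policy is current at the time of the call, which is what a plugin author needs to know once `get_data_bus()` is no longer exported. Going by the data_bus.cc changes, a handler registered while a non-default policy is current only sees events published under that policy, whereas one registered under the default policy sees events from all of them. I would add a comment above the declarations, for example `// subscribe registers on the current inspection policy's bus; publish notifies the current policy's subscribers and then the default policy's`. The new `private:` label could also be merged with the existing one directly below it.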
@@ -248,6 +248,9 @@ InspectionPolicy* get_inspection_policy() IpsPolicy* get_ips_policy() { return s_detection_policy; } +InspectionPolicy* get_default_inspection_policy(SnortConfig* sc) +{ return sc->policy_map->inspection_policy[0]; } + void set_network_policy(NetworkPolicy* p) { s_traffic_policy = p; } diff --git a/src/main/policy.h b/src/main/policy.h index c0f8f6b3a..dca145cbe 100644 --- a/src/main/policy.h +++ b/src/main/policy.h @@ -211,25 +211,29 @@ private: // navigator stuff //------------------------------------------------------------------------- +struct SnortConfig; + // FIXIT-L may be inlined at some point; on lockdown for now // FIXIT-L SO_PUBLIC required because SnortConfig::inline_mode(), etc. uses the function SO_PUBLIC NetworkPolicy* get_network_policy(); SO_PUBLIC InspectionPolicy* get_inspection_policy(); SO_PUBLIC IpsPolicy* get_ips_policy(); +SO_PUBLIC InspectionPolicy* get_default_inspection_policy(SnortConfig*); + void set_network_policy(NetworkPolicy*); -void set_network_policy(struct SnortConfig*, unsigned = 0); +void set_network_policy(SnortConfig*, unsigned = 0); void set_inspection_policy(InspectionPolicy*); -void set_inspection_policy(struct SnortConfig*, unsigned = 0); +void set_inspection_policy(SnortConfig*, unsigned = 0); void set_ips_policy(IpsPolicy*); SO_PUBLIC void set_user_ips_policy(unsigned policy_id); -void set_ips_policy(struct SnortConfig*, unsigned = 0); +void set_ips_policy(SnortConfig*, unsigned = 0); -void set_policies(struct SnortConfig*, Shell*); +void set_policies(SnortConfig*, Shell*); void set_default_policy(); -void set_default_policy(struct SnortConfig*); +void set_default_policy(SnortConfig*); bool only_inspection_policy(); bool only_ips_policy(); diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index 67b8e2e6c..9abf4a0b3 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc 
@@ -99,9 +99,10 @@ bool AppIdInspector::configure(SnortConfig*) active_config = new AppIdConfig( ( AppIdModuleConfig* )config); - get_data_bus().subscribe(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler( + DataBus::subscribe(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler( HttpEventHandler::REQUEST_EVENT)); - get_data_bus().subscribe(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler( + + DataBus::subscribe(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler( HttpEventHandler::RESPONSE_EVENT)); my_seh = SipEventHandler::create(); diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.h b/src/network_inspectors/appid/detector_plugins/detector_sip.h index 022fcc0a2..a338eea2d 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.h +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.h @@ -89,10 +89,9 @@ public: void set_client(SipUdpClientDetector* cd) { SipEventHandler::client = cd; } void set_service(SipServiceDetector* sd) { SipEventHandler::service = sd; } + void subscribe() - { - get_data_bus().subscribe(SIP_EVENT_TYPE_SIP_DIALOG_KEY, this); - } + { DataBus::subscribe(SIP_EVENT_TYPE_SIP_DIALOG_KEY, this); } void handle(DataEvent&, Flow*) override; diff --git a/src/service_inspectors/ftp_telnet/ft_main.cc b/src/service_inspectors/ftp_telnet/ft_main.cc index 52ccff4d3..9dd21b16d 100644 --- a/src/service_inspectors/ftp_telnet/ft_main.cc +++ b/src/service_inspectors/ftp_telnet/ft_main.cc @@ -183,7 +183,7 @@ int FTPCheckConfigs(SnortConfig* sc, void* pData) void do_detection(Packet* p) { - get_data_bus().publish(PACKET_EVENT, p); + DataBus::publish(PACKET_EVENT, p); DetectionEngine::disable_all(p); } diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc index 31f01620f..885954625 100644 --- a/src/service_inspectors/http_inspect/http_msg_header.cc +++ b/src/service_inspectors/http_inspect/http_msg_header.cc 
@@ -45,14 +45,11 @@ HttpMsgHeader::HttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size, void HttpMsgHeader::publish() { HttpEvent http_event(this); - if(source_id == SRC_CLIENT) - { - get_data_bus().publish(HTTP_REQUEST_HEADER_EVENT_KEY, http_event, flow); - } - else - { - get_data_bus().publish(HTTP_RESPONSE_HEADER_EVENT_KEY, http_event, flow); - } + + const char* key = (source_id == SRC_CLIENT) ? + HTTP_REQUEST_HEADER_EVENT_KEY : HTTP_RESPONSE_HEADER_EVENT_KEY; + + DataBus::publish(key, http_event, flow); } const Field& HttpMsgHeader::get_true_ip() diff --git a/src/service_inspectors/rpc_decode/rpc_decode.cc b/src/service_inspectors/rpc_decode/rpc_decode.cc index a689abdf2..360cf021e 100644 --- a/src/service_inspectors/rpc_decode/rpc_decode.cc +++ b/src/service_inspectors/rpc_decode/rpc_decode.cc @@ -274,7 +274,7 @@ static RpcStatus RpcStatefulInspection(RpcDecodeConfig* rconfig, if (RpcPrepRaw(data, rsdata->frag_len, p) != RPC_STATUS__SUCCESS) return RPC_STATUS__ERROR; - get_data_bus().publish(PACKET_EVENT, p); + DataBus::publish(PACKET_EVENT, p); } if ( (dsize > 0) ) @@ -359,7 +359,7 @@ static RpcStatus RpcStatefulInspection(RpcDecodeConfig* rconfig, if ( (dsize > 0) ) RpcPreprocEvent(rconfig, rsdata, RPC_MULTIPLE_RECORD); - get_data_bus().publish(PACKET_EVENT, p); + DataBus::publish(PACKET_EVENT, p); RpcBufClean(&rsdata->frag); } diff --git a/src/service_inspectors/sip/sip_dialog.cc b/src/service_inspectors/sip/sip_dialog.cc index 816a48d78..c673e2faa 100644 --- a/src/service_inspectors/sip/sip_dialog.cc +++ b/src/service_inspectors/sip/sip_dialog.cc 
@@ -651,10 +651,11 @@ static int SIP_deleteDialog(SIP_DialogData* currDialog, SIP_DialogList* dList) return true; } -static void sip_publish_data_bus(const Packet* p, const SIPMsg* sip_msg, const SIP_DialogData* dialog) +static void sip_publish_data_bus( + const Packet* p, const SIPMsg* sip_msg, const SIP_DialogData* dialog) { SipEvent event(p, sip_msg, dialog); - get_data_bus().publish(SIP_EVENT_TYPE_SIP_DIALOG_KEY, event, p->flow); + DataBus::publish(SIP_EVENT_TYPE_SIP_DIALOG_KEY, event, p->flow); } /********************************************************************