aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '95ed975cca'
${ noResults }
suricata/src/packet.c

190 lines
5.2 KiB
C
Raw Normal View History Unescape Escape

src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
/* Copyright (C) 2007-2022 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "packet.h"
#include "pkt-var.h"
#include "flow.h"
#include "host.h"
#include "util-profiling.h"
packet: move action functions to packet files
3 years ago
#include "util-validate.h"
src: fix remaining cppclean warnings
3 years ago
#include "action-globals.h"
misc: Remove duplicate function declarations Ticket: #7297
10 months ago
#include "app-layer-events.h"
packet: move action functions to packet files
3 years ago
/** \brief issue drop action
*
* Set drop (+reject) flags in both current and root packet.
*
detect: set ACTION_ALERT for rules that should alert Replaces default "alert" logic and removed SIG_FLAG_NOALERT. Instead, "noalert" unsets ACTION_ALERT. Same for flowbits:noalert and friends. In signature ordering rules w/o action are sorted as if they have 'alert', which is the same behavior as before, but now implemented explicitly. Ticket: #5466.
2 years ago
* \param action action bit flags. Must be limited to ACTION_DROP_REJECT|ACTION_ALERT
packet: move action functions to packet files
3 years ago
*/
void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
{
detect: set ACTION_ALERT for rules that should alert Replaces default "alert" logic and removed SIG_FLAG_NOALERT. Instead, "noalert" unsets ACTION_ALERT. Same for flowbits:noalert and friends. In signature ordering rules w/o action are sorted as if they have 'alert', which is the same behavior as before, but now implemented explicitly. Ticket: #5466.
2 years ago
DEBUG_VALIDATE_BUG_ON((action & ~(ACTION_DROP_REJECT | ACTION_ALERT)) != 0);
packet: move action functions to packet files
3 years ago
if (p->drop_reason == PKT_DROP_REASON_NOT_SET)
p->drop_reason = (uint8_t)r;
if (p->root) {
p->root->action |= action;
if (p->root->drop_reason == PKT_DROP_REASON_NOT_SET) {
p->root->drop_reason = PKT_DROP_REASON_INNER_PACKET;
}
}
p->action |= action;
}
bool PacketCheckAction(const Packet *p, const uint8_t a)
{
if (likely(p->root == NULL)) {
return (p->action & a) != 0;
} else {
/* check against both */
const uint8_t actions = p->action | p->root->action;
return (actions & a) != 0;
}
}
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
/**
* \brief Initialize a packet structure for use.
*/
void PacketInit(Packet *p)
{
packet: turn tunnel lock into spinlock Lock is only held to update/check ints, so spin lock will be more efficient. Place the member of Packet in a new "persistent" area to make it clear this is not touched by the PacketReinit logic. Ticket: #5592.
3 years ago
SCSpinInit(&p->persistent.tunnel_lock, 0);
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
p->alerts.alerts = PacketAlertCreate();
p->livedev = NULL;
}
void PacketReleaseRefs(Packet *p)
{
FlowDeReference(&p->flow);
HostDeReference(&p->host_src);
HostDeReference(&p->host_dst);
}
/**
* \brief Recycle a packet structure for reuse.
*/
void PacketReinit(Packet *p)
{
detect: issue drop to root packet in all cases Update DROP action handling in tunnel packets. DROP/REJECT action is set to outer (root) and inner packet. Check action flags both against outer (root) and inner packet. Remove PACKET_SET_ACTION macro. Replace with RESET for the one reset usecase. The reason to remove is to make the logic easier to understand. Reduce scope of RESET macros. Rename PacketTestAction to PacketCheckAction except in unittests. Keep PacketTestAction as a wrapper around PacketCheckAction. This makes it easier to trace the action handling in the real code. Fix rate_filter setting actions directly. General code cleanups. Bug: #5571.
3 years ago
/* clear the address structure by setting all fields to 0 */
#define CLEAR_ADDR(a) \
do { \
(a)->family = 0; \
(a)->addr_data32[0] = 0; \
(a)->addr_data32[1] = 0; \
(a)->addr_data32[2] = 0; \
(a)->addr_data32[3] = 0; \
} while (0)
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
CLEAR_ADDR(&p->src);
CLEAR_ADDR(&p->dst);
p->sp = 0;
p->dp = 0;
p->proto = 0;
p->recursion_level = 0;
PACKET_FREE_EXTDATA(p);
app-layer: improve/fix updates logic In 23323a961fac ("app-layer: reduce app cleanup and output-tx calls"), flag was set per packet updating the app-layer state. However this was missing a common pattern: in IDS mode most updates are done in the opposite direction of the traffic due to updates getting triggered by ACK's. This meant that file store processing might not happen for a long time, or at all. Also, app layer cleanup might not be called, which includes file pruning. This patch sets per flow set of flags to indicate app layer is (potentially) updated. It sets this per direction, based on how the parsers were invoked. If an ACK triggers an app update, the flow is tagged for the opposite direction and the next packet in that direction triggers output and cleanup. Fixes: 23323a961fac ("app-layer: reduce app cleanup and output-tx calls") Bug: #6120.
2 years ago
p->app_update_direction = 0;
detect: move non-pf rules into special prefilter engines Instead of having a per detection engine list of rule that couldn't be prefiltered, put those into special "prefilter" engines. For packet and frame rules this doesn't change much, it just removes some hard coded logic from the detect engine. For the packet non-prefilter rules in the "non-prefilter" special prefilter engine, add additional filtering for the packet variant. It can prefilter on alproto, dsize and dest port. The frame non-prefilter rules are added to a single engine, that per rule checks the alproto and the type. For app-layer, there is an engine per progress value, per app-layer protocol and per direction. This hooks app-layer non-prefilter rules into the app inspect logic at the correct "progress" hook. e.g. a rule like dns.query; bsize:1; Negated MPM rules will also fall into this category: dns.query; content:!"abc"; Are part of a special "generic list" app engine for dns, at the same progress hook as `dns.query`. This all results in a lot fewer checks: previous: -------------------------------------------------------------------------- Date: 1/29/2025 -- 10:22:25. Sorted by: number of checks. -------------------------------------------------------------------------- Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 1 20 1 0 181919672 11.85 588808 221 60454 308.96 2691.46 308.07 2 50 1 0 223455914 14.56 453104 418 61634 493.17 3902.59 490.02 3 60 1 0 185990683 12.12 453104 418 60950 410.48 1795.40 409.20 4 51 1 0 192436011 12.54 427028 6084 61223 450.64 2749.12 417.42 5 61 1 0 180401533 11.75 427028 6084 61093 422.46 2177.04 397.10 6 70 1 0 153899099 10.03 369836 0 61282 416.13 0.00 416.13 7 71 1 0 123389405 8.04 369836 12833 44921 333.63 2430.23 258.27 8 41 1 0 63889876 4.16 155824 12568 39138 410.01 1981.97 272.10 9 40 1 0 64149724 4.18 155818 210 39792 411.70 4349.57 406.38 10 10 1 0 70848850 4.62 65558 0 39544 1080.70 0.00 1080.70 11 11 1 0 94743878 6.17 65558 32214 60547 1445.19 2616.14 313.92 this commit: -------------------------------------------------------------------------- Date: 1/29/2025 -- 10:15:46. Sorted by: number of checks. -------------------------------------------------------------------------- Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 1 50 1 0 138776766 19.23 95920 418 167584 1446.80 3953.11 1435.83 2 60 1 0 97988084 13.58 95920 418 182817 1021.56 1953.63 1017.48 3 51 1 0 105318318 14.60 69838 6084 65649 1508.04 2873.38 1377.74 4 61 1 0 89571260 12.41 69838 6084 164632 1282.56 2208.41 1194.20 5 11 1 0 91132809 12.63 32779 32214 373569 2780.22 2785.58 2474.45 6 10 1 0 66095303 9.16 32779 0 56704 2016.39 0.00 2016.39 7 70 1 0 48107573 6.67 12928 0 42832 3721.19 0.00 3721.19 8 71 1 0 32308792 4.48 12928 12833 39565 2499.13 2510.05 1025.09 9 41 1 0 25546837 3.54 12886 12470 41479 1982.53 1980.84 2033.05 10 40 1 0 26069992 3.61 12886 210 38495 2023.13 4330.05 1984.91 11 20 1 0 639025 0.09 221 221 14750 2891.52 2891.52 0.00
2 years ago
p->sig_mask = 0;
packetpool: remove PKT_ALLOC flag Use Packet::pool instead. If Packet::pool is non-NULL the packet is owned by a pool. Otherwise it is allocated and should be freed after use.
3 years ago
p->flags = 0;
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
p->flowflags = 0;
p->pkt_src = 0;
p->vlan_id[0] = 0;
p->vlan_id[1] = 0;
p->vlan_idx = 0;
decode/tunnel: improve tunnel handling Give each packet explicit tunnel type `ttype`: none, root, child. Assigning happens when a (tunnel) packet is set up and is thread safe.
2 years ago
p->ttype = PacketTunnelNone;
time: Rework SCTime_t into a struct Issue: 5718 This commit changes SCTime_t to a struct with members setup as bitfields.
3 years ago
SCTIME_INIT(p->ts);
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
p->datalink = 0;
p->drop_reason = 0;
detect: issue drop to root packet in all cases Update DROP action handling in tunnel packets. DROP/REJECT action is set to outer (root) and inner packet. Check action flags both against outer (root) and inner packet. Remove PACKET_SET_ACTION macro. Replace with RESET for the one reset usecase. The reason to remove is to make the logic easier to understand. Reduce scope of RESET macros. Rename PacketTestAction to PacketCheckAction except in unittests. Keep PacketTestAction as a wrapper around PacketCheckAction. This makes it easier to trace the action handling in the real code. Fix rate_filter setting actions directly. General code cleanups. Bug: #5571.
3 years ago
#define PACKET_RESET_ACTION(p) (p)->action = 0
PACKET_RESET_ACTION(p);
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
if (p->pktvar != NULL) {
PktVarFree(p->pktvar);
p->pktvar = NULL;
}
decode/ethernet: move ethh into L2 section L2 section similar to L3 and L4 sections. Ticket: #6938.
1 year ago
PacketClearL2(p);
decode/ipv4: prep for turning ip4h/ip6h into union Store IPv4 decoder vars in a new Packet::l3 section in the packet. Use inline functions instead of the often multi-layer macro's for various IPv4 header getters. Ticket: #6938.
1 year ago
PacketClearL3(p);
decode: start l4 packet area; convert csum handling
1 year ago
PacketClearL4(p);
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
p->payload = NULL;
p->payload_len = 0;
p->BypassPacketsFlow = NULL;
detect: issue drop to root packet in all cases Update DROP action handling in tunnel packets. DROP/REJECT action is set to outer (root) and inner packet. Check action flags both against outer (root) and inner packet. Remove PACKET_SET_ACTION macro. Replace with RESET for the one reset usecase. The reason to remove is to make the logic easier to understand. Reduce scope of RESET macros. Rename PacketTestAction to PacketCheckAction except in unittests. Keep PacketTestAction as a wrapper around PacketCheckAction. This makes it easier to trace the action handling in the real code. Fix rate_filter setting actions directly. General code cleanups. Bug: #5571.
3 years ago
#define RESET_PKT_LEN(p) ((p)->pktlen = 0)
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
RESET_PKT_LEN(p);
p->alerts.cnt = 0;
p->alerts.discarded = 0;
p->alerts.suppressed = 0;
p->alerts.drop.action = 0;
p->pcap_cnt = 0;
p->tunnel_rtv_cnt = 0;
p->tunnel_tpr_cnt = 0;
p->events.cnt = 0;
AppLayerDecoderEventsResetEvents(p->app_layer_events);
p->next = NULL;
p->prev = NULL;
decode/tunnel: move tunnel verdicted logic In preparation of cleaning up thread safety, move "verdicted" logic out of Packet::flags. Unsafe writes to "flags" can potentially have side effects.
2 years ago
p->tunnel_verdicted = false;
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
p->root = NULL;
p->livedev = NULL;
PACKET_PROFILING_RESET(p);
p->tenant_id = 0;
p->nb_decoded_layers = 0;
}
void PacketRecycle(Packet *p)
{
PacketReleaseRefs(p);
PacketReinit(p);
}
/**
* \brief Cleanup a packet so that we can free it. No memset needed..
*/
void PacketDestructor(Packet *p)
{
PacketReleaseRefs(p);
if (p->pktvar != NULL) {
PktVarFree(p->pktvar);
}
PacketAlertFree(p->alerts.alerts);
PACKET_FREE_EXTDATA(p);
packet: turn tunnel lock into spinlock Lock is only held to update/check ints, so spin lock will be more efficient. Place the member of Packet in a new "persistent" area to make it clear this is not touched by the PacketReinit logic. Ticket: #5592.
3 years ago
SCSpinDestroy(&p->persistent.tunnel_lock);
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
AppLayerDecoderEventsFreeEvents(&p->app_layer_events);
PACKET_PROFILING_RESET(p);
}
packet: add set functions for some packet fields - SCPacketSetReleasePacket - SCPacketSetLiveDevice - SCPacketSetDatalink - SCPacketSetTime - SCPacketSetSource Prevents direct access by library users and provides more ABI stability. Ticket: #7240
10 months ago
inline void SCPacketSetReleasePacket(Packet *p, void (*ReleasePacket)(Packet *p))
{
p->ReleasePacket = ReleasePacket;
}
inline void SCPacketSetLiveDevice(Packet *p, LiveDevice *device)
{
p->livedev = device;
}
inline void SCPacketSetDatalink(Packet *p, int datalink)
{
p->datalink = datalink;
}
inline void SCPacketSetTime(Packet *p, SCTime_t ts)
{
p->ts = ts;
}
inline void SCPacketSetSource(Packet *p, enum PktSrcEnum source)
{
p->pkt_src = (uint8_t)source;
}