aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'dd2b8bb298'
${ noResults }
suricata/src/stream-tcp-private.h

255 lines
10 KiB
C
Raw Normal View History Unescape Escape

Import of GPLv2 Header 050410
15 years ago
/* Copyright (C) 2007-2010 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*/
Pool update. Stream reassembly start.
16 years ago
#ifndef __STREAM_TCP_PRIVATE_H__
#define __STREAM_TCP_PRIVATE_H__
async stream handling support
16 years ago
#include "decode.h"
Stream: use per thread ssn pool Use per thread pools to store and retrieve SSN's from. Uses PoolThread API. Remove max-sessions setting. Pools are set to unlimited, but TCP memcap limits the amount of sessions. The prealloc_session settings now applies to each thread, so lowered the default from 32k to 2k.
12 years ago
#include "util-pool.h"
#include "util-pool-thread.h"
tcp: streaming implementation Make stream engine use the streaming buffer API for it's data storage. This means that the data is stored in a single reassembled sliding buffer. The subleties of the reassembly, e.g. overlap handling, are taken care of at segment insertion. The TcpSegments now have a StreamingBufferSegment that contains an offset and a length. Using this the segment data can be retrieved per segment. Redo segment insertion. The insertion code is moved to it's own file and is simplified a lot. A major difference with the previous implementation is that the segment list now contains overlapping segments if the traffic is that way. Previously there could be more and smaller segments in the memory list than what was seen on the wire. Due to the matching of in memory segments and on the wire segments, the overlap with different data detection (potential mots attacks) is much more accurate. Raw and App reassembly progress is no longer tracked per segment using flags, but there is now a progress tracker in the TcpStream for each. When pruning we make sure we don't slide beyond in-use segments. When both app-layer and raw inspection are beyond the start of the segment list, the segments might not be freed even though the data in the streaming buffer is already gone. This is caused by the 'in-use' status that the segments can implicitly have. This patch accounts for that when calculating the 'left_edge' of the streaming window. Raw reassembly still sets up 'StreamMsg' objects for content inspection. They are set up based on either the full StreamingBuffer, or based on the StreamingBufferBlocks if there are gaps in the data. Reworked 'stream needs work' logic. When a flow times out the flow engine checks whether a TCP flow still needs work. The StreamNeedsReassembly function is used to test if a stream still has unreassembled segments or uninspected stream chunks. This patch updates the function to consider the app and/or raw progress. It also cleans the function up and adds more meaningful debug messages. Finally it makes it non-inline. Unittests have been overhauled, and partly moved into their own files. Remove lots of dead code.
10 years ago
#include "util-streaming-buffer.h"
Implement SACK in the stream engine.
14 years ago
stream: handle extra different SYN/ACK Until now, when processing the TCP 3 way handshake (3whs), retransmissions of SYN/ACKs are silently accepted, unless they are different somehow. If the SEQ or ACK values are different they are considered wrong and events are set. The stream events rules will match on this. In some cases, this is wrong. If the client missed the SYN/ACK, the server may send a different one with a different SEQ. This commit deals with this. As it is impossible to predict which one the client will accept, each is added to a list. Then on receiving the final ACK from the 3whs, the list is checked and the state is updated according to the queued SYN/ACK.
12 years ago
#define STREAMTCP_QUEUE_FLAG_TS 0x01
#define STREAMTCP_QUEUE_FLAG_WS 0x02
#define STREAMTCP_QUEUE_FLAG_SACK 0x04
/** currently only SYN/ACK */
typedef struct TcpStateQueue_ {
uint8_t flags;
uint8_t wscale;
uint16_t win;
uint32_t seq;
uint32_t ack;
uint32_t ts;
uint32_t pkt_ts;
struct TcpStateQueue_ *next;
} TcpStateQueue;
Implement SACK in the stream engine.
14 years ago
typedef struct StreamTcpSackRecord_ {
uint32_t le; /**< left edge, host order */
uint32_t re; /**< right edge, host order */
struct StreamTcpSackRecord_ *next;
} StreamTcpSackRecord;
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore.
16 years ago
typedef struct TcpSegment_ {
tcp: streaming implementation Make stream engine use the streaming buffer API for it's data storage. This means that the data is stored in a single reassembled sliding buffer. The subleties of the reassembly, e.g. overlap handling, are taken care of at segment insertion. The TcpSegments now have a StreamingBufferSegment that contains an offset and a length. Using this the segment data can be retrieved per segment. Redo segment insertion. The insertion code is moved to it's own file and is simplified a lot. A major difference with the previous implementation is that the segment list now contains overlapping segments if the traffic is that way. Previously there could be more and smaller segments in the memory list than what was seen on the wire. Due to the matching of in memory segments and on the wire segments, the overlap with different data detection (potential mots attacks) is much more accurate. Raw and App reassembly progress is no longer tracked per segment using flags, but there is now a progress tracker in the TcpStream for each. When pruning we make sure we don't slide beyond in-use segments. When both app-layer and raw inspection are beyond the start of the segment list, the segments might not be freed even though the data in the streaming buffer is already gone. This is caused by the 'in-use' status that the segments can implicitly have. This patch accounts for that when calculating the 'left_edge' of the streaming window. Raw reassembly still sets up 'StreamMsg' objects for content inspection. They are set up based on either the full StreamingBuffer, or based on the StreamingBufferBlocks if there are gaps in the data. Reworked 'stream needs work' logic. When a flow times out the flow engine checks whether a TCP flow still needs work. The StreamNeedsReassembly function is used to test if a stream still has unreassembled segments or uninspected stream chunks. This patch updates the function to consider the app and/or raw progress. It also cleans the function up and adds more meaningful debug messages. Finally it makes it non-inline. Unittests have been overhauled, and partly moved into their own files. Remove lots of dead code.
10 years ago
StreamingBufferSegment sbseg;
Improve ACK value validation, timestamp checking code. Overall layout.
15 years ago
uint16_t payload_len; /**< actual size of the payload */
uint16_t pool_size; /**< size of the memory */
Store stream msgs processed by the app layer in the tcp session so they can be inspected by the detection module as well. The detection module returns them to the pool.
15 years ago
uint32_t seq;
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore.
16 years ago
struct TcpSegment_ *next;
struct TcpSegment_ *prev;
ccccinelle: add formatted comment for flag test
12 years ago
/* coccinelle: TcpSegment:flags:SEGMENTTCP_FLAG */
Store stream msgs processed by the app layer in the tcp session so they can be inspected by the detection module as well. The detection module returns them to the pool.
15 years ago
uint8_t flags;
Pool update. Stream reassembly start.
16 years ago
} TcpSegment;
tcp: streaming implementation Make stream engine use the streaming buffer API for it's data storage. This means that the data is stored in a single reassembled sliding buffer. The subleties of the reassembly, e.g. overlap handling, are taken care of at segment insertion. The TcpSegments now have a StreamingBufferSegment that contains an offset and a length. Using this the segment data can be retrieved per segment. Redo segment insertion. The insertion code is moved to it's own file and is simplified a lot. A major difference with the previous implementation is that the segment list now contains overlapping segments if the traffic is that way. Previously there could be more and smaller segments in the memory list than what was seen on the wire. Due to the matching of in memory segments and on the wire segments, the overlap with different data detection (potential mots attacks) is much more accurate. Raw and App reassembly progress is no longer tracked per segment using flags, but there is now a progress tracker in the TcpStream for each. When pruning we make sure we don't slide beyond in-use segments. When both app-layer and raw inspection are beyond the start of the segment list, the segments might not be freed even though the data in the streaming buffer is already gone. This is caused by the 'in-use' status that the segments can implicitly have. This patch accounts for that when calculating the 'left_edge' of the streaming window. Raw reassembly still sets up 'StreamMsg' objects for content inspection. They are set up based on either the full StreamingBuffer, or based on the StreamingBufferBlocks if there are gaps in the data. Reworked 'stream needs work' logic. When a flow times out the flow engine checks whether a TCP flow still needs work. The StreamNeedsReassembly function is used to test if a stream still has unreassembled segments or uninspected stream chunks. This patch updates the function to consider the app and/or raw progress. It also cleans the function up and adds more meaningful debug messages. Finally it makes it non-inline. Unittests have been overhauled, and partly moved into their own files. Remove lots of dead code.
10 years ago
#define TCP_SEG_LEN(seg) (seg)->payload_len
#define TCP_SEG_OFFSET(seg) (seg)->sbseg.stream_offset
#define SEG_SEQ_RIGHT_EDGE(seg) ((seg)->seq + TCP_SEG_LEN((seg)))
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore.
16 years ago
typedef struct TcpStream_ {
stream: track TCP flags per stream direction For netflow logging track TCP flags per stream direction. As the struct had no more space left without expanding it, the flags and wscale fields are now compressed.
11 years ago
uint16_t flags:12; /**< Flag specific to the stream e.g. Timestamp */
ccccinelle: add formatted comment for flag test
12 years ago
/* coccinelle: TcpStream:flags:STREAMTCP_STREAM_FLAG_ */
stream: track TCP flags per stream direction For netflow logging track TCP flags per stream direction. As the struct had no more space left without expanding it, the flags and wscale fields are now compressed.
11 years ago
uint16_t wscale:4; /**< wscale setting in this direction, 4 bits as max val is 15 */
stream reassembly: simplify base_seq tracking for protocol detection. Shrinks TcpStream structure.
14 years ago
uint8_t os_policy; /**< target based OS policy used for reassembly and handling packets*/
stream: track TCP flags per stream direction For netflow logging track TCP flags per stream direction. As the struct had no more space left without expanding it, the flags and wscale fields are now compressed.
11 years ago
uint8_t tcp_flags; /**< TCP flags seen */
stream reassembly: simplify base_seq tracking for protocol detection. Shrinks TcpStream structure.
14 years ago
uint32_t isn; /**< initial sequence number */
uint32_t next_seq; /**< next expected sequence number */
uint32_t last_ack; /**< last ack'd sequence number in this stream */
uint32_t next_win; /**< next max seq within window */
uint32_t window; /**< current window setting, after wscale is applied */
uint32_t last_ts; /**< Time stamp (TSVAL) of the last seen packet for this stream*/
uint32_t last_pkt_ts; /**< Time of last seen packet for this stream (needed for PAWS update)
This will be used to validate the last_ts, when connection has been idle for
longer time.(RFC 1323)*/
/* reassembly */
stream: reduce space used for progress tracking Instead of the explicit base_seq_offset, use a macro instead. The macro points to the stream buffer offset. The two were always in sync.
9 years ago
uint32_t base_seq; /**< seq where we are left with reassebly. Matches STREAM_BASE_OFFSET below. */
stream: make app_progress relative to STREAM_BASE_OFFSET
9 years ago
uint32_t app_progress_rel; /**< app-layer progress relative to STREAM_BASE_OFFSET */
stream: make raw_progress relative to STREAM_BASE_OFFSET
9 years ago
uint32_t raw_progress_rel; /**< raw reassembly progress relative to STREAM_BASE_OFFSET */
stream: make app_progress relative to STREAM_BASE_OFFSET
9 years ago
tcp: streaming implementation Make stream engine use the streaming buffer API for it's data storage. This means that the data is stored in a single reassembled sliding buffer. The subleties of the reassembly, e.g. overlap handling, are taken care of at segment insertion. The TcpSegments now have a StreamingBufferSegment that contains an offset and a length. Using this the segment data can be retrieved per segment. Redo segment insertion. The insertion code is moved to it's own file and is simplified a lot. A major difference with the previous implementation is that the segment list now contains overlapping segments if the traffic is that way. Previously there could be more and smaller segments in the memory list than what was seen on the wire. Due to the matching of in memory segments and on the wire segments, the overlap with different data detection (potential mots attacks) is much more accurate. Raw and App reassembly progress is no longer tracked per segment using flags, but there is now a progress tracker in the TcpStream for each. When pruning we make sure we don't slide beyond in-use segments. When both app-layer and raw inspection are beyond the start of the segment list, the segments might not be freed even though the data in the streaming buffer is already gone. This is caused by the 'in-use' status that the segments can implicitly have. This patch accounts for that when calculating the 'left_edge' of the streaming window. Raw reassembly still sets up 'StreamMsg' objects for content inspection. They are set up based on either the full StreamingBuffer, or based on the StreamingBufferBlocks if there are gaps in the data. Reworked 'stream needs work' logic. When a flow times out the flow engine checks whether a TCP flow still needs work. The StreamNeedsReassembly function is used to test if a stream still has unreassembled segments or uninspected stream chunks. This patch updates the function to consider the app and/or raw progress. It also cleans the function up and adds more meaningful debug messages. Finally it makes it non-inline. Unittests have been overhauled, and partly moved into their own files. Remove lots of dead code.
10 years ago
StreamingBuffer *sb;
Pool update. Stream reassembly start.
16 years ago
stream reassembly: simplify base_seq tracking for protocol detection. Shrinks TcpStream structure.
14 years ago
TcpSegment *seg_list; /**< list of TCP segments that are not yet (fully) used in reassembly */
TcpSegment *seg_list_tail; /**< Last segment in the reassembled stream seg list*/
timestamp support
16 years ago
stream reassembly: simplify base_seq tracking for protocol detection. Shrinks TcpStream structure.
14 years ago
StreamTcpSackRecord *sack_head; /**< head of list of SACK records */
StreamTcpSackRecord *sack_tail; /**< tail of list of SACK records */
Pool update. Stream reassembly start.
16 years ago
} TcpStream;
stream: reduce space used for progress tracking Instead of the explicit base_seq_offset, use a macro instead. The macro points to the stream buffer offset. The two were always in sync.
9 years ago
#define STREAM_BASE_OFFSET(stream) ((stream)->sb ? (stream)->sb->stream_offset : 0)
stream: make app_progress relative to STREAM_BASE_OFFSET
9 years ago
#define STREAM_APP_PROGRESS(stream) (STREAM_BASE_OFFSET((stream)) + (stream)->app_progress_rel)
stream: make raw_progress relative to STREAM_BASE_OFFSET
9 years ago
#define STREAM_RAW_PROGRESS(stream) (STREAM_BASE_OFFSET((stream)) + (stream)->raw_progress_rel)
stream: reduce space used for progress tracking Instead of the explicit base_seq_offset, use a macro instead. The macro points to the stream buffer offset. The two were always in sync.
9 years ago
Pool update. Stream reassembly start.
16 years ago
/* from /usr/include/netinet/tcp.h */
enum
{
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
TCP_NONE,
TCP_LISTEN,
Pool update. Stream reassembly start.
16 years ago
TCP_SYN_SENT,
TCP_SYN_RECV,
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
TCP_ESTABLISHED,
Pool update. Stream reassembly start.
16 years ago
TCP_FIN_WAIT1,
TCP_FIN_WAIT2,
TCP_TIME_WAIT,
TCP_LAST_ACK,
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
TCP_CLOSE_WAIT,
TCP_CLOSING,
TCP_CLOSED,
Pool update. Stream reassembly start.
16 years ago
};
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
/*
* Per SESSION flags
*/
/** Flag for mid stream session */
#define STREAMTCP_FLAG_MIDSTREAM 0x0001
/** Flag for mid stream established session */
#define STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED 0x0002
/** Flag for mid session when syn/ack is received */
#define STREAMTCP_FLAG_MIDSTREAM_SYNACK 0x0004
/** Flag for TCP Timestamp option */
#define STREAMTCP_FLAG_TIMESTAMP 0x0008
/** Server supports wscale (even though it can be 0) */
#define STREAMTCP_FLAG_SERVER_WSCALE 0x0010
stream: add option to disable raw reassembly Raw reassembly is used only by the detection engine. For users only caring about logging it's a significant overhead, both in cpu and memory usage. The option is called 'raw' and lives under the stream.reassembly options. stream: memcap: 32mb checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically reassembly: memcap: 64mb depth: 1mb # reassemble 1mb into a stream toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes #randomize-chunk-range: 10 raw: false # <- new option
12 years ago
/** 'Raw' reassembly is disabled for this ssn. */
#define STREAMTCP_FLAG_DISABLE_RAW 0x0020
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
/** Flag to indicate that the session is handling asynchronous stream.*/
#define STREAMTCP_FLAG_ASYNC 0x0040
/** Flag to indicate we're dealing with 4WHS: SYN, SYN, SYN/ACK, ACK
* (http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie) */
#define STREAMTCP_FLAG_4WHS 0x0080
/** Flag to indicate that this session is possible trying to evade the detection
* (http://www.packetstan.com/2010/06/recently-ive-been-on-campaign-to-make.html) */
Replace ssn appproto_detection_completed flag with individual stream ones.
12 years ago
#define STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT 0x0100
Implement SACK in the stream engine.
14 years ago
/** Flag to indicate the client (SYN pkt) permits SACK */
Replace ssn appproto_detection_completed flag with individual stream ones.
12 years ago
#define STREAMTCP_FLAG_CLIENT_SACKOK 0x0200
Implement SACK in the stream engine.
14 years ago
/** Flag to indicate both sides of the session permit SACK (SYN + SYN/ACK) */
Replace ssn appproto_detection_completed flag with individual stream ones.
12 years ago
#define STREAMTCP_FLAG_SACKOK 0x0400
Trigger raw stream reassembly on receiving a full HTTP request or response.
14 years ago
/** Flag for triggering RAW reassembly before the size limit is reached or
the stream reaches EOF. */
Replace ssn appproto_detection_completed flag with individual stream ones.
12 years ago
#define STREAMTCP_FLAG_TRIGGER_RAW_REASSEMBLY 0x0800
stream: handle case where Suricata sees 3whs-ACK but server doesn't. Bug #523.
13 years ago
/** 3WHS confirmed by server -- if suri sees 3whs ACK but server doesn't (pkt
* is lost on the way to server), SYN/ACK is retransmitted. If server sends
* normal packet we assume 3whs to be completed. Only used for SYN/ACK resend
* event. */
Replace ssn appproto_detection_completed flag with individual stream ones.
12 years ago
#define STREAMTCP_FLAG_3WHS_CONFIRMED 0x1000
stream: improve 'no app layer' handling When the session/flow was flagged as 'no applayer inspect', which could happen as a result various reasons, packets would still be considered by the app layer reassembly. When ACK'd, they would be removed again. Depending also on the raw reassembly. In very long sessions however, this meganism could fail leading to virtually endlessly growing segment lists. This patch makes sure that segments that come in on a 'no app layer' session are tagged properly or even not added at all. Use a new ssn flag instead of flow flag for no app tracking.
10 years ago
/** App Layer tracking/reassembly is disabled */
#define STREAMTCP_FLAG_APP_LAYER_DISABLED 0x2000
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
/*
* Per STREAM flags
*/
/** stream is in a gap state */
stream: flags cleanup Stream flags are 16bit, but notation is still 8bit. Clean this up to avoid confusion.
11 years ago
#define STREAMTCP_STREAM_FLAG_GAP 0x0001
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
/** Flag to avoid stream reassembly/app layer inspection for the stream */
stream: flags cleanup Stream flags are 16bit, but notation is still 8bit. Clean this up to avoid confusion.
11 years ago
#define STREAMTCP_STREAM_FLAG_NOREASSEMBLY 0x0002
stream: detect keep-alive and keep-alive ACK
12 years ago
/** we received a keep alive */
stream: flags cleanup Stream flags are 16bit, but notation is still 8bit. Clean this up to avoid confusion.
11 years ago
#define STREAMTCP_STREAM_FLAG_KEEPALIVE 0x0004
Another iteration of the reassembly depth enforcement, now considering retransmissions.
15 years ago
/** Stream has reached it's reassembly depth, all further packets are ignored */
stream: flags cleanup Stream flags are 16bit, but notation is still 8bit. Clean this up to avoid confusion.
11 years ago
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED 0x0008
stream: remove STREAMTCP_STREAM_FLAG_CLOSE_INITIATED logic
10 years ago
// vacancy
stream: don't use ssn timestamp flag in stream The STREAMTCP_FLAG_TIMESTAMP flag is a ssn flag, however it was used in the stream flag field. As it has the same value as STREAMTCP_STREAM_FLAG_DEPTH_REACHED it's possible that stream reassembly got confused by the timestamp.
12 years ago
/** Stream supports TIMESTAMP -- used to set ssn STREAMTCP_FLAG_TIMESTAMP
* flag. */
stream: flags cleanup Stream flags are 16bit, but notation is still 8bit. Clean this up to avoid confusion.
11 years ago
#define STREAMTCP_STREAM_FLAG_TIMESTAMP 0x0020
stream: zero ts is a per stream flag Ssn flag STREAMTCP_FLAG_ZERO_TIMESTAMP was used in stream only. Due to it's value it did not conflict with a real stream flag. Renamed it to STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP.
12 years ago
/** Flag to indicate the zero value of timestamp */
stream: flags cleanup Stream flags are 16bit, but notation is still 8bit. Clean this up to avoid confusion.
11 years ago
#define STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP 0x0040
Replace ssn appproto_detection_completed flag with individual stream ones.
12 years ago
/** App proto detection completed */
stream: flags cleanup Stream flags are 16bit, but notation is still 8bit. Clean this up to avoid confusion.
11 years ago
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED 0x0080
app layer: set event if proto detect disabled for a stream, but we see data anyway.
12 years ago
/** App proto detection skipped */
stream: flags cleanup Stream flags are 16bit, but notation is still 8bit. Clean this up to avoid confusion.
11 years ago
#define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED 0x0100
stream: implement raw reassembly stop api Implement StreamTcpSetDisableRawReassemblyFlag() which stops raw reassembly for _NEW_ segments in a stream direction. It is used only by TLS/SSL now, to flag the streams as encrypted. Existing segments will still be reassembled and inspected, while new segments won't be. This allows for pattern based inspection of the TLS handshake. Like is the case with completely disabled 'raw' reassembly, the logic is that the segments are flagged as completed for 'raw' right away. So they are not considered in raw reassembly anymore. As no new segments will be considered, the chunk limit check will return true on the next call.
11 years ago
/** Raw reassembly disabled for new segments */
#define STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED 0x0200
stream: track TCP flags per stream direction For netflow logging track TCP flags per stream direction. As the struct had no more space left without expanding it, the flags and wscale fields are now compressed.
11 years ago
// vacancy 2x
/** NOTE: flags field is 12 bits */
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
/*
* Per SEGMENT flags
*/
output-streaming: StreamIterator StreamIterator implementation for iterating over ACKed segments. Flag each segment as logged when the log function has been called for it. Set a 'OPEN' flag for the first segment in both directions. Set a 'CLOSE' flag when the stream ends. If the last segment was already logged, a empty CLOSE call is performed with NULL data.
11 years ago
/** Log API (streaming) has processed this segment */
#define SEGMENTTCP_FLAG_LOGAPI_PROCESSED 0x04
New function for task3
16 years ago
some minor changes
16 years ago
#define PAWS_24DAYS 2073600 /**< 24 days in seconds */
timestamp support
16 years ago
async stream handling support
16 years ago
#define PKT_IS_IN_RIGHT_DIR(ssn, p) ((ssn)->flags & STREAMTCP_FLAG_MIDSTREAM_SYNACK ? \
PKT_IS_TOSERVER(p) ? (p)->flowflags &= ~FLOW_PKT_TOSERVER \
(p)->flowflags |= FLOW_PKT_TOCLIENT : (p)->flowflags &= ~FLOW_PKT_TOCLIENT \
(p)->flowflags |= FLOW_PKT_TOSERVER : 0)
Pool update. Stream reassembly start.
16 years ago
/* Macro's for comparing Sequence numbers
* Page 810 from TCP/IP Illustrated, Volume 2. */
Fix up initialization and hopefully make the SEQ macro's fix up an 64bit issue we're seeing...
16 years ago
#define SEQ_EQ(a,b) ((int32_t)((a) - (b)) == 0)
#define SEQ_LT(a,b) ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a,b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a,b) ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a,b) ((int32_t)((a) - (b)) >= 0)
Pool update. Stream reassembly start.
16 years ago
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
#define STREAMTCP_SET_RA_BASE_SEQ(stream, seq) { \
do { \
tcp: streaming implementation Make stream engine use the streaming buffer API for it's data storage. This means that the data is stored in a single reassembled sliding buffer. The subleties of the reassembly, e.g. overlap handling, are taken care of at segment insertion. The TcpSegments now have a StreamingBufferSegment that contains an offset and a length. Using this the segment data can be retrieved per segment. Redo segment insertion. The insertion code is moved to it's own file and is simplified a lot. A major difference with the previous implementation is that the segment list now contains overlapping segments if the traffic is that way. Previously there could be more and smaller segments in the memory list than what was seen on the wire. Due to the matching of in memory segments and on the wire segments, the overlap with different data detection (potential mots attacks) is much more accurate. Raw and App reassembly progress is no longer tracked per segment using flags, but there is now a progress tracker in the TcpStream for each. When pruning we make sure we don't slide beyond in-use segments. When both app-layer and raw inspection are beyond the start of the segment list, the segments might not be freed even though the data in the streaming buffer is already gone. This is caused by the 'in-use' status that the segments can implicitly have. This patch accounts for that when calculating the 'left_edge' of the streaming window. Raw reassembly still sets up 'StreamMsg' objects for content inspection. They are set up based on either the full StreamingBuffer, or based on the StreamingBufferBlocks if there are gaps in the data. Reworked 'stream needs work' logic. When a flow times out the flow engine checks whether a TCP flow still needs work. The StreamNeedsReassembly function is used to test if a stream still has unreassembled segments or uninspected stream chunks. This patch updates the function to consider the app and/or raw progress. It also cleans the function up and adds more meaningful debug messages. Finally it makes it non-inline. Unittests have been overhauled, and partly moved into their own files. Remove lots of dead code.
10 years ago
(stream)->base_seq = (seq) + 1; \
Split applayer and raw stream reassembly Split stream reassembly in 2 parts: a part that sends ack'd data to the app layer parsers as soon as it's available, and another part that queues up data into larger chunks for raw inspection.
15 years ago
} while(0); \
}
Convert StreamTcpSetEvent function into macro. Eases debug.
14 years ago
#define StreamTcpSetEvent(p, e) { \
SCLogDebug("setting event %"PRIu8" on pkt %p (%"PRIu64")", (e), p, (p)->pcap_cnt); \
ENGINE_SET_EVENT((p), (e)); \
}
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore.
16 years ago
typedef struct TcpSession_ {
Stream: use per thread ssn pool Use per thread pools to store and retrieve SSN's from. Uses PoolThread API. Remove max-sessions setting. Pools are set to unlimited, but TCP memcap limits the amount of sessions. The prealloc_session settings now applies to each thread, so lowered the default from 32k to 2k.
12 years ago
PoolThreadReserved res;
64 bit cleanup part2
16 years ago
uint8_t state;
stream: handle extra different SYN/ACK Until now, when processing the TCP 3 way handshake (3whs), retransmissions of SYN/ACKs are silently accepted, unless they are different somehow. If the SEQ or ACK values are different they are considered wrong and events are set. The stream events rules will match on this. In some cases, this is wrong. If the client missed the SYN/ACK, the server may send a different one with a different SEQ. This commit deals with this. As it is impossible to predict which one the client will accept, each is added to a list. Then on receiving the final ACK from the 3whs, the list is checked and the state is updated according to the queued SYN/ACK.
12 years ago
uint8_t queue_len; /**< length of queue list below */
stream: minor clean up of TcpSession structure
12 years ago
int8_t data_first_seen_dir;
tcp: track TCP packet flags per session For logging out in flow logging.
11 years ago
/** track all the tcp flags we've seen */
uint8_t tcp_packet_flags;
ccccinelle: add formatted comment for flag test
12 years ago
/* coccinelle: TcpSession:flags:STREAMTCP_FLAG */
async stream handling support
16 years ago
uint16_t flags;
stream: per TcpStream reassembly depth
10 years ago
uint32_t reassembly_depth; /**< reassembly depth for the stream */
Pool update. Stream reassembly start.
16 years ago
TcpStream server;
TcpStream client;
App Layer cleanup Removal of per flow 'aldata' array. It contained a ptr for each ALPROTO. Instead now we have 2 ptrs in the flow: alparser and alstate. Various cleanups and dead code removal from the app layer API. Should safe 100+ bytes memory per flow on 64 bit. Updated lots of unittests to reflect these changes.
14 years ago
struct StreamMsg_ *toserver_smsg_head; /**< list of stream msgs (for detection inspection) */
struct StreamMsg_ *toserver_smsg_tail; /**< list of stream msgs (for detection inspection) */
struct StreamMsg_ *toclient_smsg_head; /**< list of stream msgs (for detection inspection) */
struct StreamMsg_ *toclient_smsg_tail; /**< list of stream msgs (for detection inspection) */
stream: handle extra different SYN/ACK Until now, when processing the TCP 3 way handshake (3whs), retransmissions of SYN/ACKs are silently accepted, unless they are different somehow. If the SEQ or ACK values are different they are considered wrong and events are set. The stream events rules will match on this. In some cases, this is wrong. If the client missed the SYN/ACK, the server may send a different one with a different SEQ. This commit deals with this. As it is impossible to predict which one the client will accept, each is added to a list. Then on receiving the final ACK from the 3whs, the list is checked and the state is updated according to the queued SYN/ACK.
12 years ago
TcpStateQueue *queue; /**< list of SYN/ACK candidates */
Pool update. Stream reassembly start.
16 years ago
} TcpSession;
TCP streams: support falling back to 3WHS when we were led to believe we were in 4WHS mode. Add unittests.
16 years ago
Introduce convenience macro to set Stream app proto completion flag.
12 years ago
#define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream) \
((stream)->flags |= STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED)
#define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted(stream) \
((stream)->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED)
Fix for bug #989. In case of recursive call to protocol detection from within protocol detection, and the recursively invoked stream still hasn't been ack'ed yet, protocol detection doesn't take place. In such cases we will end up still calling the app layer with the wrong direction data. Introduce a check to not call app layer with wrong direction data. When sockets are re-used reset all relevant vars correctly. This commit fixes a bug where we were not reseting app proto detection vars. While fixing #989, we discovered some other bugs which have also been fixed, or rather some features which are now updated. One of the feature update being if we recieve wrong direction data first, we don't reset the protocol values for the flow. We let the flow retain the detected values. Unittests have been modified to accomodate the above change.
12 years ago
#define StreamTcpResetStreamFlagAppProtoDetectionCompleted(stream) \
((stream)->flags &= ~STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED);
stream: improve 'no app layer' handling When the session/flow was flagged as 'no applayer inspect', which could happen as a result various reasons, packets would still be considered by the app layer reassembly. When ACK'd, they would be removed again. Depending also on the raw reassembly. In very long sessions however, this meganism could fail leading to virtually endlessly growing segment lists. This patch makes sure that segments that come in on a 'no app layer' session are tagged properly or even not added at all. Use a new ssn flag instead of flow flag for no app tracking.
10 years ago
#define StreamTcpDisableAppLayerReassembly(ssn) do { \
stream: remove FLOW_NO_APPLAYER_INSPECTION use from tests
11 years ago
SCLogDebug("setting STREAMTCP_FLAG_APP_LAYER_DISABLED on ssn %p", ssn); \
stream: improve 'no app layer' handling When the session/flow was flagged as 'no applayer inspect', which could happen as a result various reasons, packets would still be considered by the app layer reassembly. When ACK'd, they would be removed again. Depending also on the raw reassembly. In very long sessions however, this meganism could fail leading to virtually endlessly growing segment lists. This patch makes sure that segments that come in on a 'no app layer' session are tagged properly or even not added at all. Use a new ssn flag instead of flow flag for no app tracking.
10 years ago
((ssn)->flags |= STREAMTCP_FLAG_APP_LAYER_DISABLED); \
} while (0);
TCP streams: support falling back to 3WHS when we were led to believe we were in 4WHS mode. Add unittests.
16 years ago
Introduce convenience macro to set Stream app proto completion flag.
12 years ago
#endif /* __STREAM_TCP_PRIVATE_H__ */