stream: remove FLOW_NO_APPLAYER_INSPECTION flag

Instead, introduce StreamTcpDisableAppLayer to disable app layer
tracking and reassembly. StreamTcpAppLayerIsDisabled can be used
to check it.

Replace all uses of FlowSetSessionNoApplayerInspectionFlag and
the FLOW_NO_APPLAYER_INSPECTION.
pull/1479/head
Victor Julien 11 years ago
parent b6798495c5
commit c1558f5ac4

@ -54,6 +54,8 @@
#include "util-logopenfile.h"
#include "util-time.h"
#include "stream-tcp-reassemble.h"
#define DEFAULT_LOG_FILENAME "alert-debug.log"
#define MODULE_NAME "AlertDebugLog"
@ -213,7 +215,9 @@ static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_da
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");
if (p->flow != NULL) {
int applayer = 0;
FLOWLOCK_RDLOCK(p->flow);
applayer = StreamTcpAppLayerIsDisabled(p->flow);
CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
MemBufferWriteString(aft->buffer, "FLOW Start TS: %s\n", timebuf);
MemBufferWriteString(aft->buffer, "FLOW PKTS TODST: %"PRIu32"\n"
@ -231,7 +235,7 @@ static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_da
p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
p->flow->flags & FLOW_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE",
applayer ? "TRUE" : "FALSE",
(p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
AlertDebugLogFlowVars(aft, p);
AlertDebugLogFlowBits(aft, (Packet *)p); /* < no const */
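Review bot: The local `applayer` stores the result of StreamTcpAppLayerIsDisabled(), so a non-zero value means the app layer is off, and the name reads as the opposite. Renaming it and initialising it at the call, `int applayer_disabled = StreamTcpAppLayerIsDisabled(p->flow);`, would make the later `applayer_disabled ? "TRUE" : "FALSE"` self-explanatory. The helper returns 0 for any flow whose proto is not IPPROTO_TCP, so this debug field will now always print FALSE for non-TCP flows; a short comment saying so would help anyone reading the log during triage. AlertDebugLogger starts and ends outside these hunks.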

@ -904,17 +904,20 @@ int AppLayerParserParse(AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alp
if (pstate->flags & APP_LAYER_PARSER_NO_INSPECTION) {
AppLayerParserSetEOF(pstate);
FlowSetNoPayloadInspectionFlag(f);
FlowSetSessionNoApplayerInspectionFlag(f);
/* Set the no reassembly flag for both the stream in this TcpSession */
if (f->proto == IPPROTO_TCP && pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
/* Used only if it's TCP */
TcpSession *ssn = f->protoctx;
if (ssn != NULL) {
StreamTcpSetSessionNoReassemblyFlag(ssn,
flags & STREAM_TOCLIENT ? 1 : 0);
StreamTcpSetSessionNoReassemblyFlag(ssn,
flags & STREAM_TOSERVER ? 1 : 0);
if (f->proto == IPPROTO_TCP) {
StreamTcpDisableAppLayer(f);
/* Set the no reassembly flag for both the stream in this TcpSession */
if (pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
/* Used only if it's TCP */
TcpSession *ssn = f->protoctx;
if (ssn != NULL) {
StreamTcpSetSessionNoReassemblyFlag(ssn,
flags & STREAM_TOCLIENT ? 1 : 0);
StreamTcpSetSessionNoReassemblyFlag(ssn,
flags & STREAM_TOSERVER ? 1 : 0);
}
}
}
}
@ -945,7 +948,9 @@ int AppLayerParserParse(AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alp
error:
/* Set the no app layer inspection flag for both
* the stream in this Flow */
FlowSetSessionNoApplayerInspectionFlag(f);
if (f->proto == IPPROTO_TCP) {
StreamTcpDisableAppLayer(f);
}
AppLayerParserSetEOF(pstate);
SCReturnInt(-1);
}
@ -1280,7 +1285,7 @@ static int AppLayerParserTest01(void)
}
SCMutexUnlock(&f->m);
if (!(f->flags & FLOW_NO_APPLAYER_INSPECTION)) {
if (!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)) {
printf("flag should have been set, but is not: ");
goto end;
}
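Review bot: On both the APP_LAYER_PARSER_NO_INSPECTION path and the `error:` path, a non-TCP flow no longer receives any "app layer disabled" marker. The removed FlowSetSessionNoApplayerInspectionFlag(f) ran for every protocol, while StreamTcpDisableAppLayer(f) is now guarded by `f->proto == IPPROTO_TCP`. If the old flag was what kept later packets of a failed UDP flow away from the parser (not visible on this page), traffic that triggers a parser error would keep being fed to it. A comment stating that this is intended, or an equivalent marker for non-TCP flows, would settle the question. The comment above the error path still says the flag is set "for both the stream in this Flow", and the inner `/* Used only if it's TCP */` is now redundant inside the TCP branch; AppLayerParserParse begins outside these hunks.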

@ -1622,7 +1622,7 @@ int SMTPParserTest01(void)
}
if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION) ||
!(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) ||
!(((TcpSession *)f.protoctx)->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) ||
!(((TcpSession *)f.protoctx)->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
goto end;
@ -2907,7 +2907,7 @@ int SMTPParserTest05(void)
}
if ((f.flags & FLOW_NOPAYLOAD_INSPECTION) ||
(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) ||
(((TcpSession *)f.protoctx)->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) ||
(((TcpSession *)f.protoctx)->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
goto end;
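Review bot: The new condition reads `ssn.flags` directly, while the two lines after it go through `((TcpSession *)f.protoctx)`. If `f.protoctx` is `&ssn` (set up outside these hunks) they are the same object. Writing `((TcpSession *)f.protoctx)->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED` in both SMTPParserTest01 and SMTPParserTest05 would still be better: the test would then check the session the parser actually saw, and the expression would match its neighbours.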

@ -88,13 +88,10 @@ static void DNSUpdateCounters(ThreadVars *tv, AppLayerThreadCtx *app_tctx)
/***** L7 layer dispatchers *****/
static void DisableAppLayer(Flow *f, TcpSession *ssn)
static void DisableAppLayer(Flow *f)
{
SCLogInfo("disable app layer for flow %p, ssn %p", f, ssn);
FlowSetSessionNoApplayerInspectionFlag(f);
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
StreamTcpDisableAppLayerReassembly(ssn);
SCLogDebug("disable app layer for flow %p", f);
StreamTcpDisableAppLayer(f);
}
int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
@ -116,8 +113,8 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
uint8_t first_data_dir;
SCLogDebug("data_len %u flags %02X", data_len, flags);
if (f->flags & FLOW_NO_APPLAYER_INSPECTION) {
SCLogDebug("FLOW_AL_NO_APPLAYER_INSPECTION is set");
if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
goto end;
}
@ -230,7 +227,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
}
}
if (ret < 0) {
DisableAppLayer(f, ssn);
DisableAppLayer(f);
goto failure;
}
}
@ -257,7 +254,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_WRONG_DIRECTION_FIRST_DATA);
DisableAppLayer(f, ssn);
DisableAppLayer(f);
/* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
goto failure;
@ -306,7 +303,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
SCLogDebug("midstream end pd %p", ssn);
/* midstream and toserver detection failed: give up */
DisableAppLayer(f, ssn);
DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
goto end;
}
@ -333,7 +330,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) &&
(first_data_dir) && !(first_data_dir & flags))
{
DisableAppLayer(f, ssn);
DisableAppLayer(f);
goto failure;
}
@ -375,20 +372,20 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
DisableAppLayer(f, ssn);
DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
} else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
size_ts > 100000 && size_tc == 0)
{
DisableAppLayer(f, ssn);
DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_PROTO_DETECTION_SKIPPED);
} else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
size_tc > 100000 && size_ts == 0)
{
DisableAppLayer(f, ssn);
DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_PROTO_DETECTION_SKIPPED);
@ -399,7 +396,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT))
{
DisableAppLayer(f, ssn);
DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_PROTO_DETECTION_SKIPPED);
@ -410,7 +407,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER))
{
DisableAppLayer(f, ssn);
DisableAppLayer(f);
ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
APPLAYER_PROTO_DETECTION_SKIPPED);
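Review bot: The early-exit check in AppLayerHandleTCPData tests `ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED` directly, although this commit adds StreamTcpAppLayerIsDisabled() for exactly that query. Using `if (StreamTcpAppLayerIsDisabled(f)) {` would keep knowledge of where the flag lives in one place and inherit the helper's NULL guard. The old test read `f->flags` and did not dereference `ssn`; whether `ssn` can be NULL at this point is not visible in the hunk. DisableAppLayer() is now a thin wrapper whose log dropped from SCLogInfo to SCLogDebug, so a one-line comment such as `/* give up on app-layer detection/parsing for this TCP session */` would help readers of the many call sites.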

@ -11583,7 +11583,7 @@ static int SigTestDropFlow03(void)
SCLogDebug("This flow/stream triggered a drop rule");
FlowSetNoPacketInspectionFlag(p2->flow);
DecodeSetNoPacketInspectionFlag(p2);
FlowSetSessionNoApplayerInspectionFlag(p2->flow);
StreamTcpDisableAppLayer(p2->flow);
p2->action |= ACTION_DROP;
/* return the segments to the pool */
StreamTcpSessionPktFree(p2);
@ -11766,7 +11766,7 @@ static int SigTestDropFlow04(void)
if (StreamTcpCheckFlowDrops(p2) == 1) {
FlowSetNoPacketInspectionFlag(p2->flow);
DecodeSetNoPacketInspectionFlag(p2);
FlowSetSessionNoApplayerInspectionFlag(p2->flow);
StreamTcpDisableAppLayer(p2->flow);
p2->action |= ACTION_DROP;
/* return the segments to the pool */
StreamTcpSessionPktFree(p2);

@ -76,7 +76,8 @@ typedef struct AppLayerParserState_ AppLayerParserState;
#define FLOW_TOCLIENT_DROP_LOGGED 0x00004000
/** alproto detect done. Right now we need it only for udp */
#define FLOW_ALPROTO_DETECT_DONE 0x00008000
#define FLOW_NO_APPLAYER_INSPECTION 0x00010000
// vacany 1x
/** Pattern matcher alproto detection done */
#define FLOW_TS_PM_ALPROTO_DETECT_DONE 0x00020000
@ -445,7 +446,6 @@ static inline void FlowLockSetNoPacketInspectionFlag(Flow *);
static inline void FlowSetNoPacketInspectionFlag(Flow *);
static inline void FlowLockSetNoPayloadInspectionFlag(Flow *);
static inline void FlowSetNoPayloadInspectionFlag(Flow *);
static inline void FlowSetSessionNoApplayerInspectionFlag(Flow *);
int FlowGetPacketDirection(const Flow *, const Packet *);
@ -513,15 +513,6 @@ static inline void FlowSetNoPayloadInspectionFlag(Flow *f)
SCReturn;
}
/** \brief set flow flag to disable app layer inspection
*
* \param f *LOCKED* flow
*/
static inline void FlowSetSessionNoApplayerInspectionFlag(Flow *f)
{
f->flags |= FLOW_NO_APPLAYER_INSPECTION;
}
/**
* \brief increase the use count of a flow
*
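Review bot: The placeholder `// vacany 1x` left where FLOW_NO_APPLAYER_INSPECTION was defined is misspelled and does not say which bit is free. Something like `/* 0x00010000 is unused (was FLOW_NO_APPLAYER_INSPECTION) */` would make the free bit easy to find when the next flow flag is added, and would match the `/** ... */` comment style of the neighbouring defines.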

@ -279,6 +279,28 @@ void StreamTcpReturnStreamSegments (TcpStream *stream)
stream->seg_list_tail = NULL;
}
/** \param f locked flow */
void StreamTcpDisableAppLayer(Flow *f)
{
if (f->protoctx == NULL)
return;
TcpSession *ssn = (TcpSession *)f->protoctx;
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
StreamTcpDisableAppLayerReassembly(ssn);
}
/** \param f locked flow */
int StreamTcpAppLayerIsDisabled(Flow *f)
{
if (f->protoctx == NULL || f->proto != IPPROTO_TCP)
return 0;
TcpSession *ssn = (TcpSession *)f->protoctx;
return (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
}
typedef struct SegmentSizes_
{
uint16_t pktsize;
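Review bot: StreamTcpDisableAppLayer() casts `f->protoctx` to `TcpSession *` after checking only for NULL, while StreamTcpAppLayerIsDisabled() right below it also rejects `f->proto != IPPROTO_TCP`. Some callers in this commit add the protocol check themselves and others do not, so the guard belongs in the function: `if (f->protoctx == NULL || f->proto != IPPROTO_TCP) return;`. Both doc comments carry only `\param f locked flow`. A `\brief` on the first should say that it marks proto detection completed on both streams and disables app-layer reassembly for the session, and on the second that it returns non-zero when STREAMTCP_FLAG_APP_LAYER_DISABLED is set. Returning `(ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) ? 1 : 0` would also avoid depending on the flag bit fitting in `int`.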

@ -109,5 +109,9 @@ int StreamTcpReassembleDepthReached(Packet *p);
void StreamTcpReassembleIncrMemuse(uint64_t size);
void StreamTcpReassembleDecrMemuse(uint64_t size);
int StreamTcpReassembleCheckMemcap(uint32_t size);
void StreamTcpDisableAppLayer(Flow *f);
int StreamTcpAppLayerIsDisabled(Flow *f);
#endif /* __STREAM_TCP_REASSEMBLE_H__ */

@ -4481,7 +4481,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
SCLogDebug("This flow/stream triggered a drop rule");
FlowSetNoPacketInspectionFlag(p->flow);
DecodeSetNoPacketInspectionFlag(p);
FlowSetSessionNoApplayerInspectionFlag(p->flow);
StreamTcpDisableAppLayer(p->flow);
PACKET_DROP(p);
/* return the segments to the pool */
StreamTcpSessionPktFree(p);
