From c1558f5ac49a8be0e0946fe09688e7236154cf52 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 28 Jan 2015 13:07:19 +0100
Subject: [PATCH] stream: remove FLOW_NO_APPLAYER_INSPECTION flag
Instead, intruduce StreamTcpDisableAppLayer to disable app layer tracking and reassembly. StreamTcpAppLayerIsDisabled can be used to check it. Replace all uses of FlowSetSessionNoApplayerInspectionFlag and the FLOW_NO_APPLAYER_INSPECTION.
---
 src/alert-debuglog.c | 6 +++++-
 src/app-layer-parser.c | 29 +++++++++++++++++------------
 src/app-layer-smtp.c | 4 ++--
 src/app-layer.c | 31 ++++++++++++++-----------------
 src/detect.c | 4 ++--
 src/flow.h | 13 ++-----------
 src/stream-tcp-reassemble.c | 22 ++++++++++++++++++++++
 src/stream-tcp-reassemble.h | 4 ++++
 src/stream-tcp.c | 2 +-
 9 files changed, 69 insertions(+), 46 deletions(-)
diff --git a/src/alert-debuglog.c b/src/alert-debuglog.c
index 0a74020472..27710a9d59 100644
--- a/src/alert-debuglog.c
+++ b/src/alert-debuglog.c
@@ -54,6 +54,8 @@
 #include "util-logopenfile.h"
 #include "util-time.h"
+#include "stream-tcp-reassemble.h"
+
 #define DEFAULT_LOG_FILENAME "alert-debug.log"
 #define MODULE_NAME "AlertDebugLog"
@@ -213,7 +215,9 @@ static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_da
 p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");
 if (p->flow != NULL) {
+ int applayer = 0;
 FLOWLOCK_RDLOCK(p->flow);
+ applayer = StreamTcpAppLayerIsDisabled(p->flow);
 CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
 MemBufferWriteString(aft->buffer, "FLOW Start TS: %s\n", timebuf);
 MemBufferWriteString(aft->buffer, "FLOW PKTS TODST: %"PRIu32"\n"
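Review bot: In the @@ -213 hunk of AlertDebugLogger the new local `applayer` stores the result of StreamTcpAppLayerIsDisabled(), so a non-zero value means the app layer is off, which is the opposite of what the name suggests; `int applayer_disabled = 0;` (with the matching use in the @@ -231 hunk) would read correctly. The helper added in stream-tcp-reassemble.c returns 0 for every flow that is not TCP, so this log field will now always print FALSE for non-TCP flows, whereas the removed flow flag could be set on any flow. A short comment such as `/* TCP only: always 0 for other protocols */` next to the assignment would keep someone reading alert-debug.log from misinterpreting the value. The function body starts and ends outside this hunk.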
@@ -231,7 +235,7 @@ static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_da
 p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
 p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
 p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
- p->flow->flags & FLOW_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE",
+ applayer ? "TRUE" : "FALSE",
 (p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
 AlertDebugLogFlowVars(aft, p);
 AlertDebugLogFlowBits(aft, (Packet *)p); /* < no const */
diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index 289a59d7cd..655da90213 100644
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -904,17 +904,20 @@ int AppLayerParserParse(AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alp
 if (pstate->flags & APP_LAYER_PARSER_NO_INSPECTION) {
 AppLayerParserSetEOF(pstate);
 FlowSetNoPayloadInspectionFlag(f);
- FlowSetSessionNoApplayerInspectionFlag(f);
- /* Set the no reassembly flag for both the stream in this TcpSession */
- if (f->proto == IPPROTO_TCP && pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
- /* Used only if it's TCP */
- TcpSession *ssn = f->protoctx;
- if (ssn != NULL) {
- StreamTcpSetSessionNoReassemblyFlag(ssn,
- flags & STREAM_TOCLIENT ? 1 : 0);
- StreamTcpSetSessionNoReassemblyFlag(ssn,
- flags & STREAM_TOSERVER ? 1 : 0);
+ if (f->proto == IPPROTO_TCP) {
+ StreamTcpDisableAppLayer(f);
+
+ /* Set the no reassembly flag for both the stream in this TcpSession */
+ if (pstate->flags & APP_LAYER_PARSER_NO_REASSEMBLY) {
+ /* Used only if it's TCP */
+ TcpSession *ssn = f->protoctx;
+ if (ssn != NULL) {
+ StreamTcpSetSessionNoReassemblyFlag(ssn,
+ flags & STREAM_TOCLIENT ? 1 : 0);
+ StreamTcpSetSessionNoReassemblyFlag(ssn,
+ flags & STREAM_TOSERVER ? 1 : 0);
+ }
 }
 }
 }
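Review bot: In the @@ -904 hunk of app-layer-parser.c the new `if (f->proto == IPPROTO_TCP)` guard means a non-TCP flow whose parser sets APP_LAYER_PARSER_NO_INSPECTION no longer records any app-layer-disabled state, whereas the removed FlowSetSessionNoApplayerInspectionFlag(f) marked every flow; the `error:` path in the @@ -945 hunk has the same gap. Whether the non-TCP data path ever consulted the old flag is not visible in this patch, so this may be intentional, but then both places deserve a comment such as `/* non-TCP flows keep no app-layer-disabled state */`. The inner `/* Used only if it's TCP */` is now redundant inside the TCP branch, and the comment above the `error:` handling still describes setting a flag on the Flow. AppLayerParserParse starts and ends outside these hunks.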
@@ -945,7 +948,9 @@ int AppLayerParserParse(AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alp
 error:
 /* Set the no app layer inspection flag for both
 * the stream in this Flow */
- FlowSetSessionNoApplayerInspectionFlag(f);
+ if (f->proto == IPPROTO_TCP) {
+ StreamTcpDisableAppLayer(f);
+ }
 AppLayerParserSetEOF(pstate);
 SCReturnInt(-1);
 }
@@ -1280,7 +1285,7 @@ static int AppLayerParserTest01(void)
 }
 SCMutexUnlock(&f->m);
- if (!(f->flags & FLOW_NO_APPLAYER_INSPECTION)) {
+ if (!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)) {
 printf("flag should have been set, but is not: ");
 goto end;
 }
diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c
index c0772ec75a..bbfa7ae932 100644
--- a/src/app-layer-smtp.c
+++ b/src/app-layer-smtp.c
@@ -1622,7 +1622,7 @@ int SMTPParserTest01(void)
 }
 if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION) ||
- !(f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
+ !(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) ||
 !(((TcpSession *)f.protoctx)->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) ||
 !(((TcpSession *)f.protoctx)->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
 goto end;
@@ -2907,7 +2907,7 @@ int SMTPParserTest05(void)
 }
 if ((f.flags & FLOW_NOPAYLOAD_INSPECTION) ||
- (f.flags & FLOW_NO_APPLAYER_INSPECTION) ||
+ (ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) ||
 (((TcpSession *)f.protoctx)->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) ||
 (((TcpSession *)f.protoctx)->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
 goto end;
diff --git a/src/app-layer.c b/src/app-layer.c
index b1ccc3d082..f8bdf77385 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -88,13 +88,10 @@ static void DNSUpdateCounters(ThreadVars *tv, AppLayerThreadCtx *app_tctx)
 /***** L7 layer dispatchers *****/
-static void DisableAppLayer(Flow *f, TcpSession *ssn)
+static void DisableAppLayer(Flow *f)
 {
- SCLogInfo("disable app layer for flow %p, ssn %p", f, ssn);
- FlowSetSessionNoApplayerInspectionFlag(f);
- StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
- StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
- StreamTcpDisableAppLayerReassembly(ssn);
+ SCLogDebug("disable app layer for flow %p", f);
+ StreamTcpDisableAppLayer(f);
 }
 int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
@@ -116,8 +113,8 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 uint8_t first_data_dir;
 SCLogDebug("data_len %u flags %02X", data_len, flags);
- if (f->flags & FLOW_NO_APPLAYER_INSPECTION) {
- SCLogDebug("FLOW_AL_NO_APPLAYER_INSPECTION is set");
+ if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
+ SCLogDebug("STREAMTCP_FLAG_APP_LAYER_DISABLED is set");
 goto end;
 }
@@ -230,7 +227,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 }
 }
 if (ret < 0) {
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
 goto failure;
 }
 }
@@ -257,7 +254,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if (first_data_dir && !(first_data_dir & ssn->data_first_seen_dir)) {
 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_WRONG_DIRECTION_FIRST_DATA);
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
 /* Set a value that is neither STREAM_TOSERVER, nor STREAM_TOCLIENT */
 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
 goto failure;
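Review bot: DisableAppLayer() in the @@ -88 hunk has no comment stating its contract now that it takes only the flow; something like `/** \brief disable app layer tracking and reassembly \param f *LOCKED* TCP flow with a session attached */` would record it. StreamTcpDisableAppLayer() returns without doing anything when `f->protoctx` is NULL, while the callers in AppLayerHandleTCPData continue to `goto failure` or `goto end` as if the session had been marked, so the assumption that a session is always present at these call sites is worth writing down.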
@@ -306,7 +303,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
 SCLogDebug("midstream end pd %p", ssn); /* midstream and toserver detection failed: give up */
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
 goto end;
 }
@@ -333,7 +330,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if ((ssn->data_first_seen_dir != APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER) && (first_data_dir) && !(first_data_dir & flags)) {
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
 goto failure;
 }
@@ -375,20 +372,20 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
 } else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && size_ts > 100000 && size_tc == 0) {
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
 } else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && size_tc > 100000 && size_ts == 0) {
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
@@ -399,7 +396,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) && FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
@@ -410,7 +407,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) && FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
- DisableAppLayer(f, ssn);
+ DisableAppLayer(f);
 ssn->data_first_seen_dir = APP_LAYER_DATA_ALREADY_SENT_TO_APP_LAYER;
 AppLayerDecoderEventsSetEventRaw(&p->app_layer_events, APPLAYER_PROTO_DETECTION_SKIPPED);
diff --git a/src/detect.c b/src/detect.c
index 8ff4066805..2a2b2828d7 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -11583,7 +11583,7 @@ static int SigTestDropFlow03(void)
 SCLogDebug("This flow/stream triggered a drop rule");
 FlowSetNoPacketInspectionFlag(p2->flow);
 DecodeSetNoPacketInspectionFlag(p2);
- FlowSetSessionNoApplayerInspectionFlag(p2->flow);
+ StreamTcpDisableAppLayer(p2->flow);
 p2->action |= ACTION_DROP; /* return the segments to the pool */
 StreamTcpSessionPktFree(p2);
@@ -11766,7 +11766,7 @@ static int SigTestDropFlow04(void)
 if (StreamTcpCheckFlowDrops(p2) == 1) {
 FlowSetNoPacketInspectionFlag(p2->flow);
 DecodeSetNoPacketInspectionFlag(p2);
- FlowSetSessionNoApplayerInspectionFlag(p2->flow);
+ StreamTcpDisableAppLayer(p2->flow);
 p2->action |= ACTION_DROP; /* return the segments to the pool */
 StreamTcpSessionPktFree(p2);
diff --git a/src/flow.h b/src/flow.h
index 79147112b0..bc1f65ac88 100644
--- a/src/flow.h
+++ b/src/flow.h
@@ -76,7 +76,8 @@ typedef struct AppLayerParserState_ AppLayerParserState;
 #define FLOW_TOCLIENT_DROP_LOGGED 0x00004000
 /** alproto detect done. Right now we need it only for udp */
 #define FLOW_ALPROTO_DETECT_DONE 0x00008000
-#define FLOW_NO_APPLAYER_INSPECTION 0x00010000
+
+// vacany 1x
 /** Pattern matcher alproto detection done */
 #define FLOW_TS_PM_ALPROTO_DETECT_DONE 0x00020000
@@ -445,7 +446,6 @@ static inline void FlowLockSetNoPacketInspectionFlag(Flow *);
 static inline void FlowSetNoPacketInspectionFlag(Flow *);
 static inline void FlowLockSetNoPayloadInspectionFlag(Flow *);
 static inline void FlowSetNoPayloadInspectionFlag(Flow *);
-static inline void FlowSetSessionNoApplayerInspectionFlag(Flow *);
 int FlowGetPacketDirection(const Flow *, const Packet *);
@@ -513,15 +513,6 @@ static inline void FlowSetNoPayloadInspectionFlag(Flow *f)
 SCReturn;
 }
-/** \brief set flow flag to disable app layer inspection
- *
- * \param f *LOCKED* flow
- */
-static inline void FlowSetSessionNoApplayerInspectionFlag(Flow *f)
-{
- f->flags |= FLOW_NO_APPLAYER_INSPECTION;
-}
-
 /**
 * \brief increase the use count of a flow
 *
diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index 8d9bd133d5..b53be3a4f5 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
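Review bot: The placeholder `// vacany 1x` added in the @@ -76 hunk of flow.h is misspelled and does not say which bit is free; `/* 0x00010000 is unused (was FLOW_NO_APPLAYER_INSPECTION) */` states it exactly and matches the block-comment style of the neighbouring defines. Naming the freed value makes it harder for a later flag to be added with a colliding or accidentally skipped bit.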
@@ -279,6 +279,28 @@ void StreamTcpReturnStreamSegments (TcpStream *stream)
 stream->seg_list_tail = NULL;
 }
+/** \param f locked flow */
+void StreamTcpDisableAppLayer(Flow *f)
+{
+ if (f->protoctx == NULL)
+ return;
+
+ TcpSession *ssn = (TcpSession *)f->protoctx;
+ StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->client);
+ StreamTcpSetStreamFlagAppProtoDetectionCompleted(&ssn->server);
+ StreamTcpDisableAppLayerReassembly(ssn);
+}
+
+/** \param f locked flow */
+int StreamTcpAppLayerIsDisabled(Flow *f)
+{
+ if (f->protoctx == NULL || f->proto != IPPROTO_TCP)
+ return 0;
+
+ TcpSession *ssn = (TcpSession *)f->protoctx;
+ return (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED);
+}
+
 typedef struct SegmentSizes_ {
 uint16_t pktsize;
diff --git a/src/stream-tcp-reassemble.h b/src/stream-tcp-reassemble.h
index 686c2e47d9..c934f4fabd 100644
--- a/src/stream-tcp-reassemble.h
+++ b/src/stream-tcp-reassemble.h
@@ -109,5 +109,9 @@ int StreamTcpReassembleDepthReached(Packet *p);
 void StreamTcpReassembleIncrMemuse(uint64_t size);
 void StreamTcpReassembleDecrMemuse(uint64_t size);
 int StreamTcpReassembleCheckMemcap(uint32_t size);
+
+void StreamTcpDisableAppLayer(Flow *f);
+int StreamTcpAppLayerIsDisabled(Flow *f);
+
 #endif /* __STREAM_TCP_REASSEMBLE_H__ */
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 9c51f33512..ec427bd5e3 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -4481,7 +4481,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
 SCLogDebug("This flow/stream triggered a drop rule");
 FlowSetNoPacketInspectionFlag(p->flow);
 DecodeSetNoPacketInspectionFlag(p);
- FlowSetSessionNoApplayerInspectionFlag(p->flow);
+ StreamTcpDisableAppLayer(p->flow);
 PACKET_DROP(p); /* return the segments to the pool */
 StreamTcpSessionPktFree(p);
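Review bot: In the @@ -279 hunk StreamTcpDisableAppLayer() casts `f->protoctx` to `TcpSession *` after checking only for NULL, while StreamTcpAppLayerIsDisabled() right below it also checks `f->proto != IPPROTO_TCP`; if a non-TCP flow ever carries a protoctx, the first function would write stream flags into an object of another type. Using the same guard, `if (f->protoctx == NULL || f->proto != IPPROTO_TCP)` followed by `return;`, makes the function safe regardless of the caller, since the call sites in stream-tcp.c and detect.c show no protocol check of their own in the visible lines. Both doc comments carry only `\param`; a `\brief` on each and a `\retval` on the query would help, and the place where STREAMTCP_FLAG_APP_LAYER_DISABLED actually gets set (not in this patch, presumably StreamTcpDisableAppLayerReassembly) should be named there. The query returns the raw masked bits as `int`; `? 1 : 0` would make the boolean intent explicit.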