"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/service_inspectors/http_inspect/http_inspect.cc" between
snort3-3.1.36.0.tar.gz and snort3-3.1.38.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

http_inspect.cc  (snort3-3.1.36.0):http_inspect.cc  (snort3-3.1.38.0)
skipping to change at line 32 skipping to change at line 32
#endif #endif
#include "http_inspect.h" #include "http_inspect.h"
#include <cassert> #include <cassert>
#include <iomanip> #include <iomanip>
#include <sstream> #include <sstream>
#include "detection/detection_engine.h" #include "detection/detection_engine.h"
#include "detection/detection_util.h" #include "detection/detection_util.h"
#include "service_inspectors/http2_inspect/http2_dummy_packet.h"
#include "service_inspectors/http2_inspect/http2_flow_data.h" #include "service_inspectors/http2_inspect/http2_flow_data.h"
#include "log/unified2.h" #include "log/unified2.h"
#include "protocols/packet.h" #include "protocols/packet.h"
#include "stream/stream.h" #include "stream/stream.h"
#include "http_common.h" #include "http_common.h"
#include "http_context_data.h" #include "http_context_data.h"
#include "http_enum.h" #include "http_enum.h"
#include "http_js_norm.h" #include "http_js_norm.h"
#include "http_msg_body.h" #include "http_msg_body.h"
skipping to change at line 491 skipping to change at line 490
*buf = const_cast<uint8_t*>(detect_data.start()); *buf = const_cast<uint8_t*>(detect_data.start());
*len = detect_data.length(); *len = detect_data.length();
*type = EVENT_INFO_JSNORM_DATA; *type = EVENT_INFO_JSNORM_DATA;
return 1; return 1;
} }
void HttpInspect::disable_detection(Packet* p) void HttpInspect::disable_detection(Packet* p)
{ {
HttpFlowData* session_data = http_get_flow_data(p->flow); HttpFlowData* session_data = http_get_flow_data(p->flow);
if (session_data->for_http2) if (!session_data->for_http2)
p->disable_inspect = true;
else
{ {
assert(p->context); assert(p->context);
DetectionEngine::disable_all(p); DetectionEngine::disable_all(p);
} }
} }
HttpFlowData* HttpInspect::http_get_flow_data(const Flow* flow) HttpFlowData* HttpInspect::http_get_flow_data(const Flow* flow)
{ {
Http2FlowData* h2i_flow_data = nullptr; Http2FlowData* h2i_flow_data = nullptr;
if (Http2FlowData::inspector_id != 0) if (Http2FlowData::inspector_id != 0)
skipping to change at line 527 skipping to change at line 524
{ {
Http2FlowData* h2i_flow_data = Http2FlowData* h2i_flow_data =
(Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id); (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
assert(h2i_flow_data); assert(h2i_flow_data);
h2i_flow_data->set_hi_flow_data(flow_data); h2i_flow_data->set_hi_flow_data(flow_data);
} }
} }
void HttpInspect::eval(Packet* p) void HttpInspect::eval(Packet* p)
{ {
Profile profile(HttpModule::get_profile_stats());
const SourceId source_id = p->is_from_client() ? SRC_CLIENT : SRC_SERVER; const SourceId source_id = p->is_from_client() ? SRC_CLIENT : SRC_SERVER;
eval(p, source_id, p->data, p->dsize);
return;
}
void HttpInspect::eval(Packet* p, SourceId source_id, const uint8_t* data, uint1
6_t dsize)
{
Profile profile(HttpModule::get_profile_stats());
HttpFlowData* session_data = http_get_flow_data(p->flow); HttpFlowData* session_data = http_get_flow_data(p->flow);
if (session_data == nullptr) if (session_data == nullptr)
{ {
assert(false); assert(false);
return; return;
} }
// FIXIT-M Workaround for unexpected eval() calls. Currently asserting when stream_user is in // FIXIT-M Workaround for unexpected eval() calls. Currently asserting when stream_user is in
// use due to calls to HttpInspect::eval on the raw stream_user packet // use due to calls to HttpInspect::eval on the raw stream_user packet
if ((session_data->section_type[source_id] == SEC__NOT_COMPUTE) || if ((session_data->section_type[source_id] == SEC__NOT_COMPUTE) ||
(session_data->type_expected[source_id] == SEC_ABORT) || (session_data->type_expected[source_id] == SEC_ABORT) ||
(session_data->octets_reassembled[source_id] != p->dsize)) (session_data->octets_reassembled[source_id] != dsize))
{ {
//assert(session_data->type_expected[source_id] != SEC_ABORT); //assert(session_data->type_expected[source_id] != SEC_ABORT);
//assert(session_data->section_type[source_id] != SEC__NOT_COMPUTE); //assert(session_data->section_type[source_id] != SEC__NOT_COMPUTE);
//assert(session_data->octets_reassembled[source_id] == p->dsize); //assert(session_data->octets_reassembled[source_id] == dsize);
session_data->type_expected[source_id] = SEC_ABORT; session_data->type_expected[source_id] = SEC_ABORT;
return; return;
} }
if (!session_data->for_http2) if (!session_data->for_http2)
HttpModule::increment_peg_counts(PEG_TOTAL_BYTES, p->dsize); HttpModule::increment_peg_counts(PEG_TOTAL_BYTES, dsize);
session_data->octets_reassembled[source_id] = STAT_NOT_PRESENT; session_data->octets_reassembled[source_id] = STAT_NOT_PRESENT;
// Don't make pkt_data for headers available to detection // Don't make pkt_data for headers available to detection
if ((session_data->section_type[source_id] == SEC_HEADER) || if ((session_data->section_type[source_id] == SEC_HEADER) ||
(session_data->section_type[source_id] == SEC_TRAILER)) (session_data->section_type[source_id] == SEC_TRAILER))
{ {
p->set_detect_limit(0); p->set_detect_limit(0);
} }
// Limit alt_dsize of message body sections to request/response depth // Limit alt_dsize of message body sections to request/response depth
// p->dsize is not a typo. The actual value on the reassembled packet is wha t matters for this purpose.
if ((session_data->detect_depth_remaining[source_id] > 0) && if ((session_data->detect_depth_remaining[source_id] > 0) &&
(session_data->detect_depth_remaining[source_id] < p->dsize)) (session_data->detect_depth_remaining[source_id] < p->dsize))
{ {
p->set_detect_limit(session_data->detect_depth_remaining[source_id]); p->set_detect_limit(session_data->detect_depth_remaining[source_id]);
} }
if (!process(p->data, p->dsize, p->flow, source_id, true)) process(data, dsize, p->flow, source_id, true, p);
disable_detection(p);
#ifdef REG_TEST // Detection was done in process()
else if (!session_data->for_http2)
{ disable_detection(p);
if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP))
{
fprintf(HttpTestManager::get_output_file(), "Sent to detection %hu o
ctets\n\n",
p->dsize);
fflush(HttpTestManager::get_output_file());
}
}
#endif
// If current transaction is complete then we are done with it. This is stri ctly a memory // If current transaction is complete then we are done with it. This is stri ctly a memory
// optimization not necessary for correct operation. // optimization not necessary for correct operation.
if ((source_id == SRC_SERVER) && (session_data->type_expected[SRC_SERVER] == SEC_STATUS) && if ((source_id == SRC_SERVER) && (session_data->type_expected[SRC_SERVER] == SEC_STATUS) &&
session_data->transaction[SRC_SERVER]->final_response()) session_data->transaction[SRC_SERVER]->final_response())
{ {
HttpTransaction::delete_transaction(session_data->transaction[SRC_SERVER ], session_data); HttpTransaction::delete_transaction(session_data->transaction[SRC_SERVER ], session_data);
session_data->transaction[SRC_SERVER] = nullptr; session_data->transaction[SRC_SERVER] = nullptr;
} }
// Whenever we process a packet we set these flags. If someone asks for an e xtra data // Whenever we process a packet we set these flags. If someone asks for an e xtra data
// buffer the JIT code will figure out if we actually have it. // buffer the JIT code will figure out if we actually have it.
SetExtraData(p, xtra_trueip_id); SetExtraData(p, xtra_trueip_id);
SetExtraData(p, xtra_uri_id); SetExtraData(p, xtra_uri_id);
SetExtraData(p, xtra_host_id); SetExtraData(p, xtra_host_id);
SetExtraData(p, xtra_jsnorm_id); SetExtraData(p, xtra_jsnorm_id);
} }
bool HttpInspect::process(const uint8_t* data, const uint16_t dsize, Flow* const void HttpInspect::process(const uint8_t* data, const uint16_t dsize, Flow* const
flow, flow, SourceId source_id,
SourceId source_id, bool buf_owner) const bool buf_owner, Packet* p) const
{ {
HttpMsgSection* current_section; HttpMsgSection* current_section;
HttpFlowData* session_data = http_get_flow_data(flow); HttpFlowData* session_data = http_get_flow_data(flow);
if (!session_data->partial_flush[source_id]) if (!session_data->partial_flush[source_id])
HttpModule::increment_peg_counts(PEG_INSPECT); HttpModule::increment_peg_counts(PEG_INSPECT);
else else
HttpModule::increment_peg_counts(PEG_PARTIAL_INSPECT); HttpModule::increment_peg_counts(PEG_PARTIAL_INSPECT);
switch (session_data->section_type[source_id]) switch (session_data->section_type[source_id])
skipping to change at line 653 skipping to change at line 647
case SEC_TRAILER: case SEC_TRAILER:
current_section = new HttpMsgTrailer( current_section = new HttpMsgTrailer(
data, dsize, session_data, source_id, buf_owner, flow, params); data, dsize, session_data, source_id, buf_owner, flow, params);
break; break;
default: default:
assert(false); assert(false);
if (buf_owner) if (buf_owner)
{ {
delete[] data; delete[] data;
} }
return false; return;
} }
current_section->analyze(); current_section->analyze();
current_section->gen_events(); current_section->gen_events();
if (!session_data->partial_flush[source_id]) if (!session_data->partial_flush[source_id])
current_section->update_flow(); current_section->update_flow();
session_data->section_type[source_id] = SEC__NOT_COMPUTE; session_data->section_type[source_id] = SEC__NOT_COMPUTE;
#ifdef REG_TEST #ifdef REG_TEST
if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP)) if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP))
skipping to change at line 677 skipping to change at line 671
if (HttpTestManager::use_test_input(HttpTestManager::IN_HTTP)) if (HttpTestManager::use_test_input(HttpTestManager::IN_HTTP))
{ {
printf("Finished processing section from test %" PRIi64 "\n", printf("Finished processing section from test %" PRIi64 "\n",
HttpTestManager::get_test_number()); HttpTestManager::get_test_number());
} }
fflush(stdout); fflush(stdout);
} }
#endif #endif
current_section->publish(); current_section->publish();
return current_section->detection_required(); if (current_section->run_detection(p))
{
#ifdef REG_TEST
if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP))
{
fprintf(HttpTestManager::get_output_file(), "Sent to detection %hu o
ctets\n\n",
dsize);
fflush(HttpTestManager::get_output_file());
}
#endif
}
} }
void HttpInspect::clear(Packet* p) void HttpInspect::clear(Packet* p)
{ {
Profile profile(HttpModule::get_profile_stats()); Profile profile(HttpModule::get_profile_stats());
HttpFlowData* const session_data = http_get_flow_data(p->flow); HttpFlowData* const session_data = http_get_flow_data(p->flow);
if (session_data == nullptr) if (session_data == nullptr)
{ {
 End of changes. 13 change blocks. 
28 lines changed or deleted 33 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)