aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect/frames: inspect frames only in correct direction

Browse Source 
Inspect frames in the correct direction after they have been created.
pull/11236/head
Victor Julien 1 year ago committed by Victor Julien
parent 866c128c43
commit a9dd1572d4
2 changed files with 26 additions and 5 deletions
Show Stats Download Patch File Download Diff File

21
src/flow-worker.c
Unescape Escape View File

@ -524,19 +524,23 @@ static void PacketAppUpdate2FlowFlags(Packet *p)
case UPDATE_DIR_BOTH:
if (PKT_IS_TOSERVER(p)) {
p->flow->flags |= FLOW_TS_APP_UPDATED | FLOW_TC_APP_UPDATE_NEXT;
SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TS_APP_UPDATED set", p->pcap_cnt);
SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TS_APP_UPDATED|FLOW_TC_APP_UPDATE_NEXT set",
p->pcap_cnt);
} else {
p->flow->flags |= FLOW_TC_APP_UPDATED | FLOW_TS_APP_UPDATE_NEXT;
SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TC_APP_UPDATED set", p->pcap_cnt);
SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TC_APP_UPDATED|FLOW_TS_APP_UPDATE_NEXT set",
p->pcap_cnt);
}
/* fall through */
case UPDATE_DIR_OPPOSING:
if (PKT_IS_TOSERVER(p)) {
p->flow->flags |= FLOW_TC_APP_UPDATED | FLOW_TS_APP_UPDATE_NEXT;
SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TC_APP_UPDATED set", p->pcap_cnt);
SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TC_APP_UPDATED|FLOW_TS_APP_UPDATE_NEXT set",
p->pcap_cnt);
} else {
p->flow->flags |= FLOW_TS_APP_UPDATED | FLOW_TC_APP_UPDATE_NEXT;
SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TS_APP_UPDATED set", p->pcap_cnt);
SCLogDebug("pcap_cnt %" PRIu64 ", FLOW_TS_APP_UPDATED|FLOW_TC_APP_UPDATE_NEXT set",
p->pcap_cnt);
}
break;
}
@ -583,12 +587,15 @@ static TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data)
/* handle TCP and app layer */
if (p->flow) {
/* see if need to consider flags set by prev packets */
if (PKT_IS_TOSERVER(p) && (p->flow->flags & FLOW_TS_APP_UPDATE_NEXT)) {
p->flow->flags |= FLOW_TS_APP_UPDATED;
p->flow->flags &= ~FLOW_TS_APP_UPDATE_NEXT;
SCLogDebug("FLOW_TS_APP_UPDATED");
} else if (PKT_IS_TOCLIENT(p) && (p->flow->flags & FLOW_TC_APP_UPDATE_NEXT)) {
p->flow->flags |= FLOW_TC_APP_UPDATED;
p->flow->flags &= ~FLOW_TC_APP_UPDATE_NEXT;
SCLogDebug("FLOW_TC_APP_UPDATED");
}
if (PacketIsTCP(p)) {
@ -640,7 +647,11 @@ static TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data)
StreamTcpSessionCleanup(p->flow->protoctx);
}
} else if (p->proto == IPPROTO_TCP && p->flow->protoctx && p->flags & PKT_STREAM_EST) {
FramesPrune(p->flow, p);
if ((p->flow->flags & FLOW_TS_APP_UPDATED) && PKT_IS_TOSERVER(p)) {
FramesPrune(p->flow, p);
} else if ((p->flow->flags & FLOW_TC_APP_UPDATED) && PKT_IS_TOCLIENT(p)) {
FramesPrune(p->flow, p);
}
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_TCPPRUNE);
StreamTcpPruneSession(p->flow, p->flowflags & FLOW_PKT_TOSERVER ?
STREAM_TOSERVER : STREAM_TOCLIENT);

10
src/output-json-frame.c
Unescape Escape View File

@ -409,6 +409,16 @@ static bool JsonFrameLogCondition(ThreadVars *tv, void *thread_data, const Packe
return false;
if ((p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) && p->flow->alparser != NULL) {
if (p->proto == IPPROTO_TCP) {
if ((p->flow->flags & FLOW_TS_APP_UPDATED) && PKT_IS_TOSERVER(p)) {
// fallthrough
} else if ((p->flow->flags & FLOW_TC_APP_UPDATED) && PKT_IS_TOCLIENT(p)) {
// fallthrough
} else {
return false;
}
}
FramesContainer *frames_container = AppLayerFramesGetContainer(p->flow);
if (frames_container == NULL)
return false;

Write Preview
Loading…
Cancel
Save