Removed FLOW_AL_PROTO_DETECT_DONE. Replaced it with FLOW_ALPROTO_DETECT_DONE, stored it in Flow->flags

remotes/origin/master-1.1.x
Anoop Saldanha 15 years ago committed by Victor Julien
parent 49e2b580cb
commit ac5584a863

@ -31,6 +31,7 @@
#include "flow.h"
#include "conf.h"
#include "stream.h"
#include "app-layer-protos.h"
#include "threads.h"
#include "threadvars.h"
@ -222,7 +223,7 @@ TmEcode AlertDebugLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq
p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
p->flow->alflags & FLOW_AL_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
p->flow->alflags & FLOW_AL_PROTO_DETECT_DONE ? "TRUE" : "FALSE", p->flow->alproto);
(p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
AlertDebugLogFlowVars(aft, p);
AlertDebugLogFlowBits(aft, p);
SCMutexUnlock(&p->flow->m);
@ -316,7 +317,7 @@ TmEcode AlertDebugLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq
p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
p->flow->alflags & FLOW_AL_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE");
fprintf(aft->file_ctx->fp, "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
p->flow->alflags & FLOW_AL_PROTO_DETECT_DONE ? "TRUE" : "FALSE", p->flow->alproto);
(p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
AlertDebugLogFlowVars(aft, p);
AlertDebugLogFlowBits(aft, p);
SCMutexUnlock(&p->flow->m);
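Review bot: The DETECTED field in both AlertDebugLogIPv4 and AlertDebugLogIPv6 now prints `p->flow->alproto != ALPROTO_UNKNOWN`, so it is TRUE only when a protocol was identified, whereas the removed expression tested the detection-done flag. A flow on which detection ran and matched nothing now logs FALSE, the same as a flow that has not been examined yet, so an analyst reading the debug log can no longer tell the two apart. If that is intended, a comment above each fprintf would record it, for example `/* DETECTED means a protocol was identified, not that detection has finished */`; otherwise the line could print a second field for completion. Both function bodies start and end outside the hunks.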

@ -149,7 +149,6 @@ int AppLayerHandleTCPData(AlpProtoDetectThreadCtx *dp_ctx, Flow *f,
* only run the proto detection once. */
if (alproto == ALPROTO_UNKNOWN && flags & STREAM_GAP) {
ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
SCLogDebug("ALPROTO_UNKNOWN flow %p, due to GAP in stream start", f);
StreamTcpSetSessionNoReassemblyFlag(ssn, 0);
} else if (alproto == ALPROTO_UNKNOWN && flags & STREAM_START) {
@ -170,22 +169,18 @@ int AppLayerHandleTCPData(AlpProtoDetectThreadCtx *dp_ctx, Flow *f,
FlowL7DataPtrInit(f);
f->alproto = alproto;
ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
r = AppLayerParse(f, alproto, flags, data, data_len);
} else {
if (flags & STREAM_TOSERVER) {
SCLogDebug("alp_proto_ctx.toserver.max_len %u", alp_proto_ctx.toserver.max_len);
if (data_len >= alp_proto_ctx.toserver.max_len) {
ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
StreamTcpSetSessionNoReassemblyFlag(ssn, 0);
}
} else if (flags & STREAM_TOCLIENT) {
if (data_len >= alp_proto_ctx.toclient.max_len) {
ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
StreamTcpSetSessionNoReassemblyFlag(ssn, 1);
}
@ -353,7 +348,6 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
FlowL7DataPtrInit(smsg->flow);
smsg->flow->alproto = alproto;
ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
smsg->flow->alflags |= FLOW_AL_PROTO_DETECT_DONE;
r = AppLayerParse(smsg->flow, alproto, smsg->flow->alflags,
smsg->data.data, smsg->data.data_len);
@ -362,14 +356,14 @@ int AppLayerHandleMsg(AlpProtoDetectThreadCtx *dp_ctx, StreamMsg *smsg)
if (smsg->data.data_len >= alp_proto_ctx.toserver.max_len) {
/* protocol detection has failed */
ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
smsg->flow->alflags |= FLOW_AL_PROTO_DETECT_DONE|FLOW_AL_NO_APPLAYER_INSPECTION;
smsg->flow->alflags |= FLOW_AL_NO_APPLAYER_INSPECTION;
SCLogDebug("ALPROTO_UNKNOWN flow %p", smsg->flow);
}
} else if (smsg->flags & STREAM_TOCLIENT) {
if (smsg->data.data_len >= alp_proto_ctx.toclient.max_len) {
/* protocol detection has failed */
ssn->flags |= STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED;
smsg->flow->alflags |= FLOW_AL_PROTO_DETECT_DONE|FLOW_AL_NO_APPLAYER_INSPECTION;
smsg->flow->alflags |= FLOW_AL_NO_APPLAYER_INSPECTION;
SCLogDebug("ALPROTO_UNKNOWN flow %p", smsg->flow);
}
}
@ -492,7 +486,7 @@ int AppLayerHandleUdp(AlpProtoDetectThreadCtx *dp_ctx, Flow *f, Packet *p)
* initializer message, we run proto detection.
* We receive 2 stream init msgs (one for each direction) but we
* only run the proto detection once. */
if (alproto == ALPROTO_UNKNOWN && !(f->alflags & FLOW_AL_PROTO_DETECT_DONE)) {
if (alproto == ALPROTO_UNKNOWN && !(f->flags & FLOW_ALPROTO_DETECT_DONE)) {
SCLogDebug("Detecting AL proto on udp mesg (len %" PRIu32 ")",
p->payload_len);
@ -506,12 +500,12 @@ int AppLayerHandleUdp(AlpProtoDetectThreadCtx *dp_ctx, Flow *f, Packet *p)
/* store the proto and setup the L7 data array */
FlowL7DataPtrInit(f);
f->alproto = alproto;
f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
f->flags |= FLOW_ALPROTO_DETECT_DONE;
r = AppLayerParse(f, alproto, f->alflags,
p->payload, p->payload_len);
} else {
f->alflags |= FLOW_AL_PROTO_DETECT_DONE;
f->flags |= FLOW_ALPROTO_DETECT_DONE;
SCLogDebug("ALPROTO_UNKNOWN flow %p", f);
}
} else {
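Review bot: In AppLayerHandleUdp and AppLayerHandleMsg the third argument of AppLayerParse is still `f->alflags` / `smsg->flow->alflags`, but that word no longer carries the detect-done bit (0x02) that the old code set immediately before the call. Whether any parser looked at that bit is not visible here, so it is worth confirming that none did. A short comment at each call would help, such as `/* alflags no longer carries the detect-done marker; see f->flags (UDP) or ssn->flags (TCP) */`. The TCP hunks drop the flow-level marker with no replacement and rely on `STREAMTCP_FLAG_APPPROTO_DETECTION_COMPLETED` alone. All three function bodies continue outside the hunks.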

@ -73,6 +73,8 @@
#define FLOW_TOSERVER_DROP_LOGGED 0x2000
/** packet to client direction has been logged in drop file (only in IPS mode) */
#define FLOW_TOCLIENT_DROP_LOGGED 0x4000
/** alproto detect done. Right now we need it only for udp */
#define FLOW_ALPROTO_DETECT_DONE 0x8000
/* pkt flow flags */
#define FLOW_PKT_TOSERVER 0x01
@ -213,7 +215,6 @@ typedef struct Flow_
} Flow;
/** Flow Application Level flags */
#define FLOW_AL_PROTO_DETECT_DONE 0x02
#define FLOW_AL_NO_APPLAYER_INSPECTION 0x04 /** \todo move to flow flags later */
#define FLOW_AL_STREAM_TOSERVER 0x20
#define FLOW_AL_STREAM_TOCLIENT 0x40
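Review bot: The comment on `FLOW_ALPROTO_DETECT_DONE` says the flag is only needed for UDP, but it does not say that TCP flows never set it, which is how the app-layer changes in this commit behave. Code that later tests `f->flags & FLOW_ALPROTO_DETECT_DONE` on a TCP flow would read it as detection still pending. I would spell that out: `/** app layer protocol detection has run; set on the UDP path only, TCP records this in the stream session flags */`. The new value 0x8000 is also the highest bit of a 16-bit word, and the declared width of Flow->flags is outside this hunk, so that is worth checking before more flags are added.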
