Commit Graph

310 Commits (623c2e78fdd7ed952e52aca92b240109019aad04)

Author SHA1 Message Date
Victor Julien de4bda14e6 stream: handle flow timeout stream end packets
Handle flow timeout packets in the stream engine. Previously the flow
timeout code would call reassembly code directly.
11 years ago
Victor Julien 48eccf7d91 Assign thread_id to flow on first packet stream engine 11 years ago
Victor Julien 503cc3de69 stream/async: improve handling of syn/ack pickup
If we picked up the ssn with a syn/ack, we don't need to make more
assumptions about sack and wscale after that.
11 years ago
Victor Julien 1656148490 stream/async: fix session setup issues
For these 2 cases:

1. Missing SYN:
-> syn <= missing
<- syn/ack
-> ack
-> data

2. Missing SYN and 3whs ACK:
-> syn <= missing
<- syn/ack
-> ack <= missing
-> data

Fix session pickup. The next_win settings weren't correctly set, so that
packets were rejected.

Bug 1190.
11 years ago
Victor Julien b2e80a0f66 stream: improve tracking with pkt loss in async
If 3whs SYN/ACK and ACK are missing we can still pick up the session if
in async-oneside mode.

-> syn
<- syn/ack <= missing
-> ack     <= missing
-> data

Bug 1190.
11 years ago
Victor Julien 4d66775a56 stream: improve bad window update detection
Ignore more valid ACKs in FIN shutdown phase.

Improve heuristic for window shrinking in case of packet loss.
11 years ago
Victor Julien a54f52278b stream: fix 'bad window update' false positive
ACK packets completing a valid FIN shutdown could be flagged as
'bad window update' if they would shrink the window.

This patch detects this case before doing the bad window update
check.
11 years ago
Victor Julien 5834a1a619 stream: improve handling of 3whs packet loss
If the 3whs ACK and some data after this is lost, we would get stuck
in the 'SYN_RECV' state, where from there each packet might be
considered invalid.

This patch improves the handling of this case.
11 years ago
Victor Julien e7a909f4ae stream: fix ssh/ssl logging on tcp session reuse
TCP session reuse wouldn't unset FLOW_NO_APPLAYER_INSPECTION.
11 years ago
Victor Julien a68e19d998 stream: add counter for failed pseudo setups
Stream pseudo packets are taken from the packet pool, which can be empty.
In this case a pseudo packet will not be created and processed.

This patch adds a counter "tcp.pseudo_failed" to track this.
11 years ago
Victor Julien e4c8084a75 stream: clean up pseudo packet counting
Increment the counter from StreamTcpPseudoPacketCreateStreamEndPacket.
11 years ago
Victor Julien 9a5bf82ba5 tcp session reuse: reset detect state
Reset the detect state on TCP session reuse. We reset the app layer,
so we need to reset the stateful detection as well.
11 years ago
Victor Julien 231b993f1f packet recycle: split macro
Split PACKET_RECYCLE into 2 parts. One part for cleanup to do before a
packet is returned to the pool, the other after it's retrieved from
the pool.
11 years ago
Victor Julien 6b0ff0193d stream: detect and filter out bad window updates
Reported in bug 1238 is an issue where stream reassembly can be
disrupted.

A packet that was in-window, but otherwise unexpected set the
window to a really low value, causing the next *expected* packet
to be considered out of window. This lead to missing data in the
stream reassembly.

The packet was unexpected in various ways:
- it would ack unseen traffic
- it's sequence number would not match the expected next_seq
- set a really low window, while not being a proper window update

Detection however, it greatly hampered by the fact that in case of
packet loss, quite similar packets come in. Alerting in this case
is unwanted. Ignoring/skipping packets in this case as well.

The logic used in this patch is as follows. If:

- the packet is not a window update AND
- packet seq > next_seq AND
- packet acq > next_seq (packet acks unseen data) AND
- packet shrinks window more than it's own data size
THEN set event and skip the packet in the stream engine.

So in case of a segment with no data, any window shrinking is rejected.

Bug #1238.
11 years ago
Ken Steele 8f1d75039a Enforce function coding standard
Functions should be defined as:

int foo(void)
{
}

Rather than:
int food(void) {
}

All functions where changed by a script to match this standard.
12 years ago
Victor Julien 3bb0ccba98 stream: track TCP flags per stream direction
For netflow logging track TCP flags per stream direction. As the struct
had no more space left without expanding it, the flags and wscale
fields are now compressed.
12 years ago
Victor Julien fddeca8aae tcp: track TCP packet flags per session
For logging out in flow logging.
12 years ago
Victor Julien 3543150f42 stream: implement raw reassembly stop api
Implement StreamTcpSetDisableRawReassemblyFlag() which stops raw
reassembly for _NEW_ segments in a stream direction.

It is used only by TLS/SSL now, to flag the streams as encrypted.
Existing segments will still be reassembled and inspected, while
new segments won't be. This allows for pattern based inspection
of the TLS handshake.

Like is the case with completely disabled 'raw' reassembly, the
logic is that the segments are flagged as completed for 'raw' right
away. So they are not considered in raw reassembly anymore.

As no new segments will be considered, the chunk limit check will
return true on the next call.
12 years ago
Victor Julien d8481cb7cd stream: improve retransmission handling
Improve retransmission handling in the CLOSE_WAIT state.

Bug #1180.
12 years ago
Victor Julien c1dcc7a268 stream: fix midstream syn/ack setup
If midstream is enabled and the first packet is the syn/ack packet from
the 3whs, initialized server.last_ack to the packets seq.

This fixes tracking the session.
12 years ago
Victor Julien 7b0f1e9512 stream: improve retransmission handling
When connection are closing, don't reject retransmissions of data
packets.

Bug #1180.
12 years ago
Victor Julien 96adcf6829 refactor IDS/IPS engine mode logic
Instead of error phrone externs with macro's, use functions with a local
static enum var instead.

- EngineModeIsIPS(): in IPS mode
- EngineModeIsIDS(): in IDS mode

To set the modes:

- EngineModeSetIDS(): IDS mode (default)
- EngineModeSetIPS(): IPS mode

Bug #1177.
12 years ago
Victor Julien fe1c4951f9 stream: silence stream.reassembly.raw message 12 years ago
Victor Julien 4049c2f74c Packet logging API: convert unified2
Convert unified2 alert to new logging API.
12 years ago
Victor Julien 5f307acace Pass ThreadVars ptr to various thread init funcs
To be able to register counters from AppLayerGetCtxThread, the
ThreadVars pointer needs to be available in it and thus in it's
callers:

- AppLayerGetCtxThread
- DecodeThreadVarsAlloc
- StreamTcpReassembleInitThreadCtx
12 years ago
Victor Julien 261881fce2 stream: remove per thread queue for stream msgs
StreamMsgs would be stored in a per thread queue before being
attached to the tcp ssn. This is unnecessary, so this patch
removes this queue and puts the smsgs into the ssn directly.

Large patch as it affects a lot of tests.
12 years ago
Victor Julien b159c1714c stream: remove flow reference from StreamMsg
StreamMsg' flow reference was used mostly to make sure a flow would
not get removed from the hash before inspection. For this it needed
to reference the flow use_cnt reference counter. Nowadays we have
more advanced flow timeout handling. This will make sure that if
there still are pending smsgs' in a flow, these will still be
processed.
12 years ago
Victor Julien 1d08a3ff26 stream: pass TcpSession to StreamTcpReassembleProcessAppLayer
Preparation for removing flow pointer from StreamMsg. Instead of
getting the ssn indirectly through StreamMsg->flow, we pass it
directly as all callers have it already.
12 years ago
Eric Leblond 4d6b48ea9e htp layer: add memory cap counter
This patch adds a memcap counter for HTP memory usage. Counter
is increased each time an allocation is not done due to the memcap.
12 years ago
Eric Leblond d6d8a08a8f htp layer: add memory usage counter
This patch adds a memory counter for HTP memory usage. As
there is no thread variables available in application layer
the counter has been added to the TCP reassembly thread.
12 years ago
Victor Julien 106e1c7d19 profiling: fix compilation
Stream engine can't access app layer proto detection datatypes
anymore, so moved some of the logic into app-layer.c
12 years ago
Anoop Saldanha 429c6388f6 App layer API rewritten. The main files in question are:
app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch].

Things addressed in this commit:
- Brings out a proper separation between protocol detection phase and the
  parser phase.
- The dns app layer now is registered such that we don't use "dnstcp" and
  "dnsudp" in the rules.  A user who previously wrote a rule like this -

  "alert dnstcp....." or
  "alert dnsudp....."

  would now have to use,

  alert dns (ipproto:tcp;) or
  alert udp (app-layer-protocol:dns;) or
  alert ip (ipproto:udp; app-layer-protocol:dns;)

  The same rules extend to other another such protocol, dcerpc.
- The app layer parser api now takes in the ipproto while registering
  callbacks.
- The app inspection/detection engine also takes an ipproto.
- All app layer parser functions now take direction as STREAM_TOSERVER or
  STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the
  functions.
- FlowInitialize() and FlowRecycle() now resets proto to 0.  This is
  needed by unittests, which would try to clean the flow, and that would
  call the api, AppLayerParserCleanupParserState(), which would try to
  clean the app state, but the app layer now needs an ipproto to figure
  out which api to internally call to clean the state, and if the ipproto
  is 0, it would return without trying to clean the state.
- A lot of unittests are now updated where if they are using a flow and
  they need to use the app layer, we would set a flow ipproto.
- The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
Victor Julien 3714925d2b stream: fix potential memory loss on error
Coverity 1139543.

If StreamTcpPseudoPacket would be called with len == 0, the packet
it acquired before checking the len value would be lost.
12 years ago
Ken Steele f9705377ae Remove pkt variable from Packet structure.
The uint8_t *pkt in the Packet structure always points to the memory
immediately following the Packet structure. It is better to simply
calculate that value every time than store the 8 byte pointer.
12 years ago
Victor Julien 8522da8ea5 stream: add option to disable raw reassembly
Raw reassembly is used only by the detection engine. For users only
caring about logging it's a significant overhead, both in cpu and
memory usage.

The option is called 'raw' and lives under the stream.reassembly
options.

stream:
  memcap: 32mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 64mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    raw: false # <- new option
12 years ago
Victor Julien 7074ca373b proto detection: add limit for one sided sessions
If a session only has data in one direction, like ftp data sessions,
protocol detection will only run in one direction. This led to a
situation where reassembly would hold all the segments as proto
detection was never flagged as complete.

This patch introduces a limit for protocol detection in this case.
If the limit is reached, detection will give up.
12 years ago
Eric Leblond 8b5be26f49 pcap-file: add checksum-checks configuration variable
This patch adds support for checksum-checks in the pcap-file running
mode. This is the same functionnality as the one already existing for
live interface.

It can be setup in the YAML:
  pcap-file:
    checksum-checks: auto

A message is displayed for small pcap to warn that invalid checksum
rate is big on the pcap file and that checksum-check could
be set to no.
12 years ago
Ken Steele f16b339fc4 Rename checksums to level3_comp_csum and level4_comp_csum.
This will also sharing even more memory in the Packet_ structure.
12 years ago
Ken Steele c6a8d0ab6b Share Packet checksum values for TCP, UDP, IPv6. ICMPv4 and ICMPv6
Keep a separate checksum for IPV4, since a packet can have both an IPV4
checksum and a TCPV4 checksum, or IPV4 and UDPV4 checksum.

This will allow future sharing of more values.

Use PACKET_RESET_CHECKSUMS() in Unit Tests in place of setting the
individual checksum values.
12 years ago
Victor Julien e416b2cdfb stream: fix IPv6 pseudo packet setup
Bug #1022: IPv6 pseudo packet setup using reverse logic of IPv4.
12 years ago
Victor Julien ef17b7b9f4 stream: reduce scope of StreamTcpPseudoPacketSetupHeader 12 years ago
Victor Julien 49087f21e4 Optimizations to reduce branch misses 12 years ago
Victor Julien 698ff4e4aa Counters: remove all unused parts of the API 12 years ago
Eric Leblond 79fcf1378a Use unlikely in malloc failure test.
This patch is a result of applying the following coccinelle
transformation to suricata sources:

  @istested@
  identifier x;
  statement S1;
  identifier func =~ "(SCMalloc|SCStrdup|SCCalloc|SCMallocAligned|SCRealloc)";
  @@

  x = func(...)
  ... when != x
  - if (x == NULL) S1
  + if (unlikely(x == NULL)) S1
12 years ago
Victor Julien 209946b07c Fix broken check in stream.max-synack-queued parsing (coverity 1038103) 12 years ago
Anoop Saldanha 1ea5d27508 Fix for bug #989.
In case of recursive call to protocol detection from within protocol
detection, and the recursively invoked stream still hasn't been ack'ed
yet, protocol detection doesn't take place.  In such cases we will end up
still calling the app layer with the wrong direction data.  Introduce a
check to not call app layer with wrong direction data.

When sockets are re-used reset all relevant vars correctly.

This commit fixes a bug where we were not reseting app proto detection
vars.

While fixing #989, we discovered some other bugs which have also been
fixed, or rather some features which are now updated.  One of the feature
update being if we recieve wrong direction data first, we don't reset the
protocol values for the flow.  We let the flow retain the detected
values.

Unittests have been modified to accomodate the above change.
12 years ago
Anoop Saldanha 558f5705eb Remove the unused flow flags - FLOW_TS_PM_PP_ALPROTO_DETECT_DONE and
FLOW_TC_PM_PP_ALPROTO_DETECT_DONE.
12 years ago
Anoop Saldanha 36220b689b Reset some flow flags when port numbers are re-used and we re-use the
flow as a part of a new session.
12 years ago
Anoop Saldanha 0d7159b525 App layer protocol detection updated and improved. We now use
confirmation from both directions and set events if there's a mismatch
between the 2 directions.

FPs from corrupt flows have disappeared with this.
12 years ago
Victor Julien 8080494e9a counters: consolidate counters after all ThreadInit functions of a thread have run. This prevents duplicate and overwriting memory allocations. 12 years ago