/**
* \brief Search tags for src and dst. Update entries of the tag, remove if necessary
*
* \param de_ctx Detect context
* \param det_ctx Detect thread context
* \param p packet
*
*/
void TagHandlePacket(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Packet *p)
{
/* If there's no tag, get out of here */
unsigned int current_tags = SC_ATOMIC_GET(num_tags);
if (current_tags == 0)
return;
/* First update and get session tags */
if (p->flow != NULL) {
FLOWLOCK_WRLOCK(p->flow);
TagHandlePacketFlow(p->flow, p);
FLOWLOCK_UNLOCK(p->flow);
}
Host *src = HostLookupHostFromHash(&p->src);
if (src) {
if (src->tag != NULL) {
TagHandlePacketHost(src,p);
}
HostRelease(src);
}
Host *dst = HostLookupHostFromHash(&p->dst);
if (dst) {
if (dst->tag != NULL) {
TagHandlePacketHost(dst,p);
}
HostRelease(dst);
}
}
static TmEcode OutputStreamingLog(ThreadVars *tv, Packet *p, void *thread_data, PacketQueue *pq, PacketQueue *postpq)
{
BUG_ON(thread_data == NULL);
BUG_ON(list == NULL);
OutputLoggerThreadData *op_thread_data = (OutputLoggerThreadData *)thread_data;
OutputStreamingLogger *logger = list;
OutputLoggerThreadStore *store = op_thread_data->store;
StreamerCallbackData streamer_cbdata = { logger, store, tv, p , 0};
BUG_ON(logger == NULL && store != NULL);
BUG_ON(logger != NULL && store == NULL);
BUG_ON(logger == NULL && store == NULL);
uint8_t flags = 0;
Flow * const f = p->flow;
/* no flow, no streaming */
if (f == NULL) {
SCReturnInt(TM_ECODE_OK);
}
if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= OUTPUT_STREAMING_FLAG_TOCLIENT;
else
flags |= OUTPUT_STREAMING_FLAG_TOSERVER;
FLOWLOCK_WRLOCK(f);
if (op_thread_data->loggers & (1<<STREAMING_TCP_DATA)) {
TcpSession *ssn = f->protoctx;
if (ssn) {
int close = (ssn->state >= TCP_CLOSED);
close |= ((p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0);
SCLogDebug("close ? %s", close ? "yes" : "no");
TcpStream *stream = flags & OUTPUT_STREAMING_FLAG_TOSERVER ? &ssn->client : &ssn->server;
streamer_cbdata.type = STREAMING_TCP_DATA;
StreamIterator(p->flow, stream, close, (void *)&streamer_cbdata, flags);
}
}
if (op_thread_data->loggers & (1<<STREAMING_HTTP_BODIES)) {
if (f->alproto == ALPROTO_HTTP && f->alstate != NULL) {
int close = 0;
TcpSession *ssn = f->protoctx;
if (ssn) {
close = (ssn->state >= TCP_CLOSED);
close |= ((p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0);
}
SCLogDebug("close ? %s", close ? "yes" : "no");
streamer_cbdata.type = STREAMING_HTTP_BODIES;
HttpBodyIterator(f, close, (void *)&streamer_cbdata, flags);
}
}
FLOWLOCK_UNLOCK(f);
return TM_ECODE_OK;
}
static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p) {
JsonTlsLogThread *aft = (JsonTlsLogThread *)thread_data;
MemBuffer *buffer = (MemBuffer *)aft->buffer;
OutputTlsCtx *tls_ctx = aft->tlslog_ctx;
if (unlikely(p->flow == NULL)) {
return 0;
}
/* check if we have TLS state or not */
FLOWLOCK_WRLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_TLS)
goto end;
SSLState *ssl_state = (SSLState *)FlowGetAppState(p->flow);
if (unlikely(ssl_state == NULL)) {
goto end;
}
if (ssl_state->server_connp.cert0_issuerdn == NULL || ssl_state->server_connp.cert0_subject == NULL)
goto end;
json_t *js = CreateJSONHeader((Packet *)p, 0, "tls");//TODO
if (unlikely(js == NULL))
goto end;
json_t *tjs = json_object();
if (tjs == NULL) {
free(js);
goto end;
}
/* reset */
MemBufferReset(buffer);
/* tls.subject */
json_object_set_new(tjs, "subject",
json_string(ssl_state->server_connp.cert0_subject));
/* tls.issuerdn */
json_object_set_new(tjs, "issuerdn",
json_string(ssl_state->server_connp.cert0_issuerdn));
if (tls_ctx->flags & LOG_TLS_EXTENDED) {
LogTlsLogExtendedJSON(tjs, ssl_state);
}
json_object_set_new(js, "tls", tjs);
OutputJSONBuffer(js, tls_ctx->file_ctx, buffer);
json_object_clear(js);
json_decref(js);
/* we only log the state once */
ssl_state->flags |= SSL_AL_FLAG_STATE_LOGGED;
end:
FLOWLOCK_UNLOCK(p->flow);
return 0;
}
/**
* \brief Get a new flow
*
* Get a new flow. We're checking memcap first and will try to make room
* if the memcap is reached.
*
* \param tv thread vars
* \param dtv decode thread vars (for flow log api thread data)
*
* \retval f *LOCKED* flow on succes, NULL on error.
*/
static Flow *FlowGetNew(ThreadVars *tv, DecodeThreadVars *dtv, const Packet *p)
{
Flow *f = NULL;
if (FlowCreateCheck(p) == 0) {
return NULL;
}
/* get a flow from the spare queue */
f = FlowDequeue(&flow_spare_q);
if (f == NULL) {
/* If we reached the max memcap, we get a used flow */
if (!(FLOW_CHECK_MEMCAP(sizeof(Flow) + FlowStorageSize()))) {
/* declare state of emergency */
if (!(SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)) {
SC_ATOMIC_OR(flow_flags, FLOW_EMERGENCY);
FlowTimeoutsEmergency();
/* under high load, waking up the flow mgr each time leads
* to high cpu usage. Flows are not timed out much faster if
* we check a 1000 times a second. */
FlowWakeupFlowManagerThread();
}
f = FlowGetUsedFlow(tv, dtv);
if (f == NULL) {
/* max memcap reached, so increments the counter */
if (tv != NULL && dtv != NULL) {
StatsIncr(tv, dtv->counter_flow_memcap);
}
/* very rare, but we can fail. Just giving up */
return NULL;
}
/* freed a flow, but it's unlocked */
} else {
/* now see if we can alloc a new flow */
f = FlowAlloc();
if (f == NULL) {
if (tv != NULL && dtv != NULL) {
StatsIncr(tv, dtv->counter_flow_memcap);
}
return NULL;
}
/* flow is initialized but *unlocked* */
}
} else {
/* flow has been recycled before it went into the spare queue */
/* flow is initialized (recylced) but *unlocked* */
}
FLOWLOCK_WRLOCK(f);
FlowUpdateCounter(tv, dtv, p->proto);
return f;
}
static TmEcode LogFileLogWrap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq, int ipver)
{
SCEnter();
LogFileLogThread *aft = (LogFileLogThread *)data;
uint8_t flags = 0;
/* no flow, no htp state */
if (p->flow == NULL) {
SCReturnInt(TM_ECODE_OK);
}
if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= STREAM_TOCLIENT;
else
flags |= STREAM_TOSERVER;
int file_close = (p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0;
int file_trunc = 0;
FLOWLOCK_WRLOCK(p->flow);
file_trunc = StreamTcpReassembleDepthReached(p);
FileContainer *ffc = AppLayerParserGetFiles(IPPROTO_TCP, p->flow->alproto,
p->flow->alstate, flags);
SCLogDebug("ffc %p", ffc);
if (ffc != NULL) {
File *ff;
for (ff = ffc->head; ff != NULL; ff = ff->next) {
if (ff->flags & FILE_LOGGED)
continue;
if (FileForceMagic() && ff->magic == NULL) {
FilemagicGlobalLookup(ff);
}
SCLogDebug("ff %p", ff);
if (file_trunc && ff->state < FILE_STATE_CLOSED)
ff->state = FILE_STATE_TRUNCATED;
if (ff->state == FILE_STATE_CLOSED ||
ff->state == FILE_STATE_TRUNCATED || ff->state == FILE_STATE_ERROR ||
(file_close == 1 && ff->state < FILE_STATE_CLOSED))
{
LogFileWriteJsonRecord(aft, p, ff, ipver);
ff->flags |= FILE_LOGGED;
aft->file_cnt++;
}
}
FilePrune(ffc);
}
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_OK);
}
void FlowAlertSidSet(Flow *f, uint32_t sid) {
FLOWLOCK_WRLOCK(f);
FlowAlertSid *fb = FlowAlertSidGet(f, sid);
if (fb == NULL) {
FlowAlertSidAdd(f, sid);
}
FLOWLOCK_UNLOCK(f);
}
void FlowBitUnset(Flow *f, uint16_t idx) {
FLOWLOCK_WRLOCK(f);
FlowBit *fb = FlowBitGet(f, idx);
if (fb != NULL) {
FlowBitRemove(f, idx);
}
FLOWLOCK_UNLOCK(f);
}
void FlowAlertSidUnset(Flow *f, uint32_t sid) {
FLOWLOCK_WRLOCK(f);
FlowAlertSid *fb = FlowAlertSidGet(f, sid);
if (fb != NULL) {
FlowAlertSidRemove(f, sid);
}
FLOWLOCK_UNLOCK(f);
}
void FlowBitSet(Flow *f, uint16_t idx) {
FLOWLOCK_WRLOCK(f);
FlowBit *fb = FlowBitGet(f, idx);
if (fb == NULL) {
FlowBitAdd(f, idx);
}
FLOWLOCK_UNLOCK(f);
}
void FlowBitToggle(Flow *f, uint16_t idx) {
FLOWLOCK_WRLOCK(f);
FlowBit *fb = FlowBitGet(f, idx);
if (fb != NULL) {
FlowBitRemove(f, idx);
} else {
FlowBitAdd(f, idx);
}
FLOWLOCK_UNLOCK(f);
}
void FlowAlertSidToggle(Flow *f, uint32_t sid) {
FLOWLOCK_WRLOCK(f);
FlowAlertSid *fb = FlowAlertSidGet(f, sid);
if (fb != NULL) {
FlowAlertSidRemove(f, sid);
} else {
FlowAlertSidAdd(f, sid);
}
FLOWLOCK_UNLOCK(f);
}
/**
* \test Test the deallocation of app layer parser memory on occurance of
* error in the parsing process.
*/
static int AppLayerParserTest01(void)
{
AppLayerParserBackupParserTable();
int result = 0;
Flow *f = NULL;
uint8_t testbuf[] = { 0x11 };
uint32_t testlen = sizeof(testbuf);
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&ssn, 0, sizeof(ssn));
/* Register the Test protocol state and parser functions */
AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TEST, STREAM_TOSERVER,
TestProtocolParser);
AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_TEST,
TestProtocolStateAlloc, TestProtocolStateFree);
f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
if (f == NULL)
goto end;
f->protoctx = &ssn;
f->alproto = ALPROTO_TEST;
f->proto = IPPROTO_TCP;
StreamTcpInitConfig(TRUE);
FLOWLOCK_WRLOCK(f);
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
STREAM_TOSERVER | STREAM_EOF, testbuf,
testlen);
if (r != -1) {
printf("returned %" PRId32 ", expected -1: ", r);
FLOWLOCK_UNLOCK(f);
goto end;
}
FLOWLOCK_UNLOCK(f);
if (!(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED)) {
printf("flag should have been set, but is not: ");
goto end;
}
result = 1;
end:
AppLayerParserRestoreParserTable();
StreamTcpFreeConfig(TRUE);
UTHFreeFlow(f);
return result;
}
/**
* \brief post-match function for filestore
*
* \param t thread local vars
* \param det_ctx pattern matcher thread local data
* \param p packet
*
* The match function for filestore records store candidates in the det_ctx.
* When we are sure all parts of the signature matched, we run this function
* to finalize the filestore.
*/
int DetectFilestorePostMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s)
{
uint8_t flags = 0;
SCEnter();
if (det_ctx->filestore_cnt == 0) {
SCReturnInt(0);
}
if (s->filestore_sm == NULL || p->flow == NULL) {
#ifndef DEBUG
SCReturnInt(0);
#else
BUG_ON(1);
#endif
}
if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= STREAM_TOCLIENT;
else
flags |= STREAM_TOSERVER;
if (det_ctx->flow_locked == 0)
FLOWLOCK_WRLOCK(p->flow);
FileContainer *ffc = AppLayerParserGetFiles(p->flow->proto, p->flow->alproto,
p->flow->alstate, flags);
/* filestore for single files only */
if (s->filestore_sm->ctx == NULL) {
uint16_t u;
for (u = 0; u < det_ctx->filestore_cnt; u++) {
FileStoreFileById(ffc, det_ctx->filestore[u].file_id);
}
} else {
DetectFilestoreData *filestore = (DetectFilestoreData *)s->filestore_sm->ctx;
uint16_t u;
for (u = 0; u < det_ctx->filestore_cnt; u++) {
FilestorePostMatchWithOptions(p, p->flow, filestore, ffc,
det_ctx->filestore[u].file_id, det_ctx->filestore[u].tx_id);
}
}
if (det_ctx->flow_locked == 0)
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(0);
}
/**
* \brief This function is used to add a tag to a session (type session)
* or update it if it's already installed. The number of times to
* allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way
* repetitive matches to the same rule are limited of setting tags,
* to avoid DOS attacks
*
* \param p pointer to the current packet
* \param tde pointer to the new DetectTagDataEntry
*
* \retval 0 if the tde was added succesfuly
* \retval 1 if an entry of this sid/gid already exist and was updated
*/
int TagFlowAdd(Packet *p, DetectTagDataEntry *tde) {
uint8_t updated = 0;
uint16_t num_tags = 0;
DetectTagDataEntry *iter = NULL;
if (p->flow == NULL)
return 1;
FLOWLOCK_WRLOCK(p->flow);
if (p->flow->tag_list != NULL) {
iter = p->flow->tag_list;
/* First iterate installed entries searching a duplicated sid/gid */
for (; iter != NULL; iter = iter->next) {
num_tags++;
if (iter->sid == tde->sid && iter->gid == tde->gid) {
iter->cnt_match++;
/* If so, update data, unless the maximum MATCH limit is
* reached. This prevents possible DOS attacks */
if (iter->cnt_match < DETECT_TAG_MATCH_LIMIT) {
/* Reset time and counters */
iter->first_ts = iter->last_ts = tde->first_ts;
iter->packets = 0;
iter->bytes = 0;
}
updated = 1;
break;
}
}
}
/* If there was no entry of this rule, prepend the new tde */
if (updated == 0 && num_tags < DETECT_TAG_MAX_TAGS) {
DetectTagDataEntry *new_tde = DetectTagDataCopy(tde);
if (new_tde != NULL) {
new_tde->next = p->flow->tag_list;
p->flow->tag_list = new_tde;
(void) SC_ATOMIC_ADD(num_tags, 1);
}
} else if (num_tags == DETECT_TAG_MAX_TAGS) {
SCLogDebug("Max tags for sessions reached (%"PRIu16")", num_tags);
}
FLOWLOCK_UNLOCK(p->flow);
return updated;
}
/**
* \internal
* \brief Forces reassembly for flows that need it.
*
* When this function is called we're running in virtually dead engine,
* so locking the flows is not strictly required. The reasons it is still
* done are:
* - code consistency
* - silence complaining profilers
* - allow us to aggressively check using debug valdation assertions
* - be robust in case of future changes
* - locking overhead if neglectable when no other thread fights us
*
* \param q The queue to process flows from.
*/
static inline void FlowForceReassemblyForHash(void)
{
Flow *f;
TcpSession *ssn;
int client_ok = 0;
int server_ok = 0;
uint32_t idx = 0;
for (idx = 0; idx < flow_config.hash_size; idx++) {
FlowBucket *fb = &flow_hash[idx];
PacketPoolWaitForN(9);
FBLOCK_LOCK(fb);
/* get the topmost flow from the QUEUE */
f = fb->head;
/* we need to loop through all the flows in the queue */
while (f != NULL) {
PacketPoolWaitForN(3);
FLOWLOCK_WRLOCK(f);
/* Get the tcp session for the flow */
ssn = (TcpSession *)f->protoctx;
/* \todo Also skip flows that shouldn't be inspected */
if (ssn == NULL) {
FLOWLOCK_UNLOCK(f);
f = f->hnext;
continue;
}
if (FlowForceReassemblyNeedReassembly(f, &server_ok, &client_ok) == 1) {
FlowForceReassemblyForFlow(f, server_ok, client_ok);
}
FLOWLOCK_UNLOCK(f);
/* next flow in the queue */
f = f->hnext;
}
FBLOCK_UNLOCK(fb);
}
return;
}
static int DetectTlsStoreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, Signature *s, SigMatch *m)
{
SCEnter();
SSLState *ssl_state = (SSLState *)state;
if (ssl_state == NULL) {
SCLogDebug("no tls state, no match");
SCReturnInt(1);
}
FLOWLOCK_WRLOCK(f);
if (s->flags & SIG_FLAG_TLSSTORE) {
ssl_state->server_connp.cert_log_flag |= SSL_TLS_LOG_PEM;
}
FLOWLOCK_UNLOCK(f);
SCReturnInt(1);
}
/**
* \test Test the deallocation of app layer parser memory on occurance of
* error in the parsing process for UDP.
*/
static int AppLayerParserTest02(void)
{
AppLayerParserBackupParserTable();
int result = 1;
Flow *f = NULL;
uint8_t testbuf[] = { 0x11 };
uint32_t testlen = sizeof(testbuf);
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
/* Register the Test protocol state and parser functions */
AppLayerParserRegisterParser(IPPROTO_UDP, ALPROTO_TEST, STREAM_TOSERVER,
TestProtocolParser);
AppLayerParserRegisterStateFuncs(IPPROTO_UDP, ALPROTO_TEST,
TestProtocolStateAlloc, TestProtocolStateFree);
f = UTHBuildFlow(AF_INET, "1.2.3.4", "4.3.2.1", 20, 40);
if (f == NULL)
goto end;
f->alproto = ALPROTO_TEST;
f->proto = IPPROTO_UDP;
f->protomap = FlowGetProtoMapping(f->proto);
StreamTcpInitConfig(TRUE);
FLOWLOCK_WRLOCK(f);
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_TEST,
STREAM_TOSERVER | STREAM_EOF, testbuf,
testlen);
if (r != -1) {
printf("returned %" PRId32 ", expected -1: \n", r);
result = 0;
FLOWLOCK_UNLOCK(f);
goto end;
}
FLOWLOCK_UNLOCK(f);
end:
AppLayerParserRestoreParserTable();
StreamTcpFreeConfig(TRUE);
UTHFreeFlow(f);
return result;
}
/** \test Check the signature working to alert when http_stat_msg is used with
* negated content . */
static int DetectHttpStatMsgSigTest03(void)
{
int result = 0;
Flow f;
uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
uint8_t httpbuf2[] = "HTTP/1.0 200 OK\r\n\r\n";
uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
HtpState *http_state = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
"\"HTTP status message\"; content:\"ok\"; "
"nocase; http_stat_msg; sid:1;)");
if (s == NULL) {
goto end;
}
s->next = SigInit(de_ctx,"alert http any any -> any any (msg:\"HTTP "
"Status message nocase\"; content:!\"Not\"; "
"http_stat_msg; sid:2;)");
if (s->next == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
STREAM_TOSERVER, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
STREAM_TOCLIENT, httpbuf2, httplen2);
if (r != 0) {
printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
http_state = f.alstate;
if (http_state == NULL) {
printf("no http state: ");
result = 0;
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (! PacketAlertCheck(p, 1)) {
printf("sid 1 didn't matched but should have: ");
goto end;
}
if (! PacketAlertCheck(p, 2)) {
printf("sid 2 didn't matched but should have: ");
goto end;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL) {
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
}
if (de_ctx != NULL) {
SigGroupCleanup(de_ctx);
DetectEngineCtxFree(de_ctx);
}
StreamTcpFreeConfig(TRUE);
UTHFreePackets(&p, 1);
return result;
}
static TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data, PacketQueue *preq, PacketQueue *unused)
{
FlowWorkerThreadData *fw = data;
void *detect_thread = SC_ATOMIC_GET(fw->detect_thread);
SCLogDebug("packet %"PRIu64, p->pcap_cnt);
/* update time */
if (!(PKT_IS_PSEUDOPKT(p))) {
TimeSetByThread(tv->id, &p->ts);
}
/* handle Flow */
if (p->flags & PKT_WANTS_FLOW) {
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_FLOW);
FlowHandlePacket(tv, fw->dtv, p);
if (likely(p->flow != NULL)) {
DEBUG_ASSERT_FLOW_LOCKED(p->flow);
if (FlowUpdate(p) == TM_ECODE_DONE) {
FLOWLOCK_UNLOCK(p->flow);
return TM_ECODE_OK;
}
}
/* Flow is now LOCKED */
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_FLOW);
/* if PKT_WANTS_FLOW is not set, but PKT_HAS_FLOW is, then this is a
* pseudo packet created by the flow manager. */
} else if (p->flags & PKT_HAS_FLOW) {
FLOWLOCK_WRLOCK(p->flow);
}
SCLogDebug("packet %"PRIu64" has flow? %s", p->pcap_cnt, p->flow ? "yes" : "no");
/* handle TCP and app layer */
if (p->flow && PKT_IS_TCP(p)) {
SCLogDebug("packet %"PRIu64" is TCP. Direction %s", p->pcap_cnt, PKT_IS_TOSERVER(p) ? "TOSERVER" : "TOCLIENT");
DEBUG_ASSERT_FLOW_LOCKED(p->flow);
/* if detect is disabled, we need to apply file flags to the flow
* here on the first packet. */
if (detect_thread == NULL &&
((PKT_IS_TOSERVER(p) && (p->flowflags & FLOW_PKT_TOSERVER_FIRST)) ||
(PKT_IS_TOCLIENT(p) && (p->flowflags & FLOW_PKT_TOCLIENT_FIRST))))
{
DisableDetectFlowFileFlags(p->flow);
}
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_STREAM);
StreamTcp(tv, p, fw->stream_thread, &fw->pq, NULL);
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_STREAM);
if (FlowChangeProto(p->flow)) {
StreamTcpDetectLogFlush(tv, fw->stream_thread, p->flow, p, &fw->pq);
}
/* Packets here can safely access p->flow as it's locked */
SCLogDebug("packet %"PRIu64": extra packets %u", p->pcap_cnt, fw->pq.len);
Packet *x;
while ((x = PacketDequeue(&fw->pq))) {
SCLogDebug("packet %"PRIu64" extra packet %p", p->pcap_cnt, x);
// TODO do we need to call StreamTcp on these pseudo packets or not?
//StreamTcp(tv, x, fw->stream_thread, &fw->pq, NULL);
if (detect_thread != NULL) {
FLOWWORKER_PROFILING_START(x, PROFILE_FLOWWORKER_DETECT);
Detect(tv, x, detect_thread, NULL, NULL);
FLOWWORKER_PROFILING_END(x, PROFILE_FLOWWORKER_DETECT);
}
// Outputs
OutputLoggerLog(tv, x, fw->output_thread);
/* put these packets in the preq queue so that they are
* by the other thread modules before packet 'p'. */
PacketEnqueue(preq, x);
}
/* handle the app layer part of the UDP packet payload */
} else if (p->flow && p->proto == IPPROTO_UDP) {
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_APPLAYERUDP);
AppLayerHandleUdp(tv, fw->stream_thread->ra_ctx->app_tctx, p, p->flow);
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_APPLAYERUDP);
}
/* handle Detect */
DEBUG_ASSERT_FLOW_LOCKED(p->flow);
SCLogDebug("packet %"PRIu64" calling Detect", p->pcap_cnt);
if (detect_thread != NULL) {
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_DETECT);
Detect(tv, p, detect_thread, NULL, NULL);
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_DETECT);
}
// Outputs.
OutputLoggerLog(tv, p, fw->output_thread);
/* Release tcp segments. Done here after alerting can use them. */
if (p->flow != NULL && p->proto == IPPROTO_TCP) {
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_TCPPRUNE);
StreamTcpPruneSession(p->flow, p->flowflags & FLOW_PKT_TOSERVER ?
STREAM_TOSERVER : STREAM_TOCLIENT);
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_TCPPRUNE);
}
if (p->flow) {
DEBUG_ASSERT_FLOW_LOCKED(p->flow);
FLOWLOCK_UNLOCK(p->flow);
}
return TM_ECODE_OK;
}
/**
* \test Test a valid dce_iface entry for a bind and bind_ack
*/
static int DetectSslStateTest07(void)
{
uint8_t chello_buf[] = {
0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00,
0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00,
0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02,
0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39,
0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00,
0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00,
0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16,
0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00,
0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00,
0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64,
0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00,
0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a,
0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80,
0x21
};
uint32_t chello_buf_len = sizeof(chello_buf);
uint8_t shello_buf[] = {
0x16, 0x03, 0x00, 0x00, 0x4a, 0x02,
0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94,
0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88,
0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6,
0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd,
0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb,
0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe,
0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6,
0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e,
0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35,
0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00,
0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a,
0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f,
0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30,
0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31,
0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08,
0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13,
0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54,
0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 0x06,
0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e,
0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c,
0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c,
0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43,
0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13,
0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53,
0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c,
0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73,
0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e,
0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30,
0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34,
0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38,
0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37,
0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b,
0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06,
0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e,
0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65,
0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61,
0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31,
0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a,
0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64,
0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65,
0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61,
0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e,
0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c,
0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77,
0x40, 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69,
0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde,
0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6,
0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba,
0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73,
0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4,
0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f,
0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45,
0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12,
0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c,
0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b,
0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7,
0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd,
0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e,
0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53,
0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90,
0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89,
0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55,
0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10,
0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b,
0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d,
0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16,
0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c,
0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f,
0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09,
0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01,
0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30,
0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81,
0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75,
0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e,
0x1c, 0x05, 0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d,
0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23,
0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 0xb9,
0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5,
0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b,
0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f,
0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14,
0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23,
0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2,
0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34,
0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53,
0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad,
0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2,
0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e,
0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e,
0x00, 0x00, 0x00
};
uint32_t shello_buf_len = sizeof(shello_buf);
uint8_t client_change_cipher_spec_buf[] = {
0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00,
0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38,
0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61,
0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a,
0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e,
0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f,
0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80,
0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a,
0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80,
0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59,
0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76,
0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84,
0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7,
0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7,
0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2,
0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7,
0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb,
0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16,
0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35,
0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a,
0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81,
0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90,
0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 0xd1,
0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76,
0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79,
0x67, 0x1e, 0x37, 0xf6, 0x98, 0xbe, 0x59, 0x18,
0x4c, 0xfc, 0x75, 0x56
};
uint32_t client_change_cipher_spec_buf_len =
sizeof(client_change_cipher_spec_buf);
uint8_t server_change_cipher_spec_buf[] = {
0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03,
0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59,
0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a,
0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86,
0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7,
0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3,
0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89,
0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27,
0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2,
0x4d, 0x9f, 0x6b
};
uint32_t server_change_cipher_spec_buf_len =
sizeof(server_change_cipher_spec_buf);
uint8_t toserver_app_data_buf[] = {
0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e,
0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c,
0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10,
0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb,
0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa,
0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5,
0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e,
0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20,
0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7,
0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f,
0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78,
0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c,
0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f,
0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0,
0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0,
0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0,
0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc,
0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1,
0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67,
0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f,
0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10,
0x39, 0xa6, 0xcf, 0x15, 0xc7, 0xf5, 0x35, 0xd4,
0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0,
0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68,
0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f,
0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4,
0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10,
0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f,
0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60,
0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8,
0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8,
0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09,
0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a,
0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd,
0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7,
0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a,
0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63,
0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b,
0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1,
0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60,
0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87,
0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7,
0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed,
0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc,
0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43,
0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58,
0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d,
0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39,
0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99,
0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92,
0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40,
0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef,
0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2,
0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6,
0x8a, 0xa2, 0x9e, 0xcd, 0xfa
};
uint32_t toserver_app_data_buf_len = sizeof(toserver_app_data_buf);
Signature *s = NULL;
ThreadVars th_v;
Packet *p = NULL;
Flow f;
TcpSession ssn;
DetectEngineThreadCtx *det_ctx = NULL;
DetectEngineCtx *de_ctx = NULL;
SSLState *ssl_state = NULL;
int r = 0;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&p, 0, sizeof(p));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; ssl_state:client_hello; "
"sid:1;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:server_hello; "
"sid:2;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:client_keyx; "
"sid:3;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:server_keyx; "
"sid:4;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:!client_hello; "
"sid:5;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER | STREAM_START, chello_buf,
chello_buf_len);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
ssl_state = f.alstate;
FAIL_IF(ssl_state == NULL);
/* do detect */
p->alerts.cnt = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 1));
FAIL_IF(PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
FAIL_IF(PacketAlertCheck(p, 5));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
shello_buf, shello_buf_len);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
/* do detect */
p->alerts.cnt = 0;
p->flowflags = (FLOW_PKT_TOCLIENT | FLOW_PKT_ESTABLISHED);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
FAIL_IF(!PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
FAIL_IF(!PacketAlertCheck(p, 5));
PASS;
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
client_change_cipher_spec_buf,
client_change_cipher_spec_buf_len);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
/* do detect */
p->alerts.cnt = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
FAIL_IF(PacketAlertCheck(p, 2));
FAIL_IF(!PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
server_change_cipher_spec_buf,
server_change_cipher_spec_buf_len);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
/* do detect */
p->alerts.cnt = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
FAIL_IF(PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
toserver_app_data_buf, toserver_app_data_buf_len);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
/* do detect */
p->alerts.cnt = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
FAIL_IF(PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}
static int JsonSshLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
JsonSshLogThread *aft = (JsonSshLogThread *)thread_data;
MemBuffer *buffer = (MemBuffer *)aft->buffer;
OutputSshCtx *ssh_ctx = aft->sshlog_ctx;
if (unlikely(p->flow == NULL)) {
return 0;
}
/* check if we have SSH state or not */
FLOWLOCK_WRLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_SSH)
goto end;
SshState *ssh_state = (SshState *)FlowGetAppState(p->flow);
if (unlikely(ssh_state == NULL)) {
goto end;
}
if (ssh_state->cli_hdr.software_version == NULL || ssh_state->srv_hdr.software_version == NULL)
goto end;
json_t *js = CreateJSONHeader((Packet *)p, 1, "ssh");//TODO
if (unlikely(js == NULL))
goto end;
json_t *tjs = json_object();
if (tjs == NULL) {
free(js);
goto end;
}
/* reset */
MemBufferReset(buffer);
json_t *cjs = json_object();
if (cjs != NULL) {
json_object_set_new(cjs, "proto_version",
json_string((char *)ssh_state->cli_hdr.proto_version));
json_object_set_new(cjs, "software_version",
json_string((char *)ssh_state->cli_hdr.software_version));
}
json_object_set_new(tjs, "client", cjs);
json_t *sjs = json_object();
if (sjs != NULL) {
json_object_set_new(sjs, "proto_version",
json_string((char *)ssh_state->srv_hdr.proto_version));
json_object_set_new(sjs, "software_version",
json_string((char *)ssh_state->srv_hdr.software_version));
}
json_object_set_new(tjs, "server", sjs);
json_object_set_new(js, "ssh", tjs);
OutputJSONBuffer(js, ssh_ctx->file_ctx, buffer);
json_object_clear(js);
json_decref(js);
/* we only log the state once */
ssh_state->cli_hdr.flags |= SSH_FLAG_STATE_LOGGED;
end:
FLOWLOCK_UNLOCK(p->flow);
return 0;
}
/** \test Send a get request in three chunks + more data. */
static int DetectSshVersionTestDetect03(void)
{
int result = 0;
Flow f;
uint8_t sshbuf1[] = "SSH-1.";
uint32_t sshlen1 = sizeof(sshbuf1) - 1;
uint8_t sshbuf2[] = "7-PuTTY_2.123" ;
uint32_t sshlen2 = sizeof(sshbuf2) - 1;
uint8_t sshbuf3[] = "\n";
uint32_t sshlen3 = sizeof(sshbuf3) - 1;
uint8_t sshbuf4[] = "whatever...";
uint32_t sshlen4 = sizeof(sshbuf4) - 1;
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_SSH;
f.proto = IPPROTO_TCP;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:2_compat; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH,
STREAM_TOSERVER, sshbuf1, sshlen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
sshbuf2, sshlen2);
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
sshbuf3, sshlen3);
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
sshbuf4, sshlen4);
if (r != 0) {
printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
SshState *ssh_state = f.alstate;
if (ssh_state == NULL) {
printf("no ssh state: ");
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("Error, 1.7 version is not 2 compat, so the sig should not match: ");
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
return result;
}
static TmEcode OutputTxLog(ThreadVars *tv, Packet *p, void *thread_data, PacketQueue *pq, PacketQueue *postpq)
{
BUG_ON(thread_data == NULL);
BUG_ON(list == NULL);
OutputLoggerThreadData *op_thread_data = (OutputLoggerThreadData *)thread_data;
OutputTxLogger *logger = list;
OutputLoggerThreadStore *store = op_thread_data->store;
BUG_ON(logger == NULL && store != NULL);
BUG_ON(logger != NULL && store == NULL);
BUG_ON(logger == NULL && store == NULL);
if (p->flow == NULL)
return TM_ECODE_OK;
Flow * const f = p->flow;
FLOWLOCK_WRLOCK(f); /* WRITE lock before we updated flow logged id */
AppProto alproto = f->alproto;
if (AppLayerParserProtocolIsTxAware(p->proto, alproto) == 0)
goto end;
if (AppLayerParserProtocolHasLogger(p->proto, alproto) == 0)
goto end;
void *alstate = f->alstate;
if (alstate == NULL) {
SCLogDebug("no alstate");
goto end;
}
uint64_t total_txs = AppLayerParserGetTxCnt(p->proto, alproto, alstate);
uint64_t tx_id = AppLayerParserGetTransactionLogId(f->alparser);
for (; tx_id < total_txs; tx_id++)
{
int logger_not_logged = 0;
void *tx = AppLayerParserGetTx(p->proto, alproto, alstate, tx_id);
if (tx == NULL) {
SCLogDebug("tx is NULL not logging");
continue;
}
int tx_progress_ts = AppLayerParserGetStateProgress(p->proto, alproto,
tx, FlowGetDisruptionFlags(f, STREAM_TOSERVER));
int tx_progress_tc = AppLayerParserGetStateProgress(p->proto, alproto,
tx, FlowGetDisruptionFlags(f, STREAM_TOCLIENT));
// call each logger here (pseudo code)
logger = list;
store = op_thread_data->store;
while (logger && store) {
BUG_ON(logger->LogFunc == NULL);
SCLogDebug("logger %p", logger);
if (logger->alproto == alproto) {
SCLogDebug("alproto match, logging tx_id %ju", tx_id);
if (AppLayerParserGetTxLogged(p->proto, alproto, alstate, tx,
logger->id)) {
SCLogDebug("logger has already logged this transaction");
goto next;
}
if (!(AppLayerParserStateIssetFlag(f->alparser,
APP_LAYER_PARSER_EOF))) {
if (logger->LogCondition) {
int r = logger->LogCondition(tv, p, alstate, tx, tx_id);
if (r == FALSE) {
SCLogDebug("conditions not met, not logging");
logger_not_logged = 1;
goto next;
}
} else {
if (tx_progress_tc < logger->tc_log_progress) {
SCLogDebug("progress not far enough, not logging");
logger_not_logged = 1;
goto next;
}
if (tx_progress_ts < logger->ts_log_progress) {
SCLogDebug("progress not far enough, not logging");
logger_not_logged = 1;
goto next;
}
}
}
PACKET_PROFILING_TMM_START(p, logger->module_id);
logger->LogFunc(tv, store->thread_data, p, f, alstate, tx, tx_id);
PACKET_PROFILING_TMM_END(p, logger->module_id);
AppLayerParserSetTxLogged(p->proto, alproto, alstate, tx,
logger->id);
}
next:
logger = logger->next;
store = store->next;
BUG_ON(logger == NULL && store != NULL);
BUG_ON(logger != NULL && store == NULL);
}
if (!logger_not_logged) {
SCLogDebug("updating log tx_id %ju", tx_id);
AppLayerParserSetTransactionLogId(f->alparser);
}
}
end:
FLOWLOCK_UNLOCK(f);
return TM_ECODE_OK;
}
/** \brief Get Flow for packet
*
* Hash retrieval function for flows. Looks up the hash bucket containing the
* flow pointer. Then compares the packet with the found flow to see if it is
* the flow we need. If it isn't, walk the list until the right flow is found.
*
* If the flow is not found or the bucket was emtpy, a new flow is taken from
* the queue. FlowDequeue() will alloc new flows as long as we stay within our
* memcap limit.
*
* The p->flow pointer is updated to point to the flow.
*
* \param tv thread vars
* \param dtv decode thread vars (for flow log api thread data)
*
* \retval f *LOCKED* flow or NULL
*/
Flow *FlowGetFlowFromHash(ThreadVars *tv, DecodeThreadVars *dtv, const Packet *p, Flow **dest)
{
Flow *f = NULL;
/* get our hash bucket and lock it */
const uint32_t hash = p->flow_hash;
FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
FBLOCK_LOCK(fb);
SCLogDebug("fb %p fb->head %p", fb, fb->head);
/* see if the bucket already has a flow */
if (fb->head == NULL) {
f = FlowGetNew(tv, dtv, p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
/* flow is locked */
fb->head = f;
fb->tail = f;
/* got one, now lock, initialize and return */
FlowInit(f, p);
f->flow_hash = hash;
f->fb = fb;
FlowUpdateState(f, FLOW_STATE_NEW);
FlowReference(dest, f);
FBLOCK_UNLOCK(fb);
return f;
}
/* ok, we have a flow in the bucket. Let's find out if it is our flow */
f = fb->head;
/* see if this is the flow we are looking for */
if (FlowCompare(f, p) == 0) {
Flow *pf = NULL; /* previous flow */
while (f) {
pf = f;
f = f->hnext;
if (f == NULL) {
f = pf->hnext = FlowGetNew(tv, dtv, p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
fb->tail = f;
/* flow is locked */
f->hprev = pf;
/* initialize and return */
FlowInit(f, p);
f->flow_hash = hash;
f->fb = fb;
FlowUpdateState(f, FLOW_STATE_NEW);
FlowReference(dest, f);
FBLOCK_UNLOCK(fb);
return f;
}
if (FlowCompare(f, p) != 0) {
/* we found our flow, lets put it on top of the
* hash list -- this rewards active flows */
if (f->hnext) {
f->hnext->hprev = f->hprev;
}
if (f->hprev) {
f->hprev->hnext = f->hnext;
}
if (f == fb->tail) {
fb->tail = f->hprev;
}
f->hnext = fb->head;
f->hprev = NULL;
fb->head->hprev = f;
fb->head = f;
/* found our flow, lock & return */
FLOWLOCK_WRLOCK(f);
if (unlikely(TcpSessionPacketSsnReuse(p, f, f->protoctx) == 1)) {
f = TcpReuseReplace(tv, dtv, fb, f, hash, p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
}
FlowReference(dest, f);
FBLOCK_UNLOCK(fb);
return f;
}
}
}
/* lock & return */
FLOWLOCK_WRLOCK(f);
if (unlikely(TcpSessionPacketSsnReuse(p, f, f->protoctx) == 1)) {
f = TcpReuseReplace(tv, dtv, fb, f, hash, p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
}
FlowReference(dest, f);
FBLOCK_UNLOCK(fb);
return f;
}
/* FlowGetFlowFromHash
*
* Hash retrieval function for flows. Looks up the hash bucket containing the
* flow pointer. Then compares the packet with the found flow to see if it is
* the flow we need. If it isn't, walk the list until the right flow is found.
*
* If the flow is not found or the bucket was emtpy, a new flow is taken from
* the queue. FlowDequeue() will alloc new flows as long as we stay within our
* memcap limit.
*
* The p->flow pointer is updated to point to the flow.
*
* returns a *LOCKED* flow or NULL
*/
Flow *FlowGetFlowFromHash(const Packet *p)
{
Flow *f = NULL;
FlowHashCountInit;
/* get the key to our bucket */
uint32_t key = FlowGetKey(p);
/* get our hash bucket and lock it */
FlowBucket *fb = &flow_hash[key];
FBLOCK_LOCK(fb);
SCLogDebug("fb %p fb->head %p", fb, fb->head);
FlowHashCountIncr;
/* see if the bucket already has a flow */
if (fb->head == NULL) {
f = FlowGetNew(p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return NULL;
}
/* flow is locked */
fb->head = f;
fb->tail = f;
/* got one, now lock, initialize and return */
FlowInit(f, p);
f->fb = fb;
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return f;
}
/* ok, we have a flow in the bucket. Let's find out if it is our flow */
f = fb->head;
/* see if this is the flow we are looking for */
if (FlowCompare(f, p) == 0) {
Flow *pf = NULL; /* previous flow */
while (f) {
FlowHashCountIncr;
pf = f;
f = f->hnext;
if (f == NULL) {
f = pf->hnext = FlowGetNew(p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return NULL;
}
fb->tail = f;
/* flow is locked */
f->hprev = pf;
/* initialize and return */
FlowInit(f, p);
f->fb = fb;
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return f;
}
if (FlowCompare(f, p) != 0) {
/* we found our flow, lets put it on top of the
* hash list -- this rewards active flows */
if (f->hnext) {
f->hnext->hprev = f->hprev;
}
if (f->hprev) {
f->hprev->hnext = f->hnext;
}
if (f == fb->tail) {
fb->tail = f->hprev;
}
f->hnext = fb->head;
f->hprev = NULL;
fb->head->hprev = f;
fb->head = f;
/* found our flow, lock & return */
FLOWLOCK_WRLOCK(f);
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return f;
}
}
}
/* lock & return */
FLOWLOCK_WRLOCK(f);
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return f;
}
/**
* \internal
* \brief Forces reassembly for flows that need it.
*
* When this function is called we're running in virtually dead engine,
* so locking the flows is not strictly required. The reasons it is still
* done are:
* - code consistency
* - silence complaining profilers
* - allow us to aggressively check using debug valdation assertions
* - be robust in case of future changes
* - locking overhead if neglectable when no other thread fights us
*
* \param q The queue to process flows from.
*/
static inline void FlowForceReassemblyForHash(void)
{
Flow *f;
TcpSession *ssn;
int client_ok;
int server_ok;
int tcp_needs_inspection;
uint32_t idx = 0;
/* We use this packet just for reassembly purpose */
Packet *reassemble_p = PacketGetFromAlloc();
if (reassemble_p == NULL)
return;
for (idx = 0; idx < flow_config.hash_size; idx++) {
FlowBucket *fb = &flow_hash[idx];
FBLOCK_LOCK(fb);
/* get the topmost flow from the QUEUE */
f = fb->head;
/* we need to loop through all the flows in the queue */
while (f != NULL) {
PACKET_RECYCLE(reassemble_p);
FLOWLOCK_WRLOCK(f);
/* Get the tcp session for the flow */
ssn = (TcpSession *)f->protoctx;
/* \todo Also skip flows that shouldn't be inspected */
if (ssn == NULL) {
FLOWLOCK_UNLOCK(f);
f = f->hnext;
continue;
}
/* ah ah! We have some unattended toserver segments */
if ((client_ok = StreamHasUnprocessedSegments(ssn, 0)) == 1) {
StreamTcpThread *stt = SC_ATOMIC_GET(stream_pseudo_pkt_stream_tm_slot->slot_data);
ssn->client.last_ack = (ssn->client.seg_list_tail->seq +
ssn->client.seg_list_tail->payload_len);
FlowForceReassemblyPseudoPacketSetup(reassemble_p, 1, f, ssn, 1);
StreamTcpReassembleHandleSegment(stream_pseudo_pkt_stream_TV,
stt->ra_ctx, ssn, &ssn->server,
reassemble_p, NULL);
FlowDeReference(&reassemble_p->flow);
if (StreamTcpReassembleProcessAppLayer(stt->ra_ctx) < 0) {
SCLogDebug("shutdown flow timeout "
"StreamTcpReassembleProcessAppLayer() erroring "
"over something");
}
}
/* oh oh! We have some unattended toclient segments */
if ((server_ok = StreamHasUnprocessedSegments(ssn, 1)) == 1) {
StreamTcpThread *stt = SC_ATOMIC_GET(stream_pseudo_pkt_stream_tm_slot->slot_data);
ssn->server.last_ack = (ssn->server.seg_list_tail->seq +
ssn->server.seg_list_tail->payload_len);
FlowForceReassemblyPseudoPacketSetup(reassemble_p, 0, f, ssn, 1);
StreamTcpReassembleHandleSegment(stream_pseudo_pkt_stream_TV,
stt->ra_ctx, ssn, &ssn->client,
reassemble_p, NULL);
FlowDeReference(&reassemble_p->flow);
if (StreamTcpReassembleProcessAppLayer(stt->ra_ctx) < 0) {
SCLogDebug("shutdown flow timeout "
"StreamTcpReassembleProcessAppLayer() erroring "
"over something");
}
}
if (ssn->state >= TCP_ESTABLISHED && ssn->state != TCP_CLOSED)
tcp_needs_inspection = 1;
else
tcp_needs_inspection = 0;
FLOWLOCK_UNLOCK(f);
/* insert a pseudo packet in the toserver direction */
if (client_ok || tcp_needs_inspection)
{
FLOWLOCK_WRLOCK(f);
Packet *p = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 1);
FLOWLOCK_UNLOCK(f);
if (p == NULL) {
TmqhOutputPacketpool(NULL, reassemble_p);
FBLOCK_UNLOCK(fb);
return;
}
PKT_SET_SRC(p, PKT_SRC_FFR_SHUTDOWN);
if (stream_pseudo_pkt_detect_prev_TV != NULL) {
stream_pseudo_pkt_detect_prev_TV->
tmqh_out(stream_pseudo_pkt_detect_prev_TV, p);
} else {
TmSlot *s = stream_pseudo_pkt_detect_tm_slot;
while (s != NULL) {
TmSlotFunc SlotFunc = SC_ATOMIC_GET(s->SlotFunc);
SlotFunc(NULL, p, SC_ATOMIC_GET(s->slot_data), &s->slot_pre_pq,
&s->slot_post_pq);
s = s->slot_next;
}
if (stream_pseudo_pkt_detect_TV != NULL) {
stream_pseudo_pkt_detect_TV->
tmqh_out(stream_pseudo_pkt_detect_TV, p);
} else {
TmqhOutputPacketpool(NULL, p);
}
}
} /* if (ssn->client.seg_list != NULL) */
if (server_ok || tcp_needs_inspection)
{
FLOWLOCK_WRLOCK(f);
Packet *p = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
FLOWLOCK_UNLOCK(f);
if (p == NULL) {
TmqhOutputPacketpool(NULL, reassemble_p);
FBLOCK_UNLOCK(fb);
return;
}
PKT_SET_SRC(p, PKT_SRC_FFR_SHUTDOWN);
if (stream_pseudo_pkt_detect_prev_TV != NULL) {
stream_pseudo_pkt_detect_prev_TV->
tmqh_out(stream_pseudo_pkt_detect_prev_TV, p);
} else {
TmSlot *s = stream_pseudo_pkt_detect_tm_slot;
while (s != NULL) {
TmSlotFunc SlotFunc = SC_ATOMIC_GET(s->SlotFunc);
SlotFunc(NULL, p, SC_ATOMIC_GET(s->slot_data), &s->slot_pre_pq,
&s->slot_post_pq);
s = s->slot_next;
}
if (stream_pseudo_pkt_detect_TV != NULL) {
stream_pseudo_pkt_detect_TV->
tmqh_out(stream_pseudo_pkt_detect_TV, p);
} else {
TmqhOutputPacketpool(NULL, p);
}
}
} /* if (ssn->server.seg_list != NULL) */
/* next flow in the queue */
f = f->hnext;
} /* while (f != NULL) */
FBLOCK_UNLOCK(fb);
}
PKT_SET_SRC(reassemble_p, PKT_SRC_FFR_SHUTDOWN);
TmqhOutputPacketpool(NULL, reassemble_p);
return;
}
static int DetectSslVersionTestDetect02(void)
{
Flow f;
uint8_t sslbuf1[] = { 0x16 };
uint32_t ssllen1 = sizeof(sslbuf1);
uint8_t sslbuf2[] = { 0x03 };
uint32_t ssllen2 = sizeof(sslbuf2);
uint8_t sslbuf3[] = { 0x01 };
uint32_t ssllen3 = sizeof(sslbuf3);
uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
uint32_t ssllen4 = sizeof(sslbuf4);
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, sslbuf1, ssllen1);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf2, ssllen2);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf3, ssllen3);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf4, ssllen4);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
SSLState *app_state = f.alstate;
FAIL_IF_NULL(app_state);
FAIL_IF(app_state->client_connp.content_type != 0x16);
FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}
/**
* \test Test matching for google in the issuer of a certificate
*
*/
static int DetectTlsIssuerTest02(void)
{
/* client hello */
uint8_t client_hello[] = {
0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
0x03, 0x04, 0x02, 0x02, 0x02
};
/* server hello */
uint8_t server_hello[] = {
0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
0x0b, 0x00, 0x02, 0x01, 0x00
};
/* certificate */
uint8_t certificate[] = {
0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
};
Flow f;
SSLState *ssl_state = NULL;
TcpSession ssn;
Packet *p1 = NULL;
Packet *p2 = NULL;
Packet *p3 = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1", 51251, 443);
p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_TLS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->pcap_cnt = 1;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p2->flowflags |= FLOW_PKT_TOCLIENT;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->pcap_cnt = 2;
p3->flow = &f;
p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p3->flowflags |= FLOW_PKT_TOCLIENT;
p3->flowflags |= FLOW_PKT_ESTABLISHED;
p3->pcap_cnt = 3;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = DEFAULT_MPM;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls_cert_issuer\"; "
"tls_cert_issuer; content:\"google\"; nocase; "
"sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, client_hello,
sizeof(client_hello));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
FAIL_IF(PacketAlertCheck(p1, 1));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
server_hello, sizeof(server_hello));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
FAIL_IF(PacketAlertCheck(p2, 1));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
certificate, sizeof(certificate));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
FAIL_IF_NOT(PacketAlertCheck(p3, 1));
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
UTHFreePacket(p3);
PASS;
}
static TmEcode LogFilestoreLogWrap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq, int ipver)
{
SCEnter();
LogFilestoreLogThread *aft = (LogFilestoreLogThread *)data;
uint8_t flags = 0;
/* no flow, no htp state */
if (p->flow == NULL) {
SCReturnInt(TM_ECODE_OK);
}
if (p->flowflags & FLOW_PKT_TOCLIENT)
flags |= STREAM_TOCLIENT;
else
flags |= STREAM_TOSERVER;
int file_close = (p->flags & PKT_PSEUDO_STREAM_END) ? 1 : 0;
int file_trunc = 0;
FLOWLOCK_WRLOCK(p->flow);
file_trunc = StreamTcpReassembleDepthReached(p);
FileContainer *ffc = AppLayerGetFilesFromFlow(p->flow, flags);
SCLogDebug("ffc %p", ffc);
if (ffc != NULL) {
File *ff;
for (ff = ffc->head; ff != NULL; ff = ff->next) {
int file_fd = -1;
if (FileForceMagic() && ff->magic == NULL) {
FilemagicGlobalLookup(ff);
}
SCLogDebug("ff %p", ff);
if (ff->flags & FILE_STORED) {
SCLogDebug("stored flag set");
continue;
}
if (!(ff->flags & FILE_STORE)) {
SCLogDebug("ff FILE_STORE not set");
continue;
}
FileData *ffd;
for (ffd = ff->chunks_head; ffd != NULL; ffd = ffd->next) {
SCLogDebug("ffd %p", ffd);
if (ffd->stored == 1) {
if (file_close == 1 && ffd->next == NULL) {
LogFilestoreLogCloseMetaFile(ff);
ff->flags |= FILE_STORED;
}
continue;
}
/* store */
SCLogDebug("trying to open file");
char filename[PATH_MAX] = "";
if (ff->file_id == 0) {
ff->file_id = SC_ATOMIC_ADD(file_id, 1);
snprintf(filename, sizeof(filename), "%s/file.%u",
g_logfile_base_dir, ff->file_id);
file_fd = open(filename, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644);
if (file_fd == -1) {
SCLogDebug("failed to open file");
continue;
}
/* create a .meta file that contains time, src/dst/sp/dp/proto */
LogFilestoreLogCreateMetaFile(p, ff, filename, ipver);
aft->file_cnt++;
} else {
snprintf(filename, sizeof(filename), "%s/file.%u",
g_logfile_base_dir, ff->file_id);
file_fd = open(filename, O_APPEND | O_NOFOLLOW | O_WRONLY);
if (file_fd == -1) {
SCLogDebug("failed to open file %s: %s", filename, strerror(errno));
continue;
}
}
ssize_t r = write(file_fd, (const void *)ffd->data, (size_t)ffd->len);
if (r == -1) {
SCLogDebug("write failed: %s", strerror(errno));
close(file_fd);
continue;
}
close(file_fd);
if (file_trunc && ff->state < FILE_STATE_CLOSED)
ff->state = FILE_STATE_TRUNCATED;
if (ff->state == FILE_STATE_CLOSED ||
ff->state == FILE_STATE_TRUNCATED ||
ff->state == FILE_STATE_ERROR ||
(file_close == 1 && ff->state < FILE_STATE_CLOSED))
{
if (ffd->next == NULL) {
LogFilestoreLogCloseMetaFile(ff);
ff->flags |= FILE_STORED;
}
}
ffd->stored = 1;
}
}
FilePrune(ffc);
}
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_OK);
}
static TmEcode LogHttpLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
PacketQueue *postpq, int ipproto)
{
SCEnter();
LogHttpLogThread *aft = (LogHttpLogThread *)data;
LogHttpFileCtx *hlog = aft->httplog_ctx;
char timebuf[64];
size_t idx = 0;
/* no flow, no htp state */
if (p->flow == NULL) {
SCReturnInt(TM_ECODE_OK);
}
/* check if we have HTTP state or not */
FLOWLOCK_WRLOCK(p->flow); /* WRITE lock before we updated flow logged id */
uint16_t proto = AppLayerGetProtoFromPacket(p);
if (proto != ALPROTO_HTTP)
goto end;
int r = AppLayerTransactionGetLoggedId(p->flow);
if (r < 0) {
goto end;
}
size_t logged = (size_t)r;
r = HtpTransactionGetLoggableId(p->flow);
if (r < 0) {
goto end;
}
size_t loggable = (size_t)r;
/* nothing to do */
if (logged >= loggable) {
goto end;
}
HtpState *htp_state = (HtpState *)AppLayerGetProtoStateFromPacket(p);
if (htp_state == NULL) {
SCLogDebug("no http state, so no request logging");
goto end;
}
if (htp_state->connp == NULL || htp_state->connp->conn == NULL)
goto end;
htp_tx_t *tx = NULL;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
Port sp, dp;
if ((PKT_IS_TOSERVER(p))) {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
break;
default:
goto end;
}
sp = p->sp;
dp = p->dp;
} else {
switch (ipproto) {
case AF_INET:
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip));
break;
case AF_INET6:
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip));
break;
default:
goto end;
}
sp = p->dp;
dp = p->sp;
}
for (idx = logged; idx < loggable; idx++)
{
tx = list_get(htp_state->connp->conn->transactions, idx);
if (tx == NULL) {
SCLogDebug("tx is NULL not logging !!");
continue;
}
SCLogDebug("got a HTTP request and now logging !!");
/* reset */
MemBufferReset(aft->buffer);
if (hlog->flags & LOG_HTTP_CUSTOM) {
LogHttpLogCustom(aft, tx, &p->ts, srcip, sp, dstip, dp);
} else {
/* time */
MemBufferWriteString(aft->buffer, "%s ", timebuf);
/* hostname */
if (tx->parsed_uri != NULL &&
tx->parsed_uri->hostname != NULL)
{
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
(uint8_t *)bstr_ptr(tx->parsed_uri->hostname),
bstr_len(tx->parsed_uri->hostname));
} else {
MemBufferWriteString(aft->buffer, "<hostname unknown>");
}
MemBufferWriteString(aft->buffer, " [**] ");
/* uri */
if (tx->request_uri != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
(uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri));
}
MemBufferWriteString(aft->buffer, " [**] ");
/* user agent */
htp_header_t *h_user_agent = NULL;
if (tx->request_headers != NULL) {
h_user_agent = table_getc(tx->request_headers, "user-agent");
}
if (h_user_agent != NULL) {
PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
(uint8_t *)bstr_ptr(h_user_agent->value),
bstr_len(h_user_agent->value));
} else {
MemBufferWriteString(aft->buffer, "<useragent unknown>");
}
if (hlog->flags & LOG_HTTP_EXTENDED) {
LogHttpLogExtended(aft, tx);
}
/* ip/tcp header info */
MemBufferWriteString(aft->buffer,
" [**] %s:%" PRIu16 " -> %s:%" PRIu16 "\n",
srcip, sp, dstip, dp);
}
aft->uri_cnt ++;
SCMutexLock(&hlog->file_ctx->fp_mutex);
MemBufferPrintToFPAsString(aft->buffer, hlog->file_ctx->fp);
fflush(hlog->file_ctx->fp);
SCMutexUnlock(&hlog->file_ctx->fp_mutex);
AppLayerTransactionUpdateLoggedId(p->flow);
}
end:
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_OK);
}
