Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tx track modif 7087 v14 #11915

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
+108 −17
Open

Tx track modif 7087 v14 #11915

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6afc347
app-layer: track modified/processed txs
catenacyber May 31, 2024
a682fa7
rust/ftp: handle NULL inputs
catenacyber Sep 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions rust/src/applayer.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,10 @@ pub struct AppLayerTxData {
pub file_tx: u8,
/// Number of times this tx data has already been logged for one stream match
pub stream_logged: u8,
/// The tx has been updated and needs to be processed : detection, logging, cleaning
/// It can then be skipped until new data arrives.
/// There is a boolean for both directions : to server and to client
pub updated: [bool; 2],

/// detection engine flags for use by detection engine
detect_flags_ts: u64,
Expand Down Expand Up @@ -155,6 +159,7 @@ impl AppLayerTxData {
file_flags: 0,
file_tx: 0,
stream_logged: 0,
updated: [true; 2],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

creating a new tx should not lead to it being updated in both dirs? Just in the dir it was created in?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, will optimize

detect_flags_ts: 0,
detect_flags_tc: 0,
de_state: std::ptr::null_mut(),
Expand All @@ -178,6 +183,7 @@ impl AppLayerTxData {
file_flags: 0,
file_tx: 0,
stream_logged: 0,
updated: [true; 2],
detect_flags_ts,
detect_flags_tc,
de_state: std::ptr::null_mut(),
Expand Down
1 change: 1 addition & 0 deletions rust/src/applayertemplate/template.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -200,6 +200,7 @@ impl TemplateState {
start = rem;

if let Some(tx) = self.find_request() {
tx.tx_data.updated[1] = true;
Copy link
Member

@victorjulien victorjulien Oct 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't really like this indexing with just a number to indicate a direction. Can we either index by some name or use something like updated_ts / updated_tc

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Guess I will go for updated_ts as it is used in other parts of the code

tx.response = Some(response);
SCLogNotice!("Found response for request:");
SCLogNotice!("- Request: {:?}", tx.request);
Expand Down
2 changes: 2 additions & 0 deletions rust/src/dcerpc/dcerpc.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -357,6 +357,7 @@ impl DCERPCState {
for tx_old in &mut self.transactions.range_mut(self.tx_index_completed..) {
index += 1;
if !tx_old.req_done || !tx_old.resp_done {
tx_old.tx_data.updated = [true; 2];
tx_old.req_done = true;
tx_old.resp_done = true;
break;
Expand Down Expand Up @@ -533,6 +534,7 @@ impl DCERPCState {
}
}
}
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand Down
2 changes: 2 additions & 0 deletions rust/src/dcerpc/dcerpc_udp.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ impl DCERPCUDPState {
for tx_old in &mut self.transactions.range_mut(self.tx_index_completed..) {
index += 1;
if !tx_old.req_done || !tx_old.resp_done {
tx_old.tx_data.updated = [true; 2];
tx_old.req_done = true;
tx_old.resp_done = true;
break;
Expand Down Expand Up @@ -164,6 +165,7 @@ impl DCERPCUDPState {
}

if let Some(tx) = otx {
tx.tx_data.updated = [true; 2];
let done = (hdr.flags1 & PFCL1_FRAG) == 0 || (hdr.flags1 & PFCL1_LASTFRAG) != 0;

match hdr.pkt_type {
Expand Down
2 changes: 2 additions & 0 deletions rust/src/enip/enip.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,7 @@ impl EnipState {
fn purge_tx_flood(&mut self) {
let mut event_set = false;
for tx in self.transactions.iter_mut() {
tx.tx_data.updated = [true; 2];
tx.done = true;
if !event_set {
tx.tx_data.set_event(EnipEvent::TooManyTransactions as u8);
Expand All @@ -216,6 +217,7 @@ impl EnipState {
if let Some(req) = &tx.request {
if tx.response.is_none() {
tx.done = true;
tx.tx_data.updated = [true; 2];
if response_matches_request(req, pdu) {
return Some(tx);
}
Expand Down
16 changes: 14 additions & 2 deletions rust/src/ftp/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,9 @@ pub fn ftp_pasv_response(i: &[u8]) -> IResult<&[u8], u16> {

#[no_mangle]
pub unsafe extern "C" fn rs_ftp_active_port(input: *const u8, len: u32) -> u16 {
if input.is_null() {
return 0;
}
let buf = build_slice!(input, len as usize);
match ftp_active_port(buf) {
Ok((_, dport)) => {
Expand All @@ -105,7 +108,10 @@ pub unsafe extern "C" fn rs_ftp_active_port(input: *const u8, len: u32) -> u16 {

#[no_mangle]
pub unsafe extern "C" fn rs_ftp_pasv_response(input: *const u8, len: u32) -> u16 {
let buf = std::slice::from_raw_parts(input, len as usize);
if input.is_null() {
return 0;
}
let buf = build_slice!(input, len as usize);
match ftp_pasv_response(buf) {
Ok((_, dport)) => {
return dport;
Expand Down Expand Up @@ -147,6 +153,9 @@ pub fn ftp_active_eprt(i: &[u8]) -> IResult<&[u8], u16> {

#[no_mangle]
pub unsafe extern "C" fn rs_ftp_active_eprt(input: *const u8, len: u32) -> u16 {
if input.is_null() {
return 0;
}
let buf = build_slice!(input, len as usize);
match ftp_active_eprt(buf) {
Ok((_, dport)) => {
Expand All @@ -163,7 +172,10 @@ pub unsafe extern "C" fn rs_ftp_active_eprt(input: *const u8, len: u32) -> u16 {
}
#[no_mangle]
pub unsafe extern "C" fn rs_ftp_epsv_response(input: *const u8, len: u32) -> u16 {
let buf = std::slice::from_raw_parts(input, len as usize);
if input.is_null() {
return 0;
}
let buf = build_slice!(input, len as usize);
match ftp_epsv_response(buf) {
Ok((_, dport)) => {
return dport;
Expand Down
2 changes: 2 additions & 0 deletions rust/src/http2/http2.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -752,6 +752,7 @@ impl HTTP2State {
let tx = &mut self.transactions[index - 1];
tx.tx_data.update_file_flags(self.state_data.file_flags);
tx.update_file_flags(tx.tx_data.file_flags);
tx.tx_data.updated = [true; 2];
return Some(tx);
} else {
// do not use SETTINGS_MAX_CONCURRENT_STREAMS as it can grow too much
Expand All @@ -764,6 +765,7 @@ impl HTTP2State {
tx_old.set_event(HTTP2Event::TooManyStreams);
// use a distinct state, even if we do not log it
tx_old.state = HTTP2TransactionState::HTTP2StateTodrop;
tx_old.tx_data.updated = [true; 2];
}
return None;
}
Expand Down
2 changes: 2 additions & 0 deletions rust/src/ldap/ldap.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,7 @@ impl LdapState {
for tx_old in &mut self.transactions.range_mut(self.tx_index_completed..) {
index += 1;
if !tx_old.complete {
tx_old.tx_data.updated = [true; 2];
tx_old.complete = true;
tx_old
.tx_data
Expand Down Expand Up @@ -278,6 +279,7 @@ impl LdapState {
if let Some(tx) = self.find_request(response.message_id) {
tx.complete = tx_is_complete(&response.protocol_op, Direction::ToClient);
let tx_id = tx.id();
tx.tx_data.updated[1] = true;
tx.responses.push_back(response);
let consumed = start.len() - rem.len();
self.set_frame_tc(flow, tx_id, consumed as i64);
Expand Down
4 changes: 4 additions & 0 deletions rust/src/modbus/modbus.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,7 @@ impl ModbusState {
for tx in &mut self.transactions {
if let Some(req) = &tx.request {
if tx.response.is_none() && resp.matches(req) {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand All @@ -139,6 +140,7 @@ impl ModbusState {
for tx in &mut self.transactions {
if let Some(resp) = &tx.response {
if tx.request.is_none() && req.matches(resp) {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand Down Expand Up @@ -184,6 +186,7 @@ impl ModbusState {
match self.find_response_and_validate(&mut msg) {
Some(tx) => {
tx.set_events_from_flags(&msg.error_flags);
tx.tx_data.updated = [true; 2];
tx.request = Some(msg);
}
None => {
Expand All @@ -210,6 +213,7 @@ impl ModbusState {
} else {
tx.set_events_from_flags(&msg.error_flags);
}
tx.tx_data.updated = [true; 2];
tx.response = Some(msg);
}
None => {
Expand Down
2 changes: 2 additions & 0 deletions rust/src/mqtt/mqtt.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,7 @@ impl MQTTState {
if !tx.complete {
if let Some(mpktid) = tx.pkt_id {
if mpktid == pkt_id {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand All @@ -196,6 +197,7 @@ impl MQTTState {
for tx_old in &mut self.transactions.range_mut(self.tx_index_completed..) {
index += 1;
if !tx_old.complete {
tx_old.tx_data.updated = [true; 2];
tx_old.complete = true;
MQTTState::set_event(tx_old, MQTTEvent::TooManyTransactions);
break;
Expand Down
3 changes: 3 additions & 0 deletions rust/src/nfs/nfs.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -431,6 +431,7 @@ impl NFSState {
// set at least one another transaction to the drop state
for tx_old in &mut self.transactions {
if !tx_old.request_done || !tx_old.response_done {
tx_old.tx_data.updated = [true; 2];
tx_old.request_done = true;
tx_old.response_done = true;
tx_old.is_file_closed = true;
Expand Down Expand Up @@ -484,6 +485,7 @@ impl NFSState {
pub fn mark_response_tx_done(&mut self, xid: u32, rpc_status: u32, nfs_status: u32, resp_handle: &[u8])
{
if let Some(mytx) = self.get_tx_by_xid(xid) {
mytx.tx_data.updated = [true; 2];
mytx.response_done = true;
mytx.rpc_response_status = rpc_status;
mytx.nfs_response_status = nfs_status;
Expand Down Expand Up @@ -736,6 +738,7 @@ impl NFSState {
tx.tx_data.update_file_flags(self.state_data.file_flags);
d.update_file_flags(tx.tx_data.file_flags);
SCLogDebug!("Found NFS file TX with ID {} XID {:04X}", tx.id, tx.xid);
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand Down
3 changes: 3 additions & 0 deletions rust/src/pgsql/pgsql.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,7 @@ impl PgsqlState {
for tx_old in &mut self.transactions.range_mut(self.tx_index_completed..) {
index += 1;
if tx_old.tx_res_state < PgsqlTxProgress::TxDone {
tx_old.tx_data.updated = [true; 2];
// we don't check for TxReqDone for the majority of requests are basically completed
// when they're parsed, as of now
tx_old.tx_req_state = PgsqlTxProgress::TxFlushedOut;
Expand Down Expand Up @@ -360,6 +361,7 @@ impl PgsqlState {
// A simplified finite state machine for PostgreSQL v3 can be found at:
// https://samadhiweb.com/blog/2013.04.28.graphviz.postgresv3.html
if let Some(tx) = self.find_or_create_tx() {
tx.tx_data.updated[0] = true;
tx.request = Some(request);
if let Some(state) = new_state {
if Self::request_is_complete(state) {
Expand Down Expand Up @@ -518,6 +520,7 @@ impl PgsqlState {
self.state_progress = state;
}
if let Some(tx) = self.find_or_create_tx() {
tx.tx_data.updated[1] = true;
if tx.tx_res_state == PgsqlTxProgress::TxInit {
tx.tx_res_state = PgsqlTxProgress::TxReceived;
}
Expand Down
7 changes: 6 additions & 1 deletion rust/src/rfb/rfb.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,12 @@ impl RFBState {

fn get_current_tx(&mut self) -> Option<&mut RFBTransaction> {
let tx_id = self.tx_id;
self.transactions.iter_mut().find(|tx| tx.tx_id == tx_id)
let r = self.transactions.iter_mut().find(|tx| tx.tx_id == tx_id);
if let Some(tx) = r {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
return None;
}

fn parse_request(&mut self, flow: *const Flow, stream_slice: StreamSlice) -> AppLayerResult {
Expand Down
1 change: 1 addition & 0 deletions rust/src/smb/dcerpc.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ impl SMBState {
_ => { false },
};
if found {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand Down
2 changes: 2 additions & 0 deletions rust/src/smb/files.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,7 @@ impl SMBState {
tx.tx_data.update_file_flags(self.state_data.file_flags);
d.update_file_flags(tx.tx_data.file_flags);
}
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand All @@ -152,6 +153,7 @@ impl SMBState {
tx.tx_data.update_file_flags(self.state_data.file_flags);
d.update_file_flags(tx.tx_data.file_flags);
}
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand Down
1 change: 1 addition & 0 deletions rust/src/smb/session.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ impl SMBState {
_ => { false },
};
if hit {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand Down
5 changes: 5 additions & 0 deletions rust/src/smb/smb.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -805,6 +805,7 @@ impl SMBState {
for tx_old in &mut self.transactions.range_mut(self.tx_index_completed..) {
index += 1;
if !tx_old.request_done || !tx_old.response_done {
tx_old.tx_data.updated = [true; 2];
tx_old.request_done = true;
tx_old.response_done = true;
tx_old.set_event(SMBEvent::TooManyTransactions);
Expand Down Expand Up @@ -923,6 +924,7 @@ impl SMBState {
false
};
if found {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand All @@ -947,6 +949,7 @@ impl SMBState {
false
};
if found {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand Down Expand Up @@ -985,6 +988,7 @@ impl SMBState {
_ => { false },
};
if found {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand Down Expand Up @@ -1018,6 +1022,7 @@ impl SMBState {
_ => { false },
};
if hit {
tx.tx_data.updated = [true; 2];
return Some(tx);
}
}
Expand Down
2 changes: 2 additions & 0 deletions rust/src/ssh/ssh.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -415,6 +415,7 @@ pub unsafe extern "C" fn rs_ssh_parse_request(
let state = &mut cast_pointer!(state, SSHState);
let buf = stream_slice.as_slice();
let hdr = &mut state.transaction.cli_hdr;
state.transaction.tx_data.updated[0] = true;
if hdr.flags < SSHConnectionState::SshStateBannerDone {
return state.parse_banner(buf, false, pstate, flow, &stream_slice);
} else {
Expand All @@ -431,6 +432,7 @@ pub unsafe extern "C" fn rs_ssh_parse_response(
let state = &mut cast_pointer!(state, SSHState);
let buf = stream_slice.as_slice();
let hdr = &mut state.transaction.srv_hdr;
state.transaction.tx_data.updated[1] = true;
if hdr.flags < SSHConnectionState::SshStateBannerDone {
return state.parse_banner(buf, true, pstate, flow, &stream_slice);
} else {
Expand Down
2 changes: 2 additions & 0 deletions src/app-layer-dnp3.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -886,6 +886,7 @@ static void DNP3HandleUserDataRequest(DNP3State *dnp3, const uint8_t *input,
/* Update the saved transport header so subsequent segments
* will be matched to this sequence number. */
tx->th = th;
tx->tx_data.updated[0] = true;
}
else {
ah = (DNP3ApplicationHeader *)(input + sizeof(DNP3LinkHeader) +
Expand Down Expand Up @@ -963,6 +964,7 @@ static void DNP3HandleUserDataResponse(DNP3State *dnp3, const uint8_t *input,
/* Replace the transport header in the transaction with this
* one in case there are more frames. */
tx->th = th;
tx->tx_data.updated[1] = true;
}
else {
ah = (DNP3ApplicationHeader *)(input + offset);
Expand Down
3 changes: 2 additions & 1 deletion src/app-layer-ftp.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -714,6 +714,7 @@ static AppLayerResult FTPParseResponse(Flow *f, void *ftp_state, AppLayerParserS
SCReturnStruct(APP_LAYER_ERROR);
}
lasttx = tx;
tx->tx_data.updated[1] = true;
if (state->command == FTP_COMMAND_UNKNOWN || tx->command_descriptor == NULL) {
/* unknown */
tx->command_descriptor = &FtpCommands[FTP_COMMAND_MAX - 1];
Expand Down Expand Up @@ -1046,7 +1047,7 @@ static AppLayerResult FTPDataParse(Flow *f, FtpDataState *ftpdata_state,
SCTxDataUpdateFileFlags(&ftpdata_state->tx_data, ftpdata_state->state_data.file_flags);
if (ftpdata_state->tx_data.file_tx == 0)
ftpdata_state->tx_data.file_tx = direction & (STREAM_TOSERVER | STREAM_TOCLIENT);

ftpdata_state->tx_data.updated[(direction & STREAM_TOSERVER) ? 0 : 1] = true;
/* we depend on detection engine for file pruning */
const uint16_t flags = FileFlowFlagsToFlags(ftpdata_state->tx_data.file_flags, direction);
int ret = 0;
Expand Down
Loading
Loading