|
suricata
|
|
suricata
|
#include "suricata-common.h"#include "suricata.h"#include "decode.h"#include "conf.h"#include "threadvars.h"#include "tm-threads.h"#include "runmodes.h"#include "util-random.h"#include "util-time.h"#include "flow.h"#include "flow-queue.h"#include "flow-hash.h"#include "flow-util.h"#include "flow-var.h"#include "flow-private.h"#include "flow-timeout.h"#include "flow-manager.h"#include "flow-storage.h"#include "flow-bypass.h"#include "stream-tcp-private.h"#include "stream-tcp-reassemble.h"#include "stream-tcp.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-byte.h"#include "util-misc.h"#include "util-debug.h"#include "util-privs.h"#include "detect.h"#include "detect-engine-state.h"#include "stream.h"#include "app-layer-parser.h"#include "threads.h"
Go to the source code of this file.
Macros | |
| #define | FLOW_DEFAULT_EMERGENCY_RECOVERY 30 |
| #define | FLOW_DEFAULT_HASHSIZE 65536 |
| #define | FLOW_DEFAULT_MEMCAP (32 * 1024 * 1024) /* 32 MB */ |
| #define | FLOW_DEFAULT_PREALLOC 10000 |
| #define | SET_DEFAULTS(p, n, e, c, b, ne, ee, ce, be) |
Functions | |
| SC_ATOMIC_DECLARE (unsigned int, flow_prune_idx) | |
| SC_ATOMIC_DECLARE (unsigned int, flow_flags) | |
| void | FlowRegisterTests (void) |
| Function to register the Flow Unitests. More... | |
| void | FlowInitFlowProto (void) |
| Function to set the default timeout, free function and flow state function for all supported flow_proto. More... | |
| int | FlowSetProtoFreeFunc (uint8_t proto, void(*Free)(void *)) |
| Function to set the function to get protocol specific flow state. More... | |
| int | FlowSetMemcap (uint64_t size) |
| Update memcap value. More... | |
| uint64_t | FlowGetMemcap (void) |
| Return memcap value. More... | |
| uint64_t | FlowGetMemuse (void) |
| void | FlowCleanupAppLayer (Flow *f) |
| int | FlowUpdateSpareFlows (void) |
| Make sure we have enough spare flows. More... | |
| void | FlowSetIPOnlyFlag (Flow *f, int direction) |
| Set the IPOnly scanned flag for 'direction'. More... | |
| void | FlowSetHasAlertsFlag (Flow *f) |
| Set flag to indicate that flow has alerts. More... | |
| int | FlowHasAlerts (const Flow *f) |
| Check if flow has alerts. More... | |
| void | FlowSetChangeProtoFlag (Flow *f) |
| Set flag to indicate to change proto for the flow. More... | |
| void | FlowUnsetChangeProtoFlag (Flow *f) |
| Unset flag to indicate to change proto for the flow. More... | |
| int | FlowChangeProto (Flow *f) |
| Check if change proto flag is set for flow. More... | |
| int | FlowGetPacketDirection (const Flow *f, const Packet *p) |
| determine the direction of the packet compared to the flow More... | |
| void | FlowHandlePacketUpdate (Flow *f, Packet *p) |
| Update Packet and Flow. More... | |
| void | FlowHandlePacket (ThreadVars *tv, DecodeThreadVars *dtv, Packet *p) |
| Entry point for packet flow handling. More... | |
| void | FlowInitConfig (char quiet) |
| initialize the configuration More... | |
| void | FlowShutdown (void) |
| shutdown the flow engine More... | |
| int | FlowClearMemory (Flow *f, uint8_t proto_map) |
| Function clear the flow memory before queueing it to spare flow queue. More... | |
| AppProto | FlowGetAppProtocol (const Flow *f) |
| void * | FlowGetAppState (const Flow *f) |
| uint8_t | FlowGetDisruptionFlags (const Flow *f, uint8_t flags) |
| get 'disruption' flags: GAP/DEPTH/PASS More... | |
| void | FlowUpdateState (Flow *f, enum FlowState s) |
Variables | |
| int | run_mode |
Flow implementation.
Definition in file flow.c.
| #define FLOW_DEFAULT_EMERGENCY_RECOVERY 30 |
Definition at line 66 of file flow.c.
Referenced by FlowInitConfig().
| #define FLOW_DEFAULT_HASHSIZE 65536 |
Definition at line 69 of file flow.c.
Referenced by FlowInitConfig().
| #define FLOW_DEFAULT_MEMCAP (32 * 1024 * 1024) /* 32 MB */ |
Definition at line 71 of file flow.c.
Referenced by FlowInitConfig().
| #define FLOW_DEFAULT_PREALLOC 10000 |
Definition at line 73 of file flow.c.
Referenced by FlowInitConfig().
| #define SET_DEFAULTS | ( | p, | |
| n, | |||
| e, | |||
| c, | |||
| b, | |||
| ne, | |||
| ee, | |||
| ce, | |||
| be | |||
| ) |
Referenced by FlowInitFlowProto().
| int FlowChangeProto | ( | Flow * | f | ) |
Check if change proto flag is set for flow.
| f | flow |
| 1 | change proto flag is set |
| 0 | change proto flag is not set |
Definition at line 240 of file flow.c.
References Flow_::flags, and FLOW_CHANGE_PROTO.
Referenced by AppLayerHandleTCPData(), and SMTPParserCleanup().
| void FlowCleanupAppLayer | ( | Flow * | f | ) |
Definition at line 125 of file flow.c.
References Flow_::alparser, Flow_::alstate, AppLayerParserStateCleanup(), and Flow_::proto.
Referenced by AppLayerIncTxCounter().
| int FlowClearMemory | ( | Flow * | f, |
| uint8_t | proto_map | ||
| ) |
Function clear the flow memory before queueing it to spare flow queue.
| f | pointer to the flow needed to be cleared. |
| proto_map | mapped value of the protocol to FLOW_PROTO's. |
Definition at line 959 of file flow.c.
References flow_freefuncs, FLOW_RECYCLE, FlowFreeStorage(), FlowProtoFreeFunc_::Freefunc, Flow_::protoctx, SCEnter, and SCReturnInt.
Referenced by FlowGetFlowFromHash(), FlowShutdown(), FlowStorageRegister(), and TagTimeoutCheck().
Definition at line 992 of file flow.c.
References Flow_::alproto.
Referenced by DetectSignatureApplyActions(), and SigMatchSignaturesGetSgh().
| void* FlowGetAppState | ( | const Flow * | f | ) |
Definition at line 997 of file flow.c.
References Flow_::alstate.
Referenced by DetectEngineStateResetTxs(), DetectTlsRegister(), HttpXFFGetIP(), and HttpXFFGetIPFromTx().
| uint8_t FlowGetDisruptionFlags | ( | const Flow * | f, |
| uint8_t | flags | ||
| ) |
get 'disruption' flags: GAP/DEPTH/PASS
| f | locked flow |
| flags | existing flags to be ammended |
| flags | original flags + disrupt flags (if any) handle UDP |
Definition at line 1009 of file flow.c.
References TcpSession_::client, flags, TcpStream_::flags, Flow_::proto, Flow_::protoctx, TcpSession_::server, STREAM_DEPTH, STREAM_GAP, STREAM_TOSERVER, STREAMTCP_STREAM_FLAG_DEPTH_REACHED, and STREAMTCP_STREAM_FLAG_GAP.
Referenced by DetectSignatureApplyActions(), OutputRegisterTxLogger(), and SigMatchSignaturesGetSgh().
| uint64_t FlowGetMemcap | ( | void | ) |
Return memcap value.
| memcap | value |
Definition at line 113 of file flow.c.
References flow_config, and SC_ATOMIC_GET.
Referenced by RunModeUnixSocketGetDefaultMode().
| uint64_t FlowGetMemuse | ( | void | ) |
Definition at line 119 of file flow.c.
References SC_ATOMIC_GET.
Referenced by FlowManagerThreadSpawn(), and RunModeUnixSocketGetDefaultMode().
determine the direction of the packet compared to the flow
| 0 | to_server |
| 1 | to_client |
Definition at line 254 of file flow.c.
References CMP_ADDR, CMP_PORT, Packet_::dp, FlowGetPacketDirection(), ICMPV4_IS_ERROR_MSG, MAX, Flow_::max_ttl_toclient, Flow_::max_ttl_toserver, MIN, Flow_::min_ttl_toclient, Flow_::min_ttl_toserver, PKT_IS_ICMPV4, Packet_::proto, Flow_::sp, Packet_::sp, Flow_::src, Packet_::src, TOCLIENT, TOSERVER, and ttl.
Referenced by FlowGetPacketDirection(), FlowHandlePacketUpdate(), and StreamTcpPacket().
| void FlowHandlePacket | ( | ThreadVars * | tv, |
| DecodeThreadVars * | dtv, | ||
| Packet * | p | ||
| ) |
Entry point for packet flow handling.
This is called for every packet.
| tv | threadvars |
| dtv | decode thread vars (for flow output api thread data) |
| p | packet to handle flow for |
Definition at line 428 of file flow.c.
References Packet_::flags, Packet_::flow, FlowGetFlowFromHash(), and PKT_HAS_FLOW.
Referenced by UTHBuildPacketOfFlows().
Update Packet and Flow.
Updates packet and flow based on the new packet.
| f | locked flow |
| p | packet |
Definition at line 330 of file flow.c.
References BypassedFlowUpdate(), COPY_TIMESTAMP, DecodeSetNoPacketInspectionFlag, DecodeSetNoPayloadInspectionFlag, EngineModeIsIPS(), Flow_::flags, Packet_::flags, FLOW_BYPASSED_TIMEOUT, FLOW_NOPACKET_INSPECTION, FLOW_NOPAYLOAD_INSPECTION, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOCLIENT, FLOW_PKT_TOCLIENT_FIRST, FLOW_PKT_TOSERVER, FLOW_PKT_TOSERVER_FIRST, FLOW_PROTO_DETECT_TC_DONE, FLOW_PROTO_DETECT_TS_DONE, FLOW_STATE_CAPTURE_BYPASSED, FLOW_STATE_ESTABLISHED, FLOW_STATE_LOCAL_BYPASSED, FLOW_TO_DST_SEEN, FLOW_TO_SRC_SEEN, Packet_::flowflags, FlowGetPacketDirection(), FlowUpdateState(), GET_PKT_LEN, IPV4_GET_IPTTL, IPV6_GET_HLIM, Flow_::lastts, Packet_::pcap_cnt, PKT_IS_IPV4, PKT_IS_IPV6, PKT_PROTO_DETECT_TC_DONE, PKT_PROTO_DETECT_TS_DONE, Flow_::proto, SC_ATOMIC_GET, SCLogDebug, Flow_::todstbytecnt, Flow_::todstpktcnt, TOSERVER, Flow_::tosrcbytecnt, Flow_::tosrcpktcnt, and Packet_::ts.
| int FlowHasAlerts | ( | const Flow * | f | ) |
Check if flow has alerts.
| f | flow |
| 1 | has alerts |
| 0 | has not alerts |
Definition at line 208 of file flow.c.
References Flow_::flags, and FLOW_HAS_ALERTS.
| void FlowInitConfig | ( | char | quiet | ) |
initialize the configuration
set config values for memcap, prealloc and hash_size
Definition at line 444 of file flow.c.
References ByteExtractStringUint32(), CLS, ConfGet(), ConfGetInt(), FlowCnf_::emergency_recovery, FALSE, FBLOCK_INIT, FLOW_CHECK_MEMCAP, flow_config, FLOW_DEFAULT_EMERGENCY_RECOVERY, FLOW_DEFAULT_HASHSIZE, FLOW_DEFAULT_MEMCAP, FLOW_DEFAULT_PREALLOC, flow_hash, flow_recycle_q, flow_spare_q, FlowAlloc(), FlowEnqueue(), FlowInitFlowProto(), FlowQueueInit(), FlowStorageSize(), FlowCnf_::hash_rand, FlowCnf_::hash_size, FlowQueue_::len, ParseSizeStringU64(), FlowCnf_::prealloc, RandomGet(), SC_ATOMIC_ADD, SC_ATOMIC_GET, SC_ATOMIC_INIT, SC_ATOMIC_SET, SC_ERR_FATAL, SC_ERR_FLOW_INIT, SC_ERR_INVALID_VALUE, SC_ERR_INVALID_YAML_CONF_ENTRY, SC_ERR_SIZE_PARSE, SCLogDebug, SCLogError, SCMallocAligned, and unlikely.
Referenced by __attribute__(), DecodeICMPV6(), DecodeIPV4(), DecodeIPV6(), DecodePPP(), DecodePPPOESession(), DecodeRaw(), DecodeTCP(), DetectFastPatternRegister(), DetectFragBitsRegister(), DetectFragOffsetFree(), DetectIcmpIdFree(), DetectIPProtoRemoveAllSMs(), DetectPortHashFree(), DetectReplaceFreeInternal(), DetectSetupParseRegexes(), FlowStorageRegister(), FlowUpdateState(), ICMPv4GetCounterpart(), PreRunInit(), SCSigSignatureOrderingModuleCleanup(), SigParseApplyDsizeToContent(), TagTimeoutCheck(), TmModuleFlowRecyclerRegister(), Unified2AlertInitCtx(), and UTHParseSignature().
| void FlowInitFlowProto | ( | void | ) |
Function to set the default timeout, free function and flow state function for all supported flow_proto.
Definition at line 652 of file flow.c.
References FlowProtoTimeout_::bypassed_timeout, ByteExtractStringUint32(), FlowProtoTimeout_::closed_timeout, ConfGetNode(), ConfNodeLookupChild(), ConfNodeLookupChildValue(), FlowProtoTimeout_::est_timeout, FLOW_DEFAULT_BYPASSED_TIMEOUT, FLOW_DEFAULT_CLOSED_TIMEOUT, FLOW_DEFAULT_EMERG_BYPASSED_TIMEOUT, FLOW_DEFAULT_EMERG_CLOSED_TIMEOUT, FLOW_DEFAULT_EMERG_EST_TIMEOUT, FLOW_DEFAULT_EMERG_NEW_TIMEOUT, FLOW_DEFAULT_EST_TIMEOUT, FLOW_DEFAULT_NEW_TIMEOUT, flow_freefuncs, FLOW_IPPROTO_ICMP_BYPASSED_TIMEOUT, FLOW_IPPROTO_ICMP_EMERG_EST_TIMEOUT, FLOW_IPPROTO_ICMP_EMERG_NEW_TIMEOUT, FLOW_IPPROTO_ICMP_EST_TIMEOUT, FLOW_IPPROTO_ICMP_NEW_TIMEOUT, FLOW_IPPROTO_TCP_BYPASSED_TIMEOUT, FLOW_IPPROTO_TCP_EMERG_EST_TIMEOUT, FLOW_IPPROTO_TCP_EMERG_NEW_TIMEOUT, FLOW_IPPROTO_TCP_EST_TIMEOUT, FLOW_IPPROTO_TCP_NEW_TIMEOUT, FLOW_IPPROTO_UDP_BYPASSED_TIMEOUT, FLOW_IPPROTO_UDP_EMERG_EST_TIMEOUT, FLOW_IPPROTO_UDP_EMERG_NEW_TIMEOUT, FLOW_IPPROTO_UDP_EST_TIMEOUT, FLOW_IPPROTO_UDP_NEW_TIMEOUT, FLOW_PROTO_DEFAULT, FLOW_PROTO_ICMP, FLOW_PROTO_TCP, FLOW_PROTO_UDP, flow_timeouts_emerg, flow_timeouts_normal, FlowTimeoutsInit(), FlowProtoFreeFunc_::Freefunc, FlowProtoTimeout_::new_timeout, proto, and SET_DEFAULTS.
Referenced by FlowInitConfig(), and FlowUpdateState().
| void FlowRegisterTests | ( | void | ) |
Function to register the Flow Unitests.
Definition at line 1259 of file flow.c.
References FlowMgrRegisterTests(), RegisterFlowStorageTests(), and UtRegisterTest().
| void FlowSetChangeProtoFlag | ( | Flow * | f | ) |
Set flag to indicate to change proto for the flow.
| f | flow |
Definition at line 221 of file flow.c.
References Flow_::flags, and FLOW_CHANGE_PROTO.
Referenced by AppLayerRequestProtocolChange().
| void FlowSetHasAlertsFlag | ( | Flow * | f | ) |
Set flag to indicate that flow has alerts.
| f | flow |
Definition at line 197 of file flow.c.
References Flow_::flags, and FLOW_HAS_ALERTS.
Referenced by PacketAlertFinalize().
| void FlowSetIPOnlyFlag | ( | Flow * | f, |
| int | direction | ||
| ) |
Set the IPOnly scanned flag for 'direction'.
| f | Flow to set the flag in |
| direction | direction to set the flag in |
Definition at line 186 of file flow.c.
References Flow_::flags, FLOW_TOCLIENT_IPONLY_SET, and FLOW_TOSERVER_IPONLY_SET.
Referenced by PacketAlertFinalize(), and SigMatchSignaturesGetSgh().
| int FlowSetMemcap | ( | uint64_t | size | ) |
Update memcap value.
| size | new memcap value |
Definition at line 98 of file flow.c.
References flow_config, SC_ATOMIC_GET, and SC_ATOMIC_SET.
Referenced by RunModeUnixSocketGetDefaultMode().
| int FlowSetProtoFreeFunc | ( | uint8_t | proto, |
| void(*)(void *) | Free | ||
| ) |
Function to set the function to get protocol specific flow state.
| proto | protocol of which function is needed to be set. |
| Free | Function pointer which will be called to free the protocol specific memory. |
Definition at line 983 of file flow.c.
References flow_freefuncs, FlowGetProtoMapping(), and FlowProtoFreeFunc_::Freefunc.
Referenced by FlowUpdateState(), and StreamTcpInitConfig().
| void FlowShutdown | ( | void | ) |
shutdown the flow engine
Definition at line 599 of file flow.c.
References BUG_ON, FBLOCK_DESTROY, flow_config, flow_hash, flow_recycle_q, flow_spare_q, FlowClearMemory(), FlowDequeue(), FlowFree(), FlowGetProtoMapping(), FlowQueueDestroy(), FlowCnf_::hash_size, Flow_::hnext, Flow_::proto, SC_ATOMIC_DESTROY, SC_ATOMIC_GET, SC_ATOMIC_SUB, and SCFreeAligned.
Referenced by __attribute__(), DecodeICMPV6(), DecodeIPV4(), DecodeIPV6(), DecodePPP(), DecodePPPOESession(), DecodeRaw(), DecodeTCP(), DetectFastPatternRegister(), DetectFragBitsRegister(), DetectFragOffsetFree(), DetectIcmpIdFree(), DetectIPProtoRemoveAllSMs(), DetectPortHashFree(), DetectReplaceFreeInternal(), DetectSetupParseRegexes(), FlowStorageRegister(), FlowUpdateState(), ICMPv4GetCounterpart(), PostRunDeinit(), SCSigSignatureOrderingModuleCleanup(), SigParseApplyDsizeToContent(), TagTimeoutCheck(), TmModuleFlowRecyclerRegister(), Unified2AlertInitCtx(), and UTHParseSignature().
| void FlowUnsetChangeProtoFlag | ( | Flow * | f | ) |
Unset flag to indicate to change proto for the flow.
| f | flow |
Definition at line 230 of file flow.c.
References Flow_::flags, and FLOW_CHANGE_PROTO.
Referenced by AppLayerProtoDetectReset().
| int FlowUpdateSpareFlows | ( | void | ) |
Make sure we have enough spare flows.
Enforce the prealloc parameter, so keep at least prealloc flows in the spare queue and free flows going over the limit.
| 1 | if the queue was properly updated (or if it already was in good shape) |
| 0 | otherwise. |
Definition at line 144 of file flow.c.
References flow_config, flow_spare_q, FlowAlloc(), FlowDequeue(), FlowEnqueue(), FlowFree(), FQLOCK_LOCK, FQLOCK_UNLOCK, FlowQueue_::len, len, FlowCnf_::prealloc, and SCEnter.
Definition at line 1033 of file flow.c.
References FAIL_IF, Flow_::fb, FLOW_CHECK_MEMCAP, flow_config, FLOW_DEFAULT_EMERG_EST_TIMEOUT, FLOW_DEFAULT_EMERG_NEW_TIMEOUT, FLOW_DEFAULT_EST_TIMEOUT, FLOW_DEFAULT_NEW_TIMEOUT, FLOW_EMERGENCY, flow_freefuncs, FLOW_IPPROTO_ICMP_EMERG_EST_TIMEOUT, FLOW_IPPROTO_ICMP_EMERG_NEW_TIMEOUT, FLOW_IPPROTO_ICMP_EST_TIMEOUT, FLOW_IPPROTO_ICMP_NEW_TIMEOUT, FLOW_IPPROTO_TCP_EMERG_EST_TIMEOUT, FLOW_IPPROTO_TCP_EMERG_NEW_TIMEOUT, FLOW_IPPROTO_TCP_EST_TIMEOUT, FLOW_IPPROTO_TCP_NEW_TIMEOUT, FLOW_IPPROTO_UDP_EMERG_EST_TIMEOUT, FLOW_IPPROTO_UDP_EMERG_NEW_TIMEOUT, FLOW_IPPROTO_UDP_EST_TIMEOUT, FLOW_IPPROTO_UDP_NEW_TIMEOUT, FLOW_PROTO_DEFAULT, FLOW_PROTO_ICMP, FLOW_PROTO_TCP, FLOW_PROTO_UDP, FLOW_QUIET, flow_spare_q, flow_timeouts_emerg, flow_timeouts_normal, FlowGetProtoMapping(), FlowInitConfig(), FlowInitFlowProto(), FlowSetProtoFreeFunc(), FlowShutdown(), FlowQueue_::len, PASS, FlowCnf_::prealloc, SC_ATOMIC_GET, SC_ATOMIC_SET, TimeSetIncrementTime(), and UTHBuildPacketOfFlows().
Referenced by FlowGetFlowFromHash(), FlowHandlePacketUpdate(), PacketBypassCallback(), and StreamTcpFreeConfig().
| SC_ATOMIC_DECLARE | ( | unsigned | int, |
| flow_prune_idx | |||
| ) |
atomic int that is used when freeing a flow from the hash. In this case we walk the hash to find a flow to free. This var records where we left off in the hash. Without this only the top rows of the hash are freed. This isn't just about fairness. Under severe presure, the hash rows on top would be all freed and the time to find a flow to free increased with every run.
| SC_ATOMIC_DECLARE | ( | unsigned | int, |
| flow_flags | |||
| ) |
atomic flags
| int run_mode |
Run mode selected
Definition at line 204 of file suricata.c.
1.8.11