#include "suricata-common.h"
#include "suricata.h"
#include "packet.h"
#include "decode.h"
#include "detect.h"
#include "flow.h"
#include "flow-util.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "threads.h"
#include "threadvars.h"
#include "tm-threads.h"
#include "util-pool.h"
#include "util-pool-thread.h"
#include "util-checksum.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-device.h"
#include "stream-tcp-private.h"
#include "stream-tcp.h"
#include "stream-tcp-cache.h"
#include "stream-tcp-inline.h"
#include "stream-tcp-reassemble.h"
#include "stream-tcp-sack.h"
#include "stream-tcp-util.h"
#include "stream.h"
#include "pkt-var.h"
#include "host.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-protos.h"
#include "app-layer-htp-mem.h"
#include "util-host-os-info.h"
#include "util-privs.h"
#include "util-profiling.h"
#include "util-misc.h"
#include "util-validate.h"
#include "util-runmodes.h"
#include "util-random.h"
#include "util-exception-policy.h"
#include "util-time.h"
#include "source-pcap-file.h"
#include "action-globals.h"
#include "tests/stream-tcp.c"

Include dependency graph for stream-tcp.c:

Macros
#define	STREAMTCP_DEFAULT_PREALLOC 2048

#define	STREAMTCP_DEFAULT_MEMCAP (64 * 1024 * 1024) /* 64mb */

#define	STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP (256 * 1024 * 1024) /* 256mb */

#define	STREAMTCP_DEFAULT_TOSERVER_CHUNK_SIZE 2560

#define	STREAMTCP_DEFAULT_TOCLIENT_CHUNK_SIZE 2560

#define	STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED 5

#define	StreamTcpUpdateLastAck(ssn, stream, ack)
	macro to update last_ack only if the new value is higher More...

#define	StreamTcpAsyncLastAckUpdate(ssn, stream)

#define	StreamTcpUpdateNextSeq(ssn, stream, seq)

#define	StreamTcpUpdateNextWin(ssn, stream, win)
	macro to update next_win only if the new value is higher More...

#define	PSEUDO_PKT_SET_IPV4HDR(nipv4h, ipv4h)

#define	PSEUDO_PKT_SET_IPV6HDR(nipv6h, ipv6h)

#define	PSEUDO_PKT_SET_TCPHDR(ntcph, tcph)

Functions
void	StreamTcpReturnStreamSegments (TcpStream *)
	return all segments in this stream into the pool(s) More...

void	StreamTcpInitConfig (bool quiet)
	To initialize the stream global configuration data. More...

int	StreamTcpGetFlowState (void *)

void	StreamTcpSetOSPolicy (TcpStream stream, Packet p)
	Function to set the OS policy for the given stream based on the destination of the received packet. More...

uint64_t	StreamTcpReassembleMemuseGlobalCounter (void)

	SC_ATOMIC_DECLARE (uint64_t, st_memuse)

void	StreamTcpInitMemuse (void)

void	StreamTcpIncrMemuse (uint64_t size)

void	StreamTcpDecrMemuse (uint64_t size)

uint64_t	StreamTcpMemuseCounter (void)

int	StreamTcpCheckMemcap (uint64_t size)
	Check if alloc'ing "size" would mean we're over memcap. More...

int	StreamTcpSetMemcap (uint64_t size)
	Update memcap value. More...

uint64_t	StreamTcpGetMemcap (void)
	Return memcap value. More...

void	StreamTcpStreamCleanup (TcpStream *stream)

void	StreamTcpSessionCleanup (TcpSession *ssn)
	Session cleanup function. Does not free the ssn. More...

void	StreamTcpSessionClear (void *ssnptr)
	Function to return the stream back to the pool. It returns the segments in the stream to the segment pool. More...

void	StreamTcpSessionPktFree (Packet *p)
	Function to return the stream segments back to the pool. More...

int	StreamTcpInlineDropInvalid (void)
	See if stream engine is dropping invalid packet in inline mode. More...

void	StreamTcpFreeConfig (bool quiet)

int	StreamTcpPacket (ThreadVars tv, Packet p, StreamTcpThread stt, PacketQueueNoLock pq)

int	TcpSessionPacketSsnReuse (const Packet p, const Flow f, const void *tcp_ssn)

TmEcode	StreamTcp (ThreadVars tv, Packet p, void data, PacketQueueNoLock pq)

TmEcode	StreamTcpThreadInit (ThreadVars tv, void initdata, void **data)

TmEcode	StreamTcpThreadDeinit (ThreadVars tv, void data)

void	StreamTcpUpdateAppLayerProgress (TcpSession *ssn, char direction, const uint32_t progress)
	update reassembly progress More...

void	StreamTcpSetSessionNoReassemblyFlag (TcpSession *ssn, char direction)
	disable reassembly More...

void	StreamTcpSetDisableRawReassemblyFlag (TcpSession *ssn, char direction)
	Set the No reassembly flag for the given direction in given TCP session. More...

void	StreamTcpSetSessionBypassFlag (TcpSession *ssn)
	enable bypass More...

void	StreamTcpDetectLogFlush (ThreadVars tv, StreamTcpThread stt, Flow f, Packet p, PacketQueueNoLock *pq)
	create packets in both directions to flush out logging and detection before switching protocols. In IDS mode, create first in packet dir, 2nd in opposing In IPS mode, do the reverse. Flag TCP engine that data needs to be inspected regardless of how far we are wrt inspect limits. More...

int	StreamTcpSegmentForEach (const Packet p, uint8_t flag, StreamSegmentCallback CallbackFunc, void data)

int	StreamTcpSegmentForSession (const Packet p, uint8_t flag, StreamSegmentCallback CallbackFunc, void data)
	Run callback function on each TCP segment in both directions of a session. More...

int	StreamTcpBypassEnabled (void)

int	StreamTcpInlineMode (void)
	See if stream engine is operating in inline mode. More...

void	TcpSessionSetReassemblyDepth (TcpSession *ssn, uint32_t size)

const char *	StreamTcpStateAsString (const enum TcpState state)

const char *	StreamTcpSsnStateAsString (const TcpSession *ssn)

Variables
thread_local uint64_t	t_pcapcnt

int	g_detect_disabled

PoolThread *	ssn_pool = NULL

TcpStreamCnf	stream_config

Detailed Description

Author: Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t; Gurvinder Singh gurvi.nosp@m.nder.nosp@m.singh.nosp@m.dahi.nosp@m.ya@gm.nosp@m.ail..nosp@m.com

TCP stream tracking and reassembly engine.

Todo:

4WHS: what if after the 2nd SYN we turn out to be normal 3WHS anyway?

Definition in file stream-tcp.c.

Macro Definition Documentation

◆ PSEUDO_PKT_SET_IPV4HDR

#define PSEUDO_PKT_SET_IPV4HDR	(	nipv4h,
		ipv4h
	)

Value:

        do { \
        IPV4_SET_RAW_VER(nipv4h, IPV4_GET_RAW_VER(ipv4h)); \
        IPV4_SET_RAW_HLEN(nipv4h, IPV4_GET_RAW_HLEN(ipv4h)); \
        IPV4_SET_RAW_IPLEN(nipv4h, IPV4_GET_RAW_IPLEN(ipv4h)); \
        IPV4_SET_RAW_IPTOS(nipv4h, IPV4_GET_RAW_IPTOS(ipv4h)); \
        IPV4_SET_RAW_IPPROTO(nipv4h, IPV4_GET_RAW_IPPROTO(ipv4h)); \
        (nipv4h)->s_ip_src = IPV4_GET_RAW_IPDST(ipv4h); \
        (nipv4h)->s_ip_dst = IPV4_GET_RAW_IPSRC(ipv4h); \
    } while (0)

Definition at line 6123 of file stream-tcp.c.

◆ PSEUDO_PKT_SET_IPV6HDR

#define PSEUDO_PKT_SET_IPV6HDR	(	nipv6h,
		ipv6h
	)

Value:

        do { \
        (nipv6h)->s_ip6_src[0] = (ipv6h)->s_ip6_dst[0]; \
        (nipv6h)->s_ip6_src[1] = (ipv6h)->s_ip6_dst[1]; \
        (nipv6h)->s_ip6_src[2] = (ipv6h)->s_ip6_dst[2]; \
        (nipv6h)->s_ip6_src[3] = (ipv6h)->s_ip6_dst[3]; \
        (nipv6h)->s_ip6_dst[0] = (ipv6h)->s_ip6_src[0]; \
        (nipv6h)->s_ip6_dst[1] = (ipv6h)->s_ip6_src[1]; \
        (nipv6h)->s_ip6_dst[2] = (ipv6h)->s_ip6_src[2]; \
        (nipv6h)->s_ip6_dst[3] = (ipv6h)->s_ip6_src[3]; \
        IPV6_SET_RAW_NH(nipv6h, IPV6_GET_RAW_NH(ipv6h));    \
    } while (0)

Definition at line 6133 of file stream-tcp.c.

◆ PSEUDO_PKT_SET_TCPHDR

#define PSEUDO_PKT_SET_TCPHDR	(	ntcph,
		tcph
	)

Value:

        do { \
        COPY_PORT((tcph)->th_dport, (ntcph)->th_sport); \
        COPY_PORT((tcph)->th_sport, (ntcph)->th_dport); \
        (ntcph)->th_seq = (tcph)->th_ack; \
        (ntcph)->th_ack = (tcph)->th_seq; \
    } while (0)

Definition at line 6145 of file stream-tcp.c.

◆ STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED

#define STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED 5

Definition at line 91 of file stream-tcp.c.

◆ STREAMTCP_DEFAULT_MEMCAP

#define STREAMTCP_DEFAULT_MEMCAP (64 * 1024 * 1024) /* 64mb */

Definition at line 87 of file stream-tcp.c.

◆ STREAMTCP_DEFAULT_PREALLOC

#define STREAMTCP_DEFAULT_PREALLOC 2048

Definition at line 86 of file stream-tcp.c.

◆ STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP

#define STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP (256 * 1024 * 1024) /* 256mb */

Definition at line 88 of file stream-tcp.c.

◆ STREAMTCP_DEFAULT_TOCLIENT_CHUNK_SIZE

#define STREAMTCP_DEFAULT_TOCLIENT_CHUNK_SIZE 2560

Definition at line 90 of file stream-tcp.c.

◆ STREAMTCP_DEFAULT_TOSERVER_CHUNK_SIZE

#define STREAMTCP_DEFAULT_TOSERVER_CHUNK_SIZE 2560

Definition at line 89 of file stream-tcp.c.

◆ StreamTcpAsyncLastAckUpdate

#define StreamTcpAsyncLastAckUpdate	(	ssn,
		stream
	)

Value:

    {                              \
    if ((ssn)->flags & STREAMTCP_FLAG_ASYNC) {                                  \
        if (SEQ_GT((stream)->next_seq, (stream)->last_ack)) {                   \
            uint32_t ack_diff = (stream)->next_seq - (stream)->last_ack;        \
            (stream)->last_ack += ack_diff;                                     \
            SCLogDebug("ssn %p: ASYNC last_ack set to %"PRIu32", moved %u forward",     \
                    (ssn), (stream)->next_seq, ack_diff);                               \
        }                                                                       \
    }                                                                           \
}

Definition at line 844 of file stream-tcp.c.

◆ StreamTcpUpdateLastAck

#define StreamTcpUpdateLastAck	(	ssn,
		stream,
		ack
	)

Value:

    { \
    if (SEQ_GT((ack), (stream)->last_ack)) \
    { \
        SCLogDebug("ssn %p: last_ack set to %"PRIu32", moved %u forward", (ssn), (ack), (ack) - (stream)->last_ack); \
        if ((SEQ_LEQ((stream)->last_ack, (stream)->next_seq) && SEQ_GT((ack),(stream)->next_seq))) { \
            SCLogDebug("last_ack just passed next_seq: %u (was %u) > %u", (ack), (stream)->last_ack, (stream)->next_seq); \
        } else { \
            SCLogDebug("next_seq (%u) <> last_ack now %d", (stream)->next_seq, (int)(stream)->next_seq - (ack)); \
        }\
        (stream)->last_ack = (ack); \
        StreamTcpSackPruneList((stream)); \
    } else { \
        SCLogDebug("ssn %p: no update: ack %u, last_ack %"PRIu32", next_seq %u (state %u)", \
                    (ssn), (ack), (stream)->last_ack, (stream)->next_seq, (ssn)->state); \
    }\
}

macro to update last_ack only if the new value is higher

Parameters

ssn	session
stream	stream to update
ack	ACK value to test and set

Definition at line 827 of file stream-tcp.c.

◆ StreamTcpUpdateNextSeq

#define StreamTcpUpdateNextSeq	(	ssn,
		stream,
		seq
	)

Value:

    {                      \
    (stream)->next_seq = seq;                                           \
    SCLogDebug("ssn %p: next_seq %" PRIu32, (ssn), (stream)->next_seq); \
    StreamTcpAsyncLastAckUpdate((ssn), (stream));                       \
}

Definition at line 855 of file stream-tcp.c.

◆ StreamTcpUpdateNextWin

#define StreamTcpUpdateNextWin	(	ssn,
		stream,
		win
	)

Value:

    { \
    uint32_t sacked_size__ = StreamTcpSackedSize((stream)); \
    if (SEQ_GT(((win) + sacked_size__), (stream)->next_win)) { \
        (stream)->next_win = ((win) + sacked_size__); \
        SCLogDebug("ssn %p: next_win set to %"PRIu32, (ssn), (stream)->next_win); \
    } \
}

macro to update next_win only if the new value is higher

Parameters

ssn	session
stream	stream to update
win	window value to test and set

Definition at line 868 of file stream-tcp.c.

Function Documentation

◆ SC_ATOMIC_DECLARE()

SC_ATOMIC_DECLARE	(	uint64_t	,
		st_memuse
	)

◆ StreamTcp()

TmEcode StreamTcp	(	ThreadVars *	tv,
		Packet *	p,
		void *	data,
		PacketQueueNoLock *	pq
	)

Definition at line 5362 of file stream-tcp.c.

References StreamTcpThread_::counter_tcp_no_flow, Packet_::flow, FlowGetPacketDirection(), Packet_::pcap_cnt, PKT_IS_TCP, Packet_::pkt_src, PktSrcToString(), SCLogDebug, StatsIncr(), t_pcapcnt, TM_ECODE_OK, TOSERVER, and tv.

Here is the call graph for this function:

◆ StreamTcpBypassEnabled()

int StreamTcpBypassEnabled ( void )

Definition at line 6513 of file stream-tcp.c.

References TcpStreamCnf_::flags, stream_config, and STREAMTCP_INIT_FLAG_BYPASS.

◆ StreamTcpCheckMemcap()

int StreamTcpCheckMemcap ( uint64_t size )

Check if alloc'ing "size" would mean we're over memcap.

Return values

1	if in bounds
0	if not in bounds

Definition at line 164 of file stream-tcp.c.

References SC_ATOMIC_GET, and stream_config.

◆ StreamTcpDecrMemuse()

void StreamTcpDecrMemuse ( uint64_t size )

Definition at line 131 of file stream-tcp.c.

References BUG_ON, RunmodeIsUnittests(), SC_ATOMIC_GET, SC_ATOMIC_SUB, SCLogDebug, and StreamTcpMemuseCounter().

Referenced by StreamTcpSessionCleanup().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ StreamTcpDetectLogFlush()

void StreamTcpDetectLogFlush	(	ThreadVars *	tv,
		StreamTcpThread *	stt,
		Flow *	f,
		Packet *	p,
		PacketQueueNoLock *	pq
	)

create packets in both directions to flush out logging and detection before switching protocols. In IDS mode, create first in packet dir, 2nd in opposing In IPS mode, do the reverse. Flag TCP engine that data needs to be inspected regardless of how far we are wrt inspect limits.

Definition at line 6347 of file stream-tcp.c.

References TcpSession_::client, TcpStream_::flags, PKT_IS_TOSERVER, Flow_::protoctx, TcpSession_::server, STREAMTCP_STREAM_FLAG_TRIGGER_RAW, StreamTcpInlineMode(), and ts.

Here is the call graph for this function:

◆ StreamTcpFreeConfig()

void StreamTcpFreeConfig ( bool quiet )

Definition at line 668 of file stream-tcp.c.

References SCMutexLock, and StreamTcpReassembleFree().

Referenced by StreamTcpUTDeinit().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ StreamTcpGetFlowState()

int StreamTcpGetFlowState ( void * )

◆ StreamTcpGetMemcap()

uint64_t StreamTcpGetMemcap ( void )

Return memcap value.

Parameters

memcap memcap value

Definition at line 192 of file stream-tcp.c.

References SC_ATOMIC_GET, and stream_config.

◆ StreamTcpIncrMemuse()

void StreamTcpIncrMemuse ( uint64_t size )

Definition at line 124 of file stream-tcp.c.

References SC_ATOMIC_ADD, SCLogDebug, and StreamTcpMemuseCounter().

Here is the call graph for this function:

◆ StreamTcpInitConfig()

void StreamTcpInitConfig ( bool quiet )

To initialize the stream global configuration data.

Parameters

quiet It tells the mode of operation, if it is true nothing will be get printed.

Definition at line 356 of file stream-tcp.c.

References TcpStreamCnf_::async_oneside, ConfGet(), ConfGetBool(), ConfGetInt(), ConfGetNode(), EngineModeIsIPS(), EXCEPTION_POLICY_NOT_SET, ExceptionPolicyParse(), FatalError, TcpStreamCnf_::flags, TcpStreamCnf_::max_synack_queued, TcpStreamCnf_::midstream, TcpStreamCnf_::midstream_policy, ParseSizeStringU16(), ParseSizeStringU32(), ParseSizeStringU64(), TcpStreamCnf_::prealloc_sessions, TcpStreamCnf_::reassembly_depth, TcpStreamCnf_::reassembly_memcap_policy, TcpStreamCnf_::reassembly_toserver_chunk_size, RunmodeIsUnittests(), SC_ATOMIC_GET, SC_ATOMIC_INIT, SC_ATOMIC_SET, SCLogDebug, SCLogError, SCLogWarning, TcpStreamCnf_::ssn_memcap_policy, stream_config, STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED, STREAMTCP_DEFAULT_MEMCAP, STREAMTCP_DEFAULT_PREALLOC, STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP, STREAMTCP_DEFAULT_TOSERVER_CHUNK_SIZE, STREAMTCP_INIT_FLAG_BYPASS, STREAMTCP_INIT_FLAG_CHECKSUM_VALIDATION, STREAMTCP_INIT_FLAG_DROP_INVALID, STREAMTCP_INIT_FLAG_INLINE, and WarnInvalidConfEntry.

Referenced by PreRunInit(), and StreamTcpUTInit().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ StreamTcpInitMemuse()

void StreamTcpInitMemuse ( void )

Definition at line 119 of file stream-tcp.c.

References SC_ATOMIC_INIT.

Referenced by UtRunTests().

Here is the caller graph for this function:

◆ StreamTcpInlineDropInvalid()

int StreamTcpInlineDropInvalid ( void )

See if stream engine is dropping invalid packet in inline mode.

Return values

0	no
1	yes

Definition at line 330 of file stream-tcp.c.

References TcpStreamCnf_::flags, stream_config, STREAMTCP_INIT_FLAG_DROP_INVALID, and STREAMTCP_INIT_FLAG_INLINE.

◆ StreamTcpInlineMode()

int StreamTcpInlineMode ( void )

See if stream engine is operating in inline mode.

Return values

0	no
1	yes

Definition at line 6524 of file stream-tcp.c.

References TcpStreamCnf_::flags, stream_config, and STREAMTCP_INIT_FLAG_INLINE.

Referenced by StreamDataRightEdge(), StreamReassembleRaw(), StreamReassembleRawHasDataReady(), StreamTcpDetectLogFlush(), and StreamTcpReassembleHandleSegment().

Here is the caller graph for this function:

◆ StreamTcpMemuseCounter()

uint64_t StreamTcpMemuseCounter ( void )

Definition at line 152 of file stream-tcp.c.

References SC_ATOMIC_GET.

Referenced by StreamTcpDecrMemuse(), and StreamTcpIncrMemuse().

Here is the caller graph for this function:

◆ StreamTcpPacket()

int StreamTcpPacket	(	ThreadVars *	tv,
		Packet *	p,
		StreamTcpThread *	stt,
		PacketQueueNoLock *	pq
	)

Definition at line 4949 of file stream-tcp.c.

References TcpSession_::client, StreamTcpThread_::counter_tcp_rst, StreamTcpThread_::counter_tcp_syn, StreamTcpThread_::counter_tcp_synack, DEBUG_ASSERT_FLOW_LOCKED, TcpSession_::flags, Packet_::flow, Packet_::pcap_cnt, PKT_IS_TOCLIENT, PKT_IS_TOSERVER, Flow_::protoctx, SCEnter, SCLogDebug, TcpSession_::server, StatsIncr(), STREAM_PKT_BROKEN_ACK, STREAMTCP_FLAG_ASYNC, StreamTcpSetEvent, TcpStream_::tcp_flags, TCP_GET_ACK, TcpSession_::tcp_packet_flags, Packet_::tcph, TH_ACK, TH_RST, TH_SYN, and tv.

Here is the call graph for this function:

◆ StreamTcpReassembleMemuseGlobalCounter()

uint64_t StreamTcpReassembleMemuseGlobalCounter ( void )

Definition at line 148 of file stream-tcp-reassemble.c.

◆ StreamTcpReturnStreamSegments()

void StreamTcpReturnStreamSegments ( TcpStream * stream )

return all segments in this stream into the pool(s)

Parameters

stream the stream to cleanup

Definition at line 390 of file stream-tcp-reassemble.c.

References RB_FOREACH_SAFE, RB_REMOVE, TcpStream_::seg_tree, and StreamTcpSegmentReturntoPool().

Referenced by StreamTcpPruneSession(), StreamTcpSessionPktFree(), and StreamTcpStreamCleanup().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ StreamTcpSegmentForEach()

int StreamTcpSegmentForEach	(	const Packet *	p,
		uint8_t	flag,
		StreamSegmentCallback	CallbackFunc,
		void *	data
	)

Definition at line 6371 of file stream-tcp.c.

Referenced by StreamSegmentForEach().

Here is the caller graph for this function:

◆ StreamTcpSegmentForSession()

int StreamTcpSegmentForSession	(	const Packet *	p,
		uint8_t	flag,
		StreamSegmentCallback	CallbackFunc,
		void *	data
	)

Run callback function on each TCP segment in both directions of a session.

Note: when stream engine is running in inline mode all segments are used, in IDS/non-inline mode only ack'd segments are iterated.; Must be called under flow lock.