1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
/* Copyright (C) 2007-2010 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
* \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
*/
#ifndef __STREAM_TCP_H__
#define __STREAM_TCP_H__
#include "stream-tcp-private.h"
#define COUNTER_STREAMTCP_STREAMS 1
#include "app-layer-detect-proto.h"
#include "util-mpm.h"
#include "stream.h"
#include "stream-tcp-reassemble.h"
#define STREAM_VERBOSE FALSE
/* Flag to indicate that the checksum validation for the stream engine
has been enabled */
#define STREAMTCP_INIT_FLAG_CHECKSUM_VALIDATION 0x01
/*global flow data*/
typedef struct TcpStreamCnf_ {
/** stream tracking
*
* max stream mem usage
*/
uint64_t memcap;
uint64_t reassembly_memcap; /**< max memory usage for stream reassembly */
uint32_t ssn_init_flags; /**< new ssn flags will be initialized to this */
uint8_t segment_init_flags; /**< new seg flags will be initialized to this */
uint16_t zero_copy_size; /**< use zero copy for app layer above segments
* of this size */
uint32_t prealloc_sessions; /**< ssns to prealloc per stream thread */
int midstream;
int async_oneside;
uint32_t reassembly_depth; /**< Depth until when we reassemble the stream */
uint16_t reassembly_toserver_chunk_size;
uint16_t reassembly_toclient_chunk_size;
int check_overlap_different_data;
/** reassembly -- inline mode
*
* sliding window size for raw stream reassembly
*/
uint32_t reassembly_inline_window;
uint8_t flags;
uint8_t max_synack_queued;
} TcpStreamCnf;
typedef struct StreamTcpThread_ {
int ssn_pool_id;
/** if set to true, we activate the TCP tuple reuse code in the
* stream engine. */
int runmode_flow_stream_async;
uint64_t pkts;
/** queue for pseudo packet(s) that were created in the stream
* process and need further handling. Currently only used when
* receiving (valid) RST packets */
PacketQueue pseudo_queue;
uint16_t counter_tcp_sessions;
/** sessions not picked up because memcap was reached */
uint16_t counter_tcp_ssn_memcap;
/** pseudo packets processed */
uint16_t counter_tcp_pseudo;
/** pseudo packets failed to setup */
uint16_t counter_tcp_pseudo_failed;
/** packets rejected because their csum is invalid */
uint16_t counter_tcp_invalid_checksum;
/** TCP packets with no associated flow */
uint16_t counter_tcp_no_flow;
/** sessions reused */
uint16_t counter_tcp_reused_ssn;
/** syn pkts */
uint16_t counter_tcp_syn;
/** syn/ack pkts */
uint16_t counter_tcp_synack;
/** rst pkts */
uint16_t counter_tcp_rst;
/** tcp reassembly thread data */
TcpReassemblyThreadCtx *ra_ctx;
} StreamTcpThread;
TcpStreamCnf stream_config;
void TmModuleStreamTcpRegister (void);
void StreamTcpInitConfig (char);
void StreamTcpFreeConfig(char);
void StreamTcpRegisterTests (void);
void StreamTcpSessionPktFree (Packet *);
void StreamTcpIncrMemuse(uint64_t);
void StreamTcpDecrMemuse(uint64_t);
int StreamTcpCheckMemcap(uint64_t);
Packet *StreamTcpPseudoSetup(Packet *, uint8_t *, uint32_t);
int StreamTcpSegmentForEach(const Packet *p, uint8_t flag,
StreamSegmentCallback CallbackFunc,
void *data);
void StreamTcpReassembleConfigEnableOverlapCheck(void);
/** ------- Inline functions: ------ */
/**
* \brief If we are on IPS mode, and got a drop action triggered from
* the IP only module, or from a reassembled msg and/or from an
* applayer detection, then drop the rest of the packets of the
* same stream and avoid inspecting it any further
* \param p pointer to the Packet to check
* \retval 1 if we must drop this stream
* \retval 0 if the stream still legal
*/
static inline int StreamTcpCheckFlowDrops(Packet *p)
{
/* If we are on IPS mode, and got a drop action triggered from
* the IP only module, or from a reassembled msg and/or from an
* applayer detection, then drop the rest of the packets of the
* same stream and avoid inspecting it any further */
if (EngineModeIsIPS() && (p->flow->flags & FLOW_ACTION_DROP))
return 1;
return 0;
}
/**
* \brief Function to flip the direction When we missed the SYN packet,
* SYN/ACK is considered as sent by server, but our engine flagged the
* packet as from client for the host whose packet is received first in
* the session.
*
* \param ssn TcpSession to whom this packet belongs
* \param p Packet whose flag has to be changed
*/
static inline void StreamTcpPacketSwitchDir(TcpSession *ssn, Packet *p)
{
SCLogDebug("ssn %p: switching pkt direction", ssn);
if (PKT_IS_TOSERVER(p)) {
p->flowflags &= ~FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_TOCLIENT;
if (p->flowflags & FLOW_PKT_TOSERVER_FIRST) {
p->flowflags &= ~FLOW_PKT_TOSERVER_FIRST;
p->flowflags |= FLOW_PKT_TOCLIENT_FIRST;
}
} else {
p->flowflags &= ~FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_TOSERVER;
if (p->flowflags & FLOW_PKT_TOCLIENT_FIRST) {
p->flowflags &= ~FLOW_PKT_TOCLIENT_FIRST;
p->flowflags |= FLOW_PKT_TOSERVER_FIRST;
}
}
}
enum {
/* stream has no segments for forced reassembly, nor for detection */
STREAM_HAS_UNPROCESSED_SEGMENTS_NONE = 0,
/* stream seems to have segments that need to be forced reassembled */
STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_REASSEMBLY = 1,
/* stream has no segments for forced reassembly, but only segments that
* have been sent for detection, but are stuck in the detection queues */
STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION = 2,
};
static inline int StreamNeedsReassembly(TcpSession *ssn, int direction)
{
/* server tcp state */
if (direction) {
if (ssn->server.seg_list != NULL &&
(!(ssn->server.seg_list_tail->flags & SEGMENTTCP_FLAG_RAW_PROCESSED) ||
!(ssn->server.seg_list_tail->flags & SEGMENTTCP_FLAG_APPLAYER_PROCESSED)) ) {
return STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_REASSEMBLY;
} else if (ssn->toclient_smsg_head != NULL) {
return STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION;
} else {
return STREAM_HAS_UNPROCESSED_SEGMENTS_NONE;
}
} else {
if (ssn->client.seg_list != NULL &&
(!(ssn->client.seg_list_tail->flags & SEGMENTTCP_FLAG_RAW_PROCESSED) ||
!(ssn->client.seg_list_tail->flags & SEGMENTTCP_FLAG_APPLAYER_PROCESSED)) ) {
return STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_REASSEMBLY;
} else if (ssn->toserver_smsg_head != NULL) {
return STREAM_HAS_UNPROCESSED_SEGMENTS_NEED_ONLY_DETECTION;
} else {
return STREAM_HAS_UNPROCESSED_SEGMENTS_NONE;
}
}
}
TmEcode StreamTcpThreadInit(ThreadVars *, void *, void **);
TmEcode StreamTcpThreadDeinit(ThreadVars *tv, void *data);
int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
PacketQueue *pq);
void StreamTcpSessionClear(void *ssnptr);
uint32_t StreamTcpGetStreamSize(TcpStream *stream);
#endif /* __STREAM_TCP_H__ */
|
