Bypass v7 #2276
Closed
Bypass v7 #2276
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch adds a bypassed state to flow that will be set on flow when a bypass decision is taken. This will allow to remove faster the flow entry from the flow table instead of waiting for the "established" timeout.
This will allow us to remove the Flow from the table and treat it separately.
We possibly have packets for a flow in the queue and we don't need to bypass for each of them if the flow is already bypassed.
This permits to enable/disable in suricata.yaml and the bypass function will be called when stream.depth is reached.
If a flow is encrypted, suricata is stopping the inspection
so we can just get it out via bypass.
This patch also invert to test to check the option value.
This should limit the number of tests in conditional.
For a basic test of feature, use the following ruleset:
```
table ip filter {
chain output {
type filter hook output priority 0;
meta mark set ct mark counter
mark 0x00000001 counter accept
oif lo tcp dport ssh counter queue num 0
oif lo tcp sport ssh counter queue num 0
}
chain connmark_save {
type filter hook output priority 1;
mark 0x00000001 counter
ct mark set mark counter
}
}
```
And use mark and mask of 1 in nfq configuration. Then you
can test the system by scp big file to 127.0.0.1.
This adds a new keyword which permits to call the bypass callback when a sig is matched. The callback must be called when the match of the sig is complete.
If a packet triggers a rule which contains both bypass and filestore keywords, it won't be stored since it's not inspected. To avoid that, when a rule containing filestore keyword we make sure that also bypass keyword is present.
inliniac
reviewed
Sep 24, 2016
|
|
||
| if (p->BypassPacketsFlow) { | ||
| /* only set bypassed state if succesful */ | ||
| SC_ATOMIC_SET(p->flow->flow_state, FLOW_STATE_BYPASSED); |
inliniac
reviewed
Sep 24, 2016
| @@ -448,6 +448,8 @@ typedef struct Packet_ | |||
| /** The release function for packet structure and data */ | |||
| void (*ReleasePacket)(struct Packet_ *); | |||
|
|
|||
| void (*BypassPacketsFlow)(struct Packet_ *); | |||
There was a problem hiding this comment.
missing comment explaining what this is for
inliniac
reviewed
Sep 24, 2016
|
|
||
| SCMutexLock(&f.m); | ||
| int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1, http_len1); | ||
| if (r != 0) { |
inliniac
reviewed
Sep 24, 2016
|
|
||
| SCMutexLock(&f.m); | ||
| r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_len2); | ||
| if (r != 0) { |
inliniac
reviewed
Sep 24, 2016
|
|
||
| FAIL_IF(PacketAlertCheck(p1, 1)); | ||
|
|
||
| SCMutexLock(&f.m); |
There was a problem hiding this comment.
wrong lock func, use FLOWLOCK_WRLOCK
(I have a patch that mass changes this for the entire tree)
inliniac
reviewed
Sep 24, 2016
| StreamTcpInitConfig(TRUE); | ||
|
|
||
| de_ctx = DetectEngineCtxInit(); | ||
| if (de_ctx == NULL) |
There was a problem hiding this comment.
FAIL_IF
Please update the rest of the unittests as well
inliniac
reviewed
Sep 24, 2016
| @@ -507,6 +524,10 @@ static int NFQCallBack(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, | |||
| PKT_SET_SRC(p, PKT_SRC_WIRE); | |||
|
|
|||
| p->nfq_v.nfq_index = ntv->nfq_index; | |||
| /* if bypass mask is set then we may want to bypass so set pointer */ | |||
| if (nfq_config.bypass_mask) { | |||
There was a problem hiding this comment.
so this mask is used as a global switch to see if bypass is enabled at all for nfq?
There was a problem hiding this comment.
yes, it may be a bit implicit but I was seeing a new variable has bit too much.
inliniac
reviewed
Sep 24, 2016
| SigGroupBuild(de_ctx); | ||
| DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); | ||
|
|
||
| SCMutexLock(&f.m); |
inliniac
reviewed
Sep 24, 2016
| @@ -492,6 +501,14 @@ static void NFQReleasePacket(Packet *p) | |||
| PacketFreeOrRelease(p); | |||
| } | |||
|
|
|||
| static void NFQBypassCallback(Packet *p) | |||
There was a problem hiding this comment.
this will need to act on the root packet in case of tunnel packets
|
ok, updating the branch. |
Closed
victorjulien
pushed a commit
to victorjulien/suricata
that referenced
this pull request
Nov 20, 2017
An empty value for coredump.max-dump in the config-file leads to a segfault because of a NULL-pointer dereference in CoredumpLoadConfig().
Here is a configuration example:
coredump.max-dump: []
This lets suricata crash with a segfault:
ASAN-output:
==9412==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f22e851aa28 bp 0x7ffd90006fc0 sp 0x7ffd90006740 T0)
0 0x7f22e851aa27 in strcasecmp (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x51a27)
1 0x5608a7ec0108 in CoredumpLoadConfig /root/suricata-1/src/util-coredump-config.c:52
2 0x5608a7e8bb22 in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2752
3 0x5608a7e8c577 in main /root/suricata-1/src/suricata.c:2892
4 0x7f22e4c622b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
5 0x5608a7a30c59 in _start (/usr/local/bin/suricata+0xc4c59)
Bug OISF#2276
victorjulien
pushed a commit
to victorjulien/suricata
that referenced
this pull request
Dec 4, 2017
An empty value for coredump.max-dump in the config-file leads to a segfault because of a NULL-pointer dereference in CoredumpLoadConfig().
Here is a configuration example:
coredump.max-dump: []
This lets suricata crash with a segfault:
ASAN-output:
==9412==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f22e851aa28 bp 0x7ffd90006fc0 sp 0x7ffd90006740 T0)
0 0x7f22e851aa27 in strcasecmp (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x51a27)
1 0x5608a7ec0108 in CoredumpLoadConfig /root/suricata-1/src/util-coredump-config.c:52
2 0x5608a7e8bb22 in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2752
3 0x5608a7e8c577 in main /root/suricata-1/src/suricata.c:2892
4 0x7f22e4c622b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
5 0x5608a7a30c59 in _start (/usr/local/bin/suricata+0xc4c59)
Bug OISF#2276
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an update of #2228 changing a lot of things.
Main change is that it introduces a bypassed state in flow which will allow suricata to get rid fast of bypassed flows instead of waiting for "established" timeout. This will lower the pressure on the flow table. Also as the bypassed information is added in the EVE entry of flow the user will know that bypass has been done on the flow.
Another change is that definition of bypass is not done anymore at registration but it is done inside the capture. For instance, in NFQ capture (which is the only one implemented in this PR), the bypass is activated if the bypass_mask is set in the configuration file.
Also remarks on PR #2228 have been addressed.
PR builds: