求snort的tcp重组实现分析。。。
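/*
 * CheckFlushPolicyOnData - decide, when data arrives, whether the listener's
 * queued segments should be flushed, based on listener->flush_mgr.flush_policy.
 *
 * tcpssn   - TCP session, passed through to the flush helpers.
 * talker   - tracker for the sending side; its TCP state is consulted.
 * listener - tracker whose segment list and flush manager are acted on.
 * tdb      - data block for the current segment; only tdb->seq is read here.
 * p        - the current packet.
 *
 * Policies handled:
 *   STREAM_FLPOLICY_IGNORE        - nothing is flushed, returns 0.
 *   STREAM_FLPOLICY_FOOTPRINT_IPS - flushes the amount get_q_sequenced()
 *       reports once flushing is coerced, the flush point is reached, or the
 *       talker is in FIN_WAIT_1.
 *   STREAM_FLPOLICY_PROTOCOL_IPS  - flushes in the amounts flush_pdu_ips()
 *       returns; if the flags come back zero, the tracker is either
 *       auto-disabled or switched to FOOTPRINT_IPS and re-evaluated.
 * Any other policy falls out of the switch and returns 0.
 *
 * Returns the sum of the amounts flushed by this call, with the exception
 * noted on the fallback path below.
 */
static inline int CheckFlushPolicyOnData(
    TcpSession *tcpssn, StreamTracker *talker,
    StreamTracker *listener, TcpDataBlock *tdb, Packet *p)
{
    uint32_t flushed = 0;
    uint32_t avail;

    STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                "In CheckFlushPolicyOnData\n"););
    /* "%s" needs one policy name, so index the name table with each
     * tracker's current policy rather than passing the table itself. */
    STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                "Talker flush policy: %s\n",
                flush_policy_names[talker->flush_mgr.flush_policy]););
    STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                "Listener flush policy: %s\n",
                flush_policy_names[listener->flush_mgr.flush_policy]););

    switch (listener->flush_mgr.flush_policy)
    {
        case STREAM_FLPOLICY_IGNORE:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "STREAM_FLPOLICY_IGNORE\n"););
            return 0;

        case STREAM_FLPOLICY_FOOTPRINT_IPS:
        {
            int coerce;

            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "STREAM_FLPOLICY_FOOTPRINT-IPS\n"););

            avail = get_q_sequenced(listener);
            coerce = CheckFlushCoercion(
                p, &listener->flush_mgr, listener->tcp_policy->flush_factor);

            /* Flush only when something is available and one trigger holds:
             * coercion, flush point reached, or talker in FIN_WAIT_1.
             * (The outer avail > 0 test already covers the FIN_WAIT_1 arm.) */
            if ((avail > 0) &&
                (coerce ||
                 (avail >= listener->flush_mgr.flush_pt) ||
                 (talker->s_mgr.state == TCP_STATE_FIN_WAIT_1)))
            {
                uint32_t dir = GetForwardDir(p);

                if (talker->s_mgr.state == TCP_STATE_FIN_WAIT_1)
                    listener->flags |= TF_FORCE_FLUSH;

                flushed = flush_to_seq(
                    tcpssn, listener, avail, p,
                    GET_SRC_IP(p), GET_DST_IP(p),
                    p->tcph->th_sport, p->tcph->th_dport, dir);
            }
        }
        break;

        case STREAM_FLPOLICY_PROTOCOL_IPS:
        {
            uint32_t flags = GetForwardDir(p);
            uint32_t flush_amt = flush_pdu_ips(tcpssn, listener, p, &flags);
            uint32_t this_flush;

            while (flush_amt > 0)
            {
                /* If this payload is exactly one PDU, don't actually
                 * flush; mark the segment flushed and use the raw packet.
                 * NOTE(review): assumes listener->seglist is non-NULL
                 * whenever flush_pdu_ips() returns > 0 - confirm. */
                if ((tdb->seq == listener->seglist->seq) &&
                    (flush_amt == listener->seglist->size) &&
                    (flush_amt == p->dsize))
                {
                    this_flush = flush_amt;
                    listener->seglist->buffered = SL_BUF_FLUSHED;
                    listener->flush_count++;
                    p->packet_flags |= PKT_PDU_FULL;
                    ShowRebuiltPacket(p);
                }
                else
                {
                    this_flush = flush_to_seq(
                        tcpssn, listener, flush_amt, p,
                        GET_SRC_IP(p), GET_DST_IP(p),
                        p->tcph->th_sport, p->tcph->th_dport, flags);
                }

                /* If we didn't flush as expected, bail. */
                if (this_flush != flush_amt)
                    break;

                flushed += this_flush;

                /* Reset the direction flags and ask for the next amount. */
                flags = GetForwardDir(p);
                flush_amt = flush_pdu_ips(tcpssn, listener, p, &flags);
            }

            /* flags == 0 after flush_pdu_ips(): presumably protocol-aware
             * flushing gave up on this stream - confirm in flush_pdu_ips().
             * Either the tracker is auto-disabled, or it is switched to
             * footprint flushing with the flush point raised by ScPafMax(). */
            if (!flags)
            {
                if (AutoDisable(listener, talker))
                    return 0;

                listener->flush_mgr.flush_policy = STREAM_FLPOLICY_FOOTPRINT_IPS;
                listener->flush_mgr.flush_pt += ScPafMax();
                listener->flush_mgr.flush_type = S5_FT_PAF_MAX;

                /* The policy is now FOOTPRINT_IPS, so this re-entry takes the
                 * footprint case and cannot recurse again.
                 * NOTE(review): the amount accumulated in `flushed` by the
                 * loop above is not included in the value returned here;
                 * check whether callers depend on the total. */
                return CheckFlushPolicyOnData(tcpssn, talker, listener, tdb, p);
            }
        }
        break;

        default:
            /* Other policies are not handled on data; nothing is flushed. */
            break;
    }

    return flushed;
}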
from 2.9.4 snort
求解其中的机制分析,谢谢!
(先占位放着,等我分析后补充!有清楚的请跟帖指点,谢谢!) 有个人写过一点,在这能下到pdf 没有吧。目前我没有搜到任何有价值的东西。。。
你给个链接,谢谢!
回复 2# ww2000e
回复 1# chishanmingshen
有同样的需求 本帖最后由 chishanmingshen 于 2014-08-24 22:16 编辑
refer to flush_to_seq()