remove tunneling flag in session_flags

decoders/session_flags/CMakeLists.txt

@@ -1,15 +1,15 @@
 add_subdirectory(mesa_sts)
 add_definitions(-fPIC)
 
-set(SESSION_FLAGS_SRC session_flags_plugin.cpp session_flags.cpp fet.cpp tunneling.cpp onlinemean.c)
+set(SESSION_FLAGS_SRC session_flags_plugin.cpp session_flags.cpp fet.cpp onlinemean.c)
 
 add_library(session_flags STATIC ${SESSION_FLAGS_SRC})
 add_library(session_flags_dyn SHARED ${SESSION_FLAGS_SRC})
 set_target_properties(session_flags PROPERTIES LINK_FLAGS "-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/version.map")
 target_include_directories(session_flags PUBLIC ${CMAKE_SOURCE_DIR}/deps/)
 include_directories(${CMAKE_BINARY_DIR}/vendors/cjson/src/cjson/include)
-target_link_libraries(session_flags toml cjson-static hyperscan_static hyperscan_runtime_static libmesa_sts)
+target_link_libraries(session_flags toml cjson-static libmesa_sts)
 set_target_properties(session_flags PROPERTIES PREFIX "") 
 
 set_target_properties(session_flags_dyn PROPERTIES PREFIX "") 
-target_link_libraries(session_flags_dyn toml cjson-static hyperscan_static hyperscan_runtime_static libmesa_sts)
+target_link_libraries(session_flags_dyn toml cjson-static libmesa_sts)

decoders/session_flags/session_flags.cpp

@@ -737,13 +737,6 @@ struct session_flags_result *session_flags(struct session_flags_plugin_info *sf_
 	session_flags_calculate_dir(stat, all_pkts);
 	session_flags_calculate_random_looking(sf_plugin_info, stat, session, topic_id, all_pkts);
 
-	const struct packet *pkt = session_get0_current_packet(session);
-	size_t payload_len = packet_get_payload_len(pkt);
-	if (g_sf_conf.tunneling_enabled && payload_len > 0 && (topic_id == sf_plugin_info->tcp_topic_id))// detect tunneling on tcp only
-	{
-		tunneling_scan_sequence(sf_plugin_info, session, ctx, payload_len, flow_type, all_pkts);
-	}
-
 	if (stat->stream_live_time_ms >= START_JUDGE_TIME_MS)
 	{
 		if (all_pkts > g_sf_conf.main_dir_front_n_pkts)

decoders/session_flags/session_flags_internal.h

@@ -1,9 +1,7 @@
 #pragma once
 #include <stdint.h>
 #include "onlinemean.h"
-#include "tunneling.h"
 
-#include "hs/hs_runtime.h"
 #include "stellar/session.h"
 #include "stellar/session_flags.h"
 #include "toml/toml.h"
@@ -80,7 +78,6 @@ struct session_flags_plugin_info{
 	int session_flags_topic_id;
 	int tcp_topic_id;
 	int udp_topic_id;
-	hs_database_t *tunneling_hs_db;
 };
 
 struct session_flags_iter_values
@@ -134,7 +131,6 @@ struct session_flags_stat
 	uint64_t last_iter_ts_ms;
 	int main_dir; 
 	struct random_looking_stat_info random_looking_stat;
-	struct tunneling_stat_info tunneling_stat;
 	struct session_flags_iter iter;
 	struct session_flags_result result;
 };
@@ -142,7 +138,6 @@ struct session_flags_stat
 struct session_flags_ctx
 {
 	struct session_flags_stat stat;
-	hs_stream_t	*tunneling_hs_stream;
 	uint64_t history_flags;
 };
 

decoders/session_flags/session_flags_plugin.cpp

@@ -65,8 +65,6 @@ static void session_flags_exdata_free_cb(int idx, void *ex_ptr, void *arg)
 	{
 		return;
 	}
-	struct session_flags_ctx *ctx = (struct session_flags_ctx *)ex_ptr;
-	tunneling_hs_stream_free(ctx);
 
 	free(ex_ptr);
 }
@@ -89,10 +87,6 @@ void session_flags_entry(struct session *session, int topic_id, const void *msg,
 		session_exdata_set(session, sf_plugin_info->sess_ctx_exdata_idx, ctx);
 
 		session_flags_stat_init(&ctx->stat, session_get_direction(session));
-		if (g_sf_conf.tunneling_enabled)
-		{
-			tunneling_hs_stream_init(sf_plugin_info, ctx);
-		}
 	}
 
 	struct session_flags_stat *stat = &ctx->stat;
@@ -316,7 +310,6 @@ extern "C" void *session_flags_plugin_init(struct stellar *st)
 
 	memset(&g_sf_conf, 0, sizeof(g_sf_conf));
 	session_flags_load_config(sf_plugin_info, CFG_FILE_PATH, &g_sf_conf);
-	tunneling_hyperscan_engine_init(sf_plugin_info, &g_sf_conf);
 
 	json = cJSON_Parse(g_sf_conf.random_looking_judge_list);
 	if (json == NULL)
@@ -400,10 +393,6 @@ extern "C" void session_flags_plugin_exit(void *plugin_ctx)
 		return;
 	}
 
-	struct session_flags_plugin_info *sf_plugin_info = (struct session_flags_plugin_info *)plugin_ctx;
-	
-	tunneling_hyperscan_engine_exit(sf_plugin_info->tunneling_hs_db);
-
 	free(plugin_ctx);
 
 	return;

decoders/session_flags/tunneling.cpp

@@ -1,217 +0,0 @@
-#include <cctype>
-#include <stdlib.h>
-#include <stdio.h>
-#include "cJSON.h"
-#include "session_flags_internal.h"
-#include "tunneling.h"
-#include "stellar/log.h"
-
-#define UNUSED(x) (void)(x)
-
-thread_local hs_scratch_t *hs_scratch = NULL;
-extern struct session_flags_init_conf g_sf_conf;
-
-static char tunneling_length_to_character(enum flow_type flow_type, size_t len)
-{
-    char ret;
-
-    switch(len)
-    {
-        case 1 ... 200:
-            ret = 'A';
-            break;
-        case 201 ... 600:
-            ret = 'B';
-            break;
-        case 601 ... 1000:
-            ret = 'C';
-            break;
-        case 1001 ... 1460:
-            ret = 'D';
-            break;
-        default:
-            ret = 'Z';
-            break;
-    }
-
-    if (flow_type == FLOW_TYPE_C2S)
-    {
-        return ret;
-    }
-    else
-    {
-        return tolower(ret);
-    }
-}
-
-static int tunneling_match_event_handler(unsigned int id, unsigned long long from, unsigned long long to, unsigned int flags, void *context) {
-    UNUSED(id);
-    UNUSED(from);
-    UNUSED(to);
-    UNUSED(flags);
-
-    struct session_flags_ctx *ctx = (struct session_flags_ctx *)context;
-	ctx->stat.result.flags |= SESSION_FLAGS_TUNNELING;
-    return 0;
-}
-
-int tunneling_scan_sequence(struct session_flags_plugin_info *sf_plugin_info, struct session *session, struct session_flags_ctx *ctx, size_t payload_len, enum flow_type flow_type, uint64_t pkts_cnt)
-{
-    if (ctx->stat.result.flags & SESSION_FLAGS_TUNNELING)
-    {
-        return 0;
-    }
-
-    ctx->stat.tunneling_stat.payload_pkt_num++;
-    if (ctx->stat.result.is_tls && ctx->stat.tunneling_stat.payload_pkt_num <= g_sf_conf.tunneling_tls_ignore_pkts)
-    {
-        return 0;
-    }
-
-    if((ctx->stat.result.is_tls==0) && (ctx->stat.tunneling_stat.payload_pkt_num > g_sf_conf.tunneling_max_scan_pkts))
-    {
-        return 0;
-    }
-
-    if((ctx->stat.result.is_tls) && (ctx->stat.tunneling_stat.payload_pkt_num > g_sf_conf.tunneling_max_scan_pkts+g_sf_conf.tunneling_tls_ignore_pkts))
-    {
-        return 0;
-    }
-
-    if (hs_scratch == NULL)
-    {
-        hs_error_t err = hs_alloc_scratch(sf_plugin_info->tunneling_hs_db, &hs_scratch);
-        if (err != HS_SUCCESS)
-        {
-            STELLAR_LOG_FATAL(sf_plugin_info->log_handle, SESSION_FLAGS_LOG_MODULE, "hs_alloc_scratch failed, err:%d", err);
-            return -1;
-        }
-    }
-
-    char tunneling_seq_char = tunneling_length_to_character(flow_type, payload_len);
-    STELLAR_LOG_DEBUG(sf_plugin_info->log_handle, SESSION_FLAGS_LOG_MODULE, "session: %s, is tls:%s, total_num: %d, payload_pkt_num: %d, tunneling_seq_char:%c, payload_len:%d", 
-                            session_get0_readable_addr(session), ctx->stat.result.is_tls == true ? "yes":"no", pkts_cnt, ctx->stat.tunneling_stat.payload_pkt_num, tunneling_seq_char, payload_len);
-
-    hs_error_t err = hs_scan_stream(ctx->tunneling_hs_stream, &tunneling_seq_char, 1, 0, hs_scratch, tunneling_match_event_handler, ctx);
-    if (err != HS_SUCCESS)
-    {
-        STELLAR_LOG_FATAL(sf_plugin_info->log_handle, SESSION_FLAGS_LOG_MODULE, "hs_scan_stream failed, err:%d", err);
-        return -1;
-    }
-    if (ctx->stat.result.flags & SESSION_FLAGS_TUNNELING)
-    {
-        ctx->stat.result.identify[session_flags_tunneling_mask] = pkts_cnt;
-    }
-
-    return 0;
-}
-
-void tunneling_hs_stream_init(struct session_flags_plugin_info *sf_plugin_info, struct session_flags_ctx *ctx)
-{
-    hs_error_t err = hs_open_stream(sf_plugin_info->tunneling_hs_db, 0, &ctx->tunneling_hs_stream);
-    if (err != HS_SUCCESS)
-    {
-        STELLAR_LOG_FATAL(sf_plugin_info->log_handle, SESSION_FLAGS_LOG_MODULE, "hs_open_stream failed, err:%d", err);
-        return;
-    }
-}
-
-void tunneling_hs_stream_free(struct session_flags_ctx *ctx)
-{
-    if (ctx->tunneling_hs_stream == NULL)
-    {
-        return;
-    }
-
-    hs_close_stream(ctx->tunneling_hs_stream, hs_scratch, NULL, NULL);
-}
-
-int tunneling_hyperscan_engine_init(struct session_flags_plugin_info *sf_plugin_info, struct session_flags_init_conf *g_sf_conf)
-{
-    cJSON *json = NULL, *item = NULL;
-    int array_num;
-    char **pcre = NULL;
-    hs_compile_error_t *compile_err;
-    hs_error_t err;
-    unsigned int *flags = NULL;
-    unsigned int *ids = NULL;
-    int ret = 0;
-
-    g_sf_conf->tunneling_enabled = 0;
-
-    json = cJSON_Parse(g_sf_conf->tunneling_pcre_list);
-	if (json == NULL)
-	{
-        STELLAR_LOG_FATAL(sf_plugin_info->log_handle, SESSION_FLAGS_LOG_MODULE, "cJSON_Parse failed, tunneling_pcre_list:%s", g_sf_conf->tunneling_pcre_list);
-		goto END;
-	}
-	item = cJSON_GetObjectItem(json, "tunneling_pcre_list");
-	if (item == NULL)
-	{
-        STELLAR_LOG_FATAL(sf_plugin_info->log_handle, SESSION_FLAGS_LOG_MODULE, "cJSON_GetObjectItem failed, tunneling_pcre_list:%s", g_sf_conf->tunneling_pcre_list);
-		goto END;
-	}
-	array_num = cJSON_GetArraySize(item);
-	if (array_num < 0)
-	{
-        STELLAR_LOG_FATAL(sf_plugin_info->log_handle, SESSION_FLAGS_LOG_MODULE, "array size error, array_num:%d", array_num);
-		goto END;
-	}
-
-    if (array_num == 0)
-    {
-        goto END;
-    }
-
-    g_sf_conf->tunneling_enabled = 1;
-    pcre = (char **)calloc(array_num, sizeof(char *));
-	for (int i = 0; i < array_num; i++)
-	{
-		pcre[i] = cJSON_GetArrayItem(item, i)->valuestring;
-    }
-
-    flags = (unsigned int *)calloc(array_num, sizeof(unsigned int));
-    ids = (unsigned int *)calloc(array_num, sizeof(unsigned int));
-    for (int i = 0; i < array_num; i++)
-    {
-        flags[i] = HS_FLAG_DOTALL;
-        ids[i] = i;
-    }
-
-    err = hs_compile_multi(pcre, flags, ids, array_num, HS_MODE_STREAM, NULL, &sf_plugin_info->tunneling_hs_db, &compile_err);
-    if (err != HS_SUCCESS)
-    {
-        STELLAR_LOG_FATAL(sf_plugin_info->log_handle, SESSION_FLAGS_LOG_MODULE, "hs_compile_multi failed, err:%d, pattern id: %d, err_msg: %s, pattern: %s", err, compile_err->expression, compile_err->message, pcre[compile_err->expression]);
-        cJSON_Delete(json);
-        free(pcre);
-        ret = -1;
-        goto END;
-    }
-
-END:
-    if (json != NULL)
-    {
-        cJSON_Delete(json);
-    }
-    if (pcre != NULL)
-    {
-        free(pcre);
-    }
-    if (flags != NULL)
-    {
-        free(flags);
-    }
-    if (ids != NULL)
-    {   
-        free(ids);
-    }
-    return ret;
-}
-
-void tunneling_hyperscan_engine_exit(hs_database_t *tunneling_hs_db)
-{
-    if (tunneling_hs_db != NULL)
-    {
-        hs_free_database(tunneling_hs_db);
-    }
-}

decoders/session_flags/tunneling.h

@@ -1,18 +0,0 @@
-#pragma once
-
-#include <cstdint>
-#include <stdlib.h>
-#include <hs/hs_common.h>
-#include <hs/hs.h>
-#include "stellar/session.h"
-
-struct tunneling_stat_info
-{
-    uint8_t payload_pkt_num;
-};
-
-int tunneling_scan_sequence(struct session_flags_plugin_info *sf_plugin_info, struct session *session, struct session_flags_ctx *ctx, size_t payload_len, flow_type flow_type, uint64_t pkts_cnt);
-void tunneling_hs_stream_init(struct session_flags_plugin_info *sf_plugin_info, struct session_flags_ctx *ctx);
-void tunneling_hs_stream_free(struct session_flags_ctx *ctx);
-int tunneling_hyperscan_engine_init(struct session_flags_plugin_info *sf_plugin_info, struct session_flags_init_conf *g_sf_conf);
-void tunneling_hyperscan_engine_exit(hs_database_t *tunneling_hs_db);

test/decoders/session_flags/CMakeLists.txt

@@ -17,18 +17,16 @@ add_executable(gtest_session_flags_pcap session_flags_pcap_test.cpp
                                         ${PROJECT_SOURCE_DIR}/decoders/session_flags/fet.cpp 
                                         ${PROJECT_SOURCE_DIR}/decoders/session_flags/onlinemean.c 
                                         ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags_plugin.cpp
-                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags.cpp 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags.cpp)
-                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/tunneling.cpp)
+target_link_libraries(gtest_session_flags_pcap gtest pcap logger cjson-static libmesa_sts)
-target_link_libraries(gtest_session_flags_pcap gtest pcap hyperscan_static hyperscan_runtime_static logger cjson-static libmesa_sts)
 
 add_executable(gtest_session_flags_static session_flags_static_test.cpp 
                                         dummy.c 
                                         ${PROJECT_SOURCE_DIR}/decoders/session_flags/fet.cpp 
                                         ${PROJECT_SOURCE_DIR}/decoders/session_flags/onlinemean.c 
                                         ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags_plugin.cpp
-                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags.cpp 
+                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/session_flags.cpp)
-                                        ${PROJECT_SOURCE_DIR}/decoders/session_flags/tunneling.cpp)
+target_link_libraries(gtest_session_flags_static gtest pcap logger cjson-static libmesa_sts)
-target_link_libraries(gtest_session_flags_static gtest pcap hyperscan_static hyperscan_runtime_static logger cjson-static libmesa_sts)
 
 add_executable(session_flags_test_main plugin_test_main.cpp)
 set_target_properties(session_flags_test_main 

test/decoders/session_flags/session_flags_pcap_test.cpp

@@ -537,6 +537,7 @@ TEST(session_flags, bidirectional)
 	free(ctx);
 }
 
+#if 0
 TEST(session_flags, tunneling_tls_fet)
 {
 	char error[100];
@@ -614,6 +615,7 @@ TEST(session_flags, tunneling_tls)
 	pcap_close(handle);
 	free(ctx);
 }
+#endif
 
 int main(int argc, char **argv)
 {

vendors/CMakeLists.txt

@@ -98,40 +98,3 @@ add_dependencies(libevent-static libevent)
 set_property(TARGET libevent-static PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib/libevent.a)
 set_property(TARGET libevent-static PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)
 set_property(TARGET libevent-static PROPERTY INTERFACE_LINK_LIBRARIES pthread)
-
-set(VENDOR_BUILD ${CMAKE_BINARY_DIR}/vendor/vbuild)
-# colm-0.14.7
-ExternalProject_Add(colm PREFIX colm 
-                    URL ${CMAKE_CURRENT_SOURCE_DIR}/colm-0.14.7.tar.gz
-	                CONFIGURE_COMMAND ./autogen.sh && ./configure --prefix=${VENDOR_BUILD}
-	                BUILD_COMMAND make	
-	                INSTALL_COMMAND make install
-	                BUILD_IN_SOURCE 1)
-
-# ragel-7.0.4
-ExternalProject_Add(ragel PREFIX ragel
-                    URL ${CMAKE_CURRENT_SOURCE_DIR}/ragel-7.0.4.tar.gz
-	                CONFIGURE_COMMAND ./autogen.sh && ./configure --prefix=${VENDOR_BUILD} --disable-manual --with-colm=${VENDOR_BUILD}
-	                DEPENDS colm
-	                BUILD_COMMAND make	
-	                INSTALL_COMMAND make install
-	                BUILD_IN_SOURCE 1)
-
-# HyperScan 5.4.2
-ExternalProject_Add(hyperscan PREFIX hyperscan
-                    URL ${CMAKE_CURRENT_SOURCE_DIR}/hyperscan-5.4.2.tar.gz
-	                DEPENDS ragel
-	                CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=${VENDOR_BUILD} -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE} -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC")
-
-ExternalProject_Get_Property(hyperscan INSTALL_DIR)
-file(MAKE_DIRECTORY ${VENDOR_BUILD}/include)
-
-add_library(hyperscan_static STATIC IMPORTED GLOBAL)
-add_dependencies(hyperscan_static hyperscan)
-set_property(TARGET hyperscan_static PROPERTY IMPORTED_LOCATION ${VENDOR_BUILD}/lib64/libhs.a)
-set_property(TARGET hyperscan_static PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${VENDOR_BUILD}/include)
-
-add_library(hyperscan_runtime_static STATIC IMPORTED GLOBAL)
-add_dependencies(hyperscan_runtime_static hyperscan)
-set_property(TARGET hyperscan_runtime_static PROPERTY IMPORTED_LOCATION ${VENDOR_BUILD}/lib64/libhs_runtime.a)
-set_property(TARGET hyperscan_runtime_static PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${VENDOR_BUILD}/include)