diff --git a/src/Conn.cc b/src/Conn.cc index 6cbf140228..ef5064b8e6 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -170,6 +170,19 @@ void Connection::CheckEncapsulation(const std::shared_ptr& a void Connection::Done() { + // TODO: this still doesn't feel like the right place to do this, but it's better + // here than in SessionManager. This really should be down in the TCP analyzer + // somewhere, but it's session-related, so maybe not? + if ( ConnTransport() == TRANSPORT_TCP ) + { + auto ta = static_cast(GetRootAnalyzer()); + assert(ta->IsAnalyzer("TCP")); + analyzer::tcp::TCP_Endpoint* to = ta->Orig(); + analyzer::tcp::TCP_Endpoint* tr = ta->Resp(); + + sessions->tcp_stats.StateLeft(to->state, tr->state); + } + finished = 1; if ( root_analyzer && ! root_analyzer->IsFinished() ) diff --git a/src/RunState.cc b/src/RunState.cc index 7c868dce04..10e3ab2051 100644 --- a/src/RunState.cc +++ b/src/RunState.cc @@ -37,6 +37,7 @@ extern "C" { #include "zeek/plugin/Manager.h" #include "zeek/broker/Manager.h" #include "zeek/packet_analysis/Manager.h" +#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h" extern "C" { extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *); @@ -45,6 +46,8 @@ extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *); static double last_watchdog_proc_time = 0.0; // value of above during last watchdog extern int signal_val; +using namespace zeek::analyzer::stepping_stone; + namespace zeek::run_state { namespace detail { @@ -194,6 +197,9 @@ void init_run(const std::optional& interface, sessions = new NetSessions(); + // Initialize the stepping stone manager. We intentionally throw away the result here. + SteppingStoneManager::Get(); + if ( do_watchdog ) { // Set up the watchdog to make sure we don't wedge. 
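Review bot: The block added at the top of Connection::Done() dereferences the result of GetRootAnalyzer() with no null check, although the unchanged line just below it (`if ( root_analyzer && ! root_analyzer->IsFinished() )`) treats the root analyzer as possibly null. The only guard on the static_cast downcast is an assert, which is compiled out under NDEBUG, so a release build would call `Orig()`/`Resp()` through an unchecked pointer. If Done() can run more than once per connection (not visible here), StateLeft() would also be counted twice and skew tcp_stats. Assuming root_analyzer is what GetRootAnalyzer() returns, `if ( ! finished && root_analyzer && ConnTransport() == TRANSPORT_TCP )` would cover both cases. Done()'s body continues outside the hunk.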
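Review bot: The file-scope `using namespace zeek::analyzer::stepping_stone;` added above `namespace zeek::run_state` is a style concern, since it opens the whole namespace to the rest of RunState.cc for the sake of two call sites. A using-declaration such as `using zeek::analyzer::stepping_stone::SteppingStoneManager;`, or the fully qualified name in init_run() and delete_run(), keeps name lookup explicit and avoids accidental clashes with later additions to either namespace.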
@@ -408,6 +414,7 @@ void delete_run() util::detail::set_processing_status("TERMINATING", "delete_run"); delete sessions; + delete SteppingStoneManager::Get(); for ( int i = 0; i < zeek::detail::NUM_ADDR_ANONYMIZATION_METHODS; ++i ) delete zeek::detail::ip_anonymizer[i]; diff --git a/src/Sessions.cc b/src/Sessions.cc index 35481f30aa..0d20398c03 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -22,7 +22,6 @@ #include "zeek/analyzer/protocol/icmp/ICMP.h" #include "zeek/analyzer/protocol/udp/UDP.h" -#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h" #include "zeek/analyzer/Manager.h" #include "zeek/iosource/IOSource.h" @@ -30,14 +29,6 @@ #include "zeek/analyzer/protocol/stepping-stone/events.bif.h" -// These represent NetBIOS services on ephemeral ports. They're numbered -// so that we can use a single int to hold either an actual TCP/UDP server -// port or one of these. -enum NetBIOS_Service { - NETBIOS_SERVICE_START = 0x10000L, // larger than any port - NETBIOS_SERVICE_DCE_RPC, -}; - zeek::NetSessions* zeek::sessions; zeek::NetSessions*& sessions = zeek::sessions; @@ -45,11 +36,6 @@ namespace zeek { NetSessions::NetSessions() { - if ( stp_correlate_pair ) - stp_manager = new analyzer::stepping_stone::SteppingStoneManager(); - else - stp_manager = nullptr; - packet_filter = nullptr; memset(&stats, 0, sizeof(SessionStats)); @@ -58,7 +44,6 @@ NetSessions::NetSessions() NetSessions::~NetSessions() { delete packet_filter; - delete stp_manager; for ( const auto& entry : tcp_conns ) Unref(entry.second); @@ -389,16 +374,6 @@ void NetSessions::Remove(Connection* c) const detail::ConnIDKey& key = c->Key(); c->CancelTimers(); - if ( c->ConnTransport() == TRANSPORT_TCP ) - { - auto ta = static_cast(c->GetRootAnalyzer()); - assert(ta->IsAnalyzer("TCP")); - analyzer::tcp::TCP_Endpoint* to = ta->Orig(); - analyzer::tcp::TCP_Endpoint* tr = ta->Resp(); - - tcp_stats.StateLeft(to->state, tr->state); - } - c->Done(); c->RemovalEvent(); 
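Review bot: `delete SteppingStoneManager::Get();` in delete_run() frees the singleton but leaves the static `instance` pointer set, so any later Get() call returns freed memory and a second delete_run() would free it twice. Because Get() allocates when `instance` is null and `stp_correlate_pair` is set, this line can also construct a manager during teardown only to destroy it. `instance` is protected, so the caller cannot reset it; a static teardown member on SteppingStoneManager that does `delete instance; instance = nullptr;`, called here instead, would close both gaps. Analyzers that cached the pointer in `stp_manager` must be destroyed before that runs, and whether the preceding `delete sessions;` guarantees this is not visible in the diff.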
diff --git a/src/Sessions.h b/src/Sessions.h index 127456c630..1b381d32db 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -11,8 +11,6 @@ #include "zeek/NetVar.h" #include "zeek/analyzer/protocol/tcp/Stats.h" -class ConnCompressor; - namespace zeek { class EncapsulationStack; @@ -20,8 +18,6 @@ class Packet; class Connection; struct ConnID; -namespace analyzer::stepping_stone { class SteppingStoneManager; } - struct SessionStats { size_t num_TCP_conns; size_t max_TCP_conns; @@ -76,8 +72,6 @@ public: return packet_filter; } - analyzer::stepping_stone::SteppingStoneManager* GetSTPManager() { return stp_manager; } - unsigned int CurrentConnections() { return tcp_conns.size() + udp_conns.size() + icmp_conns.size(); @@ -123,6 +117,8 @@ public: unsigned int ConnectionMemoryUsage(); unsigned int ConnectionMemoryUsageConnVals(); unsigned int MemoryAllocation(); + + // TODO: should this move somewhere else? analyzer::tcp::TCPStateStats tcp_stats; // keeps statistics on TCP states protected: @@ -171,7 +167,6 @@ protected: SessionStats stats; - analyzer::stepping_stone::SteppingStoneManager* stp_manager; detail::PacketFilter* packet_filter; }; diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc index 0810cc0770..27e56d3b43 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc @@ -16,6 +16,8 @@ namespace zeek::analyzer::stepping_stone { +SteppingStoneManager* SteppingStoneManager::instance = nullptr; + SteppingStoneEndpoint::SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m) { endp = e; 
@@ -156,7 +158,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig) SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) : analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c) { - stp_manager = sessions->GetSTPManager(); + stp_manager = SteppingStoneManager::Get(); orig_endp = resp_endp = nullptr; orig_stream_pos = resp_stream_pos = 1; @@ -215,4 +217,12 @@ void SteppingStone_Analyzer::Done() Unref(resp_endp); } +SteppingStoneManager* SteppingStoneManager::Get() + { + if ( ! instance && stp_correlate_pair ) + instance = new SteppingStoneManager(); + + return instance; + } + } // namespace zeek::analyzer::stepping_stone diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h index 7c7869c9d8..8166900dc4 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h @@ -80,9 +80,13 @@ public: // Use postfix ++, since the first ID needs to be even. int NextID() { return endp_cnt++; } + static SteppingStoneManager* Get(); + protected: EndpointQueue ordered_endps; int endp_cnt = 0; + + static SteppingStoneManager* instance; }; } // namespace analyzer::stepping_stone diff --git a/src/analyzer/protocol/tcp/Stats.h b/src/analyzer/protocol/tcp/Stats.h index 86b11eea79..d9ca5127e7 100644 --- a/src/analyzer/protocol/tcp/Stats.h +++ b/src/analyzer/protocol/tcp/Stats.h @@ -9,7 +9,7 @@ namespace zeek::analyzer::tcp { class TCPStateStats { public: TCPStateStats(); - ~TCPStateStats() { } + ~TCPStateStats() = default; void ChangeState(EndpointState o_prev, EndpointState o_now, EndpointState r_prev, EndpointState r_now);
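Review bot: SteppingStoneManager::Get() has an undocumented contract that callers need: it returns nullptr whenever `stp_correlate_pair` is unset, and it re-evaluates that flag on every call until an instance exists. The removed NetSessions constructor decided once at startup, so a manager can now appear mid-run if the flag changes, and analyzers built earlier keep a null `stp_manager` (the SteppingStone_Analyzer constructor hunk stores the result unchecked; its uses are outside the diff). I would add a comment on the declaration in the SteppingStone.h hunk, for example `// Returns the process-wide manager, creating it on first use if stp_correlate_pair is set; returns nullptr otherwise. The class retains ownership.` The lazy initialisation is also unsynchronised, which is fine only if Get() is always called from one thread; that is presumably the case here but worth stating in the same comment.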