Move some code out of NetSessions

- TCPStateStats update when a session is removed was moved to Connection - Stepping Stone manager moved to a singleton object in SteppingStoneManager
2025-10-02 14:48:21 +00:00 · 2021-03-11 13:17:17 -07:00 · 2021-03-11 13:17:17 -07:00 · 50713b3c2d
commit 50713b3c2d
parent 14ffd9646f
7 changed files with 38 additions and 34 deletions
--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -170,6 +170,19 @@ void Connection::CheckEncapsulation(const std::shared_ptr<EncapsulationStack>& a

 void Connection::Done()
 	{
+	// TODO: this still doesn't feel like the right place to do this, but it's better
+	// here than in SessionManager. This really should be down in the TCP analyzer
+	// somewhere, but it's session-related, so maybe not?
+	if ( ConnTransport() == TRANSPORT_TCP )
+		{
+		auto ta = static_cast<analyzer::tcp::TCP_Analyzer*>(GetRootAnalyzer());
+		assert(ta->IsAnalyzer("TCP"));
+		analyzer::tcp::TCP_Endpoint* to = ta->Orig();
+		analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
+
+		sessions->tcp_stats.StateLeft(to->state, tr->state);
+		}
+
 	finished = 1;

 	if ( root_analyzer && ! root_analyzer->IsFinished() )
--- a/src/RunState.cc
+++ b/src/RunState.cc
@ -37,6 +37,7 @@ extern "C" {
 #include "zeek/plugin/Manager.h"
 #include "zeek/broker/Manager.h"
 #include "zeek/packet_analysis/Manager.h"
+#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"

 extern "C" {
 extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
@ -45,6 +46,8 @@ extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
 static double last_watchdog_proc_time = 0.0;	// value of above during last watchdog
 extern int signal_val;

+using namespace zeek::analyzer::stepping_stone;
+
 namespace zeek::run_state {
 namespace detail {

@ -194,6 +197,9 @@ void init_run(const std::optional<std::string>& interface,

 	sessions = new NetSessions();

+	// Initialize the stepping stone manager. We intentionally throw away the result here.
+	SteppingStoneManager::Get();
+
 	if ( do_watchdog )
 		{
 		// Set up the watchdog to make sure we don't wedge.
@ -408,6 +414,7 @@ void delete_run()
 	util::detail::set_processing_status("TERMINATING", "delete_run");

 	delete sessions;
+	delete SteppingStoneManager::Get();

 	for ( int i = 0; i < zeek::detail::NUM_ADDR_ANONYMIZATION_METHODS; ++i )
 		delete zeek::detail::ip_anonymizer[i];
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -22,7 +22,6 @@

 #include "zeek/analyzer/protocol/icmp/ICMP.h"
 #include "zeek/analyzer/protocol/udp/UDP.h"
-#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
 #include "zeek/analyzer/Manager.h"

 #include "zeek/iosource/IOSource.h"
@ -30,14 +29,6 @@

 #include "zeek/analyzer/protocol/stepping-stone/events.bif.h"

-// These represent NetBIOS services on ephemeral ports.  They're numbered
-// so that we can use a single int to hold either an actual TCP/UDP server
-// port or one of these.
-enum NetBIOS_Service {
-	NETBIOS_SERVICE_START = 0x10000L,	// larger than any port
-	NETBIOS_SERVICE_DCE_RPC,
-};
-
 zeek::NetSessions* zeek::sessions;
 zeek::NetSessions*& sessions = zeek::sessions;

@ -45,11 +36,6 @@ namespace zeek {

 NetSessions::NetSessions()
 	{
-	if ( stp_correlate_pair )
-		stp_manager = new analyzer::stepping_stone::SteppingStoneManager();
-	else
-		stp_manager = nullptr;
-
 	packet_filter = nullptr;

 	memset(&stats, 0, sizeof(SessionStats));
@ -58,7 +44,6 @@ NetSessions::NetSessions()
 NetSessions::~NetSessions()
 	{
 	delete packet_filter;
-	delete stp_manager;

 	for ( const auto& entry : tcp_conns )
 		Unref(entry.second);
@ -389,16 +374,6 @@ void NetSessions::Remove(Connection* c)
 		const detail::ConnIDKey& key = c->Key();
 		c->CancelTimers();

-		if ( c->ConnTransport() == TRANSPORT_TCP )
-			{
-			auto ta = static_cast<analyzer::tcp::TCP_Analyzer*>(c->GetRootAnalyzer());
-			assert(ta->IsAnalyzer("TCP"));
-			analyzer::tcp::TCP_Endpoint* to = ta->Orig();
-			analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
-
-			tcp_stats.StateLeft(to->state, tr->state);
-			}
-
 		c->Done();
 		c->RemovalEvent();

--- a/src/Sessions.h
+++ b/src/Sessions.h
@ -11,8 +11,6 @@
 #include "zeek/NetVar.h"
 #include "zeek/analyzer/protocol/tcp/Stats.h"

-class ConnCompressor;
-
 namespace zeek {

 class EncapsulationStack;
@ -20,8 +18,6 @@ class Packet;
 class Connection;
 struct ConnID;

-namespace analyzer::stepping_stone { class SteppingStoneManager; }
-
 struct SessionStats {
 	size_t num_TCP_conns;
 	size_t max_TCP_conns;
@ -76,8 +72,6 @@ public:
 		return packet_filter;
 		}

-	analyzer::stepping_stone::SteppingStoneManager* GetSTPManager()	{ return stp_manager; }
-
 	unsigned int CurrentConnections()
 		{
 		return tcp_conns.size() + udp_conns.size() + icmp_conns.size();
@ -123,6 +117,8 @@ public:
 	unsigned int ConnectionMemoryUsage();
 	unsigned int ConnectionMemoryUsageConnVals();
 	unsigned int MemoryAllocation();
+
+	// TODO: should this move somewhere else?
 	analyzer::tcp::TCPStateStats tcp_stats;	// keeps statistics on TCP states

 protected:
@ -171,7 +167,6 @@ protected:

 	SessionStats stats;

-	analyzer::stepping_stone::SteppingStoneManager* stp_manager;
 	detail::PacketFilter* packet_filter;
 };

--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@ -16,6 +16,8 @@

 namespace zeek::analyzer::stepping_stone {

+SteppingStoneManager* SteppingStoneManager::instance = nullptr;
+
 SteppingStoneEndpoint::SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m)
 	{
 	endp = e;
@ -156,7 +158,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig)
 SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)
 	: analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c)
 	{
-	stp_manager = sessions->GetSTPManager();
+	stp_manager = SteppingStoneManager::Get();

 	orig_endp = resp_endp = nullptr;
 	orig_stream_pos = resp_stream_pos = 1;
@ -215,4 +217,12 @@ void SteppingStone_Analyzer::Done()
 	Unref(resp_endp);
 	}

+SteppingStoneManager* SteppingStoneManager::Get()
+	{
+	if ( ! instance && stp_correlate_pair )
+		instance = new SteppingStoneManager();
+
+	return instance;
+	}
+
 } // namespace zeek::analyzer::stepping_stone
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.h
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h
@ -80,9 +80,13 @@ public:
 	// Use postfix ++, since the first ID needs to be even.
 	int NextID()	{ return endp_cnt++; }

+	static SteppingStoneManager* Get();
+
 protected:
 	EndpointQueue ordered_endps;
 	int endp_cnt = 0;
+
+	static SteppingStoneManager* instance;
 };

 } // namespace analyzer::stepping_stone
--- a/src/analyzer/protocol/tcp/Stats.h
+++ b/src/analyzer/protocol/tcp/Stats.h
@ -9,7 +9,7 @@ namespace zeek::analyzer::tcp {
 class TCPStateStats {
 public:
 	TCPStateStats();
-	~TCPStateStats() { }
+	~TCPStateStats() = default;

 	void ChangeState(EndpointState o_prev, EndpointState o_now,
 				EndpointState r_prev, EndpointState r_now);