aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

capture: block IDS + IPS combination

Browse Source 
In general, improve IPS setup error checking.

Ticket: #5588.
pull/10921/head
Victor Julien 2 years ago committed by Victor Julien
parent 58bff9b855
commit 2d625cd78e
6 changed files with 36 additions and 75 deletions
Show Stats Download Patch File Download Diff File

42
src/runmode-af-packet.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2011-2020 Open Information Security Foundation
/* Copyright (C) 2011-2024 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -88,14 +88,14 @@ static int AFPRunModeIsIPS(void)
const char *live_dev = LiveGetDeviceName(ldev);
if (live_dev == NULL) {
SCLogError("Problem with config file");
return 0;
return -1;
}
if_root = ConfFindDeviceConfig(af_packet_node, live_dev);
if (if_root == NULL) {
if (if_default == NULL) {
SCLogError("Problem with config file");
return 0;
return -1;
}
if_root = if_default;
}
@ -115,44 +115,22 @@ static int AFPRunModeIsIPS(void)
}
if (has_ids && has_ips) {
SCLogWarning("AF_PACKET using both IPS and TAP/IDS mode, this will not "
"be allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
for (ldev = 0; ldev < nlive; ldev++) {
const char *live_dev = LiveGetDeviceName(ldev);
if (live_dev == NULL) {
SCLogError("Problem with config file");
return 0;
}
if_root = ConfNodeLookupKeyValue(af_packet_node, "interface", live_dev);
const char *copymodestr = NULL;
if (if_root == NULL) {
if (if_default == NULL) {
SCLogError("Problem with config file");
return 0;
}
if_root = if_default;
}
if (!((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) ==
1) &&
(strcmp(copymodestr, "ips") == 0))) {
SCLogError("AF_PACKET IPS mode used and interface '%s' is in IDS or TAP mode. "
"Sniffing '%s' but expect bad result as stream-inline is activated.",
live_dev, live_dev);
}
}
SCLogError("using both IPS and TAP/IDS mode is not allowed due to undefined behavior. See "
"ticket #5588.");
return -1;
}
return has_ips;
}
static void AFPRunModeEnableIPS(void)
static int AFPRunModeEnableIPS(void)
{
if (AFPRunModeIsIPS()) {
int r = AFPRunModeIsIPS();
if (r == 1) {
SCLogInfo("Setting IPS mode");
EngineModeSetIPS();
}
return r;
}
void RunModeIdsAFPRegister(void)

6
src/runmode-dpdk.c
Unescape Escape View File

@ -1685,12 +1685,14 @@ static int DPDKRunModeIsIPS(void)
return has_ips;
}
static void DPDKRunModeEnableIPS(void)
static int DPDKRunModeEnableIPS(void)
{
if (DPDKRunModeIsIPS()) {
int r = DPDKRunModeIsIPS();
if (r == 1) {
SCLogInfo("Setting IPS mode");
EngineModeSetIPS();
}
return r;
}
const char *RunModeDpdkGetDefaultMode(void)

40
src/runmode-netmap.c
Unescape Escape View File

@ -79,14 +79,14 @@ static int NetmapRunModeIsIPS(void)
const char *live_dev = LiveGetDeviceName(ldev);
if (live_dev == NULL) {
SCLogError("Problem with config file");
return 0;
return -1;
}
if_root = ConfNodeLookupKeyValue(netmap_node, "interface", live_dev);
if (if_root == NULL) {
if (if_default == NULL) {
SCLogError("Problem with config file");
return 0;
return -1;
}
if_root = if_default;
}
@ -106,44 +106,22 @@ static int NetmapRunModeIsIPS(void)
}
if (has_ids && has_ips) {
SCLogWarning("Netmap using both IPS and TAP/IDS mode, this will not be "
"allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
for (ldev = 0; ldev < nlive; ldev++) {
const char *live_dev = LiveGetDeviceName(ldev);
if (live_dev == NULL) {
SCLogError("Problem with config file");
return 0;
}
if_root = ConfNodeLookupKeyValue(netmap_node, "interface", live_dev);
const char *copymodestr = NULL;
if (if_root == NULL) {
if (if_default == NULL) {
SCLogError("Problem with config file");
return 0;
}
if_root = if_default;
}
if (!((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) ==
1) &&
(strcmp(copymodestr, "ips") == 0))) {
SCLogError("Netmap IPS mode used and interface '%s' is in IDS or TAP mode. "
"Sniffing '%s' but expect bad result as stream-inline is activated.",
live_dev, live_dev);
}
}
SCLogError("using both IPS and TAP/IDS mode is not allowed due to undefined behavior. See "
"ticket #5588.");
return -1;
}
return has_ips;
}
static void NetmapRunModeEnableIPS(void)
static int NetmapRunModeEnableIPS(void)
{
if (NetmapRunModeIsIPS()) {
int r = NetmapRunModeIsIPS();
if (r == 1) {
SCLogInfo("Netmap: Setting IPS mode");
EngineModeSetIPS();
}
return r;
}
void RunModeIdsNetmapRegister(void)

13
src/runmodes.c
Unescape Escape View File

@ -98,7 +98,7 @@ typedef struct RunMode_ {
const char *description;
/* runmode function */
int (*RunModeFunc)(void);
void (*RunModeIsIPSEnabled)(void);
int (*RunModeIsIPSEnabled)(void);
} RunMode;
typedef struct RunModes_ {
@ -393,22 +393,23 @@ static const char *RunModeGetConfOrDefault(int capture_mode, const char *capture
return custom_mode;
}
void RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
{
if (runmode == NULL) {
runmode = RunModeGetConfOrDefault(capture_mode, capture_plugin_name);
if (runmode == NULL) // non-standard runmode
return;
return 0;
}
RunMode *mode = RunModeGetCustomMode(capture_mode, runmode);
if (mode == NULL) {
return;
return 0;
}
if (mode->RunModeIsIPSEnabled != NULL) {
mode->RunModeIsIPSEnabled();
return mode->RunModeIsIPSEnabled();
}
return 0;
}
/**
@ -489,7 +490,7 @@ int RunModeNeedsBypassManager(void)
* \param RunModeFunc The function to be run for this runmode.
*/
void RunModeRegisterNewRunMode(enum RunModes runmode, const char *name, const char *description,
int (*RunModeFunc)(void), void (*RunModeIsIPSEnabled)(void))
int (*RunModeFunc)(void), int (*RunModeIsIPSEnabled)(void))
{
if (RunModeGetCustomMode(runmode, name) != NULL) {
FatalError("runmode '%s' has already "

4
src/runmodes.h
Unescape Escape View File

@ -80,11 +80,11 @@ char *RunmodeGetActive(void);
const char *RunModeGetMainMode(void);
void RunModeListRunmodes(void);
void RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name);
int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name);
void RunModeDispatch(int, const char *, const char *capture_plugin_name, const char *capture_plugin_args);
void RunModeRegisterRunModes(void);
void RunModeRegisterNewRunMode(enum RunModes, const char *, const char *, int (*RunModeFunc)(void),
void (*RunModeIsIPSEnabled)(void));
int (*RunModeIsIPSEnabled)(void));
void RunModeInitializeThreadSettings(void);
void RunModeInitializeOutputs(void);
void RunModeShutDown(void);

6
src/suricata.c
Unescape Escape View File

@ -2697,8 +2697,10 @@ int PostConfLoadedSetup(SCInstance *suri)
LiveDeviceFinalize(); // must be after EBPF extension registration
RunModeEngineIsIPS(
suricata.run_mode, suricata.runmode_custom_mode, suricata.capture_plugin_name);
if (RunModeEngineIsIPS(suricata.run_mode, suricata.runmode_custom_mode,
suricata.capture_plugin_name) < 0) {
FatalError("IPS mode setup failed");
}
if (EngineModeIsUnknown()) { // if still uninitialized, set the default
SCLogInfo("Setting engine mode to IDS mode by default");

Write Preview
Loading…
Cancel
Save