detect grouping: port based group whitelisting

Whitelist some ports in grouping to make sure they get their own group.

src/detect-engine-siggroup.c

@@ -629,6 +629,9 @@ int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHea
     for (idx = 0; idx < src->init->sig_size; idx++)
         (*dst)->init->sig_array[idx] = (*dst)->init->sig_array[idx] | src->init->sig_array[idx];
 
+    if (src->init->whitelist)
+        (*dst)->init->whitelist = 1;
+
     if (src->mpm_content_minlen != 0) {
         if ((*dst)->mpm_content_minlen == 0)
             (*dst)->mpm_content_minlen = src->mpm_content_minlen;

src/detect.c

@@ -2980,6 +2980,24 @@ int RulesGroupByProto(DetectEngineCtx *de_ctx)
     return 0;
 }
 
+int tcp_whitelisted[] = { 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080, -1 };
+int udp_whitelisted[] = { 53, 135, 5060, -1 };
+
+static int PortIsWhitelisted(const DetectPort *a, int ipproto)
+{
+    int *w = tcp_whitelisted;
+    if (ipproto == IPPROTO_UDP)
+        w = udp_whitelisted;
+    while (*w++ != -1) {
+        if (a->port >= *w && a->port2 <= *w) {
+            SCLogDebug("port group %u:%u whitelisted -> %d", a->port, a->port2, *w);
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
 int CreateGroupedPortList(DetectEngineCtx *de_ctx, DetectPort *port_list, DetectPort **newhead, uint32_t unique_groups, int (*CompareFunc)(DetectPort *, DetectPort *), uint32_t max_idx);
 int CreateGroupedPortListCmpCnt(DetectPort *a, DetectPort *b);
 
@@ -3026,6 +3044,13 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint3
             DetectPort *tmp = DetectPortCopySingle(de_ctx, p);
             BUG_ON(tmp == NULL);
             SigGroupHeadAppendSig(de_ctx, &tmp->sh, s);
+            tmp->sh->init->whitelist = PortIsWhitelisted(tmp, ipproto);
+            if (tmp->sh->init->whitelist) {
+                SCLogDebug("%s/%s Rule %u whitelisted port group %u:%u",
+                        direction == SIG_FLAG_TOSERVER ? "toserver" : "toclient",
+                        ipproto == 6 ? "TCP" : "UDP",
+                        s->id, p->port, p->port2);
+            }
 
             int r = DetectPortInsert(de_ctx, &list , tmp);
             BUG_ON(r == -1);
@@ -3082,7 +3107,10 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint3
     }
 #if 0
     for (iter = list ; iter != NULL; iter = iter->next) {
-        SCLogInfo("PORT %u-%u %p (sgh=%s)", iter->port, iter->port2, iter->sh, iter->flags & PORT_SIGGROUPHEAD_COPY ? "ref" : "own");
+        SCLogInfo("PORT %u-%u %p (sgh=%s, whitelisted=%s)",
+                iter->port, iter->port2, iter->sh,
+                iter->flags & PORT_SIGGROUPHEAD_COPY ? "ref" : "own",
+                iter->sh->init->whitelist ? "true" : "false");
     }
 #endif
     SCLogInfo("%s %s: %u port groups, %u unique SGH's, %u copies",
@@ -3218,8 +3246,17 @@ error:
     return -1;
 }
 
+static int PortGroupIsWhitelisted(const DetectPort *a)
+{
+    return a->sh->init->whitelist;
+}
+
 int CreateGroupedPortListCmpCnt(DetectPort *a, DetectPort *b)
 {
+    if (PortGroupIsWhitelisted(a) && !PortGroupIsWhitelisted(b))
+        return 1;
+    if (!PortGroupIsWhitelisted(a) && PortGroupIsWhitelisted(b))
+        return 0;
     if (a->sh->sig_cnt > b->sh->sig_cnt) {
         SCLogDebug("pg %u:%u %u > %u:%u %u",
                 a->port, a->port2, a->sh->sig_cnt,

src/detect.h

@@ -987,6 +987,7 @@ typedef struct SigGroupHeadInitData_ {
 
     uint8_t protos[256];    /**< proto(s) this sgh is for */
     uint32_t direction;     /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
+    int whitelist;          /**< try to make this group a unique one */
 
     /* port ptr */
     struct DetectPort_ *port;