Set DROP flag on a packet in addition to the REJECT flags. This makes sure we not only send a reject, but also drop the offending packet. Closes #248.

remotes/origin/master-1.1.x
Victor Julien 15 years ago
parent fb5fb3ab3f
commit 477bc1d050

@ -23,6 +23,7 @@
#ifndef __ACTION_GLOBALS_H__ #ifndef __ACTION_GLOBALS_H__
#define __ACTION_GLOBALS_H__ #define __ACTION_GLOBALS_H__
/* Changing them as flags, so later we can have alerts /* Changing them as flags, so later we can have alerts
* and drop simultaneously */ * and drop simultaneously */
#define ACTION_ALERT 0x01 #define ACTION_ALERT 0x01
@ -31,4 +32,5 @@
#define ACTION_REJECT_DST 0x08 #define ACTION_REJECT_DST 0x08
#define ACTION_REJECT_BOTH 0x10 #define ACTION_REJECT_BOTH 0x10
#define ACTION_PASS 0x20 #define ACTION_PASS 0x20
#endif /* __ACTION_GLOBALS_H__ */ #endif /* __ACTION_GLOBALS_H__ */

@ -234,8 +234,7 @@ static int EventToImpact(PacketAlert *pa, Packet *p, idmef_alert_t *alert)
idmef_impact_set_severity(impact, severity); idmef_impact_set_severity(impact, severity);
if (p->action & ACTION_REJECT || p->action & ACTION_REJECT_BOTH || if (p->action & ACTION_DROP) {
p->action & ACTION_REJECT_DST || p->action & ACTION_DROP) {
idmef_action_t *action; idmef_action_t *action;
ret = idmef_action_new(&action); ret = idmef_action_new(&action);
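Review bot: Collapsing the four-way test to `if (p->action & ACTION_DROP)` is only equivalent if every place that sets a reject flag also sets ACTION_DROP; the new REJECT_PACKET* macros in decode.h do, but any remaining direct `p->action |= ACTION_REJECT...` update elsewhere in the tree would no longer be reported as a drop here. A comment at the condition would keep that coupling visible to the next editor, e.g. `/* REJECT_PACKET* always set ACTION_DROP as well (decode.h), so testing DROP covers rejects */`. The same simplification appears in IPFWSetVerdict and NFQSetVerdict further down in this commit and rests on the same assumption. EventToImpact starts before this hunk and continues past it.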

@ -608,11 +608,47 @@ typedef struct DecodeThreadVars_
/* macro's for setting the action /* macro's for setting the action
* handle the case of a root packet * handle the case of a root packet
* for tunnels */ * for tunnels */
#define ACCEPT_PACKET(p) ((p)->root ? ((p)->root->action = ACTION_ACCEPT) : ((p)->action = ACTION_ACCEPT)) #define ALERT_PACKET(p) do { \
#define DROP_PACKET(p) ((p)->root ? ((p)->root->action = ACTION_DROP) : ((p)->action = ACTION_DROP)) ((p)->root ? \
#define REJECT_PACKET(p) ((p)->root ? ((p)->root->action = ACTION_REJECT) : ((p)->action = ACTION_REJECT)) ((p)->root->action = ACTION_ALERT) : \
#define REJECT_PACKET_DST(p) ((p)->root ? ((p)->root->action = ACTION_REJECT_DST) : ((p)->action = ACTION_REJECT_DST)) ((p)->action = ACTION_ALERT)); \
#define REJECT_PACKET_BOTH(p) ((p)->root ? ((p)->root->action = ACTION_REJECT_BOTH) : ((p)->action = ACTION_REJECT_BOTH)) } while (0)
#define ACCEPT_PACKET(p) do { \
((p)->root ? \
((p)->root->action = ACTION_ACCEPT) : \
((p)->action = ACTION_ACCEPT)); \
} while (0)
#define DROP_PACKET(p) do { \
((p)->root ? \
((p)->root->action = ACTION_DROP) : \
((p)->action = ACTION_DROP)); \
} while (0)
#define REJECT_PACKET(p) do { \
((p)->root ? \
((p)->root->action = (ACTION_REJECT|ACTION_DROP)) : \
((p)->action = (ACTION_REJECT|ACTION_DROP))); \
} while (0)
#define REJECT_PACKET_DST(p) do { \
((p)->root ? \
((p)->root->action = (ACTION_REJECT_DST|ACTION_DROP)) : \
((p)->action = (ACTION_REJECT_DST|ACTION_DROP))); \
} while (0)
#define REJECT_PACKET_BOTH(p) do { \
((p)->root ? \
((p)->root->action = (ACTION_REJECT_BOTH|ACTION_DROP)) : \
((p)->action = (ACTION_REJECT_BOTH|ACTION_DROP))); \
} while (0)
#define PASS_PACKET(p) do { \
((p)->root ? \
((p)->root->action = ACTION_PASS) : \
((p)->action = ACTION_PASS)); \
} while (0)
#define TUNNEL_INCR_PKT_RTV(p) do { \ #define TUNNEL_INCR_PKT_RTV(p) do { \
SCMutexLock((p)->root ? &(p)->root->mutex_rtv_cnt : &(p)->mutex_rtv_cnt); \ SCMutexLock((p)->root ? &(p)->root->mutex_rtv_cnt : &(p)->mutex_rtv_cnt); \
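Review bot: The comment above the macro block still reads `macro's for setting the action / handle the case of a root packet / for tunnels`, which no longer states what matters most after this change: the three REJECT_PACKET* setters now also set ACTION_DROP, and all six macros assign the action outright rather than OR-ing into it. Suggest extending it to `/* Set the packet's action (on the root packet for tunnels). Reject variants also set ACTION_DROP so a single ACTION_DROP test covers every verdict path; these assign, they do not add to flags already set. */`. The `do { ... } while (0)` wrapping is a good change for use in `if` bodies, but the extra parentheses around the whole ternary inside each body are now redundant and could be dropped. TUNNEL_INCR_PKT_RTV continues past the end of the hunk.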

@ -449,20 +449,20 @@ int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
/* Take the action to perform */ /* Take the action to perform */
switch (td->new_action) { switch (td->new_action) {
case TH_ACTION_ALERT: case TH_ACTION_ALERT:
p->action |= ACTION_ALERT; ALERT_PACKET(p);
break; break;
case TH_ACTION_DROP: case TH_ACTION_DROP:
p->action |= ACTION_DROP; DROP_PACKET(p);
break; break;
case TH_ACTION_REJECT: case TH_ACTION_REJECT:
p->action |= ACTION_REJECT; REJECT_PACKET(p);
break; break;
case TH_ACTION_PASS: case TH_ACTION_PASS:
p->action |= ACTION_PASS; PASS_PACKET(p);
break; break;
default: default:
/* Weird, leave the default action */ /* Weird, leave the default action */
break; break;
} }
ret = 1; ret = 1;
} }
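Review bot: Replacing `p->action |= ACTION_ALERT` and the other three `|=` updates with ALERT_PACKET/DROP_PACKET/REJECT_PACKET/PASS_PACKET turns accumulation into assignment, because the macros introduced in this commit use `=`: a threshold DROP now clears an ACTION_ALERT bit set earlier for the same packet, and a threshold PASS clears any DROP set by another rule. If override semantics are intended here, a one-line comment at the switch would spare the reader the trip to decode.h, e.g. `/* threshold action replaces p->action (macros assign, they do not OR) */`; if not, keeping `|=` at this call site is the smaller change. The second switch in PacketAlertThreshold (next hunk) has the identical substitution. PacketAlertThreshold starts before this hunk.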
@ -477,20 +477,20 @@ int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
/* Take the action to perform */ /* Take the action to perform */
switch (td->new_action) { switch (td->new_action) {
case TH_ACTION_ALERT: case TH_ACTION_ALERT:
p->action |= ACTION_ALERT; ALERT_PACKET(p);
break; break;
case TH_ACTION_DROP: case TH_ACTION_DROP:
p->action |= ACTION_DROP; DROP_PACKET(p);
break; break;
case TH_ACTION_REJECT: case TH_ACTION_REJECT:
p->action |= ACTION_REJECT; REJECT_PACKET(p);
break; break;
case TH_ACTION_PASS: case TH_ACTION_PASS:
p->action |= ACTION_PASS; PASS_PACKET(p);
break; break;
default: default:
/* Weird, leave the default action */ /* Weird, leave the default action */
break; break;
} }
ret = 1; ret = 1;
} }

@ -469,8 +469,7 @@ TmEcode IPFWSetVerdict(ThreadVars *tv, IPFWThreadVars *ptv, Packet *p) {
IPFWpoll.fd=ipfw_sock; IPFWpoll.fd=ipfw_sock;
IPFWpoll.events= POLLWRNORM; IPFWpoll.events= POLLWRNORM;
if (p->action & ACTION_REJECT || p->action & ACTION_REJECT_BOTH || if (p->action & ACTION_DROP) {
p->action & ACTION_REJECT_DST || p->action & ACTION_DROP) {
verdict = IPFW_DROP; verdict = IPFW_DROP;
} else { } else {
verdict = IPFW_ACCEPT; verdict = IPFW_ACCEPT;

@ -758,14 +758,14 @@ void NFQSetVerdict(Packet *p) {
//printf("%p verdicting on queue %" PRIu32 "\n", t, t->queue_num); //printf("%p verdicting on queue %" PRIu32 "\n", t, t->queue_num);
SCMutexLock(&t->mutex_qh); SCMutexLock(&t->mutex_qh);
if (p->action & ACTION_REJECT || p->action & ACTION_REJECT_BOTH || if (p->action & ACTION_DROP) {
p->action & ACTION_REJECT_DST || p->action & ACTION_DROP) {
verdict = NF_DROP; verdict = NF_DROP;
#ifdef COUNTERS #ifdef COUNTERS
t->dropped++; t->dropped++;
#endif /* COUNTERS */ #endif /* COUNTERS */
} else { } else {
switch (nfq_config.mode) { switch (nfq_config.mode) {
default:
case NFQ_ACCEPT_MODE: case NFQ_ACCEPT_MODE:
verdict = NF_ACCEPT; verdict = NF_ACCEPT;
break; break;
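Review bot: The added `default:` label sits directly above `case NFQ_ACCEPT_MODE:`, so an nfq_config.mode value outside the known set now yields NF_ACCEPT, i.e. the queue fails open on a bad or uninitialised mode. If that is the deliberate choice (plausibly, to guarantee verdict is always assigned), make it explicit with `default: /* unknown mode: fail open, treat as accept */`; otherwise rejecting an unknown mode at configuration load, where it can be reported, would be the safer place. The remaining cases of the switch and the release of t->mutex_qh lie past the hunk end, so whether verdict has an initial value before the switch is not visible here.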
