detect/parse: allow signature parsing to fail silently

A sigmatches 'Setup' function may indicate it intends to fail silently after the first error. It will return -2 instead of -1 in this case. This is tracked in the DetectEngineCtx object, so errors will be shown again at rule reloads.
6 years ago · 4d44ca7739
parent aa5a6ab5f1
commit 4d44ca7739
4 changed files with 47 additions and 11 deletions
--- a/src/detect-engine-loader.c
+++ b/src/detect-engine-loader.c
@ -180,20 +180,22 @@ static int DetectLoadSigFile(DetectEngineCtx *de_ctx, char *sig_file,
            SCLogDebug("signature %"PRIu32" loaded", sig->id);
            good++;
        } else {
-            SCLogError(SC_ERR_INVALID_SIGNATURE, "error parsing signature \"%s\" from "
-                 "file %s at line %"PRId32"", line, sig_file, lineno - multiline);
+            if (!de_ctx->sigerror_silent) {
+                SCLogError(SC_ERR_INVALID_SIGNATURE, "error parsing signature \"%s\" from "
+                        "file %s at line %"PRId32"", line, sig_file, lineno - multiline);

+                if (!SigStringAppend(&de_ctx->sig_stat, sig_file, line, de_ctx->sigerror, (lineno - multiline))) {
+                    SCLogError(SC_ERR_MEM_ALLOC, "Error adding sig \"%s\" from "
+                            "file %s at line %"PRId32"", line, sig_file, lineno - multiline);
+                }
+                if (de_ctx->sigerror) {
+                    de_ctx->sigerror = NULL;
+                }
+            }
            if (rule_engine_analysis_set) {
                EngineAnalysisRulesFailure(line, sig_file, lineno - multiline);
            }
            bad++;
-            if (!SigStringAppend(&de_ctx->sig_stat, sig_file, line, de_ctx->sigerror, (lineno - multiline))) {
-                SCLogError(SC_ERR_MEM_ALLOC, "Error adding sig \"%s\" from "
-                     "file %s at line %"PRId32"", line, sig_file, lineno - multiline);
-            }
-            if (de_ctx->sigerror) {
-                de_ctx->sigerror = NULL;
-            }
        }
        multiline = 0;
    }
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -258,6 +258,14 @@ void SigMatchFree(SigMatch *sm)
    SCFree(sm);
 }

+static enum DetectKeywordId SigTableGetIndex(const SigTableElmt *e)
+{
+    const SigTableElmt *table = &sigmatch_table[0];
+    ptrdiff_t offset = e - table;
+    BUG_ON(offset >= DETECT_TBLSIZE);
+    return (enum DetectKeywordId)offset;
+}
+
 /* Get the detection module by name */
 static SigTableElmt *SigTableGet(char *name)
 {
@ -278,6 +286,12 @@ static SigTableElmt *SigTableGet(char *name)
    return NULL;
 }

+bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx,
+        const enum DetectKeywordId id)
+{
+    return de_ctx->sm_types_silent_error[id];
+}
+
 bool SigMatchStrictEnabled(const enum DetectKeywordId id)
 {
    if (id < DETECT_TBLSIZE) {
@ -792,7 +806,17 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
    }
    if (setup_ret < 0) {
        SCLogDebug("\"%s\" failed to setup", st->name);
-        goto error;
+
+        /* handle 'silent' error case */
+        if (setup_ret == -2) {
+            enum DetectKeywordId idx = SigTableGetIndex(st);
+            if (de_ctx->sm_types_silent_error[idx] == false) {
+                de_ctx->sm_types_silent_error[idx] = true;
+                return -1;
+            }
+            return -2;
+        }
+        return setup_ret;
    }
    s->init_data->negated = false;

@ -1839,8 +1863,13 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, const char *sigstr,
    /* default gid to 1 */
    sig->gid = 1;

-    if (SigParse(de_ctx, sig, sigstr, dir, &parser) < 0)
+    int ret = SigParse(de_ctx, sig, sigstr, dir, &parser);
+    if (ret == -2) {
+        de_ctx->sigerror_silent = true;
+        goto error;
+    } else if (ret < 0) {
        goto error;
+    }

    /* signature priority hasn't been overwritten.  Using default priority */
    if (sig->prio == -1)
@ -1982,6 +2011,7 @@ Signature *SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
    SCEnter();

    uint32_t oldsignum = de_ctx->signum;
+    de_ctx->sigerror_silent = false;

    Signature *sig;

--- a/src/detect-parse.h
+++ b/src/detect-parse.h
@ -59,6 +59,8 @@ int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx,
        Signature *s, const char *arg, int sm_type, int sm_list,
        AppProto alproto);

+bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx,
+        const enum DetectKeywordId id);
 bool SigMatchStrictEnabled(const enum DetectKeywordId id);

 const char *DetectListToHumanString(int list);
--- a/src/detect.h
+++ b/src/detect.h
@ -864,6 +864,7 @@ typedef struct DetectEngineCtx_ {
    /** Store rule file and line so that parsers can use them in errors. */
    char *rule_file;
    int rule_line;
+    bool sigerror_silent;
    const char *sigerror;

    /** list of keywords that need thread local ctxs */
@ -943,6 +944,7 @@ typedef struct DetectEngineCtx_ {
     *  set for it. If true, the setup function will have to
     *  run. */
    bool sm_types_prefilter[DETECT_TBLSIZE];
+    bool sm_types_silent_error[DETECT_TBLSIZE];

 } DetectEngineCtx;