detect: replace DetectEngineCtx flag with EngineModeIsFirewall

pull/13432/head
Victor Julien 3 months ago committed by Victor Julien
parent b0b3808a55
commit d5ae9156b9

@ -16,6 +16,7 @@
*/ */
#include "suricata-common.h" #include "suricata-common.h"
#include "suricata.h"
#include "detect.h" #include "detect.h"
#include "detect-engine-alert.h" #include "detect-engine-alert.h"
@ -409,13 +410,12 @@ static inline void FlowApplySignatureActions(
static inline void PacketAlertFinalizeProcessQueue( static inline void PacketAlertFinalizeProcessQueue(
const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p) const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
{ {
const bool have_fw_rules = (de_ctx->flags & DE_HAS_FIREWALL) != 0; const bool have_fw_rules = EngineModeIsFirewall();
if (det_ctx->alert_queue_size > 1) { if (det_ctx->alert_queue_size > 1) {
/* sort the alert queue before thresholding and appending to Packet */ /* sort the alert queue before thresholding and appending to Packet */
qsort(det_ctx->alert_queue, det_ctx->alert_queue_size, sizeof(PacketAlert), qsort(det_ctx->alert_queue, det_ctx->alert_queue_size, sizeof(PacketAlert),
(de_ctx->flags & DE_HAS_FIREWALL) ? AlertQueueSortHelperFirewall have_fw_rules ? AlertQueueSortHelperFirewall : AlertQueueSortHelper);
: AlertQueueSortHelper);
} }
bool dropped = false; bool dropped = false;
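Review bot: `have_fw_rules` now reports the process-global engine mode rather than whether this de_ctx actually loaded firewall rules, so the decision no longer depends on the de_ctx argument at all; the same substitution is made in the DetectRulePacketRules, DetectRunTx, DetectFlow and DetectRunAppendDefaultAccept hunks. That is only equivalent if every detect engine in use while the engine runs as a firewall carries firewall rules, which nothing visible in this commit checks (the flag assignments in LoadFirewallRuleFiles are simply removed). A short comment would make the assumption explicit: `const bool have_fw_rules = EngineModeIsFirewall(); /* global mode, not per-de_ctx: fw rules are assumed loaded whenever the engine runs as a firewall */`. PacketAlertFinalizeProcessQueue continues past the end of the hunk.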

@ -2266,7 +2266,7 @@ int SigGroupBuild(DetectEngineCtx *de_ctx)
VarNameStoreActivate(); VarNameStoreActivate();
} }
if (de_ctx->flags & DE_HAS_FIREWALL) { if (EngineModeIsFirewall()) {
FirewallAnalyzer(de_ctx); FirewallAnalyzer(de_ctx);
} }
return 0; return 0;

@ -300,7 +300,6 @@ static int LoadFirewallRuleFiles(DetectEngineCtx *de_ctx)
int32_t skipped_sigs = 0; int32_t skipped_sigs = 0;
SCLogNotice("fw: rule file full path \"%s\"", de_ctx->firewall_rule_file_exclusive); SCLogNotice("fw: rule file full path \"%s\"", de_ctx->firewall_rule_file_exclusive);
de_ctx->flags |= DE_HAS_FIREWALL;
int ret = DetectLoadSigFile(de_ctx, de_ctx->firewall_rule_file_exclusive, &good_sigs, int ret = DetectLoadSigFile(de_ctx, de_ctx->firewall_rule_file_exclusive, &good_sigs,
&bad_sigs, &skipped_sigs, true); &bad_sigs, &skipped_sigs, true);
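Review bot: With `de_ctx->flags |= DE_HAS_FIREWALL` removed both here and at the end of the function (next hunk), nothing in LoadFirewallRuleFiles ties loading `firewall_rule_file_exclusive` to the engine mode that every consumer now queries, and the call that switches the engine into firewall mode is not visible on this page. If the exclusive file can be loaded while the engine is not in firewall mode, the rules load but the firewall sort order, default-accept and fail-closed paths are all skipped without any diagnostic. A guard before the load would document the precondition, e.g. `DEBUG_VALIDATE_BUG_ON(!EngineModeIsFirewall());`, or an SCLogWarning if that combination can legitimately occur. LoadFirewallRuleFiles starts outside the hunk.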
@ -360,8 +359,6 @@ static int LoadFirewallRuleFiles(DetectEngineCtx *de_ctx)
de_ctx->sig_stat.good_sigs_total += good_sigs; de_ctx->sig_stat.good_sigs_total += good_sigs;
} }
} }
de_ctx->flags |= DE_HAS_FIREWALL;
return 0; return 0;
} }

@ -660,7 +660,7 @@ static inline uint8_t DetectRulePacketRules(ThreadVars *const tv,
{ {
uint8_t action = 0; uint8_t action = 0;
bool fw_verdict = false; bool fw_verdict = false;
const bool have_fw_rules = (de_ctx->flags & DE_HAS_FIREWALL) != 0; const bool have_fw_rules = EngineModeIsFirewall();
const Signature *next_s = NULL; const Signature *next_s = NULL;
/* inspect the sigs against the packet */ /* inspect the sigs against the packet */
@ -1043,8 +1043,8 @@ static inline void DetectRunPostRules(ThreadVars *tv, const DetectEngineCtx *de_
/* firewall: "fail" closed if we don't have an ACCEPT. This can happen /* firewall: "fail" closed if we don't have an ACCEPT. This can happen
* if there was no rule group. */ * if there was no rule group. */
// TODO review packet src types here // TODO review packet src types here
if (de_ctx->flags & DE_HAS_FIREWALL && !(p->action & ACTION_ACCEPT) && if (EngineModeIsFirewall() && !(p->action & ACTION_ACCEPT) && p->pkt_src == PKT_SRC_WIRE &&
p->pkt_src == PKT_SRC_WIRE && scratch->default_action == ACTION_DROP) { scratch->default_action == ACTION_DROP) {
SCLogDebug("packet %" PRIu64 ": droppit as no ACCEPT set %02x (pkt %s)", p->pcap_cnt, SCLogDebug("packet %" PRIu64 ": droppit as no ACCEPT set %02x (pkt %s)", p->pcap_cnt,
p->action, PktSrcToString(p->pkt_src)); p->action, PktSrcToString(p->pkt_src));
PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_PACKET_POLICY); PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_PACKET_POLICY);
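Review bot: The fail-closed drop now keys on EngineModeIsFirewall() instead of the de_ctx that produced the verdict, so a detect engine context that has no firewall rules loaded (a tenant or reload context, if such a case exists here — inferred, not visible) is dropped by default in firewall mode rather than passed. That is the safe direction, but the comment above the condition still explains only the missing-rule-group case; extend it with ` * Keyed on the global engine mode, not on de_ctx: any detect engine running while the engine is in firewall mode fails closed.` so the next reader does not reintroduce a per-context check. DetectRunPostRules starts and ends outside the hunk.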
@ -1618,7 +1618,7 @@ static int DetectRunTxCheckFirewallPolicy(DetectEngineThreadCtx *det_ctx, Packet
thread_local Signature default_accept; thread_local Signature default_accept;
static inline void DetectRunAppendDefaultAccept(DetectEngineThreadCtx *det_ctx, Packet *p) static inline void DetectRunAppendDefaultAccept(DetectEngineThreadCtx *det_ctx, Packet *p)
{ {
if (det_ctx->de_ctx->flags & DE_HAS_FIREWALL) { if (EngineModeIsFirewall()) {
memset(&default_accept, 0, sizeof(default_accept)); memset(&default_accept, 0, sizeof(default_accept));
default_accept.action = ACTION_ACCEPT; default_accept.action = ACTION_ACCEPT;
default_accept.action_scope = ACTION_SCOPE_PACKET; default_accept.action_scope = ACTION_SCOPE_PACKET;
@ -1724,7 +1724,7 @@ static void DetectRunTx(ThreadVars *tv,
uint32_t fw_verdicted = 0; uint32_t fw_verdicted = 0;
uint32_t tx_inspected = 0; uint32_t tx_inspected = 0;
const bool have_fw_rules = (de_ctx->flags & DE_HAS_FIREWALL) != 0; const bool have_fw_rules = EngineModeIsFirewall();
SCLogDebug("packet %" PRIu64, p->pcap_cnt); SCLogDebug("packet %" PRIu64, p->pcap_cnt);
@ -2263,7 +2263,7 @@ static void DetectFlow(ThreadVars *tv,
/* in firewall mode, we still need to run the fw rulesets even for exception policy pass */ /* in firewall mode, we still need to run the fw rulesets even for exception policy pass */
bool skip = false; bool skip = false;
if (de_ctx->flags & DE_HAS_FIREWALL) { if (EngineModeIsFirewall()) {
skip = (f->flags & (FLOW_ACTION_ACCEPT)); skip = (f->flags & (FLOW_ACTION_ACCEPT));
} else { } else {

@ -327,8 +327,7 @@ typedef struct DetectPort_ {
#define FILE_SIG_NEED_SIZE 0x80 #define FILE_SIG_NEED_SIZE 0x80
/* Detection Engine flags */ /* Detection Engine flags */
#define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */ #define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
#define DE_HAS_FIREWALL 0x02 /**< firewall rules loaded, default policies active */
typedef struct IPOnlyCIDRItem_ { typedef struct IPOnlyCIDRItem_ {
/* address data for this item */ /* address data for this item */
