From e47598110a557bb9f87ea498d85ba91a45bb0cb6 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 12 Aug 2024 09:54:43 +0200
Subject: [PATCH] detect/datasets: implement unset command
Ticket: 7195
Otherwise, Suricata aborted on such a rule
---
 doc/userguide/rules/datasets.rst | 2 +-
 src/datasets.c | 20 ++++++++++++++++++++
 src/datasets.h | 1 +
 src/detect-dataset.c | 6 ++++++
 4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/doc/userguide/rules/datasets.rst b/doc/userguide/rules/datasets.rst
index 069ee72aeb..bf6ab9b1ed 100644
--- a/doc/userguide/rules/datasets.rst
+++ b/doc/userguide/rules/datasets.rst
@@ -78,7 +78,7 @@ Syntax::
 dataset:,,;
- dataset:, \
+ dataset:, \
 [, type , save , load , state , memcap , hashsize ];
 type
diff --git a/src/datasets.c b/src/datasets.c
index 9d08c3ed02..402c7d34fe 100644
--- a/src/datasets.c
+++ b/src/datasets.c
@@ -1751,3 +1751,23 @@ int DatasetRemoveSerialized(Dataset *set, const char *string)
 return DatasetOpSerialized(set, string, DatasetRemoveString, DatasetRemoveMd5, DatasetRemoveSha256, DatasetRemoveIPv4, DatasetRemoveIPv6);
 }
+
+int DatasetRemove(Dataset *set, const uint8_t *data, const uint32_t data_len)
+{
+ if (set == NULL)
+ return -1;
+
+ switch (set->type) {
+ case DATASET_TYPE_STRING:
+ return DatasetRemoveString(set, data, data_len);
+ case DATASET_TYPE_MD5:
+ return DatasetRemoveMd5(set, data, data_len);
+ case DATASET_TYPE_SHA256:
+ return DatasetRemoveSha256(set, data, data_len);
+ case DATASET_TYPE_IPV4:
+ return DatasetRemoveIPv4(set, data, data_len);
+ case DATASET_TYPE_IPV6:
+ return DatasetRemoveIPv6(set, data, data_len);
+ }
+ return -1;
+}
diff --git a/src/datasets.h b/src/datasets.h
index 78602548ca..86bfed02b2 100644
--- a/src/datasets.h
+++ b/src/datasets.h
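Review bot: DatasetRemove in src/datasets.c is added without a comment stating its return contract, although the new caller in src/detect-dataset.c matches only on `r == 1`. A header such as `/** \retval -1 set is NULL or its type is not handled; otherwise the value returned by the per-type remove helper */` would record what this hunk shows, and the meaning of 0 versus 1 should be filled in from the helpers, which are outside this hunk. For the fixed-width types (MD5, SHA256, IPv4, IPv6) `data_len` presumably comes from the inspected buffer, so confirm that DatasetRemoveMd5 and its siblings reject a mismatched length before reading `data`.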
@@ -56,6 +56,7 @@ Dataset *DatasetFind(const char *name, enum DatasetTypes type);
 Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, uint64_t memcap, uint32_t hashsize);
 int DatasetAdd(Dataset *set, const uint8_t *data, const uint32_t data_len);
+int DatasetRemove(Dataset *set, const uint8_t *data, const uint32_t data_len);
 int DatasetLookup(Dataset *set, const uint8_t *data, const uint32_t data_len);
 DataRepResultType DatasetLookupwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, const DataRepType *rep);
diff --git a/src/detect-dataset.c b/src/detect-dataset.c
index 5e96b9f27d..7dacc630b8 100644
--- a/src/detect-dataset.c
+++ b/src/detect-dataset.c
@@ -96,6 +96,12 @@ int DetectDatasetBufferMatch(DetectEngineThreadCtx *det_ctx,
 return 1;
 break;
 }
+ case DETECT_DATASET_CMD_UNSET: {
+ int r = DatasetRemove(sd->set, data, data_len);
+ if (r == 1)
+ return 1;
+ break;
+ }
 default:
 abort();
 }
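Review bot: The `default: abort();` arm directly below the new `DETECT_DATASET_CMD_UNSET` case is still the fallback, so any command value the rule parser accepts without a matching case here will again terminate the engine at match time, which is the failure the commit message reports for unset. Consider rejecting unhandled commands when the rule is loaded, or returning a non-match from the default arm outside debug builds; the parser is not visible in this hunk, so confirm where that check belongs. In the new case a negative `r` from DatasetRemove is treated the same as a result of 0, and a comment such as `/* only a successful removal (r == 1) is a match; errors and no-ops are a non-match */` would record that this is intended. DetectDatasetBufferMatch starts and ends outside the hunk.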