suppress: support ip-lists

Ticket: 1137

Support supplying a list of IPs to the suppress keyword. Variables from
the address-groups and negation are supported. The same logic (and code) is
used that is also used for parsing the IP portions of regular detection
rules.
Victor Julien 10 years ago
parent 26fc5682ad
commit e85a44c383

@ -465,13 +465,13 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
}
case TYPE_SUPPRESS:
{
int res = 0;
DetectAddress *m = NULL;
switch (td->track) {
case TRACK_DST:
res = DetectAddressMatch(td->addr, &p->dst);
m = DetectAddressLookupInHead(&td->addrs, &p->dst);
break;
case TRACK_SRC:
res = DetectAddressMatch(td->addr, &p->src);
m = DetectAddressLookupInHead(&td->addrs, &p->src);
break;
case TRACK_RULE:
default:
@ -479,7 +479,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
"track mode %d is not supported", td->track);
break;
}
if (res == 0)
if (m == NULL)
ret = 1;
else
ret = 2; /* suppressed but still need actions */

@ -286,7 +286,7 @@ static void DetectThresholdFree(void *de_ptr)
{
DetectThresholdData *de = (DetectThresholdData *)de_ptr;
if (de) {
DetectAddressFree(de->addr);
DetectAddressHeadCleanup(&de->addrs);
SCFree(de);
}
}

@ -60,7 +60,7 @@ typedef struct DetectThresholdData_ {
uint8_t new_action; /**< new_action alert|drop|pass|log|sdrop|reject */
uint32_t timeout; /**< timeout */
uint32_t flags; /**< flags used to set option */
DetectAddress* addr; /**< address group used by suppress keyword */
DetectAddressHead addrs;
} DetectThresholdData;
typedef struct DetectThresholdEntry_ {
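Review bot: The new `addrs` member is the only field in DetectThresholdData_ without a Doxygen `/**< ... */` comment, while every neighbouring field has one, and the replaced `addr` line did too. Suggest `DetectAddressHead addrs; /**< address set the suppress keyword matches against for track by_src/by_dst */`. The opening of the struct is outside the hunk.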

@ -73,7 +73,7 @@ typedef enum ThresholdRuleType {
* suppress gen_id 1, sig_id 2000328
* suppress gen_id 1, sig_id 2000328, track by_src, ip fe80::/10
*/
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\da-fA-F.:/]+)*\\s*$"
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"
/* Default path for the threshold.config file */
#if defined OS_WIN32 || defined __CYGWIN__
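Review bot: The character class in the new DETECT_SUPPRESS_REGEX admits `[`, `]`, `,`, `$`, alphanumerics, `.`, `:`, `/` and `_` but not `!`, so a literal negation written in threshold.config (`ip !10.0.0.0/8` or `ip ![...]`) is rejected by the regex before DetectAddressParse ever sees it, and negation only works when it is part of a variable's definition; if literal negation is intended, as the commit message suggests, add `!` to the class: `"^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\]!,\\$\\da-zA-Z.:/_]+)*\\s*$"`. Since the line is being rewritten anyway, the `+)*` quantifier makes the whole address part optional and captures only the last repetition; `+)` alone looks like the intended shape, though that is pre-existing. The example block above the define would also benefit from one line showing the new syntax, e.g. `* suppress gen_id 1, sig_id 2000328, track by_src, ip [10.0.0.1,$HOME_NET]`.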
@ -296,16 +296,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
de->addr = NULL;
if (parsed_track != TRACK_RULE) {
de->addr = DetectAddressInit();
if (de->addr == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
goto error;
}
if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
}
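Review bot: Removing `de->addr = NULL;` drops the only explicit initialization of the address state, and nothing in the new code zeroes `de->addrs` before it is used: for `track by_rule` the `if (parsed_track != TRACK_RULE)` branch skips DetectAddressParse entirely, and in SetupThresholdRule (hunks at -485, -549, -640) the head is never touched, yet DetectThresholdFree and the `error:` paths (hunks at -427, -675) call `DetectAddressHeadCleanup(&de->addrs)` unconditionally, and `goto error` can also be reached before the parse runs. Whether that is safe depends on how `de` is allocated, which is outside the hunk; if it comes from SCMalloc rather than SCCalloc, the cleanup (and DetectAddressParse's inserts) walk uninitialized list pointers. Replacing the removed line with `memset(&de->addrs, 0, sizeof(de->addrs));` at each site, or switching the allocation to SCCalloc, removes that dependency. The same applies to the hunks at -347 and -400. The `(const DetectEngineCtx *)de_ctx` cast is redundant, since a `DetectEngineCtx *` converts to the const-qualified pointer implicitly; the enclosing function starts and ends outside the hunk.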
@ -347,16 +341,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
de->addr = NULL;
if (parsed_track != TRACK_RULE) {
de->addr = DetectAddressInit();
if (de->addr == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
goto error;
}
if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
}
@ -400,13 +388,8 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
de->addr = DetectAddressInit();
if (de->addr == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
goto error;
}
if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
goto error;
}
@ -427,8 +410,7 @@ end:
return 0;
error:
if (de != NULL) {
if (de->addr != NULL)
DetectAddressFree(de->addr);
DetectAddressHeadCleanup(&de->addrs);
SCFree(de);
}
return -1;
@ -485,7 +467,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
de->addr = NULL;
sm = SigMatchAlloc();
if (sm == NULL) {
@ -549,7 +530,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
de->addr = NULL;
sm = SigMatchAlloc();
if (sm == NULL) {
@ -640,7 +620,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
de->seconds = parsed_seconds;
de->new_action = parsed_new_action;
de->timeout = parsed_timeout;
de->addr = NULL;
sm = SigMatchAlloc();
if (sm == NULL) {
@ -675,8 +654,7 @@ end:
return 0;
error:
if (de != NULL) {
if (de->addr != NULL)
DetectAddressFree(de->addr);
DetectAddressHeadCleanup(&de->addrs);
SCFree(de);
}
return -1;
