suppress: support ip-lists

Ticket: 1137

Support supplying a list of IPs to the suppress keyword. Variables from
the address-groups and negation are supported. The same logic (and code) is
used that is also used in parsing the IP portions of regular detection
rules.
pull/1549/head
Victor Julien 10 years ago
parent 26fc5682ad
commit e85a44c383

@ -465,13 +465,13 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
} }
case TYPE_SUPPRESS: case TYPE_SUPPRESS:
{ {
int res = 0; DetectAddress *m = NULL;
switch (td->track) { switch (td->track) {
case TRACK_DST: case TRACK_DST:
res = DetectAddressMatch(td->addr, &p->dst); m = DetectAddressLookupInHead(&td->addrs, &p->dst);
break; break;
case TRACK_SRC: case TRACK_SRC:
res = DetectAddressMatch(td->addr, &p->src); m = DetectAddressLookupInHead(&td->addrs, &p->src);
break; break;
case TRACK_RULE: case TRACK_RULE:
default: default:
@ -479,7 +479,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
"track mode %d is not supported", td->track); "track mode %d is not supported", td->track);
break; break;
} }
if (res == 0) if (m == NULL)
ret = 1; ret = 1;
else else
ret = 2; /* suppressed but still need actions */ ret = 2; /* suppressed but still need actions */
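Review bot: The `if (m == NULL)` test after the switch is the only use of `m`, and the name no longer tells a reader that a non-NULL lookup result means "packet address is inside the suppress list"; a one-line comment there would keep the branch readable, e.g. `/* NULL: address not in the suppress list (negation, if used, is presumably resolved when the list is parsed), so the rule is not suppressed */`. Because the pointer is never dereferenced in this block it could also be declared `const DetectAddress *m = NULL;`. ThresholdHandlePacketHost starts and ends outside these two hunks.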

@ -286,7 +286,7 @@ static void DetectThresholdFree(void *de_ptr)
{ {
DetectThresholdData *de = (DetectThresholdData *)de_ptr; DetectThresholdData *de = (DetectThresholdData *)de_ptr;
if (de) { if (de) {
DetectAddressFree(de->addr); DetectAddressHeadCleanup(&de->addrs);
SCFree(de); SCFree(de);
} }
} }
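Review bot: DetectAddressHeadCleanup(&de->addrs) on the hunk's changed line now runs for every DetectThresholdData, including threshold (non-suppress) entries whose addrs head is never parsed, yet the three SetupThresholdRule hunks that follow (headed @ -485, @ -549 and @ -640) only drop `de->addr = NULL;` and put no initialization of `de->addrs` in its place. Unless `de` is zero-filled right after allocation (the allocation is outside these hunks), the cleanup walks indeterminate list pointers; the same applies to the `error:` paths of SetupSuppressRule and SetupThresholdRule, which now call the cleanup unconditionally, and to the `track by_rule` branch of SetupSuppressRule that skips DetectAddressParse. If the struct is not already zeroed, replace each removed `de->addr = NULL;` with `memset(&de->addrs, 0, sizeof(de->addrs));`, or state in a comment next to the allocation that it zeroes the struct. DetectThresholdFree is shown in full; the other functions start and end outside their hunks.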

@ -60,7 +60,7 @@ typedef struct DetectThresholdData_ {
uint8_t new_action; /**< new_action alert|drop|pass|log|sdrop|reject */ uint8_t new_action; /**< new_action alert|drop|pass|log|sdrop|reject */
uint32_t timeout; /**< timeout */ uint32_t timeout; /**< timeout */
uint32_t flags; /**< flags used to set option */ uint32_t flags; /**< flags used to set option */
DetectAddress* addr; /**< address group used by suppress keyword */ DetectAddressHead addrs;
} DetectThresholdData; } DetectThresholdData;
typedef struct DetectThresholdEntry_ { typedef struct DetectThresholdEntry_ {

@ -73,7 +73,7 @@ typedef enum ThresholdRuleType {
* suppress gen_id 1, sig_id 2000328 * suppress gen_id 1, sig_id 2000328
* suppress gen_id 1, sig_id 2000328, track by_src, ip fe80::/10 * suppress gen_id 1, sig_id 2000328, track by_src, ip fe80::/10
*/ */
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\da-fA-F.:/]+)*\\s*$" #define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"
/* Default path for the threshold.config file */ /* Default path for the threshold.config file */
#if defined OS_WIN32 || defined __CYGWIN__ #if defined OS_WIN32 || defined __CYGWIN__
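Review bot: The new character class in DETECT_SUPPRESS_REGEX admits `[`, `]`, `,`, `$`, `_`, alphanumerics and the usual address punctuation but not `!`, so a negated entry (leading `!`) is rejected by the regex before DetectAddressParse ever sees it, even though the commit message says negation is supported. Whitespace inside a bracketed list is likewise not admitted, so `[a, b]` with a space after the comma fails to match. If negation is intended to pass through, add it to the class: `#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_!]+)*\\s*$"` (and `\\s` if spaced lists are meant to be accepted). The `([...]+)*` nesting predates this change and is left as is.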
@ -296,16 +296,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
de->seconds = parsed_seconds; de->seconds = parsed_seconds;
de->new_action = parsed_new_action; de->new_action = parsed_new_action;
de->timeout = parsed_timeout; de->timeout = parsed_timeout;
de->addr = NULL;
if (parsed_track != TRACK_RULE) { if (parsed_track != TRACK_RULE) {
de->addr = DetectAddressInit(); if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
if (de->addr == NULL) { SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
goto error;
}
if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
goto error; goto error;
} }
} }
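Review bot: The parse-and-log block introduced here is repeated verbatim in the next two SetupSuppressRule hunks (headed @ -347 and @ -400), so any later change to the error message or to the DetectAddressParse call has to be made three times. A small static helper that performs the parse and the SCLogError would keep it in one place; the sketch below assumes th_ip is a `const char *`, which the `(char *)` cast suggests but the hunk does not show. The `(const DetectEngineCtx *)` cast is also redundant, since a `DetectEngineCtx *` converts to `const DetectEngineCtx *` implicitly. SetupSuppressRule starts and ends outside the hunk.
```c
/* Parse the suppress address list into de->addrs; logs and returns -1 on failure. */
static int SetupSuppressAddrs(DetectEngineCtx *de_ctx, DetectThresholdData *de, const char *th_ip)
{
    if (DetectAddressParse(de_ctx, &de->addrs, (char *)th_ip) != 0) {
        SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
        return -1;
    }
    return 0;
}
/* … unchanged: SetupSuppressRule body up to the track check … */
    if (parsed_track != TRACK_RULE) {
        if (SetupSuppressAddrs(de_ctx, de, th_ip) != 0)
            goto error;
    }
```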
@ -347,16 +341,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
de->seconds = parsed_seconds; de->seconds = parsed_seconds;
de->new_action = parsed_new_action; de->new_action = parsed_new_action;
de->timeout = parsed_timeout; de->timeout = parsed_timeout;
de->addr = NULL;
if (parsed_track != TRACK_RULE) { if (parsed_track != TRACK_RULE) {
de->addr = DetectAddressInit(); if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
if (de->addr == NULL) { SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
goto error;
}
if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
goto error; goto error;
} }
} }
@ -400,13 +388,8 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
de->new_action = parsed_new_action; de->new_action = parsed_new_action;
de->timeout = parsed_timeout; de->timeout = parsed_timeout;
de->addr = DetectAddressInit(); if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
if (de->addr == NULL) { SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
goto error;
}
if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
goto error; goto error;
} }
@ -427,8 +410,7 @@ end:
return 0; return 0;
error: error:
if (de != NULL) { if (de != NULL) {
if (de->addr != NULL) DetectAddressHeadCleanup(&de->addrs);
DetectAddressFree(de->addr);
SCFree(de); SCFree(de);
} }
return -1; return -1;
@ -485,7 +467,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
de->seconds = parsed_seconds; de->seconds = parsed_seconds;
de->new_action = parsed_new_action; de->new_action = parsed_new_action;
de->timeout = parsed_timeout; de->timeout = parsed_timeout;
de->addr = NULL;
sm = SigMatchAlloc(); sm = SigMatchAlloc();
if (sm == NULL) { if (sm == NULL) {
@ -549,7 +530,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
de->seconds = parsed_seconds; de->seconds = parsed_seconds;
de->new_action = parsed_new_action; de->new_action = parsed_new_action;
de->timeout = parsed_timeout; de->timeout = parsed_timeout;
de->addr = NULL;
sm = SigMatchAlloc(); sm = SigMatchAlloc();
if (sm == NULL) { if (sm == NULL) {
@ -640,7 +620,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
de->seconds = parsed_seconds; de->seconds = parsed_seconds;
de->new_action = parsed_new_action; de->new_action = parsed_new_action;
de->timeout = parsed_timeout; de->timeout = parsed_timeout;
de->addr = NULL;
sm = SigMatchAlloc(); sm = SigMatchAlloc();
if (sm == NULL) { if (sm == NULL) {
@ -675,8 +654,7 @@ end:
return 0; return 0;
error: error:
if (de != NULL) { if (de != NULL) {
if (de->addr != NULL) DetectAddressHeadCleanup(&de->addrs);
DetectAddressFree(de->addr);
SCFree(de); SCFree(de);
} }
return -1; return -1;
