From e9857200b3704d4c4a0feedca098a8b6898b9b21 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 21 Oct 2014 10:04:57 +0200
Subject: [PATCH] detect: set action from utility function

Set actions that are set directly from Signatures using the new utility function DetectSignatureApplyActions.

This will apply the actions and also store info about the 'drop' that first made the rule drop.
---
 src/decode.h | 4 ++++
 src/detect-engine-alert.c | 4 ++--
 src/detect-engine-iponly.c | 2 +-
 src/detect-engine-state.c | 10 +++++-----
 src/detect.c | 17 ++++++++++++++++-
 src/detect.h | 1 +
 6 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/decode.h b/src/decode.h
index 9a0bfde924..0ea4c15f7a 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -277,6 +277,9 @@ typedef struct PacketAlert_ {
 typedef struct PacketAlerts_ {
 uint16_t cnt;
 PacketAlert alerts[PACKET_ALERT_MAX];
+ /* single pa used when we're dropping,
+ * so we can log it out in the drop log. */
+ PacketAlert drop;
 } PacketAlerts;
 
 /** number of decoder events we support per packet. Power of 2 minus 1
@@ -723,6 +726,7 @@ typedef struct DecodeThreadVars_
 (p)->payload_len = 0; \
 (p)->pktlen = 0; \
 (p)->alerts.cnt = 0; \
+ (p)->alerts.drop.action = 0; \
 (p)->pcap_cnt = 0; \
 (p)->tunnel_rtv_cnt = 0; \
 (p)->tunnel_tpr_cnt = 0; \
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 428ff42195..8f91a4b837 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -286,8 +286,8 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 }
 }
 
- /* set verdict on packet */
- PACKET_UPDATE_ACTION(p, p->alerts.alerts[i].action);
+ /* set actions on packet */
+ DetectSignatureApplyActions(p, p->alerts.alerts[i].s);
 
 if (PACKET_TEST_ACTION(p, ACTION_PASS)) {
 /* Ok, reset the alert cnt to end in the previous of pass
diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c
index d279295d48..d98fa0e50c 100644
--- a/src/detect-engine-iponly.c
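Review bot: The PACKET_RECYCLE hunk in decode.h clears only `alerts.drop.action`, so after a packet is reused `drop.num` and `drop.s` still hold whatever the previous use stored, and they are meaningful only while `drop.action != 0`. That is the invariant the `drop.action == 0` check in DetectSignatureApplyActions relies on, but nothing at the field says so, and a drop-log writer that reads `drop.s` without first testing `drop.action` would log a stale or freed signature. I would extend the comment on the new field to `/* valid only while drop.action != 0; PACKET_RECYCLE resets only .action */`. The PACKET_RECYCLE macro itself starts and ends outside the hunk.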
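Review bot: PacketAlertFinalize now derives the verdict from `p->alerts.alerts[i].s->action` rather than from the stored `p->alerts.alerts[i].action`, which the removed line used. The two are presumably equal as written by PacketAlertAppend, but if anything adjusts the per-alert action between append and finalize, that adjustment is now silently ignored; worth confirming, or noting with `/* the per-alert .action copy is no longer consulted; s->action is authoritative */`. The loop enclosing this call starts and ends outside the hunk.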
+++ b/src/detect-engine-iponly.c
@@ -1086,7 +1086,7 @@ void IPOnlyMatchPacket(ThreadVars *tv,
 PacketAlertAppend(det_ctx, s, p, 0, 0);
 } else {
 /* apply actions for noalert/rule suppressed as well */
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
 }
 }
 }
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 2ca789afa7..5c84bc7abf 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -331,7 +331,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 PacketAlertAppend(det_ctx, s, p, tx_id, PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX);
 } else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
 }
 alert_cnt = 1;
@@ -373,7 +373,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 PacketAlertAppend(det_ctx, s, p, 0, PACKET_ALERT_FLAG_STATE_MATCH);
 } else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
 }
 alert_cnt = 1;
@@ -387,7 +387,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 PacketAlertAppend(det_ctx, s, p, 0, PACKET_ALERT_FLAG_STATE_MATCH);
 } else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
 }
 }
@@ -442,7 +442,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 PacketAlertAppend(det_ctx, s, p, 0, PACKET_ALERT_FLAG_STATE_MATCH);
 } else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
 }
 alert_cnt = 1;
 }
@@ -736,7 +736,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 PacketAlertAppend(det_ctx, s, p, 0, PACKET_ALERT_FLAG_STATE_MATCH);
 } else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
 }
 }
diff --git a/src/detect.c b/src/detect.c
index a3f7d3406f..3bc7d3b46f 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1688,7 +1688,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 PacketAlertAppend(det_ctx, s, p, 0, alert_flags);
 } else {
 /* apply actions even if not alerting */
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
 }
 alerts++;
 next:
@@ -1826,6 +1826,21 @@ end:
 SCReturnInt((int)(alerts > 0));
 }
 
+/** \brief Apply action(s) and Set 'drop' sig info,
+ * if applicable */
+void DetectSignatureApplyActions(Packet *p, const Signature *s)
+{
+ PACKET_UPDATE_ACTION(p, s->action);
+
+ if (s->action & ACTION_DROP) {
+ if (p->alerts.drop.action == 0) {
+ p->alerts.drop.num = s->num;
+ p->alerts.drop.action = s->action;
+ p->alerts.drop.s = (Signature *)s;
+ }
+ }
+}
+
 /* tm module api functions */
 
 /** \brief Detection engine thread wrapper.
diff --git a/src/detect.h b/src/detect.h
index 4a7ce480fc..13481ae7d5 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1207,6 +1207,7 @@ void *DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *, int);
 int SigMatchSignaturesRunPostMatch(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s);
+void DetectSignatureApplyActions(Packet *p, const Signature *s);
 #endif /* __DETECT_H__ */
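Review bot: `p->alerts.drop.s = (Signature *)s;` in the new DetectSignatureApplyActions casts away the `const` the function's own signature (and the detect.h prototype) promises, so the packet ends up holding write access to an object the caller handed over read-only. Every caller in this commit passes a non-const `Signature *`, so the honest fix is either to drop `const` from the parameter or to make the field in PacketAlert a `const Signature *`, not a cast. The first-drop-wins check `if (p->alerts.drop.action == 0)` depends on PACKET_RECYCLE in decode.h zeroing only `drop.action`, which leaves `drop.num` and `drop.s` stale until the first drop on a reused packet; the \brief should state that, e.g. `Records the first dropping signature in p->alerts.drop; drop.num and drop.s are valid only while drop.action != 0. p and s must be non-NULL.`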