detect: set action from utility function

Apply the actions that come directly from Signatures through the new
utility function DetectSignatureApplyActions. Besides applying the
actions, it records the signature whose 'drop' action first caused
the packet to be dropped, so the drop log can name it.
pull/1365/head
Victor Julien 11 years ago
parent c914f7bcdc
commit e9857200b3

@ -277,6 +277,9 @@ typedef struct PacketAlert_ {
typedef struct PacketAlerts_ { typedef struct PacketAlerts_ {
uint16_t cnt; uint16_t cnt;
PacketAlert alerts[PACKET_ALERT_MAX]; PacketAlert alerts[PACKET_ALERT_MAX];
/* single pa used when we're dropping,
* so we can log it out in the drop log. */
PacketAlert drop;
} PacketAlerts; } PacketAlerts;
/** number of decoder events we support per packet. Power of 2 minus 1 /** number of decoder events we support per packet. Power of 2 minus 1
@ -723,6 +726,7 @@ typedef struct DecodeThreadVars_
(p)->payload_len = 0; \ (p)->payload_len = 0; \
(p)->pktlen = 0; \ (p)->pktlen = 0; \
(p)->alerts.cnt = 0; \ (p)->alerts.cnt = 0; \
(p)->alerts.drop.action = 0; \
(p)->pcap_cnt = 0; \ (p)->pcap_cnt = 0; \
(p)->tunnel_rtv_cnt = 0; \ (p)->tunnel_rtv_cnt = 0; \
(p)->tunnel_tpr_cnt = 0; \ (p)->tunnel_tpr_cnt = 0; \
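Review bot: The comment on the new `drop` member does not say how "no drop recorded" is represented, yet the reset line added in the second hunk clears only `drop.action` and leaves `num`, `s` and any other `PacketAlert` fields holding whatever the previous packet left there. A reader of the struct needs to know that `action == 0` is the only validity flag before touching the other members from a drop logger. Suggest `/* single pa used when we're dropping, so we can log it out in the drop log. Valid only while action != 0; packet reset clears action, the other fields are stale until the next drop sig is recorded. */`. The macro that the second hunk modifies starts and ends outside the hunk, so its name is not visible here.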

@ -286,8 +286,8 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
} }
} }
/* set verdict on packet */ /* set actions on packet */
PACKET_UPDATE_ACTION(p, p->alerts.alerts[i].action); DetectSignatureApplyActions(p, p->alerts.alerts[i].s);
if (PACKET_TEST_ACTION(p, ACTION_PASS)) { if (PACKET_TEST_ACTION(p, ACTION_PASS)) {
/* Ok, reset the alert cnt to end in the previous of pass /* Ok, reset the alert cnt to end in the previous of pass
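Review bot: The replaced line now derives the packet verdict from `p->alerts.alerts[i].s->action`, whereas the removed line used `p->alerts.alerts[i].action`; `PacketAlert` carries its own `action` member, so if anything rewrites it after `PacketAlertAppend` (threshold or rate_filter style action changes would be the usual candidate, not visible on this page) that per-alert value no longer reaches the packet. If the two can diverge, keep the per-alert value in play, e.g. `PACKET_UPDATE_ACTION(p, p->alerts.alerts[i].action);` immediately before the `DetectSignatureApplyActions` call, or extend the helper to take the alert's action. If they are guaranteed equal at this point, a one-line comment saying so (`/* alerts[i].action == s->action here */`) would stop the next reader from asking the same question. PacketAlertFinalize's body begins before this hunk.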

@ -1086,7 +1086,7 @@ void IPOnlyMatchPacket(ThreadVars *tv,
PacketAlertAppend(det_ctx, s, p, 0, 0); PacketAlertAppend(det_ctx, s, p, 0, 0);
} else { } else {
/* apply actions for noalert/rule suppressed as well */ /* apply actions for noalert/rule suppressed as well */
PACKET_UPDATE_ACTION(p, s->action); DetectSignatureApplyActions(p, s);
} }
} }
} }

@ -331,7 +331,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
PacketAlertAppend(det_ctx, s, p, tx_id, PacketAlertAppend(det_ctx, s, p, tx_id,
PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX); PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX);
} else { } else {
PACKET_UPDATE_ACTION(p, s->action); DetectSignatureApplyActions(p, s);
} }
alert_cnt = 1; alert_cnt = 1;
@ -373,7 +373,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
PacketAlertAppend(det_ctx, s, p, 0, PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH); PACKET_ALERT_FLAG_STATE_MATCH);
} else { } else {
PACKET_UPDATE_ACTION(p, s->action); DetectSignatureApplyActions(p, s);
} }
alert_cnt = 1; alert_cnt = 1;
@ -387,7 +387,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
PacketAlertAppend(det_ctx, s, p, 0, PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH); PACKET_ALERT_FLAG_STATE_MATCH);
} else { } else {
PACKET_UPDATE_ACTION(p, s->action); DetectSignatureApplyActions(p, s);
} }
} }
@ -442,7 +442,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
PacketAlertAppend(det_ctx, s, p, 0, PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH); PACKET_ALERT_FLAG_STATE_MATCH);
} else { } else {
PACKET_UPDATE_ACTION(p, s->action); DetectSignatureApplyActions(p, s);
} }
alert_cnt = 1; alert_cnt = 1;
} }
@ -736,7 +736,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
PacketAlertAppend(det_ctx, s, p, 0, PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH); PACKET_ALERT_FLAG_STATE_MATCH);
} else { } else {
PACKET_UPDATE_ACTION(p, s->action); DetectSignatureApplyActions(p, s);
} }
} }
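Review bot: Every `else` branch in this section is the path for a rule that matched but is not being appended as an alert, and swapping `PACKET_UPDATE_ACTION(p, s->action)` for `DetectSignatureApplyActions(p, s)` there means a suppressed or noalert drop rule can now become the signature recorded in `p->alerts.drop` and therefore the one named in the drop log, even though no alert record exists for it. That may well be the intent, but the existing comments on these branches only talk about applying actions; suggest extending the first one to `/* apply actions (and record the drop sig for the drop log) for noalert/rule suppressed as well */` so the drop-log side effect is documented at the call site. Each of these hunks sits inside a function whose body continues outside the hunk.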

@ -1688,7 +1688,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
PacketAlertAppend(det_ctx, s, p, 0, alert_flags); PacketAlertAppend(det_ctx, s, p, 0, alert_flags);
} else { } else {
/* apply actions even if not alerting */ /* apply actions even if not alerting */
PACKET_UPDATE_ACTION(p, s->action); DetectSignatureApplyActions(p, s);
} }
alerts++; alerts++;
next: next:
@ -1826,6 +1826,21 @@ end:
SCReturnInt((int)(alerts > 0)); SCReturnInt((int)(alerts > 0));
} }
/** \brief Apply action(s) and Set 'drop' sig info,
* if applicable */
void DetectSignatureApplyActions(Packet *p, const Signature *s)
{
PACKET_UPDATE_ACTION(p, s->action);
if (s->action & ACTION_DROP) {
if (p->alerts.drop.action == 0) {
p->alerts.drop.num = s->num;
p->alerts.drop.action = s->action;
p->alerts.drop.s = (Signature *)s;
}
}
}
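Review bot: `p->alerts.drop.s = (Signature *)s;` casts away the `const` the new prototype just promised, which defeats the point of the qualifier and is undefined behaviour should a caller ever pass a genuinely const-qualified Signature; either make `PacketAlert.s` a `const Signature *` (the struct is outside this hunk) or drop `const` from the parameter rather than cast. Only `num`, `action` and `s` of `p->alerts.drop` are written here while the per-packet reset in decode.h clears only `drop.action`, so any other `PacketAlert` members (the tx_id and flags arguments of `PacketAlertAppend` suggest there are some) keep stale values from an earlier packet; a `memset(&p->alerts.drop, 0, sizeof(p->alerts.drop));` before the three assignments would make the record self-contained for whatever reads it. The brief should also state the contract the code relies on, e.g. `/** \brief Apply the sig's action(s) and, for a drop, record the first dropping sig in p->alerts.drop for the drop log. Relies on alerts.drop.action being reset to 0 per packet. */`.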
/* tm module api functions */ /* tm module api functions */
/** \brief Detection engine thread wrapper. /** \brief Detection engine thread wrapper.

@ -1207,6 +1207,7 @@ void *DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *, int);
int SigMatchSignaturesRunPostMatch(ThreadVars *tv, int SigMatchSignaturesRunPostMatch(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p,
Signature *s); Signature *s);
void DetectSignatureApplyActions(Packet *p, const Signature *s);
#endif /* __DETECT_H__ */ #endif /* __DETECT_H__ */
