diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
index 900e6b0a00..6c6d1371a8 100644
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2012 Open Information Security Foundation
+/* Copyright (C) 2007-2015 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -209,6 +209,41 @@ static DetectThresholdEntry *ThresholdHostLookupEntry(Host *h, uint32_t sid, uin
     return e;
 }
 
+int ThresholdHandlePacketSuppress(Packet *p, DetectThresholdData *td, uint32_t sid, uint32_t gid)
+{
+    int ret = 0;
+    DetectAddress *m = NULL;
+    switch (td->track) {
+        case TRACK_DST:
+            m = DetectAddressLookupInHead(&td->addrs, &p->dst);
+            SCLogInfo("TRACK_DST");
+            break;
+        case TRACK_SRC:
+            m = DetectAddressLookupInHead(&td->addrs, &p->src);
+            SCLogInfo("TRACK_SRC");
+            break;
+        /* suppress if either src or dst is a match on the suppress
+         * address list */
+        case TRACK_EITHER:
+            m = DetectAddressLookupInHead(&td->addrs, &p->src);
+            if (m == NULL) {
+                m = DetectAddressLookupInHead(&td->addrs, &p->dst);
+            }
+            break;
+        case TRACK_RULE:
+        default:
+            SCLogError(SC_ERR_INVALID_VALUE,
+                    "track mode %d is not supported", td->track);
+            break;
+    }
+    if (m == NULL)
+        ret = 1;
+    else
+        ret = 2; /* suppressed but still need actions */
+
+    return ret;
+}
+
 /**
  * \retval 2 silent match (no alert but apply actions)
  * \retval 1 normal match
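Review bot: `SCLogInfo("TRACK_DST")` and `SCLogInfo("TRACK_SRC")` in the new ThresholdHandlePacketSuppress execute for every packet that reaches a by_src/by_dst suppress entry, which will flood the log at info level on a busy sensor; they read as leftover tracing and should be removed or downgraded to `SCLogDebug`. The `sid` and `gid` parameters are accepted but never read anywhere in the body. The function also lacks the Doxygen block that the sibling immediately below it carries; a header stating `\retval 2 suppressed (no alert but apply actions)` and `\retval 1 no suppress address matched, alert normally` would make the 1/2 contract explicit at the definition rather than only in the trailing comment.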
@@ -463,28 +498,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
                 }
                 break;
             }
-        case TYPE_SUPPRESS:
-        {
-            DetectAddress *m = NULL;
-            switch (td->track) {
-                case TRACK_DST:
-                    m = DetectAddressLookupInHead(&td->addrs, &p->dst);
-                    break;
-                case TRACK_SRC:
-                    m = DetectAddressLookupInHead(&td->addrs, &p->src);
-                    break;
-                case TRACK_RULE:
-                default:
-                    SCLogError(SC_ERR_INVALID_VALUE,
-                            "track mode %d is not supported", td->track);
-                    break;
-            }
-            if (m == NULL)
-                ret = 1;
-            else
-                ret = 2; /* suppressed but still need actions */
-            break;
-        }
+        /* case TYPE_SUPPRESS: is not handled here */
         default:
             SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
     }
@@ -600,7 +614,9 @@ int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
         SCReturnInt(0);
     }
 
-    if (td->track == TRACK_SRC) {
+    if (td->type == TYPE_SUPPRESS) {
+        ret = ThresholdHandlePacketSuppress(p,td,s->id,s->gid);
+    } else if (td->track == TRACK_SRC) {
         Host *src = HostGetHostFromHash(&p->src);
         if (src) {
             ret = ThresholdHandlePacketHost(src,p,td,s->id,s->gid);
diff --git a/src/detect-threshold.h b/src/detect-threshold.h
index fd8c93117f..50e1d27048 100644
--- a/src/detect-threshold.h
+++ b/src/detect-threshold.h
@@ -38,6 +38,7 @@
 #define TRACK_DST 1
 #define TRACK_SRC 2
 #define TRACK_RULE 3
+#define TRACK_EITHER 4 /**< either src or dst: only used by suppress */
 
 /* Get the new action to take */
 #define TH_ACTION_ALERT 0x01
diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c
index 5ee84c55a3..9f107a1e0f 100644
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
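Review bot: In PacketAlertThreshold every TYPE_SUPPRESS entry is now sent to ThresholdHandlePacketSuppress regardless of td->track, so a suppress entry that is stored with TRACK_RULE (presumably the `suppress gen_id 1, sig_id 2000328` form without a track clause, shown in the util-threshold-config.c header comment) would take the callee's error branch, emit an SCLogError for every packet and still return 1; before this change such an entry never entered the host-tracked branch that this condition replaces. If TRACK_RULE suppress entries are handled before this point, a one-line comment saying so would settle it; otherwise narrow the condition, e.g. `if (td->type == TYPE_SUPPRESS && td->track != TRACK_RULE) {`. PacketAlertThreshold starts and continues outside the hunk.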
@@ -73,7 +73,7 @@ typedef enum ThresholdRuleType {
  * suppress gen_id 1, sig_id 2000328
  * suppress gen_id 1, sig_id 2000328, track by_src, ip fe80::/10
  */
-#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"
+#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"
 
 /* Default path for the threshold.config file */
 #if defined OS_WIN32 || defined __CYGWIN__
@@ -935,6 +935,9 @@ static int ParseThresholdRule(DetectEngineCtx *de_ctx, char *rawstr,
         parsed_track = TRACK_DST;
     else if (strcasecmp(th_track,"by_src") == 0)
         parsed_track = TRACK_SRC;
+    else if (strcasecmp(th_track,"by_either") == 0) {
+        parsed_track = TRACK_EITHER;
+    }
     else {
         SCLogError(SC_ERR_INVALID_VALUE, "Invalid track parameter %s in %s", th_track, rule_extend);
         goto error;
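Review bot: The example block directly above DETECT_SUPPRESS_REGEX still lists only the by_src form, so the new by_either alternative is undocumented at the one place where the suppress syntax is spelled out. Add a third example line next to the existing two, ` * suppress gen_id 1, sig_id 2000328, track by_either, ip fe80::/10`, and a short sentence noting that by_either matches when either the source or the destination address is in the list. The opening lines of that comment are outside the hunk.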
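Review bot: The new `by_either` arm in ParseThresholdRule sits in the track parsing shared by every rule type, and nothing in this hunk ties TRACK_EITHER to suppress entries; the regex change in the earlier hunk presumably keeps `by_either` out of threshold and rate_filter lines, but the header comment on TRACK_EITHER says it is valid only for suppress, so an explicit check once the rule type is known, such as `if (parsed_track == TRACK_EITHER && <parsed-type-variable> != TYPE_SUPPRESS) goto error;`, would enforce that independently of the regexes. Separately, the new arm is braced while the neighbouring `by_dst` and `by_src` arms are not; match the surrounding style. ParseThresholdRule starts and continues outside the hunk.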