suppress: add track by_either mode

So far suppress rules would apply to src or dst addresses of a packet. This meant that if a ip would need to suppressed both as src and as dst, 2 suppress rules would be needed. This patch introduces track by_either, which means that the ip(s) in the suppress rule are tested against both the packets source and dest ip's. If either of them is on the suppress list, the alert is suppressed.
10 years ago · ebb42f831c
parent e85a44c383
commit ebb42f831c
3 changed files with 45 additions and 25 deletions
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2012 Open Information Security Foundation
+/* Copyright (C) 2007-2015 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@ -209,6 +209,41 @@ static DetectThresholdEntry *ThresholdHostLookupEntry(Host *h, uint32_t sid, uin
    return e;
 }

+int ThresholdHandlePacketSuppress(Packet *p, DetectThresholdData *td, uint32_t sid, uint32_t gid)
+{
+    int ret = 0;
+    DetectAddress *m = NULL;
+    switch (td->track) {
+        case TRACK_DST:
+            m = DetectAddressLookupInHead(&td->addrs, &p->dst);
+            SCLogInfo("TRACK_DST");
+            break;
+        case TRACK_SRC:
+            m = DetectAddressLookupInHead(&td->addrs, &p->src);
+            SCLogInfo("TRACK_SRC");
+            break;
+        /* suppress if either src or dst is a match on the suppress
+         * address list */
+        case TRACK_EITHER:
+            m = DetectAddressLookupInHead(&td->addrs, &p->src);
+            if (m == NULL) {
+                m = DetectAddressLookupInHead(&td->addrs, &p->dst);
+            }
+            break;
+        case TRACK_RULE:
+        default:
+            SCLogError(SC_ERR_INVALID_VALUE,
+                    "track mode %d is not supported", td->track);
+            break;
+    }
+    if (m == NULL)
+        ret = 1;
+    else
+        ret = 2; /* suppressed but still need actions */
+
+    return ret;
+}
+
 /**
 *  \retval 2 silent match (no alert but apply actions)
 *  \retval 1 normal match
@ -463,28 +498,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
            }
            break;
        }
-        case TYPE_SUPPRESS:
-        {
-            DetectAddress *m = NULL;
-            switch (td->track) {
-                case TRACK_DST:
-                    m = DetectAddressLookupInHead(&td->addrs, &p->dst);
-                    break;
-                case TRACK_SRC:
-                    m = DetectAddressLookupInHead(&td->addrs, &p->src);
-                    break;
-                case TRACK_RULE:
-                default:
-                    SCLogError(SC_ERR_INVALID_VALUE,
-                               "track mode %d is not supported", td->track);
-                    break;
-            }
-            if (m == NULL)
-                ret = 1;
-            else
-                ret = 2; /* suppressed but still need actions */
-            break;
-        }
+        /* case TYPE_SUPPRESS: is not handled here */
        default:
            SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
    }
@ -600,7 +614,9 @@ int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
        SCReturnInt(0);
    }

-    if (td->track == TRACK_SRC) {
+    if (td->type == TYPE_SUPPRESS) {
+        ret = ThresholdHandlePacketSuppress(p,td,s->id,s->gid);
+    } else if (td->track == TRACK_SRC) {
        Host *src = HostGetHostFromHash(&p->src);
        if (src) {
            ret = ThresholdHandlePacketHost(src,p,td,s->id,s->gid);
--- a/src/detect-threshold.h
+++ b/src/detect-threshold.h
@ -38,6 +38,7 @@
 #define TRACK_DST      1
 #define TRACK_SRC      2
 #define TRACK_RULE     3
+#define TRACK_EITHER   4 /**< either src or dst: only used by suppress */

 /* Get the new action to take */
 #define TH_ACTION_ALERT     0x01
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
@ -73,7 +73,7 @@ typedef enum ThresholdRuleType {
 *  suppress gen_id 1, sig_id 2000328
 *  suppress gen_id 1, sig_id 2000328, track by_src, ip fe80::/10
 */
-#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"
+#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"

 /* Default path for the threshold.config file */
 #if defined OS_WIN32 || defined __CYGWIN__
@ -935,6 +935,9 @@ static int ParseThresholdRule(DetectEngineCtx *de_ctx, char *rawstr,
                    parsed_track = TRACK_DST;
                else if (strcasecmp(th_track,"by_src") == 0)
                    parsed_track = TRACK_SRC;
+                else if (strcasecmp(th_track,"by_either") == 0) {
+                    parsed_track = TRACK_EITHER;
+                }
                else {
                    SCLogError(SC_ERR_INVALID_VALUE, "Invalid track parameter %s in %s", th_track, rule_extend);
                    goto error;