Pull request #4534: ips_options: allow to repeat same option in applicable cases

Merge in SNORT/snort3 from ~YVELYKOZ/snort3:max_use_ips_opts to master

Squashed commit of the following:

commit 1d8be1756fd38036f57da52f03da931d7540e3a3
Author: Yehor Velykozhon <yvelykoz@cisco.com>
Date:   Mon Jan 20 10:52:27 2025 +0200

    framework: bump base API version

commit c7df294a0bb9e5fae4f031569c4465ec112412f5
Author: Yehor Velykozhon <yvelykoz@cisco.com>
Date:   Wed Jan 15 16:39:07 2025 +0200

    framework: bump ips option version

commit 621ab44a5b237e5a08a47b69e19bab5ba33b5acf
Author: Yehor Velykozhon <yvelykoz@cisco.com>
Date:   Mon Dec 2 12:04:08 2024 +0200

    ips_options: warn about excessive detection options

commit 96ebf9b723fcb6c15ab751f70d7d84ff33e5ca1a
Author: Yehor Velykozhon <yvelykoz@cisco.com>
Date:   Fri Dec 13 18:24:17 2024 +0200

    framework: add interface to warn about reaching limit of ips opt re-usage

diff --git a/src/framework/base_api.h b/src/framework/base_api.h
index 09be4cb201cf7dde911eac319df888bce1d9516d..581e982449fa85a5263c32e092a6c4583c90bc81 100644 (file)
--- a/src/framework/base_api.h
+++ b/src/framework/base_api.h
@@ -38,7 +38,7 @@
 // depends on includes installed in framework/snort_api.h
 // see framework/plugins.h
 
-#define BASE_API_VERSION 20
+#define BASE_API_VERSION 21
 
 // set the reserved field to this to be future proof
 #define API_RESERVED 0

diff --git a/src/framework/ips_option.h b/src/framework/ips_option.h
index 1a3dc445cd023c712f7a30a8380ad3ce1fa2f1f8..e8742ded532e3a65f70d6fddc069bc75806e73ba 100644 (file)
--- a/src/framework/ips_option.h
+++ b/src/framework/ips_option.h
@@ -53,7 +53,7 @@ struct SnortConfig;
 class Module;
 
 // this is the current version of the api
-#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 2)
+#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 3)
 
 enum CursorActionType
 {
@@ -180,8 +180,8 @@ struct IpsApi
     BaseApi base;
     RuleOptType type;
 
-    unsigned max_per_rule;  // max instances of this keyword per IPS rule
-    unsigned protos;        // bitmask of PROTO_BIT_* from decode_data.h
+    int max_per_rule;   // max instances of this keyword per IPS rule, 0 - no limits, negative - generate a warning
+    unsigned protos;    // bitmask of PROTO_BIT_* from decode_data.h
 
     IpsOptFunc pinit;
     IpsOptFunc pterm;
@@ -193,4 +193,3 @@ struct IpsApi
 };
 }
 #endif
-

diff --git a/src/ips_options/ips_ack.cc b/src/ips_options/ips_ack.cc
index 178d619f28d5a8ca56a2a8c27d7919ef3fe50f3f..10ba1f21d63bb8b11acb2d389f64c02697534315 100644 (file)
--- a/src/ips_options/ips_ack.cc
+++ b/src/ips_options/ips_ack.cc
@@ -174,7 +174,7 @@ static const IpsApi ack_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__TCP,
+    -1, PROTO_BIT__TCP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_base64.cc b/src/ips_options/ips_base64.cc
index da3ea0f7196e1a0fa9f9cdc3a0f9819d78b6cc2f..d4e1703b894598314e030bd5468c6b111d17b190 100644 (file)
--- a/src/ips_options/ips_base64.cc
+++ b/src/ips_options/ips_base64.cc
@@ -254,7 +254,7 @@ static const IpsApi base64_decode_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0,
+    -1, 0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_bufferlen.cc b/src/ips_options/ips_bufferlen.cc
index c408bb83493b559917f0b35baab6ff5c2fb4d2ff..77cce34ed53b6bebe65227921b6fac4f42c792b2 100644 (file)
--- a/src/ips_options/ips_bufferlen.cc
+++ b/src/ips_options/ips_bufferlen.cc
@@ -190,7 +190,7 @@ static const IpsApi len_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0,
+    -5, 0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_dsize.cc b/src/ips_options/ips_dsize.cc
index 813d84f41694dcb7a816435d6a057dbe27f338f7..546d338f15e34c8e4bce6e7778605529fd92da82 100644 (file)
--- a/src/ips_options/ips_dsize.cc
+++ b/src/ips_options/ips_dsize.cc
@@ -178,7 +178,7 @@ static const IpsApi dsize_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0,
+    -1, 0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_flags.cc b/src/ips_options/ips_flags.cc
index 4b75f26991a612f0ecce78dd36142c6a9ab585a3..8c79d94865332b2b8fea3289a7cbbf258f5ac5f8 100644 (file)
--- a/src/ips_options/ips_flags.cc
+++ b/src/ips_options/ips_flags.cc
@@ -413,7 +413,7 @@ static const IpsApi flags_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__TCP,
+    -1, PROTO_BIT__TCP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_flow.cc b/src/ips_options/ips_flow.cc
index 15986db8e7a5ce099f5628af087c42a820134e45..61fddc7ab1216f0e3cd3bcde9405f7e114350a21 100644 (file)
--- a/src/ips_options/ips_flow.cc
+++ b/src/ips_options/ips_flow.cc
@@ -420,7 +420,7 @@ static const IpsApi flow_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0,
+    -1, 0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_fragbits.cc b/src/ips_options/ips_fragbits.cc
index 0679e05b091d6004eb1a20dcf43bac7b6fa51919..d14f427a76d8e457a386c017ae5be93df844030b 100644 (file)
--- a/src/ips_options/ips_fragbits.cc
+++ b/src/ips_options/ips_fragbits.cc
@@ -429,7 +429,7 @@ static const IpsApi fragbits_api =
 
     //IpsApi struct
     OPT_TYPE_DETECTION, //RuleOptType
-    1,                  //max per rule
+    -1,//max per rule
     0,                  //IpsOptFunc protos
     nullptr,            //IpsOptFunc pinit
     nullptr,            //IpsOptFunc pterm

diff --git a/src/ips_options/ips_fragoffset.cc b/src/ips_options/ips_fragoffset.cc
index 3ba31fd6c719f97bbc3629d23f202944d804542a..34a1a91a098d59c4e58371f323946839c98791c3 100644 (file)
--- a/src/ips_options/ips_fragoffset.cc
+++ b/src/ips_options/ips_fragoffset.cc
@@ -175,7 +175,7 @@ static const IpsApi fragoffset_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0,
+    -1, 0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_icmp_id.cc b/src/ips_options/ips_icmp_id.cc
index 7608e562d083a1988f5fa56daae69a7bd97d4aa4..0fe9189c477496f5de41ba5745116a1effbb4ec1 100644 (file)
--- a/src/ips_options/ips_icmp_id.cc
+++ b/src/ips_options/ips_icmp_id.cc
@@ -204,7 +204,7 @@ static const IpsApi icmp_id_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__ICMP,
+    -1, PROTO_BIT__ICMP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_icmp_seq.cc b/src/ips_options/ips_icmp_seq.cc
index d9b3b78e27cee7220ccfaaa395f08c09bdbb8203..27fec5eead3c79e16e2544cebe4215d88c514860 100644 (file)
--- a/src/ips_options/ips_icmp_seq.cc
+++ b/src/ips_options/ips_icmp_seq.cc
@@ -205,7 +205,7 @@ static const IpsApi icmp_seq_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__ICMP,
+    -1, PROTO_BIT__ICMP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_icode.cc b/src/ips_options/ips_icode.cc
index c770bd9329bbcbbd7d11ec364544e2c3f3da9e72..142ce8a66f73d8866b7a05c1ee7058820474a5e2 100644 (file)
--- a/src/ips_options/ips_icode.cc
+++ b/src/ips_options/ips_icode.cc
@@ -176,7 +176,7 @@ static const IpsApi icode_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__ICMP,
+    -1, PROTO_BIT__ICMP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_id.cc b/src/ips_options/ips_id.cc
index d04fa4f91f9a9a4415361c942da0601accb38720..bb2d9e6820800ab7950a77c422f62381c6bbead6 100644 (file)
--- a/src/ips_options/ips_id.cc
+++ b/src/ips_options/ips_id.cc
@@ -178,7 +178,7 @@ static const IpsApi id_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0,
+    -1, 0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_ipopts.cc b/src/ips_options/ips_ipopts.cc
index 24e72bbeedce9eba4d4187cf564a4e4f60c6d268..91e55459c86c530dd7ddc58bd23a5cd0206e657e 100644 (file)
--- a/src/ips_options/ips_ipopts.cc
+++ b/src/ips_options/ips_ipopts.cc
@@ -262,7 +262,7 @@ static const IpsApi ipopts_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0,
+    -1, 0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_itype.cc b/src/ips_options/ips_itype.cc
index 42f76274ad7f9d2b482ac1667e64793118366309..ea0afe0b249fe608fdcfd03035c7f86b2fca37ff 100644 (file)
--- a/src/ips_options/ips_itype.cc
+++ b/src/ips_options/ips_itype.cc
@@ -176,7 +176,7 @@ static const IpsApi itype_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__ICMP,
+    -1, PROTO_BIT__ICMP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_luajit.cc b/src/ips_options/ips_luajit.cc
index 49afe0bf7e2dbc547e704cb3a4245c6b0881d3be..7ace4d33d52063ba42947216ff810678ef4f6e02 100644 (file)
--- a/src/ips_options/ips_luajit.cc
+++ b/src/ips_options/ips_luajit.cc
@@ -243,7 +243,7 @@ const IpsApi ips_lua_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__TCP,
+    -1, PROTO_BIT__TCP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_rpc.cc b/src/ips_options/ips_rpc.cc
index 5b26f0f2fd23d4ee4cd311d203369e31b1f3719b..5813bf1ae643ab75293e88036ed934b4789646cf 100644 (file)
--- a/src/ips_options/ips_rpc.cc
+++ b/src/ips_options/ips_rpc.cc
@@ -336,7 +336,7 @@ static const IpsApi rpc_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__TCP|PROTO_BIT__UDP,
+    -1, PROTO_BIT__TCP|PROTO_BIT__UDP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_seq.cc b/src/ips_options/ips_seq.cc
index 593e330f9db7faf5e69342c990497d9e37d48216..25d127b10fd6e67d7799742a6d0065e9c3d86084 100644 (file)
--- a/src/ips_options/ips_seq.cc
+++ b/src/ips_options/ips_seq.cc
@@ -175,7 +175,7 @@ static const IpsApi seq_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__TCP,
+    -1, PROTO_BIT__TCP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_so.cc b/src/ips_options/ips_so.cc
index 4f309d3825b73acbdca6e18f407843990f6a6f16..b5fb53439f013e58d82f064ecbb44354673ed243 100644 (file)
--- a/src/ips_options/ips_so.cc
+++ b/src/ips_options/ips_so.cc
@@ -229,7 +229,7 @@ static const IpsApi so_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0x0,
+    -1, 0x0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_tos.cc b/src/ips_options/ips_tos.cc
index ccf0c3d610a6a607c0b9561e17558e4345899802..09cf289f68feeed126a05d93b557ac98c5406105 100644 (file)
--- a/src/ips_options/ips_tos.cc
+++ b/src/ips_options/ips_tos.cc
@@ -178,7 +178,7 @@ static const IpsApi tos_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0,
+    -1, 0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_ttl.cc b/src/ips_options/ips_ttl.cc
index 422c59e5ecdf84f21cf5dfdc1728776b7a0adfb4..817ba647de3ee04e3752a75f8da7ab784920b271 100644 (file)
--- a/src/ips_options/ips_ttl.cc
+++ b/src/ips_options/ips_ttl.cc
@@ -175,7 +175,7 @@ static const IpsApi ttl_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, 0,
+    -1, 0,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/ips_options/ips_window.cc b/src/ips_options/ips_window.cc
index 7e391e29448154122c6c8384e78f04d0948f94c7..f5c5430983c360a634611ed33ed102fa672a35e9 100644 (file)
--- a/src/ips_options/ips_window.cc
+++ b/src/ips_options/ips_window.cc
@@ -175,7 +175,7 @@ static const IpsApi window_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__TCP,
+    -1, PROTO_BIT__TCP,
     nullptr,
     nullptr,
     nullptr,

diff --git a/src/managers/ips_manager.cc b/src/managers/ips_manager.cc
index 80af347a1be7f9b15933a9ec84732a92f4c873ac..bd68006d0e6d54d6be9fda9d6c4b9fa37c4a594b 100644 (file)
--- a/src/managers/ips_manager.cc
+++ b/src/managers/ips_manager.cc
@@ -204,11 +204,19 @@ bool IpsManager::option_begin(
         opt->init = true;
     }
 
-    if ( opt->api->max_per_rule && (++opt->count > opt->api->max_per_rule) )
+    unsigned max = std::abs(opt->api->max_per_rule);
+    if ( max && (++opt->count > max) )
     {
-        ParseError("%s allowed only %u time(s) per rule",
-            opt->api->base.name, opt->api->max_per_rule);
-        return false;
+        if ( opt->api->max_per_rule > 0 )
+        {
+            ParseError("%s allowed only %u time(s) per rule", opt->api->base.name, max);
+            return false;
+        }
+
+        bool is_first_excessive_opt = (opt->count - max) == 1;
+        if ( is_first_excessive_opt )
+            ParseWarning(WARN_RULES, "for best performance, all %s options could be consolidated",
+                opt->api->base.name);
     }
 
     // FIXIT-M allow service too

diff --git a/src/stream/tcp/ips_stream_reassemble.cc b/src/stream/tcp/ips_stream_reassemble.cc
index 3cb7c9543568219a9f307a25b39eb4dbfc7766a1..1523703441e0f665b1f10cd0802250d5013a68ba 100644 (file)
--- a/src/stream/tcp/ips_stream_reassemble.cc
+++ b/src/stream/tcp/ips_stream_reassemble.cc
@@ -249,7 +249,7 @@ static const IpsApi reassemble_api =
         mod_dtor
     },
     OPT_TYPE_DETECTION,
-    1, PROTO_BIT__TCP,
+    -1, PROTO_BIT__TCP,
     nullptr,
     nullptr,
     nullptr,