From: Yehor Velykozhon -X (yvelykoz - SOFTSERVE INC at Cisco) Date: Tue, 4 Feb 2025 21:30:12 +0000 (+0000) Subject: Pull request #4534: ips_options: allow to repeat same option in applicable cases X-Git-Tag: 3.7.0.0~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a8b161d5646cca701c304f7157f6c4d2c065ebff;p=thirdparty%2Fsnort3.git Pull request #4534: ips_options: allow to repeat same option in applicable cases Merge in SNORT/snort3 from ~YVELYKOZ/snort3:max_use_ips_opts to master Squashed commit of the following: commit 1d8be1756fd38036f57da52f03da931d7540e3a3 Author: Yehor Velykozhon Date: Mon Jan 20 10:52:27 2025 +0200 framework: bump base API version commit c7df294a0bb9e5fae4f031569c4465ec112412f5 Author: Yehor Velykozhon Date: Wed Jan 15 16:39:07 2025 +0200 framework: bump ips option version commit 621ab44a5b237e5a08a47b69e19bab5ba33b5acf Author: Yehor Velykozhon Date: Mon Dec 2 12:04:08 2024 +0200 ips_options: warn about excessive detection options commit 96ebf9b723fcb6c15ab751f70d7d84ff33e5ca1a Author: Yehor Velykozhon Date: Fri Dec 13 18:24:17 2024 +0200 framework: add interface to warn about reaching limit of ips opt re-usage
---
diff --git a/src/framework/base_api.h b/src/framework/base_api.h
index 09be4cb20..581e98244 100644
--- a/src/framework/base_api.h
+++ b/src/framework/base_api.h
@@ -38,7 +38,7 @@
 // depends on includes installed in framework/snort_api.h
 // see framework/plugins.h
-#define BASE_API_VERSION 20
+#define BASE_API_VERSION 21
 // set the reserved field to this to be future proof
 #define API_RESERVED 0
diff --git a/src/framework/ips_option.h b/src/framework/ips_option.h
index 1a3dc445c..e8742ded5 100644
--- a/src/framework/ips_option.h
+++ b/src/framework/ips_option.h
@@ -53,7 +53,7 @@ struct SnortConfig;
 class Module;
 // this is the current version of the api
-#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 2)
+#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 3)
 enum CursorActionType {
@@ -180,8 +180,8 @@ struct IpsApi
 BaseApi base;
 RuleOptType type;
- unsigned max_per_rule; // max instances of this keyword per IPS rule
- unsigned protos; // bitmask of PROTO_BIT_* from decode_data.h
+ int max_per_rule; // max instances of this keyword per IPS rule, 0 - no limits, negative - generate a warning
+ unsigned protos; // bitmask of PROTO_BIT_* from decode_data.h
 IpsOptFunc pinit;
 IpsOptFunc pterm;
@@ -193,4 +193,3 @@ struct IpsApi
 };
 }
 #endif
-
diff --git a/src/ips_options/ips_ack.cc b/src/ips_options/ips_ack.cc
index 178d619f2..10ba1f21d 100644
--- a/src/ips_options/ips_ack.cc
+++ b/src/ips_options/ips_ack.cc
@@ -174,7 +174,7 @@ static const IpsApi ack_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
+ -1, PROTO_BIT__TCP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_base64.cc b/src/ips_options/ips_base64.cc
index da3ea0f71..d4e1703b8 100644
--- a/src/ips_options/ips_base64.cc
+++ b/src/ips_options/ips_base64.cc
@@ -254,7 +254,7 @@ static const IpsApi base64_decode_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0,
+ -1, 0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_bufferlen.cc b/src/ips_options/ips_bufferlen.cc
index c408bb834..77cce34ed 100644
--- a/src/ips_options/ips_bufferlen.cc
+++ b/src/ips_options/ips_bufferlen.cc
@@ -190,7 +190,7 @@ static const IpsApi len_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0,
+ -5, 0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_dsize.cc b/src/ips_options/ips_dsize.cc
index 813d84f41..546d338f1 100644
--- a/src/ips_options/ips_dsize.cc
+++ b/src/ips_options/ips_dsize.cc
@@ -178,7 +178,7 @@ static const IpsApi dsize_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0,
+ -1, 0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_flags.cc b/src/ips_options/ips_flags.cc
index 4b75f2699..8c79d9486 100644
--- a/src/ips_options/ips_flags.cc
+++ b/src/ips_options/ips_flags.cc
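Review bot: The new comment on `int max_per_rule` in the `@@ -180,8` hunk says a negative value generates a warning but not what its magnitude means, although ips_manager.cc in this same commit uses `std::abs(max_per_rule)` as the count above which the warning fires. Spell out the full contract where plugin authors will read it, e.g. `int max_per_rule; // per IPS rule: 0 - unlimited, > 0 - hard limit (parse error once exceeded), < 0 - soft limit (warn once when more than |max_per_rule| instances are used)`. Since the field changes from `unsigned` to `int`, any out-of-tree plugin that initialized it with an unsigned expression now depends on the bumped IPSAPI_VERSION to be rejected rather than silently reinterpreted; a short line in the commit description noting this would help downstream maintainers. The `struct IpsApi` definition begins before the hunk.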
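Review bot: The `-5, 0,` line in the ips_bufferlen.cc hunk is the only soft limit in this commit whose magnitude is not 1, and nothing in the hunk explains why a rule may carry five bufferlen options before the consolidation warning fires on the sixth. A one-line comment above the initializer, e.g. `// soft limit: warn only once a rule uses more than five bufferlen checks`, would stop a later reader from "normalizing" it to -1. The `len_api` initializer begins before the hunk.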
@@ -413,7 +413,7 @@ static const IpsApi flags_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
+ -1, PROTO_BIT__TCP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_flow.cc b/src/ips_options/ips_flow.cc
index 15986db8e..61fddc7ab 100644
--- a/src/ips_options/ips_flow.cc
+++ b/src/ips_options/ips_flow.cc
@@ -420,7 +420,7 @@ static const IpsApi flow_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0,
+ -1, 0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_fragbits.cc b/src/ips_options/ips_fragbits.cc
index 0679e05b0..d14f427a7 100644
--- a/src/ips_options/ips_fragbits.cc
+++ b/src/ips_options/ips_fragbits.cc
@@ -429,7 +429,7 @@ static const IpsApi fragbits_api = //IpsApi struct
 OPT_TYPE_DETECTION, //RuleOptType
- 1, //max per rule
+ -1,//max per rule
 0, //IpsOptFunc protos
 nullptr, //IpsOptFunc pinit
 nullptr, //IpsOptFunc pterm
diff --git a/src/ips_options/ips_fragoffset.cc b/src/ips_options/ips_fragoffset.cc
index 3ba31fd6c..34a1a91a0 100644
--- a/src/ips_options/ips_fragoffset.cc
+++ b/src/ips_options/ips_fragoffset.cc
@@ -175,7 +175,7 @@ static const IpsApi fragoffset_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0,
+ -1, 0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_icmp_id.cc b/src/ips_options/ips_icmp_id.cc
index 7608e562d..0fe9189c4 100644
--- a/src/ips_options/ips_icmp_id.cc
+++ b/src/ips_options/ips_icmp_id.cc
@@ -204,7 +204,7 @@ static const IpsApi icmp_id_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__ICMP,
+ -1, PROTO_BIT__ICMP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_icmp_seq.cc b/src/ips_options/ips_icmp_seq.cc
index d9b3b78e2..27fec5eea 100644
--- a/src/ips_options/ips_icmp_seq.cc
+++ b/src/ips_options/ips_icmp_seq.cc
@@ -205,7 +205,7 @@ static const IpsApi icmp_seq_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__ICMP,
+ -1, PROTO_BIT__ICMP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_icode.cc b/src/ips_options/ips_icode.cc
index c770bd932..142ce8a66 100644
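Review bot: In the ips_fragbits.cc hunk the new `-1,//max per rule` drops the space between the value and its trailing comment that every neighbouring line of this initializer keeps (`0, //IpsOptFunc protos`, `nullptr, //IpsOptFunc pinit`); write it `-1, //max per rule` so the column-aligned comment style stays intact. The `fragbits_api` initializer begins before the hunk.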
--- a/src/ips_options/ips_icode.cc
+++ b/src/ips_options/ips_icode.cc
@@ -176,7 +176,7 @@ static const IpsApi icode_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__ICMP,
+ -1, PROTO_BIT__ICMP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_id.cc b/src/ips_options/ips_id.cc
index d04fa4f91..bb2d9e682 100644
--- a/src/ips_options/ips_id.cc
+++ b/src/ips_options/ips_id.cc
@@ -178,7 +178,7 @@ static const IpsApi id_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0,
+ -1, 0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_ipopts.cc b/src/ips_options/ips_ipopts.cc
index 24e72bbee..91e55459c 100644
--- a/src/ips_options/ips_ipopts.cc
+++ b/src/ips_options/ips_ipopts.cc
@@ -262,7 +262,7 @@ static const IpsApi ipopts_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0,
+ -1, 0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_itype.cc b/src/ips_options/ips_itype.cc
index 42f76274a..ea0afe0b2 100644
--- a/src/ips_options/ips_itype.cc
+++ b/src/ips_options/ips_itype.cc
@@ -176,7 +176,7 @@ static const IpsApi itype_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__ICMP,
+ -1, PROTO_BIT__ICMP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_luajit.cc b/src/ips_options/ips_luajit.cc
index 49afe0bf7..7ace4d33d 100644
--- a/src/ips_options/ips_luajit.cc
+++ b/src/ips_options/ips_luajit.cc
@@ -243,7 +243,7 @@ const IpsApi ips_lua_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
+ -1, PROTO_BIT__TCP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_rpc.cc b/src/ips_options/ips_rpc.cc
index 5b26f0f2f..5813bf1ae 100644
--- a/src/ips_options/ips_rpc.cc
+++ b/src/ips_options/ips_rpc.cc
@@ -336,7 +336,7 @@ static const IpsApi rpc_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP|PROTO_BIT__UDP,
+ -1, PROTO_BIT__TCP|PROTO_BIT__UDP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_seq.cc b/src/ips_options/ips_seq.cc
index 593e330f9..25d127b10 100644
--- a/src/ips_options/ips_seq.cc
+++ b/src/ips_options/ips_seq.cc
@@ -175,7 +175,7 @@ static const IpsApi seq_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
+ -1, PROTO_BIT__TCP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_so.cc b/src/ips_options/ips_so.cc
index 4f309d382..b5fb53439 100644
--- a/src/ips_options/ips_so.cc
+++ b/src/ips_options/ips_so.cc
@@ -229,7 +229,7 @@ static const IpsApi so_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0x0,
+ -1, 0x0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_tos.cc b/src/ips_options/ips_tos.cc
index ccf0c3d61..09cf289f6 100644
--- a/src/ips_options/ips_tos.cc
+++ b/src/ips_options/ips_tos.cc
@@ -178,7 +178,7 @@ static const IpsApi tos_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0,
+ -1, 0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_ttl.cc b/src/ips_options/ips_ttl.cc
index 422c59e5e..817ba647d 100644
--- a/src/ips_options/ips_ttl.cc
+++ b/src/ips_options/ips_ttl.cc
@@ -175,7 +175,7 @@ static const IpsApi ttl_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, 0,
+ -1, 0,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/ips_options/ips_window.cc b/src/ips_options/ips_window.cc
index 7e391e294..f5c543098 100644
--- a/src/ips_options/ips_window.cc
+++ b/src/ips_options/ips_window.cc
@@ -175,7 +175,7 @@ static const IpsApi window_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
+ -1, PROTO_BIT__TCP,
 nullptr,
 nullptr,
 nullptr,
diff --git a/src/managers/ips_manager.cc b/src/managers/ips_manager.cc
index 80af347a1..bd68006d0 100644
--- a/src/managers/ips_manager.cc
+++ b/src/managers/ips_manager.cc
@@ -204,11 +204,19 @@ bool IpsManager::option_begin(
 opt->init = true;
 }
- if ( opt->api->max_per_rule && (++opt->count > opt->api->max_per_rule) )
+ unsigned max = std::abs(opt->api->max_per_rule);
+ if ( max && (++opt->count > max) )
 {
- ParseError("%s allowed only %u time(s) per rule",
- opt->api->base.name, opt->api->max_per_rule);
- return false;
+ if ( opt->api->max_per_rule > 0 )
+ {
+ ParseError("%s allowed only %u time(s) per rule", opt->api->base.name, max);
+ return false;
+ }
+
+ bool is_first_excessive_opt = (opt->count - max) == 1;
+ if ( is_first_excessive_opt )
+ ParseWarning(WARN_RULES, "for best performance, all %s options could be consolidated",
+ opt->api->base.name);
 }
 // FIXIT-M allow service too
diff --git a/src/stream/tcp/ips_stream_reassemble.cc b/src/stream/tcp/ips_stream_reassemble.cc
index 3cb7c9543..152370344 100644
--- a/src/stream/tcp/ips_stream_reassemble.cc
+++ b/src/stream/tcp/ips_stream_reassemble.cc
@@ -249,7 +249,7 @@ static const IpsApi reassemble_api =
 mod_dtor
 },
 OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
+ -1, PROTO_BIT__TCP,
 nullptr,
 nullptr,
 nullptr,
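Review bot: The new `unsigned max = std::abs(opt->api->max_per_rule);` line in the ips_manager.cc hunk introduces `std::abs` but this file's diff adds no include, so unless `<cstdlib>` already reaches this translation unit the build is relying on a transitive include; add `#include <cstdlib>` to ips_manager.cc. On the same line the `int` result of `std::abs` converts to `unsigned` implicitly, and `std::abs` of the most negative `int` is undefined, so `unsigned max = static_cast<unsigned>(std::abs(opt->api->max_per_rule));` with a comment that the magnitude is the threshold and the sign selects error-vs-warning would make the intent explicit. Note also that for every option switched to a negative limit in this commit a second instance per rule used to be a parse error and is now accepted with a one-time warning, so any later code in `option_begin` or the rule builder that assumed at most one instance of those keywords per rule should be re-checked; `option_begin` starts and ends outside the hunk.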