From 49005feaf143aa58376410adbe89916743cae871 Mon Sep 17 00:00:00 2001 From: "Anna Norokh -X (anorokh - SOFTSERVE INC at Cisco)" Date: Mon, 23 Jun 2025 14:19:56 +0000 Subject: [PATCH] Pull request #4778: extractor: add context logging event for notice Merge in SNORT/snort3 from ~ANOROKH/snort3:extr_notice_event to master Squashed commit of the following: commit da9709af1b8edb7090a783471a78181ad880af28 Author: anorokh Date: Tue Jun 10 12:59:25 2025 +0300 extractor: add context logging event for notice --- doc/user/extractor.txt | 8 ++++++-- src/network_inspectors/extractor/extractor_detection.cc | 5 +++-- src/network_inspectors/extractor/extractor_detection.h | 2 +- src/network_inspectors/extractor/extractor_service.cc | 6 ++++-- src/pub_sub/detection_events.h | 5 +++-- 5 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/doc/user/extractor.txt b/doc/user/extractor.txt
index 0ac8b4d6d..0e5db0529 100644
--- a/doc/user/extractor.txt
+++ b/doc/user/extractor.txt
@@ -67,6 +67,7 @@ Services and their events:
 ** 'builtin' (internally-detected infraction is queued for further processing)
 * triggered IPS rule, whether built-in or text or SO (notice)
 ** `ips_logging` (matched rules sent to IPS logging)
+ ** `context_logging` (matched rule in an IPS logger)
 Common fields available for every service:
@@ -168,13 +169,16 @@ UDP Connection States:
 TCP Connection States: The TCP connection state tracks both client and server states, each prefixed with CLT_ (for the client) and SRV_ (for the server).
-These states follow the TCP state machine as defined by the RFC, with the addition of TCP_MID_STREAM_SENT and TCP_MID_STREAM_REC to handle mid-stream traffic and TCP_STATE_NONE.
+These states follow the TCP state machine as defined by the RFC, with the addition of TCP_MID_STREAM_SENT
+and TCP_MID_STREAM_REC to handle mid-stream traffic and TCP_STATE_NONE.
 OTH (Other Traffic): The OTH state is used for all non-UDP and non-TCP traffic, as well as for error cases.
-* `history` - a string that tracks the connection's history. It uses letters to represent events, with uppercase letters denoting client-side events and lowercase letters for server-side events. Each letter appears only once for each direction, regardless of how many times the event occurs.
+* `history` - a string that tracks the connection's history. It uses letters to represent events, with
+uppercase letters denoting client-side events and lowercase letters for server-side events.
+Each letter appears only once for each direction, regardless of how many times the event occurs.
 UDP Events: d: Packet with payload.
diff --git a/src/network_inspectors/extractor/extractor_detection.cc b/src/network_inspectors/extractor/extractor_detection.cc
index a2798ccd5..2f7de21ba 100644
--- a/src/network_inspectors/extractor/extractor_detection.cc
+++ b/src/network_inspectors/extractor/extractor_detection.cc
@@ -196,7 +196,7 @@ static const map vec_getters =
 THREAD_LOCAL const snort::Connector::ID* IpsUserExtractor::log_id = nullptr;
-IpsUserExtractor::IpsUserExtractor(Extractor& i, uint32_t t, const vector& fields)
+IpsUserExtractor::IpsUserExtractor(Extractor& i, uint32_t t, const vector& fields, bool contextual)
 : ExtractorEvent(ServiceType::IPS_USER, i, t)
 {
 for (const auto& f : fields)
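Review bot: The new `contextual` parameter on the IpsUserExtractor constructor is not documented at its definition, and nothing in this hunk shows what it selects; the constructor body continues outside the hunk. From the call site in extractor_service.cc the flag is true exactly when the service was configured with the `context_logging` event rather than `ips_logging`, so a one-line comment above the definition would save the next reader a trip through the service code, e.g. `// contextual: this instance serves the "context_logging" event (fired from inside an IPS logger) instead of "ips_logging"`. If the body chooses a different DetectionEventIds value based on the flag, that is the fact worth stating there as well.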
@@ -215,7 +215,8 @@ IpsUserExtractor::IpsUserExtractor(Extractor& i, uint32_t t, const vector& (*) (const DataEvent*, const Flow*); using VecField = DataField&, const DataEvent*, const Flow*>;
- IpsUserExtractor(Extractor&, uint32_t tenant, const std::vector& fields);
+ IpsUserExtractor(Extractor&, uint32_t tenant, const std::vector& fields, bool contextual);
 std::vector get_field_names() const override;
 void handle(DataEvent&, Flow*);
diff --git a/src/network_inspectors/extractor/extractor_service.cc b/src/network_inspectors/extractor/extractor_service.cc
index 15fd67ab3..e153f3d5d 100644
--- a/src/network_inspectors/extractor/extractor_service.cc
+++ b/src/network_inspectors/extractor/extractor_service.cc
@@ -459,6 +459,7 @@ const ServiceBlueprint IpsUserExtractorService::blueprint =
 // events
 {
 "ips_logging",
+ "context_logging",
 },
 // fields
 {
@@ -481,8 +482,9 @@ IpsUserExtractorService::IpsUserExtractorService(uint32_t tenant, const std::vec
 {
 for (const auto& event : get_events())
 {
- if (!strcmp("ips_logging", event.c_str()))
- handlers.push_back(new IpsUserExtractor(ins, tenant_id, get_fields()));
+ bool contextual = !strcmp("context_logging", event.c_str());
+ if (contextual or !strcmp("ips_logging", event.c_str()))
+ handlers.push_back(new IpsUserExtractor(ins, tenant_id, get_fields(), contextual));
 }
 }
diff --git a/src/pub_sub/detection_events.h b/src/pub_sub/detection_events.h
index 33dadb897..ec9a74537 100644
--- a/src/pub_sub/detection_events.h
+++ b/src/pub_sub/detection_events.h
@@ -31,8 +31,9 @@ struct DetectionEventIds
 {
 enum : unsigned
 {
- IPS_LOGGING,
- BUILTIN,
+ IPS_LOGGING, // before IPS loggers invoked
+ CONTEXT_LOGGING, // in an IPS logger
+ BUILTIN, // built-in event added in the event queue
 MAX
 };
 };
--
2.47.3
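Review bot: Listing both `ips_logging` and `context_logging` in the service's events now makes the loop in the IpsUserExtractorService constructor create two IpsUserExtractor handlers, one per event; if both events fire for the same rule match, each handler would presumably emit its own record, so either extractor.txt should state that the two events are alternatives or the constructor should reject the combination rather than silently double-logging. Independently, `event` appears to be a std::string (it has c_str()), so the new comparisons read more naturally without strcmp: `const bool contextual = event == "context_logging";` followed by `if (contextual or event == "ips_logging")`. The constructor's signature lies outside the hunk.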
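Review bot: Inserting CONTEXT_LOGGING between IPS_LOGGING and BUILTIN renumbers BUILTIN from 1 to 2 and MAX from 2 to 3. Code that names the ids symbolically is unaffected, but if src/pub_sub headers are consumed by out-of-tree subscribers, as their location suggests, a subscriber built against the previous numbering would register for a different event than it expects until it is recompiled. If that matters for this release, placing `CONTEXT_LOGGING, // in an IPS logger` directly before `MAX` keeps the existing values stable at no cost to the new code.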