git.ipfire.org Git - thirdparty/suricata.git/commit

author	Shivani Bhardwaj <shivanib134@gmail.com>
	Wed, 29 Jan 2020 14:50:24 +0000 (20:20 +0530)
committer	Shivani Bhardwaj <shivanib134@gmail.com>
	Tue, 21 Apr 2020 20:03:17 +0000 (01:33 +0530)
commit	cf4e4e4ac31c11fd743969d0108d6e41fee66219
tree	63e29be4113f9f84542a82d4d696d6c803a423db	tree
parent	a611ae2102b5a100a120bb7fcc037cadbede9e28	commit \| diff

flowbits: Allow support for flowbit ORing

This patch allows to OR multiple flowbits on isset and isnotset flowbit
actions.

e.g.
Earlier in order to check if either fb1 or fb2 was set, it was required
to write two rules,
```
alert ip any any -> any any (msg:\"Flowbit fb1 isset\"; flowbits:isset,fb1; sid:1;)
alert ip any any -> any any (msg:\"Flowbit fb2 isset\"; flowbits:isset,fb2; sid:2;)
```

now, the same can be achieved with
```
alert ip any any -> any any (msg:\"Flowbit fb2 isset\"; flowbits:isset,fb1|fb2; sid:23;)
```

This operator can be used to check if one of the many flowbits is set
and also if one of the many flowbits is not set.

src/detect-flowbits.c		diff \| blob \| blame \| history
src/detect-flowbits.h		diff \| blob \| blame \| history