Pull request #4042: Suppression and Threshold on ips rule is impacting connection...

Merge in SNORT/snort3 from ~GSAMBYAL/snort3:CSCwc93243 to master

Squashed commit of the following:

commit 223175e54504057891c46a051a4d79c8ae518c2f
Author: Garima Sambyal <gsambyal@cisco.com>
Date:   Mon Oct 9 05:20:43 2023 +0000

    detection: setting flag for flows with affected logging due to event filter

diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index d0c0df7ee33bab838441a5b2aa083571a252a762..b0d887b8354b7370bc740fff11e551363ef648f6 100644 (file)
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -224,6 +224,11 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p)
         */
         IpsAction * act = get_ips_policy()->action[action];
         act->exec(p);
+        if ( p->active && p->flow &&
+            (p->active->get_action() >= Active::ACT_DROP) )
+        {
+            p->flow->flags.ips_event_suppressed = true;
+        }
         fpLogOther(p, rtn, otn, action);
         pc.event_limit++;
         return 1;

diff --git a/src/flow/flow.h b/src/flow/flow.h
index 7c9c5f4808d79fe2f4335616bfff34c148dcfdc3..af03cb3378f541a8d7fc65bd50b77ba658cee90d 100644 (file)
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -500,6 +500,7 @@ public:  // FIXIT-M privatize if possible
         bool svc_event_generated : 1; // Set if FLOW_NO_SERVICE_EVENT was generated for this flow
         bool retry_queued : 1; // Set if a packet was queued for retry for this flow
         bool ha_flow : 1; // Set if this flow was created by an HA message
+        bool ips_event_suppressed : 1; // Set if event filters have suppressed ips event
     } flags = {};
 
     FlowState flow_state = FlowState::SETUP;