--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
+// Copyright (C) 2003-2013 Sourcefire, Inc.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifndef REPUTATION_COMMON_H
+#define REPUTATION_COMMON_H
+
+#define REPUTATION_NAME "reputation"
+#define REPUTATION_HELP "reputation inspection"
+
+#define GID_REPUTATION 136
+
+#define REPUTATION_EVENT_BLACKLIST_SRC 1
+#define REPUTATION_EVENT_WHITELIST_SRC 2
+#define REPUTATION_EVENT_MONITOR_SRC 3
+#define REPUTATION_EVENT_BLACKLIST_DST 4
+#define REPUTATION_EVENT_WHITELIST_DST 5
+#define REPUTATION_EVENT_MONITOR_DST 6
+
+#endif
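Review bot: The six `REPUTATION_EVENT_*` macros and `GID_REPUTATION` carry no comment saying what they are, yet their values are the generator id and the per-rule sids that the inspector passes to `DetectionEngine::queue_event` and that the module's `reputation_rules[]` table keys on. A one-line comment above the group, `// sids of the reputation rules; must stay in sync with reputation_rules[] in the module`, would save the next reader from tracing the usages. The ordering (the three `_SRC` ids first, then the `_DST` ids) presumably keeps the pre-existing ids 1–3 meaningful for deployments that already reference them; if that is the intent, stating it here would prevent a future renumbering.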
{
decision = get_reputation(config, result, &p->iplist_id, ingressZone, egressZone);
- *decision_final = decision;
+ if (decision == BLACKLISTED)
+ *decision_final = BLACKLISTED_SRC;
+ else if (decision == MONITORED)
+ *decision_final = MONITORED_SRC;
+ else if (decision == WHITELISTED_TRUST)
+ *decision_final = WHITELISTED_TRUST_SRC;
+ else
+ *decision_final = decision;
+
if ( config->priority == decision)
return true;
}
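Review bot: The three-way mapping from the verdict returned by `get_reputation` to its `_SRC` form is duplicated verbatim for the `_DST` form in the next hunk (ending at the second `}` below, after `*decision_final = WHITELISTED_TRUST_DST`), so any new verdict has to be added in two `if`/`else if` chains or the two directions silently diverge. A small helper that takes the verdict and a direction flag keeps one copy of the table, and the two call sites become `*decision_final = to_directional(decision, true);` and `*decision_final = to_directional(decision, false);`. The trailing `else *decision_final = decision;` presumably covers the remaining verdicts such as the un-blacklist case, which stay direction-less; that is worth a comment so it is not mistaken for a missed case. The enclosing function begins before and ends after this hunk, and the verdict enum's name is not visible here.
```cpp
// Map a per-address verdict onto its source- or destination-specific form.
// Verdicts without a directional variant are returned unchanged.
static IPdecision to_directional(IPdecision decision, bool is_src)
{
    switch (decision)
    {
    case BLACKLISTED:
        return is_src ? BLACKLISTED_SRC : BLACKLISTED_DST;
    case MONITORED:
        return is_src ? MONITORED_SRC : MONITORED_DST;
    case WHITELISTED_TRUST:
        return is_src ? WHITELISTED_TRUST_SRC : WHITELISTED_TRUST_DST;
    default:
        return decision;
    }
}

// … unchanged: source-address lookup …
    *decision_final = to_directional(decision, true);
// … unchanged: destination-address lookup …
    *decision_final = to_directional(decision, false);
```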
{
decision = get_reputation(config, result, &p->iplist_id, ingressZone, egressZone);
- *decision_final = decision;
+ if (decision == BLACKLISTED)
+ *decision_final = BLACKLISTED_DST;
+ else if (decision == MONITORED)
+ *decision_final = MONITORED_DST;
+ else if (decision == WHITELISTED_TRUST)
+ *decision_final = WHITELISTED_TRUST_DST;
+ else
+ *decision_final = decision;
+
if ( config->priority == decision)
return true;
}
{
layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer);
decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api, &decision_final);
- if (decision_final != BLACKLISTED)
+ if (decision_final != BLACKLISTED_SRC and decision_final != BLACKLISTED_DST)
p->ptrs.ip_api = tmp_api;
}
else if (config->nested_ip == ALL)
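Review bot: The test `decision_final != BLACKLISTED_SRC and decision_final != BLACKLISTED_DST` is the new spelling of "is not blacklisted", and the same two-constant comparison now appears in the next hunk twice (`decision_current == BLACKLISTED_SRC or decision_current == BLACKLISTED_DST`, and the second `decision_final != …` guard) and again in the dispatch hunk (`BLACKLISTED_SRC == decision or BLACKLISTED_DST == decision`), with parallel pairs for `MONITORED_*` and `WHITELISTED_TRUST_*`. Splitting each verdict into two enumerators means every "is this a block verdict" check has to name both, and a site that names only one will quietly skip the restore of `p->ptrs.ip_api` or the drop. A one-line predicate, `static inline bool is_blacklisted(IPdecision d) { return d == BLACKLISTED_SRC or d == BLACKLISTED_DST; }`, used at all four places makes the intent visible and gives one spot to extend. The enclosing function starts before this hunk.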
&decision_current);
if (decision_current != DECISION_NULL)
{
- if (decision_current == BLACKLISTED)
+ if (decision_current == BLACKLISTED_SRC or decision_current == BLACKLISTED_DST)
blocked_api = p->ptrs.ip_api;
decision_final = decision_current;
decision_current = DECISION_NULL;
}
}
- if (decision_final != BLACKLISTED)
+ if (decision_final != BLACKLISTED_SRC and decision_final != BLACKLISTED_DST)
p->ptrs.ip_api = tmp_api;
else if (p->ptrs.ip_api != blocked_api)
p->ptrs.ip_api = blocked_api;
if (DECISION_NULL == decision)
return;
- else if (BLACKLISTED == decision)
+ else if (BLACKLISTED_SRC == decision or BLACKLISTED_DST == decision)
{
- DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_BLACKLIST);
+ unsigned blacklist_event = (BLACKLISTED_SRC == decision) ?
+ REPUTATION_EVENT_BLACKLIST_SRC : REPUTATION_EVENT_BLACKLIST_DST;
+
+ DetectionEngine::queue_event(GID_REPUTATION, blacklist_event);
act->drop_packet(p, true);
+
// disable all preproc analysis and detection for this packet
DetectionEngine::disable_all(p);
act->block_session(p, true);
PacketTracer::log("Reputation: packet blacklisted, drop\n");
}
}
- else if (MONITORED == decision)
+
+ else if (MONITORED_SRC == decision or MONITORED_DST == decision)
{
+ unsigned monitor_event = (MONITORED_SRC == decision) ?
+ REPUTATION_EVENT_MONITOR_SRC : REPUTATION_EVENT_MONITOR_DST;
+
p->packet_flags |= PKT_REP_MONITORED;
- DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_MONITOR);
+ DetectionEngine::queue_event(GID_REPUTATION, monitor_event);
reputationstats.monitored++;
}
- else if (WHITELISTED_TRUST == decision)
+
+ else if (WHITELISTED_TRUST_SRC == decision or WHITELISTED_TRUST_DST == decision)
{
- DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_WHITELIST);
+ unsigned whitelist_event = (WHITELISTED_TRUST_SRC == decision) ?
+ REPUTATION_EVENT_WHITELIST_SRC : REPUTATION_EVENT_WHITELIST_DST;
+
+ DetectionEngine::queue_event(GID_REPUTATION, whitelist_event);
p->packet_flags |= PKT_IGNORE;
DetectionEngine::disable_all(p);
act->allow_session(p);
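Review bot: The blank lines inserted between the closing `}` and the following `else if` (before `else if (MONITORED_SRC == decision …` and before `else if (WHITELISTED_TRUST_SRC == decision …`) detach each branch from the chain it belongs to, so at a glance the block-and-drop branch looks like the end of the statement; the rest of the file keeps `}` and `else if` adjacent, and these should too. The three sid-selecting ternaries (`blacklist_event`, `monitor_event`, `whitelist_event`) repeat one pattern — pick `_SRC` when the verdict is the `_SRC` enumerator, else `_DST` — which could be a single `static unsigned event_sid(IPdecision d)` switch returning the sid for all six directional verdicts, leaving each branch as `DetectionEngine::queue_event(GID_REPUTATION, event_sid(decision));`. The enclosing function begins before and ends after this hunk.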
using namespace snort;
using namespace std;
-#define REPUTATION_EVENT_BLACKLIST_STR \
- "packets blacklisted"
-#define REPUTATION_EVENT_WHITELIST_STR \
- "packets whitelisted"
-#define REPUTATION_EVENT_MONITOR_STR \
- "packets monitored"
+#define REPUTATION_EVENT_BLACKLIST_SRC_STR \
+ "packets blacklisted based on source"
+#define REPUTATION_EVENT_BLACKLIST_DST_STR \
+ "packets blacklisted based on destination"
+
+#define REPUTATION_EVENT_WHITELIST_SRC_STR \
+ "packets whitelisted based on source"
+#define REPUTATION_EVENT_WHITELIST_DST_STR \
+ "packets whitelisted based on destination"
+
+#define REPUTATION_EVENT_MONITOR_SRC_STR \
+ "packets monitored based on source"
+#define REPUTATION_EVENT_MONITOR_DST_STR \
+ "packets monitored based on destination"
static const Parameter s_params[] =
{
static const RuleMap reputation_rules[] =
{
- { REPUTATION_EVENT_BLACKLIST, REPUTATION_EVENT_BLACKLIST_STR },
- { REPUTATION_EVENT_WHITELIST, REPUTATION_EVENT_WHITELIST_STR },
- { REPUTATION_EVENT_MONITOR, REPUTATION_EVENT_MONITOR_STR },
+ { REPUTATION_EVENT_BLACKLIST_SRC, REPUTATION_EVENT_BLACKLIST_SRC_STR },
+ { REPUTATION_EVENT_WHITELIST_SRC, REPUTATION_EVENT_WHITELIST_SRC_STR },
+ { REPUTATION_EVENT_MONITOR_SRC, REPUTATION_EVENT_MONITOR_SRC_STR },
+ { REPUTATION_EVENT_BLACKLIST_DST, REPUTATION_EVENT_BLACKLIST_DST_STR },
+ { REPUTATION_EVENT_WHITELIST_DST, REPUTATION_EVENT_WHITELIST_DST_STR },
+ { REPUTATION_EVENT_MONITOR_DST, REPUTATION_EVENT_MONITOR_DST_STR },
+
{ 0, nullptr }
};