// The TRUST_DEFER_DO_TRUST state is checked at the end of packet processing. If the state
// is TRUST_DEFER_DO_TRUST and the action is ACT_ALLOW, the session is trusted.
// If a drop, block or reset action occurs while deferring, deferring is stopped and the
- // block or blacklist version is enforced.
+ // block or blocklist version is enforced.
// The module_id, a unique module identifier created by calling
// FlowData::create_flow_data_id(), is used to track the modules that are currently deferring.
- // This allows the module to use whitelist deferring without needing to track the deferring
+ // This allows the module to use trusted deferring without needing to track the deferring
// state of the module.
enum DeferredTrustState : uint8_t
{
bool app_direction_swapped : 1; // Packet direction swapped from application perspective
bool disable_inspect : 1;
bool reputation_src_dest : 1;
- bool reputation_blacklist : 1;
+ bool reputation_blocklist : 1;
bool reputation_monitor : 1;
- bool reputation_whitelist : 1;
+ bool reputation_allowlist : 1;
bool trigger_detained_packet_event : 1;
bool trigger_finalize_event : 1;
bool use_direct_inject : 1;
DECODE_ERR_CKSUM_UDP | DECODE_ERR_CKSUM_ICMP ),
DECODE_ERR_FLAGS = ( DECODE_ERR_CKSUM_ALL | DECODE_ERR_BAD_TTL ),
- DECODE_PKT_TRUST = 0x0020, // whitelist this packet
+ DECODE_PKT_TRUST = 0x0020, // trust this packet
DECODE_FRAG = 0x0040, // ip - fragmented packet
DECODE_MF = 0x0080, // ip - more fragments
This directory contains all files related to IP Reputation inspection.
-Reputation inspector provides basic IP blacklist/whitelist capabilities, to
+Reputation inspector provides basic IP blocklist/allowlist capabilities, to
block/drop/pass traffic from IP addresses listed. In the past, we use standard
Snort rules to implement Reputation-based IP blocking. This inspector will
address the performance issue and make the IP reputation management easier.
This inspector also supports interfaces through manifest files. You can specify an
-action (BLACK, WHITE, MONITOR) for an IP list with interfaces. The name of manifest
+action (BLOCK, ALLOW, MONITOR) for an IP list with interfaces. The name of manifest
file is interface.info. For each line of the manifest file, the format is:
- file_name, list_id, action (black, white, monitor), [interface information]
+ file_name, list_id, action (block, allow, monitor), [interface information]
If interface information is empty, this means all interfaces are applied
#define GID_REPUTATION 136
-#define REPUTATION_EVENT_BLACKLIST_SRC 1
-#define REPUTATION_EVENT_WHITELIST_SRC 2
+#define REPUTATION_EVENT_BLOCKLIST_SRC 1
+#define REPUTATION_EVENT_ALLOWLIST_SRC 2
#define REPUTATION_EVENT_MONITOR_SRC 3
-#define REPUTATION_EVENT_BLACKLIST_DST 4
-#define REPUTATION_EVENT_WHITELIST_DST 5
+#define REPUTATION_EVENT_BLOCKLIST_DST 4
+#define REPUTATION_EVENT_ALLOWLIST_DST 5
#define REPUTATION_EVENT_MONITOR_DST 6
#endif
ALL
};
-enum WhiteAction
+enum AllowAction
{
- UNBLACK,
+ DO_NOT_BLOCK,
TRUST
};
enum IPdecision
{
DECISION_NULL,
- BLACKLISTED,
- WHITELISTED_TRUST,
+ BLOCKED,
+ TRUSTED,
MONITORED,
- BLACKLISTED_SRC,
- BLACKLISTED_DST,
- WHITELISTED_TRUST_SRC,
- WHITELISTED_TRUST_DST,
- WHITELISTED_UNBLACK,
+ BLOCKED_SRC,
+ BLOCKED_DST,
+ TRUSTED_SRC,
+ TRUSTED_DST,
+ TRUSTED_DO_NOT_BLOCK,
MONITORED_SRC,
MONITORED_DST,
DECISION_MAX
uint32_t memcap = 500;
int num_entries = 0;
bool scanlocal = false;
- IPdecision priority = WHITELISTED_TRUST;
+ IPdecision priority = TRUSTED;
NestedIP nested_ip = INNER;
- WhiteAction white_action = UNBLACK;
- std::string blacklist_path;
- std::string whitelist_path;
+ AllowAction allow_action = DO_NOT_BLOCK;
+ std::string blocklist_path;
+ std::string allowlist_path;
bool memcap_reached = false;
uint8_t* reputation_segment = nullptr;
table_flat_t* ip_list = nullptr;
struct ReputationStats
{
PegCount packets;
- PegCount blacklisted;
- PegCount whitelisted;
+ PegCount blocked;
+ PegCount trusted;
PegCount monitored;
PegCount memory_allocated;
};
const PegInfo reputation_peg_names[] =
{
{ CountType::SUM, "packets", "total packets processed" },
-{ CountType::SUM, "blacklisted", "number of packets blacklisted" },
-{ CountType::SUM, "whitelisted", "number of packets whitelisted" },
+{ CountType::SUM, "blocked", "number of packets blocked" },
+{ CountType::SUM, "trusted", "number of packets trusted" },
{ CountType::SUM, "monitored", "number of packets monitored" },
{ CountType::SUM, "memory_allocated", "total memory allocated" },
nullptr
};
-const char* WhiteActionOption[] =
+const char* AllowActionOption[] =
{
- "unblack",
+ "do_not_block",
"trust",
nullptr
};
list_info[list_index]->intfs.count(ingress_intf) ||
list_info[list_index]->intfs.count(egress_intf))
{
- if (WHITELISTED_UNBLACK == (IPdecision)list_info[list_index]->list_type)
+ if (TRUSTED_DO_NOT_BLOCK == (IPdecision)list_info[list_index]->list_type)
return DECISION_NULL;
if (config->priority == (IPdecision)list_info[list_index]->list_type )
{
{
decision = get_reputation(config, result, &p->iplist_id, ingress_intf, egress_intf);
- if (decision == BLACKLISTED)
- *decision_final = BLACKLISTED_SRC;
+ if (decision == BLOCKED)
+ *decision_final = BLOCKED_SRC;
else if (decision == MONITORED)
*decision_final = MONITORED_SRC;
- else if (decision == WHITELISTED_TRUST)
- *decision_final = WHITELISTED_TRUST_SRC;
+ else if (decision == TRUSTED)
+ *decision_final = TRUSTED_SRC;
else
*decision_final = decision;
{
decision = get_reputation(config, result, &p->iplist_id, ingress_intf, egress_intf);
- if (decision == BLACKLISTED)
- *decision_final = BLACKLISTED_DST;
+ if (decision == BLOCKED)
+ *decision_final = BLOCKED_DST;
else if (decision == MONITORED)
*decision_final = MONITORED_DST;
- else if (decision == WHITELISTED_TRUST)
- *decision_final = WHITELISTED_TRUST_DST;
+ else if (decision == TRUSTED)
+ *decision_final = TRUSTED_DST;
else
*decision_final = decision;
&decision_current);
if (decision_current != DECISION_NULL)
{
- if (decision_current == BLACKLISTED_SRC or decision_current == BLACKLISTED_DST)
+ if (decision_current == BLOCKED_SRC or decision_current == BLOCKED_DST)
blocked_api = p->ptrs.ip_api;
decision_final = decision_current;
decision_current = DECISION_NULL;
else
assert(false); // Should never hit this
- if (decision_final != BLACKLISTED_SRC and decision_final != BLACKLISTED_DST)
+ if (decision_final != BLOCKED_SRC and decision_final != BLOCKED_DST)
p->ptrs.ip_api = tmp_api;
else if (config->nested_ip == ALL and p->ptrs.ip_api != blocked_api)
p->ptrs.ip_api = blocked_api;
if (DECISION_NULL == decision)
return;
- else if (BLACKLISTED_SRC == decision or BLACKLISTED_DST == decision)
+ else if (BLOCKED_SRC == decision or BLOCKED_DST == decision)
{
- unsigned blacklist_event = (BLACKLISTED_SRC == decision) ?
- REPUTATION_EVENT_BLACKLIST_SRC : REPUTATION_EVENT_BLACKLIST_DST;
+ unsigned blocklist_event = (BLOCKED_SRC == decision) ?
+ REPUTATION_EVENT_BLOCKLIST_SRC : REPUTATION_EVENT_BLOCKLIST_DST;
if (p->flow)
{
- p->flow->flags.reputation_blacklist = true;
- p->flow->flags.reputation_src_dest = (BLACKLISTED_SRC == decision);
+ p->flow->flags.reputation_blocklist = true;
+ p->flow->flags.reputation_src_dest = (BLOCKED_SRC == decision);
}
- DetectionEngine::queue_event(GID_REPUTATION, blacklist_event);
+ DetectionEngine::queue_event(GID_REPUTATION, blocklist_event);
act->drop_packet(p, true);
// disable all preproc analysis and detection for this packet
DetectionEngine::disable_all(p);
act->block_session(p, true);
act->set_drop_reason("reputation");
- reputationstats.blacklisted++;
+ reputationstats.blocked++;
if (PacketTracer::is_active())
- PacketTracer::log("Reputation: packet blacklisted, drop\n");
+ PacketTracer::log("Reputation: packet blocked, drop\n");
}
else if (MONITORED_SRC == decision or MONITORED_DST == decision)
reputationstats.monitored++;
}
- else if (WHITELISTED_TRUST_SRC == decision or WHITELISTED_TRUST_DST == decision)
+ else if (TRUSTED_SRC == decision or TRUSTED_DST == decision)
{
- unsigned whitelist_event = (WHITELISTED_TRUST_SRC == decision) ?
- REPUTATION_EVENT_WHITELIST_SRC : REPUTATION_EVENT_WHITELIST_DST;
+ unsigned allowlist_event = (TRUSTED_SRC == decision) ?
+ REPUTATION_EVENT_ALLOWLIST_SRC : REPUTATION_EVENT_ALLOWLIST_DST;
if (p->flow)
{
- p->flow->flags.reputation_whitelist = true;
- p->flow->flags.reputation_src_dest = (WHITELISTED_TRUST_SRC == decision);
+ p->flow->flags.reputation_allowlist = true;
+ p->flow->flags.reputation_src_dest = (TRUSTED_SRC == decision);
}
- DetectionEngine::queue_event(GID_REPUTATION, whitelist_event);
+ DetectionEngine::queue_event(GID_REPUTATION, allowlist_event);
act->trust_session(p, true);
- reputationstats.whitelisted++;
+ reputationstats.trusted++;
}
}
return "";
}
-static const char* to_string(WhiteAction wa)
+static const char* to_string(AllowAction aa)
{
- switch (wa)
+ switch (aa)
{
- case UNBLACK:
- return "unblack";
+ case DO_NOT_BLOCK:
+ return "do_not_block";
case TRUST:
return "trust";
}
{
switch (ipd)
{
- case BLACKLISTED:
- return "blacklisted";
- case WHITELISTED_TRUST:
- return "whitelisted_trust";
+ case BLOCKED:
+ return "blocked";
+ case TRUSTED:
+ return "trusted";
case MONITORED:
return "monitored";
- case BLACKLISTED_SRC:
- return "blacklisted_src";
- case BLACKLISTED_DST:
- return "blacklisted_dst";
- case WHITELISTED_TRUST_SRC:
- return "whitelisted_trust_src";
- case WHITELISTED_TRUST_DST:
- return "whitelisted_trust_dst";
- case WHITELISTED_UNBLACK:
- return "whitelisted_unblack";
+ case BLOCKED_SRC:
+ return "blocked_src";
+ case BLOCKED_DST:
+ return "blocked_dst";
+ case TRUSTED_SRC:
+ return "trusted_src";
+ case TRUSTED_DST:
+ return "trusted_dst";
+ case TRUSTED_DO_NOT_BLOCK:
+ return "trusted_do_not_block";
case MONITORED_SRC:
return "monitored_src";
case MONITORED_DST:
if (!config.list_dir.empty())
read_manifest(MANIFEST_FILENAME, conf);
- add_black_white_List(conf);
+ add_block_allow_List(conf);
estimate_num_entries(conf);
if (conf->num_entries <= 0)
{
ParseWarning(WARN_CONF,
- "reputation: can't find any whitelist/blacklist entries; disabled.");
+ "reputation: can't find any allowlist/blocklist entries; disabled.");
return;
}
void Reputation::show(const SnortConfig*) const
{
- ConfigLogger::log_value("blacklist", config.blacklist_path.c_str());
+ ConfigLogger::log_value("blocklist", config.blocklist_path.c_str());
ConfigLogger::log_value("list_dir", config.list_dir.c_str());
ConfigLogger::log_value("memcap", config.memcap);
ConfigLogger::log_value("nested_ip", to_string(config.nested_ip));
ConfigLogger::log_value("priority", to_string(config.priority));
ConfigLogger::log_flag("scan_local", config.scanlocal);
- ConfigLogger::log_value("white (action)", to_string(config.white_action));
- ConfigLogger::log_value("whitelist", config.whitelist_path.c_str());
+ ConfigLogger::log_value("allow (action)", to_string(config.allow_action));
+ ConfigLogger::log_value("allowlist", config.allowlist_path.c_str());
}
void Reputation::eval(Packet* p)
using namespace snort;
using namespace std;
-#define REPUTATION_EVENT_BLACKLIST_SRC_STR \
- "packets blacklisted based on source"
-#define REPUTATION_EVENT_BLACKLIST_DST_STR \
- "packets blacklisted based on destination"
+#define REPUTATION_EVENT_BLOCKLIST_SRC_STR \
+ "packets blocked based on source"
+#define REPUTATION_EVENT_BLOCKLIST_DST_STR \
+ "packets blocked based on destination"
-#define REPUTATION_EVENT_WHITELIST_SRC_STR \
- "packets whitelisted based on source"
-#define REPUTATION_EVENT_WHITELIST_DST_STR \
- "packets whitelisted based on destination"
+#define REPUTATION_EVENT_ALLOWLIST_SRC_STR \
+ "packets trusted based on source"
+#define REPUTATION_EVENT_ALLOWLIST_DST_STR \
+ "packets trusted based on destination"
#define REPUTATION_EVENT_MONITOR_SRC_STR \
"packets monitored based on source"
static const Parameter s_params[] =
{
+ { "blocklist", Parameter::PT_STRING, nullptr, nullptr,
+ "blocklist file name with IP lists" },
+
{ "blacklist", Parameter::PT_STRING, nullptr, nullptr,
"blacklist file name with IP lists" },
{ "nested_ip", Parameter::PT_ENUM, "inner|outer|all", "inner",
"IP to use when there is IP encapsulation" },
- { "priority", Parameter::PT_ENUM, "blacklist|whitelist", "whitelist",
+ { "priority", Parameter::PT_ENUM, "blocklist|allowlist|blacklist|whitelist", "allowlist",
"defines priority when there is a decision conflict during run-time" },
{ "scan_local", Parameter::PT_BOOL, nullptr, "false",
"inspect local address defined in RFC 1918" },
- { "white", Parameter::PT_ENUM, "unblack|trust", "unblack",
+ { "allow", Parameter::PT_ENUM, "do_not_block|trust|unblack", "do_not_block",
+ "specify the meaning of allowlist" },
+
+ { "white", Parameter::PT_ENUM, "do_not_block|trust|unblack", "do_not_block",
"specify the meaning of whitelist" },
+ { "allowlist", Parameter::PT_STRING, nullptr, nullptr,
+ "allowlist file name with IP lists" },
+
{ "whitelist", Parameter::PT_STRING, nullptr, nullptr,
"whitelist file name with IP lists" },
static const RuleMap reputation_rules[] =
{
- { REPUTATION_EVENT_BLACKLIST_SRC, REPUTATION_EVENT_BLACKLIST_SRC_STR },
- { REPUTATION_EVENT_WHITELIST_SRC, REPUTATION_EVENT_WHITELIST_SRC_STR },
+ { REPUTATION_EVENT_BLOCKLIST_SRC, REPUTATION_EVENT_BLOCKLIST_SRC_STR },
+ { REPUTATION_EVENT_ALLOWLIST_SRC, REPUTATION_EVENT_ALLOWLIST_SRC_STR },
{ REPUTATION_EVENT_MONITOR_SRC, REPUTATION_EVENT_MONITOR_SRC_STR },
- { REPUTATION_EVENT_BLACKLIST_DST, REPUTATION_EVENT_BLACKLIST_DST_STR },
- { REPUTATION_EVENT_WHITELIST_DST, REPUTATION_EVENT_WHITELIST_DST_STR },
+ { REPUTATION_EVENT_BLOCKLIST_DST, REPUTATION_EVENT_BLOCKLIST_DST_STR },
+ { REPUTATION_EVENT_ALLOWLIST_DST, REPUTATION_EVENT_ALLOWLIST_DST_STR },
{ REPUTATION_EVENT_MONITOR_DST, REPUTATION_EVENT_MONITOR_DST_STR },
bool ReputationModule::set(const char*, Value& v, SnortConfig*)
{
- if ( v.is("blacklist") )
- conf->blacklist_path = v.get_string();
+ if ( v.is("blocklist") or v.is("blacklist") )
+ conf->blocklist_path = v.get_string();
else if ( v.is("list_dir") )
conf->list_dir = v.get_string();
conf->nested_ip = (NestedIP)v.get_uint8();
else if ( v.is("priority") )
- conf->priority = (IPdecision)(v.get_uint8() + 1);
+ {
+ int priority = v.get_uint8() + 1;
+
+ if (priority == 3) // blacklist
+ priority = 1;
+
+ else if (priority == 4) // whitelist
+ priority = 2;
+
+ conf->priority = (IPdecision)(priority);
+
+ }
else if ( v.is("scan_local") )
conf->scanlocal = v.get_bool();
- else if ( v.is("white") )
- conf->white_action = (WhiteAction)v.get_uint8();
+ else if ( v.is("allow") or v.is("white") )
+ {
+ int action = v.get_uint8();
+
+ if ( action == 2 ) // unblack
+ action = 0;
+
+ conf->allow_action = (AllowAction)action;
+
+ }
- else if ( v.is("whitelist") )
- conf->whitelist_path = v.get_string();
+ else if ( v.is("allowlist") or v.is("whitelist") )
+ conf->allowlist_path = v.get_string();
else
return false;
bool ReputationModule::end(const char*, int, SnortConfig*)
{
- if ( (conf->priority == WHITELISTED_TRUST) && (conf->white_action == UNBLACK) )
+ if ( (conf->priority == TRUSTED) && (conf->allow_action == DO_NOT_BLOCK) )
{
- ParseWarning(WARN_CONF, "Keyword \"whitelist\" for \"priority\" is "
- "not applied when white action is unblack.\n");
- conf->priority = WHITELISTED_UNBLACK;
+ ParseWarning(WARN_CONF, "Keyword \"allowlist\" for \"priority\" is "
+ "not applied when allow action is do_not_block.\n");
+ conf->priority = TRUSTED_DO_NOT_BLOCK;
}
return true;
#define MANIFEST_SEPARATORS ",\r\n"
#define MIN_MANIFEST_COLUMNS 3
-static char black_info[] = "blacklist";
-static char white_info[] = "whitelist";
+static char block_info[] = "blocklist";
+static char allow_info[] = "allowlist";
static char monitor_info[] = "monitorlist";
-#define WHITE_TYPE_KEYWORD "white"
-#define BLACK_TYPE_KEYWORD "block"
+#define ALLOW_TYPE_KEYWORD "allow"
+#define BLOCK_TYPE_KEYWORD "block"
#define MONITOR_TYPE_KEYWORD "monitor"
#define UNKNOWN_LIST 0
#define MONITOR_LIST 1
-#define BLACK_LIST 2
-#define WHITE_LIST 3
+#define BLOCK_LIST 2
+#define ALLOW_LIST 3
#define MAX_MSGS_TO_PRINT 20
for (size_t i = 0; i < config->list_files.size(); i++)
{
config->list_files[i]->list_index = (uint8_t)i + 1;
- if (config->list_files[i]->file_type == WHITE_LIST)
+ if (config->list_files[i]->file_type == ALLOW_LIST)
{
- if (config->white_action == UNBLACK)
- config->list_files[i]->list_type = WHITELISTED_UNBLACK;
+ if (config->allow_action == DO_NOT_BLOCK)
+ config->list_files[i]->list_type = TRUSTED_DO_NOT_BLOCK;
else
- config->list_files[i]->list_type = WHITELISTED_TRUST;
+ config->list_files[i]->list_type = TRUSTED;
}
- else if (config->list_files[i]->file_type == BLACK_LIST)
- config->list_files[i]->list_type = BLACKLISTED;
+ else if (config->list_files[i]->file_type == BLOCK_LIST)
+ config->list_files[i]->list_type = BLOCKED;
else if (config->list_files[i]->file_type == MONITOR_LIST)
config->list_files[i]->list_type = MONITORED;
{
case DECISION_NULL:
return nullptr;
- case BLACKLISTED:
- return black_info;
- case WHITELISTED_UNBLACK:
- return white_info;
+ case BLOCKED:
+ return block_info;
+ case TRUSTED_DO_NOT_BLOCK:
+ return allow_info;
case MONITORED:
return monitor_info;
- case WHITELISTED_TRUST:
- return white_info;
+ case TRUSTED:
+ return allow_info;
default:
return nullptr;
}
config->num_entries = total_lines;
}
-void add_black_white_List(ReputationConfig* config)
+void add_block_allow_List(ReputationConfig* config)
{
- if (config->blacklist_path.size())
+ if (config->blocklist_path.size())
{
ListFile* listItem = new ListFile;
listItem->all_intfs_enabled = true;
- listItem->file_name = config->blacklist_path;
- listItem->file_type = BLACK_LIST;
+ listItem->file_name = config->blocklist_path;
+ listItem->file_type = BLOCK_LIST;
listItem->list_id = 0;
config->list_files.emplace_back(listItem);
}
- if (config->whitelist_path.size())
+ if (config->allowlist_path.size())
{
ListFile* listItem = new ListFile;
listItem->all_intfs_enabled = true;
- listItem->file_name = config->whitelist_path;
- listItem->file_type = WHITE_LIST;
+ listItem->file_name = config->allowlist_path;
+ listItem->file_type = ALLOW_LIST;
listItem->list_id = 0;
config->list_files.emplace_back(listItem);
}
type_name = ignore_start_space(type_name);
- if (strncasecmp(type_name, WHITE_TYPE_KEYWORD, strlen(WHITE_TYPE_KEYWORD)) == 0)
+ if (strncasecmp(type_name, ALLOW_TYPE_KEYWORD, strlen(ALLOW_TYPE_KEYWORD)) == 0)
{
- type = WHITE_LIST;
- type_name += strlen(WHITE_TYPE_KEYWORD);
+ type = ALLOW_LIST;
+ type_name += strlen(ALLOW_TYPE_KEYWORD);
}
- else if (strncasecmp(type_name, BLACK_TYPE_KEYWORD, strlen(BLACK_TYPE_KEYWORD)) == 0)
+ else if (strncasecmp(type_name, BLOCK_TYPE_KEYWORD, strlen(BLOCK_TYPE_KEYWORD)) == 0)
{
- type = BLACK_LIST;
- type_name += strlen(BLACK_TYPE_KEYWORD);
+ type = BLOCK_LIST;
+ type_name += strlen(BLOCK_TYPE_KEYWORD);
}
else if (strncasecmp(type_name, MONITOR_TYPE_KEYWORD, strlen(MONITOR_TYPE_KEYWORD)) == 0)
{
}
//The format of manifest is:
-// file_name, list_id, action (black, white, monitor), interface information
+// file_name, list_id, action (block, allow, monitor), interface information
//If no interface information provided, this means all interfaces are applied.
static bool process_line_in_manifest(ListFile* list_item, const char* manifest, const char* line,
{
ErrorMessage(" %s(%d) => Unknown action specified (%s)."
" Please specify a value: %s | %s | %s.\n", manifest, line_number, token,
- WHITE_TYPE_KEYWORD, BLACK_TYPE_KEYWORD, MONITOR_TYPE_KEYWORD);
+ ALLOW_TYPE_KEYWORD, BLOCK_TYPE_KEYWORD, MONITOR_TYPE_KEYWORD);
return false;
}
break;
void ip_list_init(uint32_t,ReputationConfig *config);
void estimate_num_entries(ReputationConfig* config);
int read_manifest(const char* filename, ReputationConfig* config);
-void add_black_white_List(ReputationConfig* config);
+void add_block_allow_List(ReputationConfig* config);
#endif
{
flow->ha_state->add(FlowHAState::MODIFIED);
/* If we have started ignoring both directions, that means we'll probably
- * try to whitelist the session. This is a critical change since we
+ * try to trust the session. This is a critical change since we
* probably won't see another packet on the session if we're using
* a DAQ module that fully supports the WHITELIST verdict. */
if( cur_state->ignore_direction == SSN_DIR_BOTH )
"don't alert when rule matches" },
{ "fastpath", Parameter::PT_IMPLIED, nullptr, nullptr,
- "optionally whitelist the remainder of the session" },
+ "optionally trust the remainder of the session" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
else if (keyword == "shared_refresh")
table_api.add_deleted_comment("shared_refresh");
- else if (keyword == "blacklist")
+ else if (keyword == "blacklist" or keyword == "blocklist")
{
- tmpval = parse_path_option("blacklist", arg_stream);
+ tmpval = parse_path_option("blocklist", arg_stream);
}
else if (keyword == "memcap")
{
std::string val;
if (!(arg_stream >> val))
data_api.failed_conversion(arg_stream, "reputation: priority <missing_arg>");
- else if (val == "whitelist")
- table_api.add_option("priority", "whitelist");
- else if (val == "blacklist")
- table_api.add_option("priority", "blacklist");
+ else if (val == "whitelist" or val == "allowlist")
+ table_api.add_option("priority", "allowlist");
+ else if (val == "blacklist" or val == "blocklist")
+ table_api.add_option("priority", "blocklist");
else
{
data_api.failed_conversion(arg_stream, "reputation: priority " + val);
{
table_api.add_deleted_comment("shared_max_instances");
}
- else if (keyword == "white")
+ else if (keyword == "white" or keyword == "allow")
{
std::string val;
if (!(arg_stream >> val))
data_api.failed_conversion(arg_stream, "reputation: white <missing_arg>");
- else if (val == "unblack")
- table_api.add_option("white", "unblack");
+ else if (val == "unblack" or val == "do_not_block")
+ table_api.add_option("allow", "do_not_block");
else if (val == "trust")
- table_api.add_option("white", "trust");
+ table_api.add_option("allow", "trust");
else
{
data_api.failed_conversion(arg_stream, "reputation: white " + val);
}
}
- else if (keyword == "whitelist")
+ else if (keyword == "whitelist" or keyword == "allowlist")
{
- tmpval = parse_path_option("whitelist", arg_stream);
+ tmpval = parse_path_option("allowlist", arg_stream);
}
else
{
projects / thirdparty / snort3.git / commitdiff
