* IPS rules may also have a wild card parameter, which is indicated by a
*. Used for unquoted, comma-separated lists such as service and metadata.
* The snort module has command line options starting with a -.
+* $ denotes variable names, eg rule_state.$gid_sid which would be used
+ like rule_state["1:23456"] = { }.
Some additional details to note:
* interval takes the form [operator]i, j<>k, or j<=>k where i,j,k are
integers and operator is one of =, !, != (same as !), <, <=, >, >=.
j<>k means j < int < k and j<=>k means j <= int <= k.
+* Ranges may use maxXX like { 1:max32 } since max32 is easier to read
+ than 4294967295. To get the values of maxXX, use snort --help-limits.
OptTreeNode* otn = OtnLookup(sc->otn_map, gid, sid);
if ( otn == nullptr )
- ParseError("Rule state specified for invalid SID: %u GID: %u", sid, gid);
+ ParseError("Rule state specified for invalid rule %u:%u", gid, sid);
else
{
if ( sc->global_rule_state )
virtual bool set(const char*, Value&, SnortConfig*);
+ // used to match parameters with $var names like <gid:sid> for rule_state
+ virtual bool matches(const char* /*param_name*/, std::string& /*lua_name*/)
+ { return false; }
+
// ips events:
virtual unsigned get_gid() const
{ return 0; }
const void* range; // nullptr|const char*|RangeQuery*|const Parameter*
const char* deflt;
const char* help;
- bool regex = false; // for name resolution
-
- Parameter(const char* n, Type t, const void* r, const char* d, const char* h, bool re) :
- name(n), type(t), range(r), deflt(d), help(h), regex(re) { }
Parameter(const char* n, Type t, const void* r, const char* d, const char* h) :
name(n), type(t), range(r), deflt(d), help(h) { }
#include "modules.h"
-#include <regex>
#include <sys/resource.h>
#include "codecs/codec_module.h"
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
-static const char* rule_state_gid_sid_regex = "([0-9]+):([0-9]+)";
static const Parameter rule_state_params[] =
{
- { rule_state_gid_sid_regex, Parameter::PT_LIST, single_rule_state_params, nullptr,
- "defines rule state parameters for gid:sid", true },
+ { "$gid_sid", Parameter::PT_LIST, single_rule_state_params, nullptr,
+ "defines rule state parameters for gid:sid" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ bool matches(const char*, std::string&) override;
+
Usage get_usage() const override
{ return DETECT; }
IpsPolicy::Enable enable;
};
-bool RuleStateModule::set(const char* fqn, Value& v, SnortConfig*)
+bool RuleStateModule::matches(const char* param, std::string& name)
{
- static regex gid_sid(rule_state_gid_sid_regex);
+ if ( strcmp(param, "$gid_sid") )
+ return false;
+
+ std::stringstream ss(name);
+ char sep;
- // the regex itself is passed as the fqn when declaring rule_state = { }
- if ( strstr(fqn, rule_state_gid_sid_regex) )
+ ss >> gid >> sep >> sid;
+
+ if ( gid and sid and sep == ':' )
return true;
- cmatch match;
+ return false;
+}
- if ( regex_search(fqn, match, gid_sid) )
- {
- gid = strtoul(match[1].str().c_str(), nullptr, 10);
- sid = strtoul(match[2].str().c_str(), nullptr, 10);
+bool RuleStateModule::set(const char* fqn, Value& v, SnortConfig*)
+{
+ // the name itself is passed as the fqn when declaring rule_state = { }
+ if ( !strcmp(fqn, "$gid_sid") )
+ return true;
+ if ( gid and sid )
+ {
if ( v.is("action") )
action = IpsPolicy::Action(v.get_uint8());
bool RuleStateModule::end(const char*, int, SnortConfig* sc)
{
- if ( gid )
+ if ( gid and sid )
sc->rule_states.emplace_back(new RuleState(gid, sid, action, enable));
- gid = 0;
+ gid = sid = 0;
return true;
}
#include <cassert>
#include <iostream>
#include <mutex>
-#include <regex>
#include <string>
#include "framework/base_api.h"
//-------------------------------------------------------------------------
static const Parameter* get_params(
- const string& sfx, const Parameter* p, int idx = 1)
+ const string& sfx, Module* m, const Parameter* p, int idx = 1)
{
size_t pos = sfx.find_first_of('.');
std::string new_fqn;
}
string name = new_fqn.substr(0, new_fqn.find_first_of('.'));
+
while ( p->name )
{
- if ( p->regex && regex_match(name, regex(p->name)) )
+ if ( *p->name == '$' and m->matches(p->name, name) )
break;
else if ( name == p->name )
}
p = (const Parameter*)p->range;
- return get_params(new_fqn, p, idx);
+ return get_params(new_fqn, m, p, idx);
}
// FIXIT-M vars may have been defined on command line. that mechanism will
// now we must traverse the mod params to get the leaf
string s = fqn;
- const Parameter* p = get_params(s, mod->get_parameters());
+ const Parameter* p = get_params(s, mod, mod->get_parameters());
if ( !p )
- p = get_params(s, mod->get_default_parameters());
+ p = get_params(s, mod, mod->get_default_parameters());
if ( !p )
{
if ( strcmp(m->get_name(), s) )
{
std::string sfqn = s;
- p = get_params(sfqn, m->get_parameters(), idx);
+ p = get_params(sfqn, m, m->get_parameters(), idx);
if ( !p )
- p = get_params(sfqn, m->get_default_parameters(), idx);
+ p = get_params(sfqn, m, m->get_default_parameters(), idx);
if ( !p )
{
projects / thirdparty / snort3.git / commitdiff
