detect grouping: warn on and fix up bad sigs
authorVictor Julien <victor@inliniac.net>
Wed, 7 Oct 2015 05:08:02 +0000 (07:08 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 5 Apr 2016 07:30:09 +0000 (09:30 +0200)
Only inspect directionless SYN scan sigs toserver. Issue a warning for
those rules.

src/detect.c
src/util-error.c
src/util-error.h

index 107d0e4f2690dcb1ca735839ee4f628c76400b3d..f50dd4855f3fe50bdeeb948d048315ee4eca34a4 100644 (file)
@@ -3008,6 +3008,20 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint3
         else
             BUG_ON(1);
 
+        /* see if we want to exclude directionless sigs that really care only for
+         * to_server syn scans/floods */
+        if ((direction == SIG_FLAG_TOCLIENT) &&
+             DetectFlagsSignatureNeedsSynPackets(s) &&
+             DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
+            ((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) &&
+            (!(s->dp->port == 0 && s->dp->port2 == 65535)))
+        {
+            SCLogWarning(SC_WARN_POOR_RULE, "rule %u: SYN-only to port(s) %u:%u "
+                    "w/o direction specified, disabling for toclient direction",
+                    s->id, s->dp->port, s->dp->port2);
+            goto next;
+        }
+
         while (p) {
             DetectPort *tmp = DetectPortCopySingle(de_ctx, p);
             BUG_ON(tmp == NULL);
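Review bot: The new exclusion at the top of the hunk dereferences `s->dp` unguarded and inspects only its first node (`s->dp->port` / `s->dp->port2`), so the "port is any" test describes the head of the destination-port list rather than the whole rule; a rule with a port list such as `[80,443]` presumably carries further entries via `next`, and any signature reaching this point with a NULL `dp` would crash at rule load. Consider adding `s->dp != NULL` to the condition and walking the list, or at minimum recording the assumption next to the check: `/* only the first dp node is inspected; multi-range rules are judged by their first range */`. The five-line condition with mixed continuation indentation would read better extracted into a static predicate such as `static int SigIsSynOnlyDirectionless(const Signature *s)` that returns the combined flags/direction/port test, leaving this site as a one-line `if`. RulesGroupByPorts and the `next` label this branch jumps to both lie outside the hunk.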
index 3bf695504a692f0ac330113cd06d62c9de65b97a..3706789b2bfa5aacd91394ba14ea5c0739cb2ec8 100644 (file)
@@ -316,6 +316,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_JSON_STATS_LOG_NEGATED);
         CASE_CODE (SC_ERR_DEPRECATED_CONF);
         CASE_CODE (SC_WARN_FASTER_CAPTURE_AVAILABLE);
+        CASE_CODE (SC_WARN_POOR_RULE);
     }
 
     return "UNKNOWN_ERROR";
index 42fd74f9638e538160d0a6f52e0778b65e7dfa91..1e9ef4f0260c469cbe2d16209c23c5fb204f54aa 100644 (file)
@@ -306,6 +306,7 @@ typedef enum {
     SC_ERR_JSON_STATS_LOG_NEGATED, /** When totals and threads are both NO in yaml **/
     SC_ERR_DEPRECATED_CONF, /**< Deprecated configuration parameter. */
     SC_WARN_FASTER_CAPTURE_AVAILABLE,
+    SC_WARN_POOR_RULE,
 } SCError;
 
 const char *SCErrorToString(SCError);