// nothing to set in the packet
} else if (pa->action & (ACTION_ALERT | ACTION_CONFIG)) {
// nothing to set in the packet
- } else {
+ } else if (pa->action != 0) {
DEBUG_VALIDATE_BUG_ON(1); // should be unreachable
}
}
/* Thresholding removes this alert */
- if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
+ if (res == 0 || res == 2 || (s->action & (ACTION_ALERT | ACTION_PASS)) == 0) {
+ SCLogDebug("sid:%u: skipping alert because of thresholding (res=%d) or NOALERT (%02x)",
+ s->id, res, s->action);
/* we will not copy this to the AlertQueue */
p->alerts.suppressed++;
} else if (p->alerts.cnt < packet_alert_max) {
#include "suricata-common.h"
#include "suricata.h"
#include "rust.h"
+#include "action-globals.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
if (s->flags & SIG_FLAG_DP_ANY) {
jb_append_string(ctx.js, "dp_any");
}
- if (s->flags & SIG_FLAG_NOALERT) {
+ if ((s->action & ACTION_ALERT) == 0) {
jb_append_string(ctx.js, "noalert");
}
if (s->flags & SIG_FLAG_DSIZE) {
#include "suricata-common.h"
#include "decode.h"
+#include "action-globals.h"
#include "detect.h"
#include "threads.h"
#include "flow.h"
if (strcmp(fb_cmd_str,"noalert") == 0) {
if (strlen(fb_name) != 0)
goto error;
- s->flags |= SIG_FLAG_NOALERT;
+ s->action &= ~ACTION_ALERT;
return 0;
} else if (strcmp(fb_cmd_str,"isset") == 0) {
fb_cmd = DETECT_FLOWBITS_CMD_ISSET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
FAIL_IF_NULL(s);
- FAIL_IF((s->flags & SIG_FLAG_NOALERT) != SIG_FLAG_NOALERT);
+ FAIL_IF((s->action & ACTION_ALERT) != 0);
SigGroupBuild(de_ctx);
DetectEngineCtxFree(de_ctx);
#include "suricata-common.h"
#include "decode.h"
+#include "action-globals.h"
#include "detect.h"
#include "threads.h"
#include "flow.h"
case DETECT_XBITS_CMD_NOALERT:
if (strlen(fb_name) != 0)
goto error;
- s->flags |= SIG_FLAG_NOALERT;
+ s->action &= ~ACTION_ALERT;
return 0;
case DETECT_XBITS_CMD_ISNOTSET:
case DETECT_XBITS_CMD_ISSET:
*/
#include "suricata-common.h"
+#include "action-globals.h"
#include "detect.h"
#include "detect-noalert.h"
#include "util-debug.h"
{
DEBUG_VALIDATE_BUG_ON(nullstr != NULL);
- s->flags |= SIG_FLAG_NOALERT;
+ s->action &= ~ACTION_ALERT;
return 0;
}
if (strcasecmp(action, "alert") == 0) {
s->action = ACTION_ALERT;
} else if (strcasecmp(action, "drop") == 0) {
- s->action = ACTION_DROP;
+ s->action = ACTION_DROP | ACTION_ALERT;
} else if (strcasecmp(action, "pass") == 0) {
s->action = ACTION_PASS;
} else if (strcasecmp(action, "reject") == 0 ||
{
if (!(SigParseActionRejectValidate(action)))
return -1;
- s->action = ACTION_REJECT|ACTION_DROP;
+ s->action = ACTION_REJECT | ACTION_DROP | ACTION_ALERT;
} else if (strcasecmp(action, "rejectdst") == 0) {
if (!(SigParseActionRejectValidate(action)))
return -1;
- s->action = ACTION_REJECT_DST|ACTION_DROP;
+ s->action = ACTION_REJECT_DST | ACTION_DROP | ACTION_ALERT;
} else if (strcasecmp(action, "rejectboth") == 0) {
if (!(SigParseActionRejectValidate(action)))
return -1;
- s->action = ACTION_REJECT_BOTH|ACTION_DROP;
+ s->action = ACTION_REJECT_BOTH | ACTION_DROP | ACTION_ALERT;
} else if (strcasecmp(action, "config") == 0) {
s->action = ACTION_CONFIG;
- s->flags |= SIG_FLAG_NOALERT;
} else {
SCLogError("An invalid action \"%s\" was given", action);
return -1;
#include "suricata-common.h"
#include "decode.h"
+#include "action-globals.h"
#include "detect.h"
#include "threads.h"
#include "flow.h"
int result = DetectXbitParse(de_ctx, rawstr, &cd);
if (result < 0) {
return -1;
- /* noalert doesn't use a cd/sm struct. It flags the sig. We're done. */
- } else if (result == 0 && cd == NULL) {
- s->flags |= SIG_FLAG_NOALERT;
+ } else if (cd == NULL) {
+ /* noalert doesn't use a cd/sm struct. It flags the sig. We're done. */
+ s->action &= ~ACTION_ALERT;
return 0;
}
#define SIG_FLAG_SP_ANY BIT_U32(2) /**< source port is any */
#define SIG_FLAG_DP_ANY BIT_U32(3) /**< destination port is any */
-#define SIG_FLAG_NOALERT BIT_U32(4) /**< no alert flag is set */
+// vacancy
+
#define SIG_FLAG_DSIZE BIT_U32(5) /**< signature has a dsize setting */
#define SIG_FLAG_APPLAYER BIT_U32(6) /**< signature applies to app layer instead of packets */
*
* Set drop (+reject) flags in both current and root packet.
*
- * \param action action bit flags. Must be limited to ACTION_DROP_REJECT
+ * \param action action bit flags. Must be limited to ACTION_DROP_REJECT|ACTION_ALERT
*/
void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
{
- DEBUG_VALIDATE_BUG_ON((action & ~ACTION_DROP_REJECT) != 0);
+ DEBUG_VALIDATE_BUG_ON((action & ~(ACTION_DROP_REJECT | ACTION_ALERT)) != 0);
if (p->drop_reason == PKT_DROP_REASON_NOT_SET)
p->drop_reason = (uint8_t)r;
uint8_t ActionOrderVal(uint8_t action)
{
/* reject_both and reject_dst have the same prio as reject */
- if( (action & ACTION_REJECT) ||
- (action & ACTION_REJECT_BOTH) ||
- (action & ACTION_REJECT_DST)) {
+ if (action & ACTION_REJECT_ANY) {
action = ACTION_REJECT;
+ } else if (action & ACTION_DROP) {
+ action = ACTION_DROP;
+ } else if (action & ACTION_PASS) {
+ action = ACTION_PASS;
+ } else if (action & ACTION_ALERT) {
+ action = ACTION_ALERT;
+ } else if (action == 0) {
+ action = ACTION_ALERT;
}
- uint8_t i = 0;
- for (; i < 4; i++) {
- if (action_order_sigs[i] == action)
+
+ for (uint8_t i = 0; i < 4; i++) {
+ if (action_order_sigs[i] == action) {
return i;
+ }
}
/* Unknown action, set just a low prio (high val) */
return 10;
#include "suricata-common.h"
+#include "action-globals.h"
#include "host.h"
#include "ippair.h"
for (s = de_ctx->sig_list; s != NULL; s = s->next) {
/* tag the rule as noalert */
if (parsed_track == TRACK_RULE) {
- s->flags |= SIG_FLAG_NOALERT;
+ s->action &= ~ACTION_ALERT;
continue;
}
/* tag the rule as noalert */
if (parsed_track == TRACK_RULE) {
- s->flags |= SIG_FLAG_NOALERT;
+ s->action &= ~ACTION_ALERT;
continue;
}
id, gid);
} else {
if (parsed_track == TRACK_RULE) {
- s->flags |= SIG_FLAG_NOALERT;
+ s->action &= ~ACTION_ALERT;
goto end;
}
projects / thirdparty / suricata.git / commitdiff
