mod_ctor,
mod_dtor
},
- RULE_TYPE__DROP,
+ Actions::DROP,
nullptr, // pinit
nullptr, // pterm
nullptr, // tinit
mod_ctor,
mod_dtor
},
- RULE_TYPE__RESET,
+ Actions::RESET,
nullptr,
nullptr,
nullptr,
mod_ctor,
mod_dtor
},
- RULE_TYPE__ALERT,
+ Actions::ALERT,
nullptr,
nullptr,
rep_tinit,
CallLogFuncs(p, otn, rtn->listhead);
}
-static const char* const rule_type[RULE_TYPE__MAX] =
+static const char* const type[Actions::MAX] =
{
"none", "log", "pass", "alert", "drop", "block", "reset"
};
-const char* get_action_string(RuleType action)
+const char* Actions::get_string(Actions::Type action)
{
- if ( action < RULE_TYPE__MAX )
- return rule_type[action];
+ if ( action < Actions::MAX )
+ return type[action];
return "ERROR";
}
-RuleType get_action_type(const char* s)
+Actions::Type Actions::get_type(const char* s)
{
if ( !s )
- return RULE_TYPE__NONE;
+ return Actions::NONE;
- else if ( !strcasecmp(s, ACTION_LOG) )
- return RULE_TYPE__LOG;
+ else if ( !strcasecmp(s, Actions::get_string(Actions::LOG)) )
+ return Actions::LOG;
- else if ( !strcasecmp(s, ACTION_PASS) )
- return RULE_TYPE__PASS;
+ else if ( !strcasecmp(s, Actions::get_string(Actions::PASS)) )
+ return Actions::PASS;
- else if ( !strcasecmp(s, ACTION_ALERT) )
- return RULE_TYPE__ALERT;
+ else if ( !strcasecmp(s, Actions::get_string(Actions::ALERT)) )
+ return Actions::ALERT;
- else if ( !strcasecmp(s, ACTION_DROP) )
- return RULE_TYPE__DROP;
+ else if ( !strcasecmp(s, Actions::get_string(Actions::DROP)) )
+ return Actions::DROP;
- else if ( !strcasecmp(s, ACTION_BLOCK) )
- return RULE_TYPE__BLOCK;
+ else if ( !strcasecmp(s, Actions::get_string(Actions::BLOCK)) )
+ return Actions::BLOCK;
- else if ( !strcasecmp(s, ACTION_RESET) )
- return RULE_TYPE__RESET;
+ else if ( !strcasecmp(s, Actions::get_string(Actions::RESET)) )
+ return Actions::RESET;
- return RULE_TYPE__NONE;
+ return Actions::NONE;
}
-void action_execute(RuleType action, Packet* p, const OptTreeNode* otn,
+void Actions::execute(Actions::Type action, Packet* p, const OptTreeNode* otn,
uint16_t event_id)
{
switch (action)
{
- case RULE_TYPE__PASS:
+ case Actions::PASS:
pass();
SetTags(p, otn, event_id);
break;
- case RULE_TYPE__ALERT:
+ case Actions::ALERT:
alert(p, otn);
SetTags(p, otn, event_id);
break;
- case RULE_TYPE__LOG:
+ case Actions::LOG:
log(p, otn);
SetTags(p, otn, event_id);
break;
- case RULE_TYPE__DROP:
+ case Actions::DROP:
Active::drop_packet(p);
alert(p, otn);
SetTags(p, otn, event_id);
break;
- case RULE_TYPE__BLOCK:
+ case Actions::BLOCK:
Active::block_session(p);
alert(p, otn);
SetTags(p, otn, event_id);
break;
- case RULE_TYPE__RESET:
+ case Actions::RESET:
Active::reset_session(p);
alert(p, otn);
SetTags(p, otn, event_id);
}
}
-void action_apply(RuleType action, Packet* p)
+void Actions::apply(Actions::Type action, Packet* p)
{
switch ( action )
{
- case RULE_TYPE__DROP:
+ case Actions::DROP:
Active::drop_packet(p);
break;
- case RULE_TYPE__BLOCK:
+ case Actions::BLOCK:
Active::block_session(p);
break;
- case RULE_TYPE__RESET:
+ case Actions::RESET:
Active::reset_session(p);
break;
#include <cstdint>
-#define ACTION_LOG "log"
-#define ACTION_PASS "pass"
-#define ACTION_ALERT "alert"
-#define ACTION_DROP "drop"
-#define ACTION_BLOCK "block"
-#define ACTION_RESET "reset"
+#include "main/snort_types.h"
struct Packet;
struct OptTreeNode;
-// FIXIT-L if RuleType is changed, RateFilterModule must be updated
-enum RuleType // FIXIT-L convert to a scoped enum
+class SO_PUBLIC Actions
{
- RULE_TYPE__NONE = 0,
- RULE_TYPE__LOG,
- RULE_TYPE__PASS,
- RULE_TYPE__ALERT,
- RULE_TYPE__DROP,
- RULE_TYPE__BLOCK,
- RULE_TYPE__RESET,
- RULE_TYPE__MAX
-};
-
-// FIXIT-L these functions could be static methods of class enclosing RuleType enum
-const char* get_action_string(RuleType);
-RuleType get_action_type(const char*);
+public:
+ // FIXIT-L if Type is changed, RateFilterModule and type in actions.cc must be updated
+ enum Type
+ { NONE = 0, LOG, PASS, ALERT, DROP, BLOCK, RESET, MAX };
-void action_execute(RuleType, struct Packet*, const struct OptTreeNode*,
- uint16_t event_id);
+ static const char* get_string(Type);
+ static Type get_type(const char*);
-void action_apply(RuleType, struct Packet*);
+ static void execute(Type, struct Packet*, const struct OptTreeNode*,
+ uint16_t event_id);
-inline bool pass_action(RuleType a)
-{ return ( a == RULE_TYPE__PASS ); }
+ static void apply(Type, struct Packet*);
+ static inline bool is_pass(Type a)
+ { return ( a == PASS ); }
+};
#endif
return 0;
}
-int DetectionEngine::queue_event(unsigned gid, unsigned sid, RuleType type)
+int DetectionEngine::queue_event(unsigned gid, unsigned sid, Actions::Type type)
{
OptTreeNode* otn = GetOTN(gid, sid);
static void inspect(Packet*);
static int queue_event(const struct OptTreeNode*);
- static int queue_event(unsigned gid, unsigned sid, RuleType = RULE_TYPE__NONE);
-
+ static int queue_event(unsigned gid, unsigned sid, Actions::Type = Actions::NONE);
+
static void disable_all(Packet*);
static bool all_disabled(Packet*);
void EventTrace_Log(const Packet* p, const OptTreeNode* otn, int action)
{
- const char* acts = get_action_string((RuleType)action);
+ const char* acts = Actions::get_string((Actions::Type)action);
if ( !tlog )
return;
PacketTracer::log("Event: %u:%u:%u, Action %s\n",
otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev,
- get_action_string((RuleType)action));
+ Actions::get_string((Actions::Type)action));
// rule option actions are queued here (eg replace)
otn_trigger_actions(otn, p);
int action = -1, rateAction = -1;
int override, filterEvent = 0;
- if ( pass_action(rtn->type) )
+ if ( Actions::is_pass(rtn->type) )
p->packet_flags |= PKT_PASS_RULE;
if ( otn->stateless )
{
// We still want to drop packets that are drop rules.
// We just don't want to see the alert.
- action_apply(rtn->type, p);
+ Actions::apply(rtn->type, p);
fpLogOther(p, rtn, otn, rtn->type);
return 1;
}
// perform rate filtering tests - impacts action taken
rateAction = RateFilter_Test(otn, p);
- override = ( rateAction >= RULE_TYPE__MAX );
+ override = ( rateAction >= Actions::MAX );
if ( override )
- rateAction -= RULE_TYPE__MAX;
+ rateAction -= Actions::MAX;
// internal events are no-ops
if ( (rateAction < 0) && EventIsInternal(otn->sigInfo.gid) )
** If InlineMode is on, then we still want to drop packets
** that are drop rules. We just don't want to see the alert.
*/
- action_apply((RuleType)action, p);
+ Actions::apply((Actions::Type)action, p);
fpLogOther(p, rtn, otn, action);
pc.event_limit++;
return 1;
* If its order is lower than 'pass', it should have been passed.
* This is consistent with other detection rules */
if ( (p->packet_flags & PKT_PASS_RULE)
- &&(SnortConfig::get_eval_index(rtn->type) > SnortConfig::get_eval_index(RULE_TYPE__PASS)))
+ &&(SnortConfig::get_eval_index(rtn->type) > SnortConfig::get_eval_index(Actions::PASS)))
{
fpLogOther(p, rtn, otn, rtn->type);
return 1;
otn->state[get_instance_id()].alerts++;
event_id++;
- action_execute((RuleType)action, p, otn, event_id);
+ Actions::execute((Actions::Type)action, p, otn, event_id);
fpLogOther(p, rtn, otn, action);
return 0;
otn = o->matchInfo[i].MatchArray[j];
rtn = getRtnFromOtn(otn);
- if (otn && rtn && pass_action(rtn->type))
+ if (otn && rtn && Actions::is_pass(rtn->type))
{
/* Already acted on rules, so just don't act on anymore */
if ( tcnt > 0 )
}
/* only log/count one pass */
- if ( otn && rtn && pass_action(rtn->type))
+ if ( otn && rtn && Actions::is_pass(rtn->type))
{
p->packet_flags |= PKT_PASS_RULE;
return 1;
struct RuleListNode
{
ListHead* RuleList; /* The rule list associated with this node */
- RuleType mode; /* the rule mode */
+ Actions::Type mode; /* the rule mode */
int evalIndex; /* eval index for this rule set */
char* name; /* name of this rule list */
RuleListNode* next; /* the next RuleListNode */
uint32_t flags; /* control flags */
- RuleType type;
+ Actions::Type type;
// reference count from otn.
// Multiple OTNs can reference this RTN with the same policy.
{
const struct OptTreeNode* otn;
const struct RuleTreeNode* rtn;
- RuleType type;
+ Actions::Type type;
};
EventQueueConfig* EventQueueConfigNew();
// if the count were not incremented in such cases, the
// threshold would never be exceeded.
if ( !cfgNode->seconds && dynNode->count > cfgNode->count )
- if ( cfgNode->newAction == RULE_TYPE__DROP )
+ if ( cfgNode->newAction == Actions::DROP )
dynNode->count--;
#ifdef SFRF_DEBUG
fflush(stdout);
#endif
- return RULE_TYPE__MAX + cfgNode->newAction;
+ return Actions::MAX + cfgNode->newAction;
}
static void _updateDependentThresholds(
unsigned seconds;
// Action that replaces original rule action on reaching threshold
- RuleType newAction;
+ Actions::Type newAction;
// Threshold action duration in seconds before reverting to original rule action
unsigned timeout;
cfg.tracking = p->track;
cfg.count = p->count;
cfg.seconds = p->seconds;
- cfg.newAction = (RuleType)RULE_NEW;
+ cfg.newAction = (Actions::Type)RULE_NEW;
cfg.timeout = p->timeout;
cfg.applyTo = p->ip ? sfip_var_from_string(p->ip) : nullptr;
status = SFRF_TestThreshold(
rfc, p->gid, p->sid, &sip, &dip, curtime, op);
- if ( status >= RULE_TYPE__MAX )
- status -= RULE_TYPE__MAX;
+ if ( status >= Actions::MAX )
+ status -= Actions::MAX;
return status;
}
struct ActionApi
{
BaseApi base;
- RuleType type;
+ Actions::Type type;
IpsActFunc pinit;
IpsActFunc pterm;
"count interval" },
{ "new_action", Parameter::PT_ENUM,
- // FIXIT-L new_action options must match RuleType and
+ // FIXIT-L new_action options must match Actions::Type and
// should include pluggable actions as well
"log | pass | alert | drop | block | reset", "alert",
"take this action on future hits until timeout" },
thdx.applyTo = sfip_var_from_string(v.get_string());
else if ( v.is("new_action") )
- thdx.newAction = (RuleType)(v.get_long() + 1);
+ thdx.newAction = (Actions::Type)(v.get_long() + 1);
else
return false;
int num_rule_types = 0;
struct RuleListNode* rule_lists = nullptr;
- int evalOrder[RULE_TYPE__MAX + 1];
+ int evalOrder[Actions::MAX + 1];
struct FrameworkConfig* framework_config = nullptr;
static bool process_all_events()
{ return get_conf()->event_queue_config->process_all_events; }
- static int get_eval_index(RuleType type)
+ static int get_eval_index(Actions::Type type)
{ return get_conf()->evalOrder[type]; }
static int get_default_rule_state()
//-------------------------------------------------------------------------
-RuleType ActionManager::get_action_type(const char* s)
+Actions::Type ActionManager::get_action_type(const char* s)
{
for ( auto& p : s_actors )
{
if ( !strcmp(p.api->base.name, s) )
return p.api->type;
}
- return RULE_TYPE__NONE;
+ return Actions::NONE;
}
void ActionManager::instantiate(
static void release_plugins();
static void dump_plugins();
- static RuleType get_action_type(const char*);
+ static Actions::Type get_action_type(const char*);
static void instantiate(const ActionApi*, Module*, SnortConfig*);
return ( SnortConfig::inline_test_mode() || SnortConfig::adaptor_inline_test_mode() );
}
-RuleType get_rule_type(const char* s)
+Actions::Type get_rule_type(const char* s)
{
- RuleType rt = get_action_type(s);
+ Actions::Type rt = Actions::get_type(s);
- if ( rt == RULE_TYPE__NONE )
+ if ( rt == Actions::NONE )
rt = ActionManager::get_action_type(s);
switch ( rt )
{
- case RULE_TYPE__DROP:
- case RULE_TYPE__BLOCK:
- case RULE_TYPE__RESET:
+ case Actions::DROP:
+ case Actions::BLOCK:
+ case Actions::RESET:
if ( SnortConfig::treat_drop_as_alert() )
- return RULE_TYPE__ALERT;
+ return Actions::ALERT;
if ( ScKeepDropRules() || ScLoadAsDropRules() )
return rt;
- return RULE_TYPE__NONE;
+ return Actions::NONE;
- case RULE_TYPE__NONE:
+ case Actions::NONE:
ParseError("unknown rule type '%s'", s);
break;
void AddRuleState(SnortConfig*, const RuleState&);
void add_service_to_otn(SnortConfig*, OptTreeNode*, const char*);
-RuleType get_rule_type(const char*);
+Actions::Type get_rule_type(const char*);
ListHead* get_rule_list(SnortConfig*, const char*);
#endif
memset(&rtn, 0, sizeof(rtn));
rtn.type = get_rule_type(s);
- if ( rtn.type == RULE_TYPE__NONE )
+ if ( rtn.type == Actions::NONE )
{
s_ignore = true;
return;
static void CreateDefaultRules(SnortConfig* sc)
{
- CreateRuleType(sc, ACTION_LOG, RULE_TYPE__LOG);
- CreateRuleType(sc, ACTION_PASS, RULE_TYPE__PASS);
- CreateRuleType(sc, ACTION_ALERT, RULE_TYPE__ALERT);
- CreateRuleType(sc, ACTION_DROP, RULE_TYPE__DROP);
- CreateRuleType(sc, ACTION_BLOCK, RULE_TYPE__BLOCK);
- CreateRuleType(sc, ACTION_RESET, RULE_TYPE__RESET);
+ CreateRuleType(sc, Actions::get_string(Actions::LOG), Actions::LOG);
+ CreateRuleType(sc, Actions::get_string(Actions::PASS), Actions::PASS);
+ CreateRuleType(sc, Actions::get_string(Actions::ALERT), Actions::ALERT);
+ CreateRuleType(sc, Actions::get_string(Actions::DROP), Actions::DROP);
+ CreateRuleType(sc, Actions::get_string(Actions::BLOCK), Actions::BLOCK);
+ CreateRuleType(sc, Actions::get_string(Actions::RESET), Actions::RESET);
}
static void FreeRuleTreeNodes(SnortConfig* sc)
* Returns: the ListHead for the rule type
*
***************************************************************************/
-ListHead* CreateRuleType(SnortConfig* sc, const char* name, RuleType mode)
+ListHead* CreateRuleType(SnortConfig* sc, const char* name, Actions::Type mode)
{
RuleListNode* node;
int evalIndex = 0;
return getRtnFromOtn(otn);
}
-ListHead* CreateRuleType(SnortConfig* sc, const char* name, RuleType);
+ListHead* CreateRuleType(SnortConfig* sc, const char* name, Actions::Type);
void FreeRuleTreeNode(RuleTreeNode*);
void DestroyRuleTreeNode(RuleTreeNode*);
void show_stats(SimpleStats*, const char*) { }
void Value::get_bits(std::bitset<256ul>&) const {}
-int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; }
+int DetectionEngine::queue_event(unsigned int, unsigned int, Actions::Type) { return 0; }
int32_t str_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; }
int32_t substr_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; }
unsigned FlowData::flow_data_id = 0;
FlowData::FlowData(unsigned, Inspector*) {}
FlowData::~FlowData() {}
-int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; }
+int DetectionEngine::queue_event(unsigned int, unsigned int, Actions::Type) { return 0; }
THREAD_LOCAL PegCount HttpModule::peg_counts[1];
fd_status_t File_Decomp_StopFree(fd_session_t*) { return File_Decomp_OK; }
void show_stats(SimpleStats*, const char*) { }
void Value::get_bits(std::bitset<256ul>&) const {}
-int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; }
+int DetectionEngine::queue_event(unsigned int, unsigned int, Actions::Type) { return 0; }
HttpJsNorm::HttpJsNorm(int, const HttpParaList::UriParam& uri_param_) :
max_javascript_whitespaces(0), uri_param(uri_param_), javascript_search_mpse(nullptr),
projects / thirdparty / snort3.git / commitdiff
