Merge pull request #2909 in SNORT/snort3 from ~MASHASAN/snort3:filter_dhcp to master

Squashed commit of the following:

commit e98fe541ff4d5972373d2a8c5124fb1b727fa3a3
Author: Masud Hasan <mashasan@cisco.com>
Date:   Tue May 25 17:10:00 2021 -0400

    rna: Filtering DHCP events and some refactoring

diff --git a/src/network_inspectors/rna/rna_module.cc b/src/network_inspectors/rna/rna_module.cc
index c0e172e4def1cb8e41eb5c5f3734109f2337a83f..808f15d3ed7275dbe8b981b3a05602abba4db7a1 100644 (file)
--- a/src/network_inspectors/rna/rna_module.cc
+++ b/src/network_inspectors/rna/rna_module.cc
@@ -92,12 +92,13 @@ static int purge_data(lua_State* L)
     if ( rna )
     {
         HostCacheMac* mac_cache = new HostCacheMac(MAC_CACHE_INITIAL_SIZE);
-        main_broadcast_command(new DataPurgeAC(mac_cache), (L != nullptr));
+        bool from_shell = ( L != nullptr );
+        main_broadcast_command(new DataPurgeAC(mac_cache), from_shell);
 
         host_cache.invalidate();
 
         SharedRequest request = get_dispatched_request();
-        request->respond("data purge done\n", false, true);
+        request->respond("data purge done\n", from_shell, true);
         LogMessage("data purge done\n");
     }
 

diff --git a/src/network_inspectors/rna/rna_pnd.cc b/src/network_inspectors/rna/rna_pnd.cc
index c1b89cc0837df370e06ffa196763d2aa41dd104f..b8f6ab028b9c979fa530d481a485d6ba8b84c2d2 100644 (file)
--- a/src/network_inspectors/rna/rna_pnd.cc
+++ b/src/network_inspectors/rna/rna_pnd.cc
@@ -273,11 +273,14 @@ void RnaPnd::discover_network(const Packet* p, uint8_t ttl)
 void RnaPnd::analyze_dhcp_fingerprint(DataEvent& event)
 {
     const Packet* p = event.get_packet();
+    const auto& src_ip = p->ptrs.ip_api.get_src();
+    if ( !filter.is_host_monitored(p, nullptr, src_ip) )
+        return;
+
     const DHCPDataEvent& dhcp_data_event = static_cast<DHCPDataEvent&>(event);
     const uint8_t* src_mac = dhcp_data_event.get_eth_addr();
     bool new_host = false;
     bool new_mac = false;
-    const auto& src_ip = p->ptrs.ip_api.get_src();
     auto ht = find_or_create_host_tracker(*src_ip, new_host);
     if (!new_host)
         ht->update_last_seen();
@@ -316,14 +319,17 @@ void RnaPnd::analyze_dhcp_fingerprint(DataEvent& event)
 void RnaPnd::add_dhcp_info(DataEvent& event)
 {
     const DHCPInfoEvent& dhcp_info_event = static_cast<DHCPInfoEvent&>(event);
-    const uint8_t* src_mac = dhcp_info_event.get_eth_addr();
     uint32_t ip_address = dhcp_info_event.get_ip_address();
+    SfIp leased_ip = {(void*)&ip_address, AF_INET};
+    const Packet* p = event.get_packet();
+    if ( !filter.is_host_monitored(p, nullptr, &leased_ip) )
+        return;
+
+    const uint8_t* src_mac = dhcp_info_event.get_eth_addr();
     uint32_t net_mask = dhcp_info_event.get_subnet_mask();
     uint32_t lease = dhcp_info_event.get_lease_secs();
     uint32_t router = dhcp_info_event.get_router();
-    const Packet* p = event.get_packet();
 
-    SfIp leased_ip = {(void*)&ip_address, AF_INET};
     SfIp router_ip = {(void*)&router, AF_INET};
     bool new_host = false;
     bool new_mac = false;
@@ -957,10 +963,14 @@ int RnaPnd::discover_host_types_icmpv6_ndp(RnaTracker& ht, const Packet* p, uint
     if ( memcmp(src_mac, neighbor_src_mac, MAC_SIZE) )
         return 1;
 
-    if ( is_router and ((ht->get_host_type() != HOST_TYPE_ROUTER) and (ht->get_host_type() != HOST_TYPE_BRIDGE)) )
+    if ( is_router )
     {
-        ht->set_host_type(HOST_TYPE_ROUTER);
-        logger.log(RNA_EVENT_CHANGE, CHANGE_HOST_TYPE, p, &ht, src_ip, neighbor_src_mac);
+        auto host_type = ht->get_host_type();
+        if ( host_type != HOST_TYPE_ROUTER and host_type != HOST_TYPE_BRIDGE )
+        {
+            ht->set_host_type(HOST_TYPE_ROUTER);
+            logger.log(RNA_EVENT_CHANGE, CHANGE_HOST_TYPE, p, &ht, src_ip, neighbor_src_mac);
+        }
     }
 
     if ( ht->make_primary(src_mac) )