Merge in SNORT/snort3 from ~ABHRAWAT/snort3:conn_event_ips_suppression to master
Squashed commit of the following:
commit
4790cd489d98de6f2759d5bd875e23f04f561940
Author: abhrawat <abhrawat@cisco.com>
Date: Mon Jan 29 19:33:39 2024 +0000
flow: added ips event suppression flags
*/
IpsAction * act = get_ips_policy()->action[action];
act->exec(p);
+
if ( p->active && p->flow &&
(p->active->get_action() >= Active::ACT_DROP) )
{
- p->flow->flags.ips_event_suppressed = true;
+ if ( p->active->can_partial_block_session() )
+ p->flow->flags.ips_pblock_event_suppressed = true;
+ else if (p->active->packet_would_be_dropped())
+ p->flow->flags.ips_wblock_event_suppressed = true;
+ else
+ p->flow->flags.ips_block_event_suppressed = true;
}
fpLogOther(p, rtn, otn, action);
pc.event_limit++;
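Review bot: The new if/else chain after `act->exec(p)` sets exactly one of the three flags, so its order is a precedence rule that the code never states: when `can_partial_block_session()` and `packet_would_be_dropped()` are both true, only `ips_pblock_event_suppressed` is recorded. These bits appear to be the only per-flow trace that a drop verdict was reached while the alert was filtered, so I would document the intended precedence above the chain, e.g. `// one flag per suppressed event; precedence: partial block > would-drop > block`. As a style point, `else if (p->active->packet_would_be_dropped())` should use the spaced form `else if ( ... )` like the conditions around it, and the two new flag comments in the Flow flags hunk start with lowercase "set" where their neighbours use "Set". The enclosing function begins and ends outside this hunk, so whether this path is reached only for filtered events cannot be confirmed from here.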
bool svc_event_generated : 1; // Set if FLOW_NO_SERVICE_EVENT was generated for this flow
bool retry_queued : 1; // Set if a packet was queued for retry for this flow
bool ha_flow : 1; // Set if this flow was created by an HA message
- bool ips_event_suppressed : 1; // Set if event filters have suppressed ips event
bool disable_reassembly_by_ips : 1; // Set if IPS has disabled reassembly for this flow
+ bool ips_block_event_suppressed : 1; // Set if event filters have suppressed a block ips event
+ bool ips_wblock_event_suppressed : 1; // set if event filters have suppressed a would block/drop ips event
+ bool ips_pblock_event_suppressed : 1; // set if event filters have suppressed a partial block ips event
} flags = {};
FlowState flow_state = FlowState::SETUP;