#endif
}
+ DetectPortCleanupList(de_ctx->tcp_whitelist);
+ DetectPortCleanupList(de_ctx->udp_whitelist);
+
SCFree(de_ctx);
//DetectAddressGroupPrintMemory();
//DetectSigGroupPrintMemory();
SCLogDebug("de_ctx->inspection_recursion_limit: %d",
de_ctx->inspection_recursion_limit);
+ /* parse port grouping whitelisting settings */
+
+ char *ports = NULL;
+ (void)ConfGet("detect.grouping.tcp-whitelist", &ports);
+ if (ports) {
+ SCLogInfo("grouping: tcp-whitelist %s", ports);
+ } else {
+ ports = "53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080";
+ SCLogInfo("grouping: tcp-whitelist (default) %s", ports);
+
+ }
+ if (DetectPortParse(de_ctx, &de_ctx->tcp_whitelist, ports) != 0) {
+ SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
+ "for detect.grouping.tcp-whitelist", ports);
+ }
+ DetectPort *x = de_ctx->tcp_whitelist;
+ for ( ; x != NULL; x = x->next) {
+ if (x->port != x->port2) {
+ SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
+ "for detect.grouping.tcp-whitelist: only single ports allowed", ports);
+ DetectPortCleanupList(de_ctx->tcp_whitelist);
+ de_ctx->tcp_whitelist = NULL;
+ break;
+ }
+ }
+
+ ports = NULL;
+ (void)ConfGet("detect.grouping.udp-whitelist", &ports);
+ if (ports) {
+ SCLogInfo("grouping: udp-whitelist %s", ports);
+ } else {
+ ports = "53, 135, 5060";
+ SCLogInfo("grouping: udp-whitelist (default) %s", ports);
+
+ }
+ if (DetectPortParse(de_ctx, &de_ctx->udp_whitelist, ports) != 0) {
+ SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
+ "forr detect.grouping.udp-whitelist", ports);
+ }
+ for (x = de_ctx->udp_whitelist; x != NULL; x = x->next) {
+ if (x->port != x->port2) {
+ SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
+ "for detect.grouping.udp-whitelist: only single ports allowed", ports);
+ DetectPortCleanupList(de_ctx->udp_whitelist);
+ de_ctx->udp_whitelist = NULL;
+ break;
+ }
+ }
+
return 0;
error:
return -1;
return 0;
}
-int tcp_whitelisted[] = { 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080, -1 };
-int udp_whitelisted[] = { 53, 135, 5060, -1 };
-
-static int PortIsWhitelisted(const DetectPort *a, int ipproto)
+static int PortIsWhitelisted(const DetectEngineCtx *de_ctx,
+ const DetectPort *a, int ipproto)
{
- int *w = tcp_whitelisted;
+ DetectPort *w = de_ctx->tcp_whitelist;
if (ipproto == IPPROTO_UDP)
- w = udp_whitelisted;
- while (*w++ != -1) {
- if (a->port >= *w && a->port2 <= *w) {
- SCLogDebug("port group %u:%u whitelisted -> %d", a->port, a->port2, *w);
+ w = de_ctx->udp_whitelist;
+
+ while (w) {
+ if (a->port >= w->port && a->port2 <= w->port) {
+ SCLogDebug("port group %u:%u whitelisted -> %d", a->port, a->port2, w->port);
return 1;
}
+ w = w->next;
}
return 0;
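Review bot: The udp warning in the second DetectPortParse check spells the key as `"forr detect.grouping.udp-whitelist"`; it should be `"for detect.grouping.udp-whitelist", ports);`, and the copy-paste structure that let the typo in — the tcp and udp blocks differ only in config key, default list and target pointer — is better replaced by one static helper, sketched below. Both parse checks only warn and then fall through to the single-port loop, so whatever DetectPortParse leaves in de_ctx->tcp_whitelist / udp_whitelist on failure (not visible here) is kept and later read by PortIsWhitelisted; once the parser's failure contract is confirmed, the list should be explicitly freed/reset after that warning so a rejected setting never leaves a partial list in use. PortIsWhitelisted, the second change in this hunk, also lacks a header comment; suggest `/* Returns 1 if port group a covers exactly one port that is on the tcp or udp whitelist in de_ctx (selected by ipproto), 0 otherwise. */`. DetectEngineCtxLoadConf's beginning lies outside the hunk.
```c
/* Load one port whitelist from the config (or fall back to default_ports).
 * Any entry that is a range makes the whole list invalid, since the grouping
 * code only handles single ports. */
static void DetectEngineCtxLoadPortWhitelist(DetectEngineCtx *de_ctx,
        const char *conf_key, const char *name, char *default_ports,
        DetectPort **list)
{
    char *ports = NULL;
    (void)ConfGet(conf_key, &ports);
    if (ports) {
        SCLogInfo("grouping: %s %s", name, ports);
    } else {
        ports = default_ports;
        SCLogInfo("grouping: %s (default) %s", name, ports);
    }
    if (DetectPortParse(de_ctx, list, ports) != 0) {
        SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
                "for %s", ports, conf_key);
        /* TODO(review): confirm what DetectPortParse leaves in *list on
         * failure and free/reset it here so no partial list is used. */
    }
    for (DetectPort *x = *list; x != NULL; x = x->next) {
        if (x->port != x->port2) {
            SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "'%s' is not a valid value "
                    "for %s: only single ports allowed", ports, conf_key);
            DetectPortCleanupList(*list);
            *list = NULL;
            break;
        }
    }
}

/* … unchanged: body of DetectEngineCtxLoadConf up to the whitelist block … */
    DetectEngineCtxLoadPortWhitelist(de_ctx, "detect.grouping.tcp-whitelist",
            "tcp-whitelist",
            "53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080",
            &de_ctx->tcp_whitelist);
    DetectEngineCtxLoadPortWhitelist(de_ctx, "detect.grouping.udp-whitelist",
            "udp-whitelist", "53, 135, 5060", &de_ctx->udp_whitelist);
/* … unchanged: return 0 / error label … */
```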
int wl = s->whitelist;
while (p) {
- int pwl = PortIsWhitelisted(p, ipproto) ? 111 : 0;
+ int pwl = PortIsWhitelisted(de_ctx, p, ipproto) ? 111 : 0;
pwl = MAX(wl,pwl);
DetectPort *lookup = DetectPortHashLookup(de_ctx, p);
# is started. This will limit the downtime in IPS mode.
#delayed-detect: yes
+ # the grouping values above control how many groups are created per
+ # direction. Port whitelisting forces that port to get it's own group.
+ # Very common ports will benefit, as well as ports with many expensive
+ # rules.
+ grouping:
+ #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
+ #udp-whitelist: 53, 135, 5060
+
profiling:
# Log the rules that made it past the prefilter stage, per packet
# default is off. The threshold setting determines how many rules
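Review bot: The new grouping comment does not tell the operator that only single ports are accepted — the loader added in this commit rejects a value containing a range with a warning and then drops the whole list, so a stray range entry disables whitelisting for that protocol with nothing more than a log line. Suggest adding `# Only single ports are accepted; a list containing a port range is rejected and the whitelist for that protocol is disabled.` after the `# rules.` line. Also `it's own group` should read `its own group`.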