Merge pull request #1451 in SNORT/snort3 from ~MASHASAN/snort3:si_blacklist_event...
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Wed, 5 Dec 2018 19:11:40 +0000 (14:11 -0500)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Wed, 5 Dec 2018 19:11:40 +0000 (14:11 -0500)
Squashed commit of the following:

commit e4e65594c38b3c1aec8e530037a89b1d1a2b896a
Author: Masud Hasan <mashasan@cisco.com>
Date:   Wed Nov 28 22:07:18 2018 -0500

    reputation: Fix iterations of layers for different nested_ip configs and show the blacklisted IP in events

src/network_inspectors/reputation/reputation_inspect.cc

index 2f33334df5f2a20faf10acca049eec97c1b70b74..8e2e53f94c12778a2987ba669e3a80508bbd7698 100644 (file)
@@ -221,40 +221,52 @@ static IPdecision reputation_decision(ReputationConfig* config, Packet* p)
             egress_zone = p->pkth->egress_group;
     }
 
+    if (config->nested_ip == INNER)
+    {
+        decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api, &decision_final);
+        return decision_final;
+    }
+
+    // For OUTER or ALL, save current layers, iterate, then restore layers as needed
     ip::IpApi tmp_api = p->ptrs.ip_api;
     int8_t num_layer = 0;
     IpProtocol tmp_next = p->get_ip_proto_next();
-    bool outer_layer_only = (config->nested_ip == OUTER) ? true : false;
-    bool outer_layer = false;
 
-    while (layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer) &&
-        tmp_api != p->ptrs.ip_api)
+    if (config->nested_ip == OUTER)
     {
-        outer_layer = true;
-
-        if (decision_per_layer(config, p, ingress_zone, egress_zone,p->ptrs.ip_api,
-                &decision_final))
-            return decision_final;
+        layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer);
+        decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api, &decision_final);
+        if (decision_final != BLACKLISTED)
+            p->ptrs.ip_api = tmp_api;
+    }
+    else if (config->nested_ip == ALL)
+    {
+        bool done = false;
+        ip::IpApi blocked_api;
+        IPdecision decision_current = DECISION_NULL;
 
-        if (outer_layer_only)
+        while (!done and layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer))
         {
-            p->ip_proto_next = tmp_next;
-            p->ptrs.ip_api = tmp_api;
-            return decision_final;
+            done = decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api,
+                &decision_current);
+            if (decision_current != DECISION_NULL)
+            {
+                if (decision_current == BLACKLISTED)
+                    blocked_api = p->ptrs.ip_api;
+                decision_final = decision_current;
+                decision_current = DECISION_NULL;
+            }
         }
+        if (decision_final != BLACKLISTED)
+            p->ptrs.ip_api = tmp_api;
+        else if (p->ptrs.ip_api != blocked_api)
+            p->ptrs.ip_api = blocked_api;
     }
+    else
+        assert(false); // Should never hit this
 
     p->ip_proto_next = tmp_next;
-    p->ptrs.ip_api = tmp_api;
-
-    /*Check INNER IP, when configured or only one layer*/
-    if (!outer_layer || (config->nested_ip == INNER) || (config->nested_ip == ALL))
-    {
-        decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api,
-            &decision_final);
-    }
-
-    return (decision_final);
+    return decision_final;
 }
 
 static void snort_reputation(ReputationConfig* config, Packet* p)
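Review bot: The return value of `layer::set_outer_ip_api()` is discarded in the OUTER branch (the call just before `decision_per_layer` in that block), whereas the removed loop only evaluated a layer when that call returned true and the api actually changed; if it fails for a packet with no outer IP layer, `decision_per_layer` runs on whatever `p->ptrs.ip_api` holds at that point, presumably the single inner layer, so either document that fallback, e.g. `// no outer layer: ip_api is unchanged and the only layer is evaluated`, or guard the evaluation with `if (layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer))`. A second point is that on a BLACKLISTED decision `p->ptrs.ip_api` is intentionally left on the offending layer (both in OUTER and via `blocked_api` in ALL) while `p->ip_proto_next` is always restored to the inner value at the end, so the two fields no longer describe the same layer when the function returns; anything downstream that reads them together would need to know that, and a comment at the restore such as `// ip_api deliberately left on the blacklisted layer so the event reports that IP` would make the contract explicit. The `assert(false)` for an unexpected nested_ip value compiles out under NDEBUG and the function then returns the initial decision_final, which is fine if the value is validated at config time but deserves a comment saying so. The enclosing function reputation_decision starts before this hunk.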