suppress: support ip-lists
authorVictor Julien <victor@inliniac.net>
Wed, 10 Jun 2015 12:20:21 +0000 (14:20 +0200)
committerVictor Julien <victor@inliniac.net>
Mon, 15 Jun 2015 09:16:35 +0000 (11:16 +0200)
Ticket: 1137

Support supplying a list of IP's to the suppress keyword. Variables from
the address-groups and negation are supported. The same logic (and code) is
used that is also used in parsing the IP portions of regular detection
rules.

src/detect-engine-threshold.c
src/detect-threshold.c
src/detect-threshold.h
src/util-threshold-config.c

index 1ebc3e4043841bc492d1677232b7c5d9e5e91d20..900e6b0a0000f4f252df2507e874d5d5f7b019e5 100644 (file)
@@ -465,13 +465,13 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
         }
         case TYPE_SUPPRESS:
         {
-            int res = 0;
+            DetectAddress *m = NULL;
             switch (td->track) {
                 case TRACK_DST:
-                    res = DetectAddressMatch(td->addr, &p->dst);
+                    m = DetectAddressLookupInHead(&td->addrs, &p->dst);
                     break;
                 case TRACK_SRC:
-                    res = DetectAddressMatch(td->addr, &p->src);
+                    m = DetectAddressLookupInHead(&td->addrs, &p->src);
                     break;
                 case TRACK_RULE:
                 default:
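Review bot: The local `m` only answers "did any entry match" but is named like an object that will be used further; `DetectAddress *match = NULL;` would read better at the `if (m == NULL)` test later in the function, since the pointer itself is never dereferenced there. The lookup also relies on DetectAddressParse having folded negated entries (`!`) into positive ranges in `td->addrs`, as is done for rule address groups; if that is not the case, a purely negated ip list would never produce a match and so never suppress, which is worth a one-line comment at the lookup. ThresholdHandlePacketHost begins and ends outside this hunk.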
@@ -479,7 +479,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
                                "track mode %d is not supported", td->track);
                     break;
             }
-            if (res == 0)
+            if (m == NULL)
                 ret = 1;
             else
                 ret = 2; /* suppressed but still need actions */
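Review bot: `m == NULL` also covers the TRACK_RULE/default branch, where no lookup ran and an error was logged, so an unsupported track mode silently becomes "not suppressed" (ret = 1). That is the same outcome the old `res = 0` gave, but it is now less obvious because `m` reads as the result of a lookup. A comment on the test would make it explicit: `if (m == NULL) /* no address match, or unsupported track mode: not suppressed */`. The function continues outside this hunk.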
index 5c83ee4d473020ff21e5d7e188ae8d5e8549c94d..236b6bf627acaf56d13a18b6e15ed5cc060c84b4 100644 (file)
@@ -286,7 +286,7 @@ static void DetectThresholdFree(void *de_ptr)
 {
     DetectThresholdData *de = (DetectThresholdData *)de_ptr;
     if (de) {
-        DetectAddressFree(de->addr);
+        DetectAddressHeadCleanup(&de->addrs);
         SCFree(de);
     }
 }
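Review bot: `DetectAddressHeadCleanup(&de->addrs)` now runs on an embedded struct for every DetectThresholdData, including threshold (non-suppress) rules whose `addrs` is never parsed, so it is only safe if the allocation in DetectThresholdSetup (outside this hunk) zeroes the struct. The explicit `de->addr = NULL` assignments this commit deletes in the three SetupThresholdRule hunks of util-threshold-config.c suggest the allocation there may not be zeroed, and the same assumption is made by the error-path cleanups at the end of SetupSuppressRule and SetupThresholdRule. If `de` comes from SCMalloc without a memset, the cleanup would walk uninitialized list heads; either allocate with SCCalloc or add `memset(&de->addrs, 0, sizeof(de->addrs));` right after each allocation, and note the requirement in a comment on the struct member. I cannot see the allocations from these hunks, so this may already be handled.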
index 3306094bee7482b3271d05a0d575475ded27de54..fd8c93117f51b7140f099e1e054782c4c6a12ce7 100644 (file)
@@ -60,7 +60,7 @@ typedef struct DetectThresholdData_ {
     uint8_t new_action; /**< new_action alert|drop|pass|log|sdrop|reject */
     uint32_t timeout;   /**< timeout */
     uint32_t flags;     /**< flags used to set option */
-    DetectAddress* addr; /**< address group used by suppress keyword */
+    DetectAddressHead addrs;
 } DetectThresholdData;
 
 typedef struct DetectThresholdEntry_ {
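Review bot: The replacement member `DetectAddressHead addrs;` drops the `/**< … */` doc comment its predecessor carried, while every other member in the struct still has one. Suggest `DetectAddressHead addrs; /**< address list matched by the suppress keyword for track by_src/by_dst; left empty for threshold rules */`. Since the struct now embeds a list head rather than a pointer, the comment is also the right place to say that the struct must be zero-initialized before DetectAddressHeadCleanup is called on it.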
index 25be3d79316b0f25cd01f860e57619d241e0be65..5ee84c55a32f739a14b645db173c349888d05c0f 100644 (file)
@@ -73,7 +73,7 @@ typedef enum ThresholdRuleType {
  *  suppress gen_id 1, sig_id 2000328
  *  suppress gen_id 1, sig_id 2000328, track by_src, ip fe80::/10
 */
-#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\da-fA-F.:/]+)*\\s*$"
+#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"
 
 /* Default path for the threshold.config file */
 #if defined OS_WIN32 || defined __CYGWIN__
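Review bot: The new character class admits `[`, `]`, `,`, `$` and word characters but not `!`, so a directly negated entry such as `ip !10.0.0.0/8` is still rejected by the regex before DetectAddressParse sees it, even though the commit message says negation is supported; negation can only get through inside an address-group variable. If direct negation is intended, add it to the class: `#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\],\\$!\\da-zA-Z.:/_]+)*\\s*$"`. The class also has no whitespace, so `[10.0.0.1, 10.0.0.2]` with a space after the comma is rejected, which the example block above (lines with `suppress gen_id 1, sig_id 2000328`) should show, e.g. a constructed `suppress gen_id 1, sig_id 2000328, track by_src, ip [10.0.0.1,$HOME_NET]`. The pre-existing trailing `*` after the group makes the ip argument optional, which is unchanged here.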
@@ -296,16 +296,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
             de->seconds = parsed_seconds;
             de->new_action = parsed_new_action;
             de->timeout = parsed_timeout;
-            de->addr = NULL;
 
             if (parsed_track != TRACK_RULE) {
-                de->addr = DetectAddressInit();
-                if (de->addr == NULL) {
-                    SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
-                    goto error;
-                }
-                if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
-                    SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
+                if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
+                    SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
                     goto error;
                 }
             }
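Review bot: The `(const DetectEngineCtx *)de_ctx` cast is unnecessary since adding a const qualifier to a pointer is an implicit conversion, and the identical four-line parse-and-log sequence is now repeated three times in SetupSuppressRule (this hunk and the two that follow), which is how the earlier copy-paste variants drifted. Factoring it into one static helper keeps a single place for the error message and any future handling of the `(char *)th_ip` cast, whose const-ness depends on th_ip's declaration outside the hunk. SetupSuppressRule begins and ends outside this hunk.
```c
/* Parse the suppress rule's ip argument into de->addrs.
 * Returns 0 on success, -1 on failure (error already logged). */
static int SuppressParseAddresses(DetectEngineCtx *de_ctx, DetectThresholdData *de, const char *th_ip)
{
    if (DetectAddressParse(de_ctx, &de->addrs, (char *)th_ip) != 0) {
        SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
        return -1;
    }
    return 0;
}

/* … unchanged: SetupSuppressRule up to the track check … */
            if (parsed_track != TRACK_RULE) {
                if (SuppressParseAddresses(de_ctx, de, th_ip) != 0)
                    goto error;
            }
```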
@@ -347,16 +341,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
             de->seconds = parsed_seconds;
             de->new_action = parsed_new_action;
             de->timeout = parsed_timeout;
-            de->addr = NULL;
 
             if (parsed_track != TRACK_RULE) {
-                de->addr = DetectAddressInit();
-                if (de->addr == NULL) {
-                    SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
-                    goto error;
-                }
-                if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
-                    SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
+                if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
+                    SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
                     goto error;
                 }
             }
@@ -400,13 +388,8 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
             de->new_action = parsed_new_action;
             de->timeout = parsed_timeout;
 
-            de->addr = DetectAddressInit();
-            if (de->addr == NULL) {
-                SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
-                goto error;
-            }
-            if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
-                SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
+            if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
+                SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
                 goto error;
             }
 
@@ -427,8 +410,7 @@ end:
     return 0;
 error:
     if (de != NULL) {
-        if (de->addr != NULL)
-            DetectAddressFree(de->addr);
+        DetectAddressHeadCleanup(&de->addrs);
         SCFree(de);
     }
     return -1;
@@ -485,7 +467,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
             de->seconds = parsed_seconds;
             de->new_action = parsed_new_action;
             de->timeout = parsed_timeout;
-            de->addr = NULL;
 
             sm = SigMatchAlloc();
             if (sm == NULL) {
@@ -549,7 +530,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
                 de->seconds = parsed_seconds;
                 de->new_action = parsed_new_action;
                 de->timeout = parsed_timeout;
-                de->addr = NULL;
 
                 sm = SigMatchAlloc();
                 if (sm == NULL) {
@@ -640,7 +620,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
             de->seconds = parsed_seconds;
             de->new_action = parsed_new_action;
             de->timeout = parsed_timeout;
-            de->addr = NULL;
 
             sm = SigMatchAlloc();
             if (sm == NULL) {
@@ -675,8 +654,7 @@ end:
     return 0;
 error:
     if (de != NULL) {
-        if (de->addr != NULL)
-            DetectAddressFree(de->addr);
+        DetectAddressHeadCleanup(&de->addrs);
         SCFree(de);
     }
     return -1;