-/* Copyright (C) 2007-2012 Open Information Security Foundation
+/* Copyright (C) 2007-2015 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
return e;
}
+int ThresholdHandlePacketSuppress(Packet *p, DetectThresholdData *td, uint32_t sid, uint32_t gid)
+{
+ int ret = 0;
+ DetectAddress *m = NULL;
+ switch (td->track) {
+ case TRACK_DST:
+ m = DetectAddressLookupInHead(&td->addrs, &p->dst);
+ SCLogInfo("TRACK_DST");
+ break;
+ case TRACK_SRC:
+ m = DetectAddressLookupInHead(&td->addrs, &p->src);
+ SCLogInfo("TRACK_SRC");
+ break;
+ /* suppress if either src or dst is a match on the suppress
+ * address list */
+ case TRACK_EITHER:
+ m = DetectAddressLookupInHead(&td->addrs, &p->src);
+ if (m == NULL) {
+ m = DetectAddressLookupInHead(&td->addrs, &p->dst);
+ }
+ break;
+ case TRACK_RULE:
+ default:
+ SCLogError(SC_ERR_INVALID_VALUE,
+ "track mode %d is not supported", td->track);
+ break;
+ }
+ if (m == NULL)
+ ret = 1;
+ else
+ ret = 2; /* suppressed but still need actions */
+
+ return ret;
+}
+
/**
* \retval 2 silent match (no alert but apply actions)
* \retval 1 normal match
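Review bot: The `SCLogInfo("TRACK_DST")` and `SCLogInfo("TRACK_SRC")` calls in the new `ThresholdHandlePacketSuppress` look like leftover debugging. They run at info level each time the function is called from the packet path, so a busy sensor would flood its log and slow detection. Use `SCLogDebug("TRACK_DST");` / `SCLogDebug("TRACK_SRC");` or drop them; the `TRACK_EITHER` branch already logs nothing. The function also has no header comment: a short Doxygen block giving `\retval 1` when neither address is on the suppress list and `\retval 2` when one is would match the style of the comment that follows it. `sid` and `gid` are unused in the body, and the function could be `static` if nothing outside this file calls it, which the hunk does not show.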
}
break;
}
- case TYPE_SUPPRESS:
- {
- DetectAddress *m = NULL;
- switch (td->track) {
- case TRACK_DST:
- m = DetectAddressLookupInHead(&td->addrs, &p->dst);
- break;
- case TRACK_SRC:
- m = DetectAddressLookupInHead(&td->addrs, &p->src);
- break;
- case TRACK_RULE:
- default:
- SCLogError(SC_ERR_INVALID_VALUE,
- "track mode %d is not supported", td->track);
- break;
- }
- if (m == NULL)
- ret = 1;
- else
- ret = 2; /* suppressed but still need actions */
- break;
- }
+ /* case TYPE_SUPPRESS: is not handled here */
default:
SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
}
SCReturnInt(0);
}
- if (td->track == TRACK_SRC) {
+ if (td->type == TYPE_SUPPRESS) {
+ ret = ThresholdHandlePacketSuppress(p,td,s->id,s->gid);
+ } else if (td->track == TRACK_SRC) {
Host *src = HostGetHostFromHash(&p->src);
if (src) {
ret = ThresholdHandlePacketHost(src,p,td,s->id,s->gid);
* suppress gen_id 1, sig_id 2000328
* suppress gen_id 1, sig_id 2000328, track by_src, ip fe80::/10
*/
-#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"
+#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"
/* Default path for the threshold.config file */
#if defined OS_WIN32 || defined __CYGWIN__
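Review bot: The format examples in the comment above `DETECT_SUPPRESS_REGEX` still show only `track by_src`, so the new `by_either` keyword is undocumented at the point where the syntax is defined. Add a line such as ` * suppress gen_id 1, sig_id 2000328, track by_either, ip fe80::/10`; the opening lines of that comment are outside the hunk. Separately, the ip group is carried over as `(...+)*`, which nests one quantifier inside another and lets the pattern match with no ip value at all. threshold.config is operator-controlled, so the risk is low, but it is worth confirming that the parser rejects an empty address list for `by_either`, since that code is not visible here.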
parsed_track = TRACK_DST;
else if (strcasecmp(th_track,"by_src") == 0)
parsed_track = TRACK_SRC;
+ else if (strcasecmp(th_track,"by_either") == 0) {
+ parsed_track = TRACK_EITHER;
+ }
else {
SCLogError(SC_ERR_INVALID_VALUE, "Invalid track parameter %s in %s", th_track, rule_extend);
goto error;