Merge pull request #1986 in SNORT/snort3 from ~APOORAJ/snort3:ftp_whitelist to master
authorGeorge Koikara (gkoikara) <gkoikara@cisco.com>
Thu, 5 Mar 2020 11:19:24 +0000 (11:19 +0000)
committerGeorge Koikara (gkoikara) <gkoikara@cisco.com>
Thu, 5 Mar 2020 11:19:24 +0000 (11:19 +0000)
Squashed commit of the following:

commit cd28ecf05fbe5379661772cdd6704ea2d7f8c253
Author: Apoorv Raj <apooraj@cisco.com>
Date:   Thu Feb 6 02:57:58 2020 -0500

    ftp: Whitelist ftp session after max sig depth reached

src/file_api/file_lib.cc
src/parser/parse_rule.cc
src/parser/parse_rule.h
src/service_inspectors/ftp_telnet/ftp_data.cc

index 1d7621d5c736d68f6dc48733284c3f0e0d919f1a..00e025ef0081cf1ebbe9b63dcfb048e054d9d7e5 100644 (file)
@@ -477,6 +477,10 @@ bool FileContext::process(Packet* p, const uint8_t* file_data, int data_size,
 
                 log_file_event(flow, policy);
             }
+            else
+            {
+                return false;
+            }
         }
     }
     else
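Review bot: The added `else { return false; }` carries no comment saying which case it covers, and the `if` it pairs with starts outside the hunk. The ftp_data.cc hunk of this commit stops inspecting the flow in both directions on a false status, which appears to come from this function, so the return value here now feeds an inspection-bypass decision. A comment on the branch such as `// nothing further to do for this file: report processing as finished` (wording to be matched to the actual condition), plus a line on the meaning of a false return in the function's header comment, would make that contract visible.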
index e23a5d342422e79b0a6638df224a225adf43da7d..daadfdf1be7f7136dd40b7fa6aab60455beef0f7 100644 (file)
@@ -855,8 +855,11 @@ static int mergeDuplicateOtn(
     return false;
 }
 
+namespace snort
+{
 int get_rule_count()
 { return rule_count; }
+}
 
 void parse_rule_init()
 {
index 7c855d33346e55fec89ec83854f82a9d416066e4..8c0480d2544df93d96137e11a0ee8b0a86ebf647 100644 (file)
@@ -26,6 +26,7 @@
 namespace snort
 {
 struct SnortConfig;
+SO_PUBLIC int get_rule_count();
 }
 struct OptFpList;
 struct OptTreeNode;
@@ -47,7 +48,5 @@ void parse_rule_opt_end(snort::SnortConfig*, const char* key, OptTreeNode*);
 OptTreeNode* parse_rule_open(snort::SnortConfig*, RuleTreeNode&, bool stub = false);
 void parse_rule_close(snort::SnortConfig*, RuleTreeNode&, OptTreeNode*);
 
-int get_rule_count();
-
 #endif
 
index 6fcdaeb7e8d35281a1c3b0f44bfdd94101c2dec2..5b0848605d06d502ea7cd29dfec9307f15b03c62 100644 (file)
@@ -27,6 +27,8 @@
 #include "file_api/file_flows.h"
 #include "file_api/file_service.h"
 #include "packet_io/active.h"
+#include "packet_tracer/packet_tracer.h"
+#include "parser/parse_rule.h"
 #include "profiler/profiler.h"
 #include "stream/stream.h"
 #include "utils/util.h"
@@ -96,10 +98,19 @@ static void FTPDataProcess(
         data_ssn->packet_flags |= FTPDATA_FLG_FILENAME_SET;
     }
 
-    /* Ignore the rest of this transfer if file processing is complete
-     * and preprocessor was configured to ignore ftp-data sessions. */
-    if (!status && data_ssn->data_chan)
-        p->flow->set_ignore_direction(SSN_DIR_BOTH);
+    // Ignore the rest of this transfer if file processing is complete
+    // and status is returned false (eg sig not enabled, sig depth exceeded etc)
+    // and no IPS rules are configured.
+    if ( !status )
+    {
+        IpsPolicy* empty_policy = snort::get_empty_ips_policy(SnortConfig::get_conf());
+        if ( !get_rule_count() || (empty_policy->policy_id == p->flow->ips_policy_id) )
+        {
+            if ( PacketTracer::is_active() )
+                PacketTracer::log("Whitelisting Flow: FTP sig depth exceeded\n");
+            p->flow->set_ignore_direction(SSN_DIR_BOTH);
+        }
+    }
 }
 
 static int SnortFTPData(Packet* p)
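Review bot: `empty_policy` is dereferenced in the new condition without a null check; whenever `get_rule_count()` is non-zero the right-hand side is evaluated, so if `get_empty_ips_policy()` can return null (its contract is not visible here) the inspector would crash on the data channel. A guarded form would be `if ( !get_rule_count() || (empty_policy && empty_policy->policy_id == p->flow->ips_policy_id) )`. The trace text names a single cause, "FTP sig depth exceeded", although the comment above says the branch covers any false status (sig not enabled, sig depth exceeded, etc.); since this line records a decision to stop inspecting the flow in both directions, a neutral message such as `"Whitelisting Flow: FTP file processing complete, no IPS rules\n"` would keep packet traces accurate. The removed `data_ssn->data_chan` test means the ignore no longer depends on that setting, which deserves a sentence in the commit description if it is intended. FTPDataProcess starts outside the hunk.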