Merge in SNORT/snort3 from ~RUCOMBS/snort3:allow_missing_so_rules to master
Squashed commit of the following:
commit
2ad1178e988cef483957cc27644ec6e7f70a1253
Author: russ <rucombs@cisco.com>
Date: Wed Nov 3 10:14:11 2021 -0400
build: remove HAVE_HYPERSCAN conditional from installed header
Installed headers can't have conditional struct members since plugins
don't have config.h. In this case the hyperscan-related variables are
now always present.
commit
4d5aa95485dfd13ebad9cec518b92dfedf0b89dd
Author: russ <rucombs@cisco.com>
Date: Thu Oct 28 09:39:33 2021 -0400
detection: add allow_missing_so_rules
By default, missing SO rules cause an error. Set this to true to report
warnings instead. This is helpful when your rule package is out of date.
This should not be enabled in a production environment.
static const Parameter detection_params[] =
{
+ { "allow_missing_so_rules", Parameter::PT_BOOL, nullptr, "false",
+ "warn (true) or error (false) when an SO rule stub refers to an SO rule that isn't loaded" },
+
{ "asn1", Parameter::PT_INT, "0:65535", "0",
"maximum decode nodes" },
bool DetectionModule::set(const char*, Value& v, SnortConfig* sc)
{
- if ( v.is("asn1") )
+ if ( v.is("allow_missing_so_rules") )
+ sc->allow_missing_so_rules = v.get_bool();
+
+ else if ( v.is("asn1") )
sc->asn1_mem = v.get_uint16();
else if ( v.is("global_default_rule_state") )
unsigned offload_limit = 99999; // disabled
unsigned offload_threads = 0; // disabled
-#ifdef HAVE_HYPERSCAN
bool hyperscan_literals = false;
bool pcre_to_regex = false;
-#endif
bool global_rule_state = false;
bool global_default_rule_state = true;
+ bool allow_missing_so_rules = false;
//------------------------------------------------------
// process stuff
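Review bot: Making `hyperscan_literals` and `pcre_to_regex` unconditional and adding `allow_missing_so_rules` changes the member layout of this installed struct, so a plugin built against the earlier header may read the members that follow at stale offsets. The hunk does not show a plugin API version bump; if the merge does not make one elsewhere, the version comparison done at plugin load cannot reject those stale binaries. A comment above the two hyperscan members would also record the constraint, e.g. `// always present: installed headers must not depend on config.h`. The struct definition starts and ends outside the hunk.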
if ( api->api_version != sym->version )
{
- ParseWarning(WARN_PLUGINS, "%s: version mismatch; expected %u, got %u",
- api->name, sym->version, api->version);
+ ParseWarning(WARN_PLUGINS, "%s: version mismatch; expected 0x%x, got 0x%x",
+ api->name, sym->version, api->api_version);
return false;
}
if ( !rule )
{
- ParseError("SO rule %s not loaded.", otn->soid);
+ if ( sc->allow_missing_so_rules )
+ ParseWarning(WARN_RULES, "SO rule %s not loaded.", otn->soid);
+ else
+ ParseError("SO rule %s not loaded.", otn->soid);
+
FreeRuleTreeNode(&rtn);
}
else
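Review bot: With `allow_missing_so_rules` set, the `if ( !rule )` branch still runs `FreeRuleTreeNode(&rtn)`, so the stub is discarded and that rule never fires; the only trace is `ParseWarning(WARN_RULES, ...)`, which as far as I recall is printed only when rule warnings are enabled at startup. An operator who turns the option on can therefore lose detection coverage without seeing any message. I would make the relaxed path visible regardless of warning settings, for example by counting the skipped stubs and reporting the total once after rule parsing, and add a comment in this branch such as `// stub is discarded: this rule will not fire until its SO rule is loaded`. The help string for the parameter in `detection_params` should also carry the commit message's caveat that the option is not meant for production. The enclosing function starts before this hunk and continues after it.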