From: Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) Date: Tue, 18 Jun 2024 06:55:08 +0000 (+0000) Subject: Pull request #4342: Sub-selected buffer and fast-pattern options X-Git-Tag: 3.3.0.0~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=020a547d7ace0ea5f5c4de7c2ee9666acc2e020a;p=thirdparty%2Fsnort3.git Pull request #4342: Sub-selected buffer and fast-pattern options Merge in SNORT/snort3 from ~OSHUMEIK/snort3:fp_sub_buffer to master Squashed commit of the following: commit 212506d4e8f65f62cf042585af0e89f8fcbdda4f Author: Oleksii Shumeiko Date: Tue Jun 4 22:05:51 2024 +0300 build: bump version to 3.2.0 IPS option API has changed. commit 0a1a7e16acc3117f46b3aba467fe552b4de9f256 Author: Oleksii Shumeiko Date: Tue Jun 4 17:38:49 2024 +0300 http_inspect: set CAT_SET_SUB_SECTION for buffer with a sub-selector configured commit a036904c1751e21dcd8c75553e4e5e9978b553c8 Author: Oleksii Shumeiko Date: Tue Jun 4 17:34:29 2024 +0300 framework: add new Cursor Action Type Buffer-setter IPS option can be of sub-section type, picking just a part of the targeted IPS buffer. Such buffer setter cannot make a fast-pattern-only option. --- diff --git a/CMakeLists.txt b/CMakeLists.txt index e28e79f76..810122098 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,8 +2,8 @@ cmake_minimum_required (VERSION 3.4.3) project (snort CXX C) set (VERSION_MAJOR 3) -set (VERSION_MINOR 2) -set (VERSION_PATCH 2) +set (VERSION_MINOR 3) +set (VERSION_PATCH 0) set (VERSION_SUBLEVEL 0) set (VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_SUBLEVEL}") diff --git a/src/detection/fp_utils.cc b/src/detection/fp_utils.cc index 4cfa1683f..37cabefa6 100644 --- a/src/detection/fp_utils.cc +++ b/src/detection/fp_utils.cc @@ -574,7 +574,7 @@ PatternMatchVector get_fp_content( if ( cat > CAT_ADJUST ) { - if ( cat == CAT_SET_FAST_PATTERN or cat == CAT_SET_RAW ) + if ( cat >= CAT_SET_RAW ) curr_opt = ofl->ips_opt; curr_cat = cat; 
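Review bot: The new test `if ( cat >= CAT_SET_RAW )` in get_fp_content makes the declaration order of CursorActionType load-bearing: every enumerator declared after CAT_SET_RAW, including any added later, now updates `curr_opt` as a buffer setter. The removed line named the accepted values explicitly, so a new enumerator could not change this branch by accident. Either keep the explicit form, `if ( cat == CAT_SET_RAW or cat == CAT_SET_FAST_PATTERN or cat == CAT_SET_SUB_SECTION )`, or document the dependency at the enum in src/framework/ips_option.h with a comment such as `// order matters: fp_utils.cc tests cat >= CAT_SET_RAW`. The body of get_fp_content starts and ends outside this hunk.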
@@ -586,6 +586,9 @@ PatternMatchVector get_fp_content( if ( !tmp ) continue; + if (curr_cat == CAT_SET_SUB_SECTION) + tmp->set_sub_section(); + content = true; FpSelector curr(curr_cat, ofl->ips_opt, tmp); @@ -621,14 +624,16 @@ bool make_fast_pattern_only(const OptFpList* ofp, const PatternMatchData* pmd) return false; // FIXIT-L no_case consideration is mpse specific, delegate - if ( !pmd->is_relative() and !pmd->is_negated() and - !pmd->offset and !pmd->depth and pmd->is_no_case() ) - { - ofp = ofp->next; - if ( !ofp || !ofp->ips_opt || !ofp->ips_opt->is_relative() ) - return true; - } - return false; + if ( pmd->is_relative() or pmd->is_negated() or pmd->offset or pmd->depth or !pmd->is_no_case() or + pmd->is_sub_section()) + return false; + + ofp = ofp->next; + + if ( ofp and ofp->ips_opt and ofp->ips_opt->is_relative() ) + return false; + + return true; } bool is_fast_pattern_only(const OptTreeNode* otn, const OptFpList* ofp, Mpse::MpseType mpse_type) diff --git a/src/detection/pattern_match_data.h b/src/detection/pattern_match_data.h index ed7240d6e..e676fad2d 100644 --- a/src/detection/pattern_match_data.h +++ b/src/detection/pattern_match_data.h @@ -67,6 +67,7 @@ struct PatternMatchData LITERAL = 0x08, FAST_PAT = 0x10, NO_FP = 0x20, + SUB_SECT = 0x40, }; uint16_t flags = 0; // from above enum @@ -93,6 +94,9 @@ struct PatternMatchData void set_literal() { flags |= LITERAL; } + void set_sub_section() + { flags |= SUB_SECT; } + bool is_fast_pattern() const { return (flags & FAST_PAT) != 0; } @@ -108,6 +112,9 @@ struct PatternMatchData bool is_literal() const { return (flags & LITERAL) != 0; } + bool is_sub_section() const + { return (flags & SUB_SECT) != 0; } + bool can_be_fp() const; bool has_alpha() const; diff --git a/src/framework/ips_option.h b/src/framework/ips_option.h index 1543f0ecf..a693a6352 100644 --- a/src/framework/ips_option.h +++ b/src/framework/ips_option.h 
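Review bot: In the hunk at -586, `tmp->set_sub_section()` writes SUB_SECT onto the pattern data as a side effect of get_fp_content, and nothing in this diff clears the flag or sets it anywhere else. The later `pmd->is_sub_section()` check in make_fast_pattern_only is therefore only correct if get_fp_content has already visited that pattern; the call order is not visible here and is worth confirming. A comment above the new lines would make the coupling explicit, for example `// content follows a sub-selected buffer; mark it so it is never made fast-pattern-only`. The new condition is also written `if (curr_cat == CAT_SET_SUB_SECTION)`, while the surrounding lines pad the parentheses (`if ( !tmp )`). The function body starts and ends outside this hunk.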
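Review bot: In the hunk at -621, make_fast_pattern_only now rejects `pmd->is_sub_section()`, but the reason appears only in the commit message, and the FIXIT comment above the condition still talks about no_case alone. The likely reason (inferred, not shown in the hunk) is that a fast-pattern-only content is not evaluated again against the rule's buffer, so a match elsewhere in the full buffer could fire a rule that names only a sub-selected part. That is a detection-accuracy property and deserves a line of its own, such as `// a sub-selected buffer must be re-checked at rule evaluation, so it can never be fast-pattern-only`. For readability, consider putting the sub-section test in its own `if` instead of wrapping it onto the continuation line of the six-term condition.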
@@ -53,7 +53,7 @@ struct SnortConfig; class Module; // this is the current version of the api -#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 1) +#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 2) enum CursorActionType { @@ -63,6 +63,7 @@ enum CursorActionType CAT_SET_OTHER, CAT_SET_RAW, CAT_SET_FAST_PATTERN, + CAT_SET_SUB_SECTION, }; enum RuleDirection diff --git a/src/service_inspectors/http_inspect/ips_http.h b/src/service_inspectors/http_inspect/ips_http.h index 25b56a435..dd16bb81a 100644 --- a/src/service_inspectors/http_inspect/ips_http.h +++ b/src/service_inspectors/http_inspect/ips_http.h @@ -71,7 +71,8 @@ public: HttpIpsOption(const HttpRuleOptModule* cm) : snort::IpsOption(cm->key), buffer_info(cm->rule_opt_index, cm->sub_id, cm->form), - cat(cm->cat), pdu_section(cm->pdu_section) {} + cat(cm->sub_id and cm->cat == snort::CAT_SET_FAST_PATTERN ? snort::CAT_SET_SUB_SECTION : cm->cat), + pdu_section(cm->pdu_section) {} snort::CursorActionType get_cursor_type() const override { return cat; } EvalStatus eval(Cursor&, snort::Packet*) override = 0; uint32_t hash() const override;
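Review bot: Remapping `cat` in the HttpIpsOption constructor means an http option with a sub-selector no longer reports CAT_SET_FAST_PATTERN, so any code that still compares `get_cursor_type()` to CAT_SET_FAST_PATTERN by equality will stop treating these buffers as fast-pattern capable. This diff updates the one comparison in get_fp_content; other call sites, and presumably out-of-tree IPS option plugins built against the bumped IPSAPI_VERSION, are outside the visible hunks and worth checking. The initializer also relies on `and` binding tighter than `?:` and on `sub_id` being zero when no sub-selector is configured. Parenthesising it would state that assumption, e.g. `cat((cm->sub_id != 0 and cm->cat == snort::CAT_SET_FAST_PATTERN) ? snort::CAT_SET_SUB_SECTION : cm->cat),`. The class body continues outside the hunk.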