From: Mike Stepanek (mstepane)
Date: Tue, 23 Oct 2018 20:16:36 +0000 (-0400)
Subject: Merge pull request #1382 in SNORT/snort3 from config_address_anomaly to master
X-Git-Tag: 3.0.0-249~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a9336707f0bb0ef22d352c5b64c3007d54ae107;p=thirdparty%2Fsnort3.git
Merge pull request #1382 in SNORT/snort3 from config_address_anomaly to master
Squashed commit of the following:
commit e3885a1d1e15a5b8d5749067f0f2201223c50ed1
Author: Pratik Shinde
Date: Fri Oct 5 15:44:51 2018 -0400
snort2lua: Enable address_anomaly_detection during snort2lua and fixed missing string sanity checks
---
diff --git a/tools/snort2lua/data/data_types/dt_var.cc b/tools/snort2lua/data/data_types/dt_var.cc
index a8ad7e45a..7e9ab839c 100644
--- a/tools/snort2lua/data/data_types/dt_var.cc
+++ b/tools/snort2lua/data/data_types/dt_var.cc
@@ -89,7 +89,7 @@ bool Variable::add_value(std::string elem)
 }
 }
- if (s.front() == '$')
+ if (!s.empty() and s.front() == '$')
 {
 // add a space between strings
 if (!vars.empty())
diff --git a/tools/snort2lua/data/dt_rule_api.cc b/tools/snort2lua/data/dt_rule_api.cc
index 67966f10e..8a06afba5 100644
--- a/tools/snort2lua/data/dt_rule_api.cc
+++ b/tools/snort2lua/data/dt_rule_api.cc
@@ -32,6 +32,14 @@ std::size_t RuleApi::error_count = 0;
 std::string RuleApi::remark;
+std::set RuleApi::address_anomaly_rules = {
+ {"116", "403"},
+ {"116", "411"},
+ {"116", "412"},
+ {"129", "9"},
+ {"129", "10"},
+ };
+
 RuleApi::RuleApi() :
 curr_rule(nullptr),
 curr_data_bad(false)
@@ -95,6 +103,15 @@ void RuleApi::make_rule_a_comment()
 curr_rule->make_comment();
 }
+bool RuleApi::enable_addr_anomaly_detection()
+{
+ if (curr_rule != nullptr)
+ return address_anomaly_rules.count({curr_rule->get_option("gid"),
+ curr_rule->get_option("sid")}) != 0;
+
+ return false;
+}
+
 void RuleApi::bad_rule(std::istringstream& stream, const std::string& bad_option)
 {
 if (!curr_rule)
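Review bot: The new `!s.empty()` guard stops the undefined `front()` call on an empty string, but an empty `s` now takes the else branch that follows the hunk instead of crashing, so that branch now also runs for empty input; if an empty element should be dropped rather than emitted, an explicit early exit for `s.empty()` ahead of this test would say so. Where `s` is built and what the else branch does are both outside the hunk, and `add_value`'s body begins before it. A short why-comment on the guard would help the next reader: `// s can be empty here; front() on an empty std::string is undefined`.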
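Review bot: The new `address_anomaly_rules` table has no comment saying what these five gid:sid pairs are or why converting one of them switches on a detection-wide option, so a maintainer cannot tell whether the list is complete or how to extend it. A header such as `// Snort 2 rules whose checks are implemented in Snort 3 by detection.enable_address_anomaly_checks; converting any of them turns that option on (see Converter::parse_file)` would carry that, with the wording confirmed against the Snort 3 documentation since the meaning of 116:403 and the others is not visible here. `std::set` also appears here without a template argument; presumably the page extraction dropped `<GidSid>` rather than the source.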
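Review bot: `enable_addr_anomaly_detection` matches whatever strings `get_option("gid")` and `get_option("sid")` return against the literals in the table, so if the rule parser leaves surrounding whitespace or other formatting in those values (not visible from here) a rule written as `sid: 403` would silently fail to match and the detection option would stay off; trimming both values, or parsing them as integers, before the `count()` call would make the lookup robust, unless `get_option` already normalises them. The function is also a pure predicate that enables nothing itself, so a name such as `is_addr_anomaly_rule()` and a `const` qualifier on the member (declared in the header hunk) would read more honestly than `enable_...`.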
diff --git a/tools/snort2lua/data/dt_rule_api.h b/tools/snort2lua/data/dt_rule_api.h
index 5206677cf..c69e7ebfe 100644
--- a/tools/snort2lua/data/dt_rule_api.h
+++ b/tools/snort2lua/data/dt_rule_api.h
@@ -20,16 +20,19 @@
 #ifndef DATA_DT_RULE_API_H
 #define DATA_DT_RULE_API_H
-#include
 #include
-#include
+#include
 #include
+#include
+#include
 class Rule;
 class RuleOption;
 class Comments;
 class RuleApi;
+using GidSid = std::pair;
+
 // FIXIT-L simplify this API. Several options functions are no longer necessary
 class RuleApi
@@ -74,6 +77,7 @@ public:
 void add_comment(const std::string& comment);
 void make_rule_a_comment();
+ bool enable_addr_anomaly_detection();
 void bad_rule(std::istringstream& stream, const std::string& bad_option);
 void old_http_rule();
 bool is_old_http_rule();
@@ -86,6 +90,7 @@ private:
 Comments* bad_rules;
 Rule* curr_rule;
 bool curr_data_bad;
+ static std::set address_anomaly_rules;
 // Create a new rule object.
 void begin_rule();
diff --git a/tools/snort2lua/helpers/converter.cc b/tools/snort2lua/helpers/converter.cc
index 98066667d..cc4c0eee1 100644
--- a/tools/snort2lua/helpers/converter.cc
+++ b/tools/snort2lua/helpers/converter.cc
@@ -42,9 +42,10 @@ TableDelegation table_delegation = {
 { "binder", true },
+ { "detection", true },
 { "ips", true },
 { "network", true },
- { "normalizer", true},
+ { "normalizer", true },
 { "stream_tcp", true},
 { "suppress", true},
 };
@@ -283,6 +284,13 @@ int Converter::parse_file(
 table_api.close_table();
 }
+ if (rule_api.enable_addr_anomaly_detection())
+ {
+ table_api.open_table("detection");
+ table_api.add_option("enable_address_anomaly_checks", true);
+ table_api.close_table();
+ }
+
 if (commented_rule)
 rule_api.make_rule_a_comment();
diff --git a/tools/snort2lua/helpers/s2l_util.cc b/tools/snort2lua/helpers/s2l_util.cc
index 590f0d251..4d7e20cbb 100644
--- a/tools/snort2lua/helpers/s2l_util.cc
+++ b/tools/snort2lua/helpers/s2l_util.cc
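Review bot: `static std::set address_anomaly_rules;` is a mutable static table of rule identifiers that the class only ever reads, so it should be `static const std::set<GidSid> address_anomaly_rules;` (with the matching `const` on the definition in dt_rule_api.cc) so that no member can modify it by accident and the compiler can place it in read-only storage; the template argument is missing on this page, presumably stripped by extraction. A one-line comment beside it would also help: `// (gid, sid) of the Snort 2 rules that map to detection.enable_address_anomaly_checks`. The rest of `class RuleApi` lies outside the hunk.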
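Review bot: The new block runs before `if (commented_rule) rule_api.make_rule_a_comment();`, so a rule that is about to be written out as a comment, and will therefore not be active in the converted configuration if that is what `commented_rule` means, still switches on `detection.enable_address_anomaly_checks` for the whole config. Guarding it with `if (!commented_rule && rule_api.enable_addr_anomaly_detection())`, or moving it below the comment handling, keeps a disabled rule from changing a global detection setting. The table is also reopened and the option re-added for every matching rule, which is fine if `add_option` is idempotent and otherwise warrants a one-shot flag. `Converter::parse_file` starts before and continues after the hunk.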
@@ -248,12 +248,18 @@ std::string get_rule_option_args(std::istringstream& stream)
 do {
 std::getline(stream, tmp, ';');
+
+ if (tmp.empty())
+ break;
+
 args += tmp + ";";
 } while (tmp.back() == '\\');
 // semicolon will be added when printing
- args.pop_back();
+ if (!args.empty())
+ args.pop_back();
+
 trim(args);
 return args;
 }
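Review bot: The `tmp.empty()` check does not cover the end-of-stream case this loop can still hit: `std::getline` only clears `tmp` when its sentry succeeds, so once `stream` has reached EOF or failed, `tmp` keeps its previous contents, and when that last segment ran to end of input without a `;` and ends in a backslash (a truncated option such as `content:"foo\`) the loop appends it again on every iteration without terminating, growing `args` until memory is exhausted. Testing the stream state as well fixes it: `if (!std::getline(stream, tmp, ';') || tmp.empty()) break;` in place of the separate `std::getline` call and empty test; the `tmp.empty()` part is still needed for an empty segment between two semicolons, where the delimiter is extracted and the stream stays good. A comment on that line should also say why the break exists, e.g. `// nothing left to join; back() below would be undefined on an empty string`. The declarations of `tmp` and `args` are above the hunk.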