From: Garima Sambyal (gsambyal) Date: Thu, 16 Nov 2023 05:56:32 +0000 (+0000) Subject: Pull request #4042: Suppression and Threshold on ips rule is impacting connection... X-Git-Tag: 3.1.75.0~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2cec0d8e91dc324890cbe6a7d0b8800e65468d36;p=thirdparty%2Fsnort3.git Pull request #4042: Suppression and Threshold on ips rule is impacting connection events Merge in SNORT/snort3 from ~GSAMBYAL/snort3:CSCwc93243 to master Squashed commit of the following: commit 223175e54504057891c46a051a4d79c8ae518c2f Author: Garima Sambyal Date: Mon Oct 9 05:20:43 2023 +0000 detection: setting flag for flows with affected logging due to event filter
---
diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index d0c0df7ee..b0d887b83 100644
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -224,6 +224,11 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p)
 */
 IpsAction * act = get_ips_policy()->action[action];
 act->exec(p);
+ if ( p->active && p->flow &&
+ (p->active->get_action() >= Active::ACT_DROP) )
+ {
+ p->flow->flags.ips_event_suppressed = true;
+ }
 fpLogOther(p, rtn, otn, action);
 pc.event_limit++;
 return 1;
diff --git a/src/flow/flow.h b/src/flow/flow.h
index 7c9c5f480..af03cb337 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -500,6 +500,7 @@ public: // FIXIT-M privatize if possible
 bool svc_event_generated : 1; // Set if FLOW_NO_SERVICE_EVENT was generated for this flow
 bool retry_queued : 1; // Set if a packet was queued for retry for this flow
 bool ha_flow : 1; // Set if this flow was created by an HA message
+ bool ips_event_suppressed : 1; // Set if event filters have suppressed ips event
 } flags = {};
 FlowState flow_state = FlowState::SETUP;
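Review bot: The added check in fpLogEvent reads `p->active->get_action()`, which looks like the packet's accumulated verdict rather than the verdict of the rule whose event was just filtered, so `ips_event_suppressed` can end up set on a flow where the drop came from earlier processing and this rule only alerted. If the flag is meant to explain a blocked connection that carries no intrusion event, it would be more precise to key it on the filtered rule's own action, or to compare the verdict before and after `act->exec(p)`. The ordered comparison `>= Active::ACT_DROP` also depends on every enumerator ordered at or after ACT_DROP being a blocking verdict; a comment such as `// relies on Active action ordering: ACT_DROP and everything after it blocks traffic` would pin that assumption for whoever next edits the enum. The body of fpLogEvent starts and ends outside the hunk, so the enclosing filter condition is not visible here.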
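Review bot: The comment on `ips_event_suppressed` in flow.h says more than the setter does: in fp_detect.cc the bit is set only when the packet verdict is `Active::ACT_DROP` or higher, so a filtered alert-only event leaves it clear. I would word it as `// Set if an event filter hid the ips event for a packet with a drop-or-stronger verdict`. Nothing in this commit clears the bit, so the same comment should say whether it is sticky for the life of the flow, since connection logging presumably reads it when the flow ends. The enclosing struct begins outside the hunk.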