From: Victor Julien Date: Tue, 16 Apr 2024 16:55:32 +0000 (+0200) Subject: capture: block IDS + IPS combination X-Git-Tag: suricata-8.0.0-beta1~1452 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d625cd78e59976907981bb029bf63752acdf5d0;p=thirdparty%2Fsuricata.git capture: block IDS + IPS combination In general, improve IPS setup error checking. Ticket: #5588.
---
diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 742d96855b..2521327ddf 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2011-2020 Open Information Security Foundation
+/* Copyright (C) 2011-2024 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -88,14 +88,14 @@ static int AFPRunModeIsIPS(void)
 const char *live_dev = LiveGetDeviceName(ldev);
 if (live_dev == NULL) {
 SCLogError("Problem with config file");
- return 0;
+ return -1;
 }
 if_root = ConfFindDeviceConfig(af_packet_node, live_dev);
 if (if_root == NULL) {
 if (if_default == NULL) {
 SCLogError("Problem with config file");
- return 0;
+ return -1;
 }
 if_root = if_default;
 }
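Review bot: Both failure paths in this hunk now abort startup with the same text, `SCLogError("Problem with config file")`, so an operator cannot tell whether a live device had no name or whether the interface has neither its own af-packet entry nor a default. The commit turns these from a silent fall-back to IDS mode into a fatal error via the new `return -1`, so the second message should at least name the device, e.g. `SCLogError("no af-packet config for interface '%s' and no default", live_dev);`. The same applies to the Netmap hunk at @@ -79 in src/runmode-netmap.c. The loop in AFPRunModeIsIPS that contains these lines starts before and ends after this hunk.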
@@ -115,44 +115,22 @@ static int AFPRunModeIsIPS(void)
 }
 if (has_ids && has_ips) {
- SCLogWarning("AF_PACKET using both IPS and TAP/IDS mode, this will not "
- "be allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
- for (ldev = 0; ldev < nlive; ldev++) {
- const char *live_dev = LiveGetDeviceName(ldev);
- if (live_dev == NULL) {
- SCLogError("Problem with config file");
- return 0;
- }
- if_root = ConfNodeLookupKeyValue(af_packet_node, "interface", live_dev);
- const char *copymodestr = NULL;
-
- if (if_root == NULL) {
- if (if_default == NULL) {
- SCLogError("Problem with config file");
- return 0;
- }
- if_root = if_default;
- }
-
- if (!((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", ©modestr) ==
- 1) &&
- (strcmp(copymodestr, "ips") == 0))) {
- SCLogError("AF_PACKET IPS mode used and interface '%s' is in IDS or TAP mode. "
- "Sniffing '%s' but expect bad result as stream-inline is activated.",
- live_dev, live_dev);
- }
- }
+ SCLogError("using both IPS and TAP/IDS mode is not allowed due to undefined behavior. See "
+ "ticket #5588.");
+ return -1;
 }
 return has_ips;
 }
-static void AFPRunModeEnableIPS(void)
+static int AFPRunModeEnableIPS(void)
 {
- if (AFPRunModeIsIPS()) {
+ int r = AFPRunModeIsIPS();
+ if (r == 1) {
 SCLogInfo("Setting IPS mode");
 EngineModeSetIPS();
 }
+ return r;
 }
 void RunModeIdsAFPRegister(void)
diff --git a/src/runmode-dpdk.c b/src/runmode-dpdk.c
index d5f9536d25..0e814cbec9 100644
--- a/src/runmode-dpdk.c
+++ b/src/runmode-dpdk.c
@@ -1685,12 +1685,14 @@ static int DPDKRunModeIsIPS(void)
 return has_ips;
 }
-static void DPDKRunModeEnableIPS(void)
+static int DPDKRunModeEnableIPS(void)
 {
- if (DPDKRunModeIsIPS()) {
+ int r = DPDKRunModeIsIPS();
+ if (r == 1) {
 SCLogInfo("Setting IPS mode");
 EngineModeSetIPS();
 }
+ return r;
 }
 const char *RunModeDpdkGetDefaultMode(void)
diff --git a/src/runmode-netmap.c b/src/runmode-netmap.c
index 947b381229..bb91475d67 100644
--- a/src/runmode-netmap.c
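Review bot: The new `SCLogError("using both IPS and TAP/IDS mode is not allowed ...")` drops the capture-method prefix the replaced warning carried, and the identical text is added to src/runmode-netmap.c at @@ -106, so a configuration with several capture sections gives no hint which one was rejected; keep the prefix, `"AF_PACKET: using both IPS and TAP/IDS mode is not allowed ..."` here and `"Netmap: ..."` in the netmap copy. Separately, the new `if (r == 1)` in AFPRunModeEnableIPS pins the IPS result to exactly 1; the hunk does not show how has_ips is assigned, and if it is ever a per-interface count rather than a flag, `r > 0` would be the safer test. NetmapRunModeEnableIPS at @@ -106 has the same shape.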
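Review bot: `if (r == 1)` in DPDKRunModeEnableIPS only propagates a failure if DPDKRunModeIsIPS actually returns -1, and this hunk shows only its final `return has_ips;`, with the body above it outside the hunk. If its error paths still `return 0` the way the AF_PACKET and Netmap variants did before this commit, a broken DPDK interface configuration is now silently treated as IDS mode instead of failing startup, which is the opposite of what the commit intends. Worth confirming that DPDKRunModeIsIPS follows the same -1/0/1 contract and stating that contract in a comment above it, e.g. `/* returns 1 if any interface is in IPS mode, 0 if none, -1 on config error */`.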
+++ b/src/runmode-netmap.c
@@ -79,14 +79,14 @@ static int NetmapRunModeIsIPS(void)
 const char *live_dev = LiveGetDeviceName(ldev);
 if (live_dev == NULL) {
 SCLogError("Problem with config file");
- return 0;
+ return -1;
 }
 if_root = ConfNodeLookupKeyValue(netmap_node, "interface", live_dev);
 if (if_root == NULL) {
 if (if_default == NULL) {
 SCLogError("Problem with config file");
- return 0;
+ return -1;
 }
 if_root = if_default;
 }
@@ -106,44 +106,22 @@ static int NetmapRunModeIsIPS(void)
 }
 if (has_ids && has_ips) {
- SCLogWarning("Netmap using both IPS and TAP/IDS mode, this will not be "
- "allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
- for (ldev = 0; ldev < nlive; ldev++) {
- const char *live_dev = LiveGetDeviceName(ldev);
- if (live_dev == NULL) {
- SCLogError("Problem with config file");
- return 0;
- }
- if_root = ConfNodeLookupKeyValue(netmap_node, "interface", live_dev);
- const char *copymodestr = NULL;
-
- if (if_root == NULL) {
- if (if_default == NULL) {
- SCLogError("Problem with config file");
- return 0;
- }
- if_root = if_default;
- }
-
- if (!((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", ©modestr) ==
- 1) &&
- (strcmp(copymodestr, "ips") == 0))) {
- SCLogError("Netmap IPS mode used and interface '%s' is in IDS or TAP mode. "
- "Sniffing '%s' but expect bad result as stream-inline is activated.",
- live_dev, live_dev);
- }
- }
+ SCLogError("using both IPS and TAP/IDS mode is not allowed due to undefined behavior. See "
+ "ticket #5588.");
+ return -1;
 }
 return has_ips;
 }
-static void NetmapRunModeEnableIPS(void)
+static int NetmapRunModeEnableIPS(void)
 {
- if (NetmapRunModeIsIPS()) {
+ int r = NetmapRunModeIsIPS();
+ if (r == 1) {
 SCLogInfo("Netmap: Setting IPS mode");
 EngineModeSetIPS();
 }
+ return r;
 }
 void RunModeIdsNetmapRegister(void)
diff --git a/src/runmodes.c b/src/runmodes.c
index c6e5f77351..ee5d77957f 100644
--- a/src/runmodes.c
+++ b/src/runmodes.c
@@ -98,7 +98,7 @@ typedef struct RunMode_ {
 const char *description;
 /* runmode function */
 int (*RunModeFunc)(void);
- void (*RunModeIsIPSEnabled)(void);
+ int (*RunModeIsIPSEnabled)(void);
 } RunMode;
 typedef struct RunModes_ {
@@ -393,22 +393,23 @@ static const char *RunModeGetConfOrDefault(int capture_mode, const char *capture
 return custom_mode;
 }
-void RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
+int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
 {
 if (runmode == NULL) {
 runmode = RunModeGetConfOrDefault(capture_mode, capture_plugin_name);
 if (runmode == NULL) // non-standard runmode
- return;
+ return 0;
 }
 RunMode *mode = RunModeGetCustomMode(capture_mode, runmode);
 if (mode == NULL) {
- return;
+ return 0;
 }
 if (mode->RunModeIsIPSEnabled != NULL) {
- mode->RunModeIsIPSEnabled();
+ return mode->RunModeIsIPSEnabled();
 }
+ return 0;
 }
 /**
@@ -489,7 +490,7 @@ int RunModeNeedsBypassManager(void)
 * \param RunModeFunc The function to be run for this runmode.
 */
 void RunModeRegisterNewRunMode(enum RunModes runmode, const char *name, const char *description,
- int (*RunModeFunc)(void), void (*RunModeIsIPSEnabled)(void))
+ int (*RunModeFunc)(void), int (*RunModeIsIPSEnabled)(void))
 {
 if (RunModeGetCustomMode(runmode, name) != NULL) {
 FatalError("runmode '%s' has already "
diff --git a/src/runmodes.h b/src/runmodes.h
index ee156db0c6..7d486121e7 100644
--- a/src/runmodes.h
+++ b/src/runmodes.h
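Review bot: RunModeEngineIsIPS now returns a tri-state value, the callback's result or 0 when no runmode or no callback is found, but nothing in the hunk documents what callers may rely on, and the callback field changed at @@ -98 (`int (*RunModeIsIPSEnabled)(void);`) has no comment either. Suggest a doxygen block on the definition, mirrored on the prototype in src/runmodes.h, along the lines of `\retval 1 IPS mode was enabled`, `\retval 0 IDS mode, or no runmode/IPS callback found`, `\retval -1 capture configuration error, caller must abort`, plus a one-line comment on the struct field stating it returns that same value. Note that a custom runmode name that does not resolve (`mode == NULL`) also yields 0, which the caller cannot distinguish from a valid IDS setup; if that is intentional the comment should say so.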
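Review bot: The doxygen block directly above the changed signature of RunModeRegisterNewRunMode still documents only `\param RunModeFunc`, so the `RunModeIsIPSEnabled` callback whose type this hunk changes remains undocumented at its only registration point. Add `\param RunModeIsIPSEnabled Optional callback that enables IPS mode for this runmode; returns 1 when it did, 0 when not, -1 on a configuration error. May be NULL.` after the existing `\param RunModeFunc` line. The body of RunModeRegisterNewRunMode continues outside the hunk.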
@@ -80,11 +80,11 @@ char *RunmodeGetActive(void);
 const char *RunModeGetMainMode(void);
 void RunModeListRunmodes(void);
-void RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name);
+int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name);
 void RunModeDispatch(int, const char *, const char *capture_plugin_name, const char *capture_plugin_args);
 void RunModeRegisterRunModes(void);
 void RunModeRegisterNewRunMode(enum RunModes, const char *, const char *, int (*RunModeFunc)(void),
- void (*RunModeIsIPSEnabled)(void));
+ int (*RunModeIsIPSEnabled)(void));
 void RunModeInitializeThreadSettings(void);
 void RunModeInitializeOutputs(void);
 void RunModeShutDown(void);
diff --git a/src/suricata.c b/src/suricata.c
index 4ea325f7a8..b1af2a5d6b 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -2697,8 +2697,10 @@ int PostConfLoadedSetup(SCInstance *suri)
 LiveDeviceFinalize(); // must be after EBPF extension registration
- RunModeEngineIsIPS(
- suricata.run_mode, suricata.runmode_custom_mode, suricata.capture_plugin_name);
+ if (RunModeEngineIsIPS(suricata.run_mode, suricata.runmode_custom_mode,
+ suricata.capture_plugin_name) < 0) {
+ FatalError("IPS mode setup failed");
+ }
 if (EngineModeIsUnknown()) { // if still uninitialized, set the default
 SCLogInfo("Setting engine mode to IDS mode by default");
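Review bot: `FatalError("IPS mode setup failed")` is misleading for part of what the new `< 0` check covers: per the AF_PACKET and Netmap hunks, RunModeEngineIsIPS also returns -1 for a plain configuration problem (missing device name, no interface entry and no default) in a setup that never asked for IPS mode. A wording that matches all the failure paths, e.g. `FatalError("capture IPS/IDS mode validation failed, see errors above");`, points the operator at the SCLogError that carries the actual reason. PostConfLoadedSetup continues outside the hunk.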