From: Russ Combs (rucombs)
Date: Wed, 25 Aug 2021 23:17:02 +0000 (+0000)
Subject: Merge pull request #3021 in SNORT/snort3 from ~RUCOMBS/snort3:action_map to master
X-Git-Tag: 3.1.11.0~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3453f8a259dd3d9ada6bd7106970424eda30cc81;p=thirdparty%2Fsnort3.git

Merge pull request #3021 in SNORT/snort3 from ~RUCOMBS/snort3:action_map to master

Squashed commit of the following:

commit 98cbf75ac6c2c93835df7cee33a2914c4e88ee92
Author: russ
Date: Wed Aug 25 17:27:50 2021 -0400

framework: update base API version to 8

commit 63354f132bde27324718640042aed840650db512
Author: russ
Date: Thu Aug 5 10:55:20 2021 -0400

ips: add action_override which applies to all rules

commit 16f24b55aefc2fb995a2f0dd3e842f6645d14b48
Author: russ
Date: Wed Aug 4 15:23:18 2021 -0400

ips: add action_map table to map rule types, eg block -> alert
---
diff --git a/src/framework/base_api.h b/src/framework/base_api.h
index 6de163f5c..42c3ebdc8 100644
--- a/src/framework/base_api.h
+++ b/src/framework/base_api.h
@@ -29,7 +29,7 @@
 
 // this is the current version of the base api
 // must be prefixed to subtype version
-#define BASE_API_VERSION 7
+#define BASE_API_VERSION 8
 
 // set options to API_OPTIONS to ensure compatibility
 #ifndef API_OPTIONS
diff --git a/src/main/modules.cc b/src/main/modules.cc
index db8b8fe4e..d3d8abb82 100644
--- a/src/main/modules.cc
+++ b/src/main/modules.cc
@@ -1207,8 +1207,25 @@ static const Parameter variable_params[] =
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
 
+static const Parameter action_map_params[] =
+{
+ { "replace" , Parameter::PT_STRING, nullptr, nullptr,
+ "action you want to change" },
+
+ { "with" , Parameter::PT_STRING, nullptr, nullptr,
+ "action you want to use instead" },
+
+ { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
 static const Parameter ips_params[] =
 {
+ { "action_map", Parameter::PT_LIST, action_map_params, nullptr,
+ "change actions like block to alert (applied after action_override)" },
+
+ { "action_override", Parameter::PT_STRING, nullptr, nullptr,
+ "use this action for all rules (applied before action_map)" },
+
 { "default_rule_state", Parameter::PT_ENUM, "no | yes | inherit", "inherit",
 "enable or disable ips rules" },
 
@@ -1256,10 +1273,15 @@ class IpsModule : public Module
 public:
 IpsModule() : Module("ips", ips_help, ips_params) { }
 bool set(const char*, Value&, SnortConfig*) override;
+ bool end(const char*, int, SnortConfig*) override;
 bool matches(const char*, std::string&) override;
 
 Usage get_usage() const override { return DETECT; }
+
+private:
+ std::string replace;
+ std::string with;
 };
 
 bool IpsModule::matches(const char*, std::string&)
@@ -1269,7 +1291,10 @@ bool IpsModule::set(const char* fqn, Value& v, SnortConfig* sc)
 {
 IpsPolicy* p = get_ips_policy();
 
- if ( v.is("default_rule_state") )
+ if ( v.is("action_override") )
+ p->action_override = v.get_string();
+
+ else if ( v.is("default_rule_state") )
 p->default_rule_state = (IpsPolicy::Enable)v.get_uint8();
 
 else if ( v.is("enable_builtin_rules") )
@@ -1293,6 +1318,9 @@ bool IpsModule::set(const char* fqn, Value& v, SnortConfig* sc)
 else if ( v.is("obfuscate_pii") )
 p->obfuscate_pii = v.get_bool();
 
+ else if ( v.is("replace") )
+ replace = v.get_string();
+
 else if ( v.is("rules") )
 p->rules += v.get_string();
 
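Review bot: In IpsModule::set, `action_override` is accepted as a free-form PT_STRING and copied into the policy without any check that it names an existing rule action, so a typo here silently rewrites the type of every rule in the policy; parse_rule_type (in the parse_rule.cc hunk) substitutes the value as-is, and whether an unknown name is rejected later is not visible in this diff. Validating the name when it is set, or at least stating the requirement in the parameter help in the first hunk, e.g. `"use this action for all rules (applied before action_map); must name an existing rule action"`, would surface the mistake at configuration time rather than when rules are parsed. The same consideration applies to the `with` value collected for action_map entries. IpsModule::set continues outside this hunk.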
@@ -1320,12 +1348,34 @@ bool IpsModule::set(const char* fqn, Value& v, SnortConfig* sc)
 else if ( strstr(fqn, "variables.ports.") )
 ParsePortVar(get_var_name(fqn), v.get_string());
 
+ else if ( v.is("with") )
+ with = v.get_string();
+
 else
 return false;
 
 return true;
 }
 
+bool IpsModule::end(const char* fqn, int idx, SnortConfig*)
+{
+ if ( idx and !strcmp(fqn, "ips.action_map") )
+ {
+ if ( replace.empty() or with.empty() )
+ {
+ ParseError("%s - must set both replace and with", fqn);
+ return false;
+ }
+
+ IpsPolicy* p = get_ips_policy();
+ p->action_map[replace] = with;
+
+ replace.clear();
+ with.clear();
+ }
+ return true;
+}
+
 //-------------------------------------------------------------------------
 // process module
 //-------------------------------------------------------------------------
diff --git a/src/main/policy.h b/src/main/policy.h
index bb32a0614..38d57b16a 100644
--- a/src/main/policy.h
+++ b/src/main/policy.h
@@ -33,6 +33,7 @@ typedef unsigned char uuid_t[16];
 #endif
 
 #include
+#include
 #include
 #include
 #include
@@ -184,6 +185,9 @@ public:
 
 bool obfuscate_pii;
 
+ std::string action_override;
+ std::map action_map;
+
 // Holds all plugin actions associated with this policy
 std::vector action;
 };
diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc
index eeae9715d..d45b6d825 100644
--- a/src/parser/parse_rule.cc
+++ b/src/parser/parse_rule.cc
@@ -746,6 +746,16 @@ void parse_rule_print()
 void parse_rule_type(SnortConfig* sc, const char* s, RuleTreeNode& rtn)
 {
+ IpsPolicy* p = get_ips_policy();
+
+ if ( !p->action_override.empty() )
+ s = p->action_override.c_str();
+
+ auto it = p->action_map.find(s);
+
+ if ( it != p->action_map.end() )
+ s = it->second.c_str();
+
 s_type = s;
 rtn = RuleTreeNode();
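Review bot: In IpsModule::end, the early `return false` on a half-specified action_map entry leaves `replace` and `with` holding the partial value, so if parsing continues past the ParseError, an entry that gives only `replace` followed by one that gives only `with` is merged and installed as a mapping even though an error was already reported. Clearing both members on every exit keeps each list item self-contained: `ParseError("%s - must set both replace and with", fqn); replace.clear(); with.clear(); return false;`. Separately, `p->action_map[replace] = with;` lets a later duplicate `replace` key silently overwrite an earlier mapping; inserting with `emplace` and reporting when it returns false would make the conflict visible to the operator instead of letting the last entry win.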