From: Juliana Fajardini
Date: Wed, 19 Jan 2022 18:29:39 +0000 (+0000)
Subject: decode: make packet_alert_max configurable
X-Git-Tag: suricata-7.0.0-beta1~662
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ace577d5426e2e1afd1cdf0736151022771226c;p=thirdparty%2Fsuricata.git
decode: make packet_alert_max configurable
The maximum of possible alerts triggered by a unique packet was hardcoded to 15. With usage of 'noalert' rules, that limit could be reached somewhat easily. Make that configurable via suricata.yaml. Conf Bug#4941 Task #4207
---
diff --git a/src/decode.c b/src/decode.c
index 4c2a6fccd3..7fea156a10 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2019 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -74,6 +74,26 @@ extern bool stats_decoder_events;
 extern const char *stats_decoder_events_prefix;
 extern bool stats_stream_events;
 uint8_t decoder_max_layers = PKT_DEFAULT_MAX_DECODED_LAYERS;
+uint16_t packet_alert_max = PACKET_ALERT_MAX;
+
+/**
+ * \brief Initialize PacketAlerts with dynamic alerts array size
+ *
+ */
+PacketAlert *PacketAlertCreate(void)
+{
+ PacketAlert *pa_array = SCCalloc(packet_alert_max, sizeof(PacketAlert));
+ BUG_ON(pa_array == NULL);
+
+ return pa_array;
+}
+
+void PacketAlertFree(PacketAlert *pa)
+{
+ if (pa != NULL) {
+ SCFree(pa);
+ }
+}
 
 static int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t,
 enum DecodeTunnelProto) WARN_UNUSED;
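Review bot: `PacketAlertCreate` sizes the array from the global `packet_alert_max` at call time, so a Packet initialized before `PacketAlertGetMaxConfig()` has run gets an array of the default 15 entries while later consumers may assume the configured length; the doc comment should state that ordering requirement and the ownership contract, which it currently leaves as an empty `*` line. Suggested header: `\brief Allocate a zeroed array of packet_alert_max PacketAlert entries.` followed by `\return array owned by the caller; release with PacketAlertFree(). Reads packet_alert_max at call time, so configuration must be loaded first.` Whether an early allocation can actually occur depends on call order that is not shown in this diff. The `if (pa != NULL)` guard in `PacketAlertFree` is redundant if SCFree follows free() semantics, but harmless.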
@@ -781,6 +801,21 @@ void DecodeGlobalConfig(void)
 decoder_max_layers = value;
 }
 }
+ PacketAlertGetMaxConfig();
+}
+
+void PacketAlertGetMaxConfig(void)
+{
+ intmax_t max = 0;
+ if (ConfGetInt("packet-alert-max", &max) == 1) {
+ if (max <= 0 || max > UINT8_MAX) {
+ SCLogWarning(SC_ERR_INVALID_VALUE,
+ "Invalid value for packet-alert-max, default value set instead");
+ } else {
+ packet_alert_max = max;
+ }
+ }
+ SCLogDebug("detect->packet_alert_max set to %d", packet_alert_max);
 }
 
 /**
diff --git a/src/decode.h b/src/decode.h
index dc1a528b65..57cef10eae 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2020 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -299,16 +299,21 @@ typedef struct PacketAlert_ {
 /** alert is in a frame, frame_id set */
 #define PACKET_ALERT_FLAG_FRAME 0x20
 
+extern uint16_t packet_alert_max;
 #define PACKET_ALERT_MAX 15
 
 typedef struct PacketAlerts_ {
 uint16_t cnt;
- PacketAlert alerts[PACKET_ALERT_MAX];
+ PacketAlert *alerts;
 /* single pa used when we're dropping,
 * so we can log it out in the drop log. */
 PacketAlert drop;
 } PacketAlerts;
 
+PacketAlert *PacketAlertCreate(void);
+
+void PacketAlertFree(PacketAlert *pa);
+
 /** number of decoder events we support per packet. Power of 2 minus 1
 * for memory layout */
 #define PACKET_ENGINE_EVENT_MAX 15
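Review bot: The range check `max > UINT8_MAX` rejects anything above 255 while `packet_alert_max` is declared `uint16_t` and `PacketAlerts.cnt` is also 16-bit, so either the bound or the type is inconsistent; pick one and document it, e.g. `if (max <= 0 || max > UINT16_MAX) {` with a comment that every Packet in the pool carries `packet_alert_max * sizeof(PacketAlert)` bytes, which is why an upper bound matters at all. The warning should also echo the rejected value so an operator can tell a typo from a deliberate choice: `"Invalid value for packet-alert-max (%" PRIdMAX "), default %u set instead", max, packet_alert_max`. The debug line reports `detect->packet_alert_max`, but the key is read from the top level (`packet-alert-max`), not under `detect`, so that name is misleading. A one-line doc on `PacketAlertGetMaxConfig` stating the accepted range and the fallback to the default would complete it.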
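Review bot: `PACKET_ALERT_MAX` is kept right next to the new `extern uint16_t packet_alert_max`, but after this change only the runtime value reflects the real length of `alerts`; any bound check elsewhere that still compares `cnt` against `PACKET_ALERT_MAX` would write past a smaller configured array (the parser accepts values from 1 upward), and those call sites are not in this diff, so this is worth verifying before merge. A comment on the macro would make the new meaning explicit: `/* default for packet_alert_max only; the live length of PacketAlerts.alerts is packet_alert_max, never bound writes with this */`. The `alerts` field itself should say it is allocated in PACKET_INITIALIZE with packet_alert_max entries and released in PACKET_DESTROY.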
@@ -760,11 +765,13 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
 /**
 * \brief Initialize a packet structure for use.
 */
-#define PACKET_INITIALIZE(p) { \
- SCMutexInit(&(p)->tunnel_mutex, NULL); \
- PACKET_RESET_CHECKSUMS((p)); \
- (p)->livedev = NULL; \
-}
+#define PACKET_INITIALIZE(p) \
+ { \
+ SCMutexInit(&(p)->tunnel_mutex, NULL); \
+ (p)->alerts.alerts = PacketAlertCreate(); \
+ PACKET_RESET_CHECKSUMS((p)); \
+ (p)->livedev = NULL; \
+ }
 
 #define PACKET_RELEASE_REFS(p) do { \
 FlowDeReference(&((p)->flow)); \
@@ -862,6 +869,7 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
 if ((p)->pktvar != NULL) { \
 PktVarFree((p)->pktvar); \
 } \
+ PacketAlertFree((p)->alerts.alerts); \
 PACKET_FREE_EXTDATA((p)); \
 SCMutexDestroy(&(p)->tunnel_mutex); \
 AppLayerDecoderEventsFreeEvents(&(p)->app_layer_events); \
@@ -1017,6 +1025,7 @@ void AddressDebugPrint(Address *);
 typedef int (*DecoderFunc)(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
 const uint8_t *pkt, uint32_t len);
 void DecodeGlobalConfig(void);
+void PacketAlertGetMaxConfig(void);
 void DecodeUnregisterCounters(void);
 
 /** \brief Set the No payload inspection Flag for the packet.
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index ff72724fca..6c2acf5e4b 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2021 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
diff --git a/suricata.yaml.in b/suricata.yaml.in
index d50e5555c4..eb17f25524 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
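Review bot: `PACKET_INITIALIZE` now performs a heap allocation and, through the `BUG_ON` inside `PacketAlertCreate`, aborts the process if it fails, which changes the macro's failure behaviour without its one-line `\brief` saying so; in addition, any Packet set up without this macro now carries `alerts.alerts == NULL`, so the doc should state that the array is mandatory. Suggested addition to the comment block: `* Allocates (p)->alerts.alerts with packet_alert_max entries and aborts on allocation failure; pair with PACKET_DESTROY.` Whether Packets are constructed elsewhere without going through this macro is not visible in this diff.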
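Review bot: `PACKET_DESTROY` frees `(p)->alerts.alerts` but leaves the pointer in the struct, so a destroyed Packet that is inspected or re-initialized afterwards would hit freed memory; clearing it is cheap insurance, `PacketAlertFree((p)->alerts.alerts); \` followed by `(p)->alerts.alerts = NULL; \`. The neighbouring pktvar cleanup follows the same no-clear pattern, so this may be a deliberate convention, and whether destroyed packets are ever touched again is not shown here. The enclosing macro starts and ends outside the hunk.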
@@ -1180,6 +1180,10 @@ legacy:
 # - reject
 # - alert
 
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+#packet-alert-max: 15
+
 # IP Reputation
 #reputation-categories-file: @e_sysconfdir@iprep/categories.txt
 #default-reputation-path: @e_sysconfdir@iprep
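Review bot: The comment documents the default but not the accepted range, which the parser in decode.c enforces as 1 to 255 (non-positive or larger values are rejected with a warning and the default kept), so an operator who sets a larger number silently runs with 15. Suggested wording: `# packet. Default is 15; accepted range is 1-255, out-of-range values fall back to the default.` It is also worth noting that every packet in the pool reserves this many alert slots, so raising it has a per-packet memory cost.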