From: Victor Julien
Date: Wed, 30 Sep 2015 16:26:00 +0000 (+0200)
Subject: detect grouping: port based group whitelisting
X-Git-Tag: suricata-3.1RC1~357
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c184c19cd56be39974463b3d4f2e43ceee9a837;p=thirdparty%2Fsuricata.git

detect grouping: port based group whitelisting

Whitelist some ports in grouping to make sure they get their own group.
---

diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c
index 87cfe4b1b0..86afa4e796 100644
--- a/src/detect-engine-siggroup.c
+++ b/src/detect-engine-siggroup.c
@@ -629,6 +629,9 @@ int SigGroupHeadCopySigs(DetectEngineCtx *de_ctx, SigGroupHead *src, SigGroupHea
 for (idx = 0; idx < src->init->sig_size; idx++)
 (*dst)->init->sig_array[idx] = (*dst)->init->sig_array[idx] | src->init->sig_array[idx];
 
+ if (src->init->whitelist)
+ (*dst)->init->whitelist = 1;
+
 if (src->mpm_content_minlen != 0) {
 if ((*dst)->mpm_content_minlen == 0)
 (*dst)->mpm_content_minlen = src->mpm_content_minlen;
diff --git a/src/detect.c b/src/detect.c
index f50dd4855f..681fc08216 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -2980,6 +2980,24 @@ int RulesGroupByProto(DetectEngineCtx *de_ctx)
 return 0;
 }
 
+int tcp_whitelisted[] = { 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080, -1 };
+int udp_whitelisted[] = { 53, 135, 5060, -1 };
+
+static int PortIsWhitelisted(const DetectPort *a, int ipproto)
+{
+ int *w = tcp_whitelisted;
+ if (ipproto == IPPROTO_UDP)
+ w = udp_whitelisted;
+ while (*w++ != -1) {
+ if (a->port >= *w && a->port2 <= *w) {
+ SCLogDebug("port group %u:%u whitelisted -> %d", a->port, a->port2, *w);
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
 int CreateGroupedPortList(DetectEngineCtx *de_ctx, DetectPort *port_list, DetectPort **newhead, uint32_t unique_groups, int (*CompareFunc)(DetectPort *, DetectPort *), uint32_t max_idx);
 int CreateGroupedPortListCmpCnt(DetectPort *a, DetectPort *b);
 
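Review bot: The merge rule added to SigGroupHeadCopySigs — the destination becomes whitelisted as soon as any source group is — is not explained at the assignment, and a reader may wonder whether the intent was "all sources whitelisted" instead. A one-line comment on the new `if` would settle it: `/* whitelist is sticky: merging in a whitelisted group keeps the result whitelisted */`. Writing the literal `1` rather than copying `src->init->whitelist` is fine only while every writer keeps the flag to 0/1, which is worth stating there too. SigGroupHeadCopySigs starts and ends outside this hunk.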
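Review bot: The loop in PortIsWhitelisted advances `w` in its condition (`*w++ != -1`) before the body reads `*w`, so each pass tests the entry after the one the condition just admitted: the first port of either table (53) can never match, and on the final pass the body compares the group against the `-1` sentinel. Change the loop to `while (*w != -1) {` and add `w++;` as the last statement of the body so the entry tested is the one the condition checked. Separately, `a->port >= *w && a->port2 <= *w` only holds when `a->port == a->port2 == *w`, i.e. a group that is exactly the single port; if that is intended a comment saying so would help, since the reversed `>=`/`<=` read like an inverted range-contains test. The tables are also mutable, externally visible globals; `static const int tcp_whitelisted[]` (and `const int *w`) keeps them out of the global namespace and out of reach of accidental writes.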
@@ -3026,6 +3044,13 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint3
 DetectPort *tmp = DetectPortCopySingle(de_ctx, p);
 BUG_ON(tmp == NULL);
 SigGroupHeadAppendSig(de_ctx, &tmp->sh, s);
+ tmp->sh->init->whitelist = PortIsWhitelisted(tmp, ipproto);
+ if (tmp->sh->init->whitelist) {
+ SCLogDebug("%s/%s Rule %u whitelisted port group %u:%u",
+ direction == SIG_FLAG_TOSERVER ? "toserver" : "toclient",
+ ipproto == 6 ? "TCP" : "UDP",
+ s->id, p->port, p->port2);
+ }
 
 int r = DetectPortInsert(de_ctx, &list , tmp);
 BUG_ON(r == -1);
@@ -3082,7 +3107,10 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint3
 }
 #if 0
 for (iter = list ; iter != NULL; iter = iter->next) {
- SCLogInfo("PORT %u-%u %p (sgh=%s)", iter->port, iter->port2, iter->sh, iter->flags & PORT_SIGGROUPHEAD_COPY ? "ref" : "own");
+ SCLogInfo("PORT %u-%u %p (sgh=%s, whitelisted=%s)",
+ iter->port, iter->port2, iter->sh,
+ iter->flags & PORT_SIGGROUPHEAD_COPY ? "ref" : "own",
+ iter->sh->init->whitelist ? "true" : "false");
 }
 #endif
 SCLogInfo("%s %s: %u port groups, %u unique SGH's, %u copies",
@@ -3218,8 +3246,17 @@ error:
 return -1;
 }
 
+static int PortGroupIsWhitelisted(const DetectPort *a)
+{
+ return a->sh->init->whitelist;
+}
+
 int CreateGroupedPortListCmpCnt(DetectPort *a, DetectPort *b)
 {
+ if (PortGroupIsWhitelisted(a) && !PortGroupIsWhitelisted(b))
+ return 1;
+ if (!PortGroupIsWhitelisted(a) && PortGroupIsWhitelisted(b))
+ return 0;
 if (a->sh->sig_cnt > b->sh->sig_cnt) {
 SCLogDebug("pg %u:%u %u > %u:%u %u",
 a->port, a->port2, a->sh->sig_cnt,
diff --git a/src/detect.h b/src/detect.h
index 9d83a793a6..11c2c19339 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -987,6 +987,7 @@ typedef struct SigGroupHeadInitData_ {
 
 uint8_t protos[256]; /**< proto(s) this sgh is for */
 uint32_t direction; /**< set to SIG_FLAG_TOSERVER, SIG_FLAG_TOCLIENT or both */
+ int whitelist; /**< try to make this group a unique one */
 
 /* port ptr */
 struct DetectPort_ *port;
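Review bot: The debug message labels the protocol with the bare literal `6`, while PortIsWhitelisted in the same file dispatches on `IPPROTO_UDP`; use the named constant for the same reason: `ipproto == IPPROTO_TCP ? "TCP" : "UDP"`. The new assignment also dereferences `tmp->sh->init` right after `SigGroupHeadAppendSig`, which presumably guarantees both are allocated — the hunk does not show that, so it is an assumption worth a short comment if AppendSig can fail silently. The enclosing RulesGroupByPorts starts and ends outside this hunk.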
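Review bot: CreateGroupedPortListCmpCnt calls PortGroupIsWhitelisted up to four times to decide one ordering; evaluating each side once makes the rule ("a whitelisted group ranks above a non-whitelisted one, otherwise fall through to the signature count") explicit and cheaper: `const int wa = PortGroupIsWhitelisted(a), wb = PortGroupIsWhitelisted(b);` followed by `if (wa != wb) return wa;`. PortGroupIsWhitelisted itself reads `a->sh->init` unconditionally, which is only safe while the comparator runs before the init data is released — the hunk does not show where that happens, so a one-line precondition comment on the helper would help the next reader. CreateGroupedPortListCmpCnt continues outside the hunk.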
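Review bot: The field comment `try to make this group a unique one` does not say what sets the flag or what it changes, so a reader of detect.h has to find the grouping code to understand it; something like `/**< set for a port group on a whitelisted port; ranked first when grouping so it keeps its own group */` ties it to the commit's intent. Since the flag only ever holds 0 or 1, an `int` is wider than needed, but that matches the surrounding struct's style.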