From: Davis McPherson (davmcphe) <davmcphe@cisco.com>
Date: Thu, 15 Oct 2020 20:15:22 +0000 (+0000)
Subject: Merge pull request #2538 in SNORT/snort3 from ~DAVMCPHE/snort3:meta_morph to master
X-Git-Tag: 3.0.3-3~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ceff0123e4f2b4864444003254784c0c5714969;p=thirdparty%2Fsnort3.git

Merge pull request #2538 in SNORT/snort3 from ~DAVMCPHE/snort3:meta_morph to master

Squashed commit of the following:

commit 8e6a6017236ac10f430ff63943a55c49d0b03c9c
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Sep 22 19:38:00 2020 -0400

    meta: dump full rule field

commit f5b89821cac206abb95feea466be8fb39b5983a3
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Sep 22 17:43:44 2020 -0400

    meta: do not dump elided header fields or default message

commit 82e448aa2afe8dfe39acdc7177421b92c14a8066
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Sep 22 17:42:59 2020 -0400

    meta: dump missing port field
---

diff --git a/src/detection/signature.cc b/src/detection/signature.cc
index 5f8457785..eb4086177 100644
--- a/src/detection/signature.cc
+++ b/src/detection/signature.cc
@@ -295,12 +295,28 @@ static void dump_sid(JsonStream& j, const SigInfo& si)
 static void dump_header(JsonStream& j, const RuleHeader* h)
 {
     assert(h);
+
+    // all rules have actions
     j.put("action", h->action);
-    j.put("src_nets", h->src_nets);
-    j.put("src_ports", h->src_ports);
-    j.put("direction", h->dir);
-    j.put("dst_nets", h->dst_nets);
-    j.put("dst_ports", h->dst_ports);
+
+    // builtin stubs only have actions
+    if ( !h->proto.empty() )
+        j.put("proto", h->proto);
+
+    if ( !h->src_nets.empty() )
+        j.put("src_nets", h->src_nets);
+
+    if ( !h->src_ports.empty() )
+        j.put("src_ports", h->src_ports);
+
+    if ( !h->dir.empty() )
+        j.put("direction", h->dir);
+
+    if ( !h->dst_nets.empty() )
+        j.put("dst_nets", h->dst_nets);
+
+    if ( !h->dst_ports.empty() )
+        j.put("dst_ports", h->dst_ports);
 }
 
 static void dump_info(JsonStream& j, const SigInfo& si)
@@ -313,7 +329,9 @@ static void dump_info(JsonStream& j, const SigInfo& si)
     size_t n = si.message.length();
     assert(n > 2 and si.message[0] == '"' and si.message[n-1] == '"');
     std::string msg = si.message.substr(1, n-2);
-    j.put("msg", msg);
+
+    if ( msg != "no msg in rule" )
+        j.put("msg", msg);
 }
 
 static void dump_services(JsonStream& json, const SigInfo& si)
@@ -360,6 +378,34 @@ static void dump_refs(JsonStream& json, const SigInfo& si)
     json.close_array();
 }
 
+static void dump_rule(JsonStream& json, const RuleHeader* h, const SigInfo& si)
+{
+    json.put("body", *si.body);
+
+    std::string s = h->action;
+
+    if ( !h->proto.empty() )
+        s += " " + h->proto;
+
+    if ( !h->src_nets.empty() )
+        s += " " + h->src_nets;
+
+    if ( !h->src_ports.empty() )
+        s += " " + h->src_ports;
+
+    if ( !h->dir.empty() )
+        s += " " + h->dir;
+
+    if ( !h->dst_nets.empty() )
+        s += " " + h->dst_nets;
+
+    if ( !h->dst_ports.empty() )
+        s += " " + h->dst_ports;
+
+    s += " " + *si.body;
+    json.put("rule", s);
+}
+
 void dump_rule_meta(const SnortConfig* sc)
 {
     GHashNode* ghn = sc->otn_map->find_first();
@@ -384,11 +430,11 @@ void dump_rule_meta(const SnortConfig* sc)
 
         dump_bits(json, "sets", setters);
         dump_bits(json, "checks", checkers);
+
         dump_refs(json, si);
+        dump_rule(json, rtn->header, si);
 
-        json.put("body", *si.body);
         json.close();
-
         ghn = sc->otn_map->find_next();
     }
 }
diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc
index d87acbdfb..ef94c65c3 100644
--- a/src/parser/parse_rule.cc
+++ b/src/parser/parse_rule.cc
@@ -979,12 +979,12 @@ void parse_rule_type(SnortConfig* sc, const char* s, RuleTreeNode& rtn)
         ParseError("unconfigured rule action '%s'", s);
 }
 
-void parse_rule_proto(SnortConfig* sc, const char* s, RuleTreeNode& rtn)
+void parse_rule_proto(SnortConfig* sc, const char* s, RuleTreeNode& rtn, bool elided)
 {
     if ( s_ignore )
         return;
 
-    if ( !s_so_rule and rtn.header )
+    if ( !s_so_rule and !elided and rtn.header )
         rtn.header->proto = s;
 
     if ( !strcmp(s, "tcp") )
@@ -1015,7 +1015,7 @@ void parse_rule_proto(SnortConfig* sc, const char* s, RuleTreeNode& rtn)
 }
 
 void parse_rule_nets(
-    SnortConfig* sc, const char* s, bool src, RuleTreeNode& rtn)
+    SnortConfig* sc, const char* s, bool src, RuleTreeNode& rtn, bool elided)
 {
     if ( s_so_rule )
         return;
@@ -1023,7 +1023,7 @@ void parse_rule_nets(
     if ( s_ignore )
         return;
 
-    if ( rtn.header )
+    if ( !elided and rtn.header )
     {
         if ( src )
             rtn.header->src_nets = s;
@@ -1034,7 +1034,7 @@ void parse_rule_nets(
 }
 
 void parse_rule_ports(
-    SnortConfig*, const char* s, bool src, RuleTreeNode& rtn)
+    SnortConfig*, const char* s, bool src, RuleTreeNode& rtn, bool elided)
 {
     if ( s_so_rule )
         return;
@@ -1042,7 +1042,7 @@ void parse_rule_ports(
     if ( s_ignore )
         return;
 
-    if ( rtn.header )
+    if ( !elided and rtn.header )
     {
         if ( src )
             rtn.header->src_ports = s;
@@ -1056,7 +1056,7 @@ void parse_rule_ports(
         ParseError("bad ports: '%s'", s);
 }
 
-void parse_rule_dir(SnortConfig*, const char* s, RuleTreeNode& rtn)
+void parse_rule_dir(SnortConfig*, const char* s, RuleTreeNode& rtn, bool elided)
 {
     if ( s_so_rule )
         return;
@@ -1064,7 +1064,7 @@ void parse_rule_dir(SnortConfig*, const char* s, RuleTreeNode& rtn)
     if ( s_ignore )
         return;
 
-    if ( rtn.header )
+    if ( !elided and rtn.header )
         rtn.header->dir = s;
 
     if (strcmp(s, "<>") == 0)
@@ -1136,12 +1136,12 @@ OptTreeNode* parse_rule_open(SnortConfig* sc, RuleTreeNode& rtn, bool stub)
 
     if ( stub )
     {
-        parse_rule_proto(sc, "tcp", rtn);
-        parse_rule_nets(sc, "any", true, rtn);
-        parse_rule_ports(sc, "any", true, rtn);
-        parse_rule_dir(sc, "->", rtn);
-        parse_rule_nets(sc, "any", false, rtn);
-        parse_rule_ports(sc, "any", false, rtn);
+        parse_rule_proto(sc, "tcp", rtn, true);
+        parse_rule_nets(sc, "any", true, rtn, true);
+        parse_rule_ports(sc, "any", true, rtn, true);
+        parse_rule_dir(sc, "->", rtn, true);
+        parse_rule_nets(sc, "any", false, rtn, true);
+        parse_rule_ports(sc, "any", false, rtn, true);
     }
     OptTreeNode* otn = new OptTreeNode;
     otn->state = new OtnState[ThreadConfig::get_instance_max()];
diff --git a/src/parser/parse_rule.h b/src/parser/parse_rule.h
index e9e1b81bd..917845b3e 100644
--- a/src/parser/parse_rule.h
+++ b/src/parser/parse_rule.h
@@ -39,10 +39,10 @@ int get_policy_loaded_rule_count();
 int get_policy_shared_rule_count();
 
 void parse_rule_type(snort::SnortConfig*, const char*, RuleTreeNode&);
-void parse_rule_proto(snort::SnortConfig*, const char*, RuleTreeNode&);
-void parse_rule_nets(snort::SnortConfig*, const char*, bool src, RuleTreeNode&);
-void parse_rule_ports(snort::SnortConfig*, const char*, bool src, RuleTreeNode&);
-void parse_rule_dir(snort::SnortConfig*, const char*, RuleTreeNode&);
+void parse_rule_proto(snort::SnortConfig*, const char*, RuleTreeNode&, bool elided = false);
+void parse_rule_nets(snort::SnortConfig*, const char*, bool src, RuleTreeNode&, bool elided = false);
+void parse_rule_ports(snort::SnortConfig*, const char*, bool src, RuleTreeNode&, bool elided = false);
+void parse_rule_dir(snort::SnortConfig*, const char*, RuleTreeNode&, bool elided = false);
 void parse_rule_opt_begin(snort::SnortConfig*, const char* key);
 void parse_rule_opt_set(snort::SnortConfig*, const char* key, const char* opt, const char* val);
 void parse_rule_opt_end(snort::SnortConfig*, const char* key, OptTreeNode*);
diff --git a/src/parser/parse_stream.cc b/src/parser/parse_stream.cc
index 7328e3e43..e84a50e82 100644
--- a/src/parser/parse_stream.cc
+++ b/src/parser/parse_stream.cc
@@ -499,11 +499,11 @@ static bool exec(
         parse_rule_proto(sc, tok.c_str(), rps.rtn);
         break;
     case FSM_HDR:
-        parse_rule_nets(sc, "any", true, rps.rtn);
-        parse_rule_ports(sc, "any", true, rps.rtn);
-        parse_rule_dir(sc, "->", rps.rtn);
-        parse_rule_nets(sc, "any", false, rps.rtn);
-        parse_rule_ports(sc, "any", false, rps.rtn);
+        parse_rule_nets(sc, "any", true, rps.rtn, true);
+        parse_rule_ports(sc, "any", true, rps.rtn, true);
+        parse_rule_dir(sc, "->", rps.rtn, true);
+        parse_rule_nets(sc, "any", false, rps.rtn, true);
+        parse_rule_ports(sc, "any", false, rps.rtn, true);
         rps.otn = parse_rule_open(sc, rps.rtn);
         break;
     case FSM_SIP:
@@ -513,7 +513,7 @@ static bool exec(
         parse_rule_ports(sc, tok.c_str(), true, rps.rtn);
         break;
     case FSM_SPX:
-        parse_rule_ports(sc, "any", true, rps.rtn);
+        parse_rule_ports(sc, "any", true, rps.rtn, true);
         // fall thru ...
     case FSM_DIR:
         parse_rule_dir(sc, tok.c_str(), rps.rtn);
@@ -525,7 +525,7 @@ static bool exec(
         parse_rule_ports(sc, tok.c_str(), false, rps.rtn);
         break;
     case FSM_DPX:
-        parse_rule_ports(sc, "any", false, rps.rtn);
+        parse_rule_ports(sc, "any", false, rps.rtn, true);
         // fall thru ...
     case FSM_SOB:
         rps.otn = parse_rule_open(sc, rps.rtn);