From: Mike Stepanek (mstepane) Date: Mon, 23 Sep 2019 17:38:12 +0000 (-0400) Subject: Merge pull request #1747 in SNORT/snort3 from ~MMATIRKO/snort3:reputation_blacklist_f... X-Git-Tag: 3.0.0-262~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=430c6b2c8ea8f8e10af9445c10d9027104081df7;p=thirdparty%2Fsnort3.git Merge pull request #1747 in SNORT/snort3 from ~MMATIRKO/snort3:reputation_blacklist_fix to master Squashed commit of the following: commit 3f5f03db34f988fee415252cf6fd50b383799ec3 Author: Michael Matirko Date: Wed Sep 11 14:32:25 2019 -0400 reputation: SIDs for source and destination-triggered events added
---
diff --git a/src/network_inspectors/reputation/CMakeLists.txt b/src/network_inspectors/reputation/CMakeLists.txt
index 13b9244a2..c4c225f15 100644
--- a/src/network_inspectors/reputation/CMakeLists.txt
+++ b/src/network_inspectors/reputation/CMakeLists.txt
@@ -1,3 +1,6 @@
+set (REPUTATION_INCLUDES
+ reputation_common.h
+)
 add_library( reputation OBJECT
 reputation_config.h
@@ -9,3 +12,7 @@ add_library( reputation OBJECT
 reputation_parse.h
 )
+install(FILES ${REPUTATION_INCLUDES}
+ DESTINATION "${INCLUDE_INSTALL_PATH}/network_inspectors/reputation"
+)
+
diff --git a/src/network_inspectors/reputation/reputation_common.h b/src/network_inspectors/reputation/reputation_common.h
new file mode 100644
index 000000000..fef1d3e23
--- /dev/null
+++ b/src/network_inspectors/reputation/reputation_common.h
@@ -0,0 +1,35 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
+// Copyright (C) 2003-2013 Sourcefire, Inc.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifndef REPUTATION_COMMON_H
+#define REPUTATION_COMMON_H
+
+#define REPUTATION_NAME "reputation"
+#define REPUTATION_HELP "reputation inspection"
+
+#define GID_REPUTATION 136
+
+#define REPUTATION_EVENT_BLACKLIST_SRC 1
+#define REPUTATION_EVENT_WHITELIST_SRC 2
+#define REPUTATION_EVENT_MONITOR_SRC 3
+#define REPUTATION_EVENT_BLACKLIST_DST 4
+#define REPUTATION_EVENT_WHITELIST_DST 5
+#define REPUTATION_EVENT_MONITOR_DST 6
+
+#endif
diff --git a/src/network_inspectors/reputation/reputation_config.h b/src/network_inspectors/reputation/reputation_config.h
index eb1597c5e..29726fa9b 100644
--- a/src/network_inspectors/reputation/reputation_config.h
+++ b/src/network_inspectors/reputation/reputation_config.h
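Review bot: SIDs 136:1–136:3 keep their numbers but narrow their meaning: `REPUTATION_EVENT_BLACKLIST_SRC 1`, `REPUTATION_EVENT_WHITELIST_SRC 2` and `REPUTATION_EVENT_MONITOR_SRC 3` take over the values of the undirected defines removed from reputation_module.h, and per the reputation_inspect.cc hunks the _SRC values are written by the first lookup block in decision_per_layer (presumably the source address) and the _DST values by the second, with snort_reputation queuing one or the other, whereas the removed code queued 136:1–136:3 for a match in either direction. Any rule_state, threshold/suppression or SIEM correlation keyed on 136:1 alone will therefore stop seeing destination-triggered blacklist hits until 136:4 is added next to it, and nothing in this commit documents that (the doc and release-notes files are not visible from here). I would state it in the header, above the event defines: `// 136:1-3 fire when the source address matched a list, 136:4-6 when the destination did; prior releases raised 136:1-3 for either direction.`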
@@ -51,7 +51,13 @@ enum IPdecision
 BLACKLISTED,
 WHITELISTED_TRUST,
 MONITORED,
+ BLACKLISTED_SRC,
+ BLACKLISTED_DST,
+ WHITELISTED_TRUST_SRC,
+ WHITELISTED_TRUST_DST,
 WHITELISTED_UNBLACK,
+ MONITORED_SRC,
+ MONITORED_DST,
 DECISION_MAX
 };
diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc
index e1cf7a3db..b4419a8bf 100644
--- a/src/network_inspectors/reputation/reputation_inspect.cc
+++ b/src/network_inspectors/reputation/reputation_inspect.cc
@@ -189,7 +189,15 @@ static bool decision_per_layer(ReputationConfig* config, Packet* p,
 {
 decision = get_reputation(config, result, &p->iplist_id, ingressZone, egressZone);
- *decision_final = decision;
+ if (decision == BLACKLISTED)
+ *decision_final = BLACKLISTED_SRC;
+ else if (decision == MONITORED)
+ *decision_final = MONITORED_SRC;
+ else if (decision == WHITELISTED_TRUST)
+ *decision_final = WHITELISTED_TRUST_SRC;
+ else
+ *decision_final = decision;
+
 if ( config->priority == decision)
 return true;
 }
@@ -200,7 +208,15 @@ static bool decision_per_layer(ReputationConfig* config, Packet* p,
 {
 decision = get_reputation(config, result, &p->iplist_id, ingressZone, egressZone);
- *decision_final = decision;
+ if (decision == BLACKLISTED)
+ *decision_final = BLACKLISTED_DST;
+ else if (decision == MONITORED)
+ *decision_final = MONITORED_DST;
+ else if (decision == WHITELISTED_TRUST)
+ *decision_final = WHITELISTED_TRUST_DST;
+ else
+ *decision_final = decision;
+
 if ( config->priority == decision)
 return true;
 }
@@ -238,7 +254,7 @@ static IPdecision reputation_decision(ReputationConfig* config, Packet* p)
 {
 layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer);
 decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api, &decision_final);
- if (decision_final != BLACKLISTED)
+ if (decision_final != BLACKLISTED_SRC and decision_final != BLACKLISTED_DST)
 p->ptrs.ip_api = tmp_api;
 }
 else if (config->nested_ip == ALL)
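Review bot: The six new enumerators are interleaved with the old ones — BLACKLISTED_SRC through WHITELISTED_TRUST_DST before WHITELISTED_UNBLACK, MONITORED_SRC/DST after it — which renumbers WHITELISTED_UNBLACK and DECISION_MAX; if DECISION_MAX sizes a table anywhere or decision values are ever stored outside the process, that is a silent change worth confirming (the enum's opening lines and its users are outside this hunk). The enum now also holds two kinds of value: BLACKLISTED, WHITELISTED_TRUST and MONITORED are what get_reputation returns and what `config->priority` is compared against in decision_per_layer, whereas the _SRC/_DST variants appear only as the value written to `*decision_final` and consumed by snort_reputation. That split is invisible from the enum itself, so I would group the six new values together and head them with `// Directional variants written by decision_per_layer; the lookup (get_reputation) and config->priority use the undirected values above.`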
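Review bot: The if/else chain that turns the lookup result into a directional value is duplicated, with _SRC here and _DST in the -200,7 hunk of the same function, and each copy's trailing `else *decision_final = decision;` passes every other value (WHITELISTED_UNBLACK, DECISION_NULL) through undirected without saying so. A small helper states the mapping once and keeps the two call sites from drifting the next time IPdecision grows; the `if ( config->priority == decision)` test must keep comparing the raw `decision`, since priority is matched against the undirected value as far as the hunk shows. decision_per_layer begins before this hunk and continues after the second one.
```cpp
// Tag a lookup result with the direction that produced it; values with no
// directional variant (WHITELISTED_UNBLACK, DECISION_NULL) pass through.
static IPdecision tag_direction(IPdecision d, bool from_src)
{
    switch (d)
    {
    case BLACKLISTED:       return from_src ? BLACKLISTED_SRC : BLACKLISTED_DST;
    case MONITORED:         return from_src ? MONITORED_SRC : MONITORED_DST;
    case WHITELISTED_TRUST: return from_src ? WHITELISTED_TRUST_SRC : WHITELISTED_TRUST_DST;
    default:                return d;
    }
}

// … unchanged: decision_per_layer up to the first (source) lookup …
        decision = get_reputation(config, result, &p->iplist_id, ingressZone, egressZone);
        *decision_final = tag_direction(decision, true);
// … unchanged: priority check, second (destination) lookup …
        *decision_final = tag_direction(decision, false);
// … unchanged: rest of decision_per_layer …
```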
@@ -253,13 +269,13 @@ static IPdecision reputation_decision(ReputationConfig* config, Packet* p)
 &decision_current);
 if (decision_current != DECISION_NULL)
 {
- if (decision_current == BLACKLISTED)
+ if (decision_current == BLACKLISTED_SRC or decision_current == BLACKLISTED_DST)
 blocked_api = p->ptrs.ip_api;
 decision_final = decision_current;
 decision_current = DECISION_NULL;
 }
 }
- if (decision_final != BLACKLISTED)
+ if (decision_final != BLACKLISTED_SRC and decision_final != BLACKLISTED_DST)
 p->ptrs.ip_api = tmp_api;
 else if (p->ptrs.ip_api != blocked_api)
 p->ptrs.ip_api = blocked_api;
@@ -284,10 +300,14 @@ static void snort_reputation(ReputationConfig* config, Packet* p)
 if (DECISION_NULL == decision)
 return;
- else if (BLACKLISTED == decision)
+ else if (BLACKLISTED_SRC == decision or BLACKLISTED_DST == decision)
 {
- DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_BLACKLIST);
+ unsigned blacklist_event = (BLACKLISTED_SRC == decision) ?
+ REPUTATION_EVENT_BLACKLIST_SRC : REPUTATION_EVENT_BLACKLIST_DST;
+
+ DetectionEngine::queue_event(GID_REPUTATION, blacklist_event);
 act->drop_packet(p, true);
+ // disable all preproc analysis and detection for this packet
 DetectionEngine::disable_all(p);
 act->block_session(p, true);
@@ -298,15 +318,23 @@ static void snort_reputation(ReputationConfig* config, Packet* p)
 PacketTracer::log("Reputation: packet blacklisted, drop\n");
 }
 }
- else if (MONITORED == decision)
+
+ else if (MONITORED_SRC == decision or MONITORED_DST == decision)
 {
+ unsigned monitor_event = (MONITORED_SRC == decision) ?
+ REPUTATION_EVENT_MONITOR_SRC : REPUTATION_EVENT_MONITOR_DST;
+
 p->packet_flags |= PKT_REP_MONITORED;
- DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_MONITOR);
+ DetectionEngine::queue_event(GID_REPUTATION, monitor_event);
 reputationstats.monitored++;
 }
- else if (WHITELISTED_TRUST == decision)
+
+ else if (WHITELISTED_TRUST_SRC == decision or WHITELISTED_TRUST_DST == decision)
 {
- DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_WHITELIST);
+ unsigned whitelist_event = (WHITELISTED_TRUST_SRC == decision) ?
+ REPUTATION_EVENT_WHITELIST_SRC : REPUTATION_EVENT_WHITELIST_DST;
+
+ DetectionEngine::queue_event(GID_REPUTATION, whitelist_event);
 p->packet_flags |= PKT_IGNORE;
 DetectionEngine::disable_all(p);
 act->allow_session(p);
diff --git a/src/network_inspectors/reputation/reputation_module.cc b/src/network_inspectors/reputation/reputation_module.cc
index 266992849..6b80e4539 100644
--- a/src/network_inspectors/reputation/reputation_module.cc
+++ b/src/network_inspectors/reputation/reputation_module.cc
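Review bot: The decision-to-SID choice is now written three times as `unsigned x_event = (X_SRC == decision) ? REPUTATION_EVENT_X_SRC : REPUTATION_EVENT_X_DST;` (blacklist in the -284,10 hunk, monitor and whitelist here), a third copy of a mapping that reputation_rules in reputation_module.cc already lists; a single switch-based helper would give IPdecision one place to grow. The PacketTracer message at the top of this hunk, `"Reputation: packet blacklisted, drop\n"`, still reads the same for both directions although the event now distinguishes them, so if PacketTracer::log takes a printf-style format as it does elsewhere in the tree, `PacketTracer::log("Reputation: packet blacklisted by %s address, drop\n", BLACKLISTED_SRC == decision ? "source" : "destination");` would let an operator reading the trace see which address matched. snort_reputation begins before this hunk and continues after it.
```cpp
// SID for a directional decision; 0 for values that raise no event.
static unsigned decision_sid(IPdecision d)
{
    switch (d)
    {
    case BLACKLISTED_SRC:       return REPUTATION_EVENT_BLACKLIST_SRC;
    case BLACKLISTED_DST:       return REPUTATION_EVENT_BLACKLIST_DST;
    case MONITORED_SRC:         return REPUTATION_EVENT_MONITOR_SRC;
    case MONITORED_DST:         return REPUTATION_EVENT_MONITOR_DST;
    case WHITELISTED_TRUST_SRC: return REPUTATION_EVENT_WHITELIST_SRC;
    case WHITELISTED_TRUST_DST: return REPUTATION_EVENT_WHITELIST_DST;
    default:                    return 0;
    }
}

// … unchanged: snort_reputation up to the monitor branch …
    else if (MONITORED_SRC == decision or MONITORED_DST == decision)
    {
        p->packet_flags |= PKT_REP_MONITORED;
        DetectionEngine::queue_event(GID_REPUTATION, decision_sid(decision));
        reputationstats.monitored++;
    }
    else if (WHITELISTED_TRUST_SRC == decision or WHITELISTED_TRUST_DST == decision)
    {
        DetectionEngine::queue_event(GID_REPUTATION, decision_sid(decision));
// … unchanged: PKT_IGNORE, disable_all, allow_session …
```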
@@ -34,12 +34,20 @@ using namespace snort;
 using namespace std;
-#define REPUTATION_EVENT_BLACKLIST_STR \
- "packets blacklisted"
-#define REPUTATION_EVENT_WHITELIST_STR \
- "packets whitelisted"
-#define REPUTATION_EVENT_MONITOR_STR \
- "packets monitored"
+#define REPUTATION_EVENT_BLACKLIST_SRC_STR \
+ "packets blacklisted based on source"
+#define REPUTATION_EVENT_BLACKLIST_DST_STR \
+ "packets blacklisted based on destination"
+
+#define REPUTATION_EVENT_WHITELIST_SRC_STR \
+ "packets whitelisted based on source"
+#define REPUTATION_EVENT_WHITELIST_DST_STR \
+ "packets whitelisted based on destination"
+
+#define REPUTATION_EVENT_MONITOR_SRC_STR \
+ "packets monitored based on source"
+#define REPUTATION_EVENT_MONITOR_DST_STR \
+ "packets monitored based on destination"
 static const Parameter s_params[] =
 {
@@ -72,9 +80,13 @@ static const Parameter s_params[] =
 static const RuleMap reputation_rules[] =
 {
- { REPUTATION_EVENT_BLACKLIST, REPUTATION_EVENT_BLACKLIST_STR },
- { REPUTATION_EVENT_WHITELIST, REPUTATION_EVENT_WHITELIST_STR },
- { REPUTATION_EVENT_MONITOR, REPUTATION_EVENT_MONITOR_STR },
+ { REPUTATION_EVENT_BLACKLIST_SRC, REPUTATION_EVENT_BLACKLIST_SRC_STR },
+ { REPUTATION_EVENT_WHITELIST_SRC, REPUTATION_EVENT_WHITELIST_SRC_STR },
+ { REPUTATION_EVENT_MONITOR_SRC, REPUTATION_EVENT_MONITOR_SRC_STR },
+ { REPUTATION_EVENT_BLACKLIST_DST, REPUTATION_EVENT_BLACKLIST_DST_STR },
+ { REPUTATION_EVENT_WHITELIST_DST, REPUTATION_EVENT_WHITELIST_DST_STR },
+ { REPUTATION_EVENT_MONITOR_DST, REPUTATION_EVENT_MONITOR_DST_STR },
+ { 0, nullptr }
 };
diff --git a/src/network_inspectors/reputation/reputation_module.h b/src/network_inspectors/reputation/reputation_module.h
index 5c16a9bac..7a767174e 100644
--- a/src/network_inspectors/reputation/reputation_module.h
+++ b/src/network_inspectors/reputation/reputation_module.h
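Review bot: Each of the six new *_STR macros in the -34,12 hunk has exactly one use, its reputation_rules entry in the -72,9 hunk, so a reader must look in two places to learn what 136:4 says; writing the literal in the table, e.g. `{ REPUTATION_EVENT_BLACKLIST_DST, "packets blacklisted based on destination" },`, keeps each SID and its text on one line and drops the macro block. Separately, the message for 136:1 changes from `packets blacklisted` to `packets blacklisted based on source` (likewise 136:2 and 136:3), which any downstream parser matching on the rule message rather than on gid:sid will notice; that belongs in the release notes if the commit does not already touch them (not visible from here).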
@@ -25,15 +25,7 @@
 #include "framework/module.h"
 #include "reputation_config.h"
-
-#define GID_REPUTATION 136
-
-#define REPUTATION_EVENT_BLACKLIST 1
-#define REPUTATION_EVENT_WHITELIST 2
-#define REPUTATION_EVENT_MONITOR 3
-
-#define REPUTATION_NAME "reputation"
-#define REPUTATION_HELP "reputation inspection"
+#include "reputation_common.h"
 namespace snort
 {