From: Mike Stepanek (mstepane) Date: Tue, 15 Jan 2019 18:36:30 +0000 (-0500) Subject: Merge pull request #1478 in SNORT/snort3 from ~SMINUT/snort3:sd_obfuscate to master X-Git-Tag: 3.0.0-251~65 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=436004b27be0fb6d3c6c1a72fd42d413fcdf501f;p=thirdparty%2Fsnort3.git Merge pull request #1478 in SNORT/snort3 from ~SMINUT/snort3:sd_obfuscate to master Squashed commit of the following: commit 06ea21618014ce4b352ace310b1efeeabbc16129 Author: Silviu Minut Date: Mon Jan 7 00:11:48 2019 -0500 main: move obfuscate_pii from OutputModule to IpsModule. main: move the obfuscate parameter from IpsModule back to OutputModule, per reviewers' comments. snort2lua: move obfuscate_pii to the ips table from the output table.
---
diff --git a/src/ips_options/ips_sd_pattern.cc b/src/ips_options/ips_sd_pattern.cc
index b574c0d44..b34a0b0d6 100644
--- a/src/ips_options/ips_sd_pattern.cc
+++ b/src/ips_options/ips_sd_pattern.cc
@@ -352,23 +352,24 @@ bool SdPatternModule::set(const char*, Value& v, SnortConfig* sc)
 return false;
 // Check if built-in pattern should be used.
+ IpsPolicy* p = snort::get_ips_policy();
 if (config.pii == "credit_card")
 {
 config.pii = SD_CREDIT_PATTERN_ALL;
 config.validate = SdLuhnAlgorithm;
- config.obfuscate_pii = sc->obfuscate_pii;
+ config.obfuscate_pii = p->obfuscate_pii;
 config.forced_boundary = true;
 }
 else if (config.pii == "us_social")
 {
 config.pii = SD_SOCIAL_PATTERN;
- config.obfuscate_pii = sc->obfuscate_pii;
+ config.obfuscate_pii = p->obfuscate_pii;
 config.forced_boundary = true;
 }
 else if (config.pii == "us_social_nodashes")
 {
 config.pii = SD_SOCIAL_NODASHES_PATTERN;
- config.obfuscate_pii = sc->obfuscate_pii;
+ config.obfuscate_pii = p->obfuscate_pii;
 config.forced_boundary = true;
 }
@@ -488,4 +489,3 @@ const BaseApi* ips_sd_pattern[] =
 &sd_pattern_api.base,
 nullptr
 };
-
diff --git a/src/main/modules.cc b/src/main/modules.cc
index 7099ed77a..ce5b2ca71 100755
--- a/src/main/modules.cc
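Review bot: `p` returned by `snort::get_ips_policy()` is dereferenced in all three branches without a null check, whereas the old code read a field of the `sc` object that is always present; this same patch guards `get_inspection_policy()` against a null result in policy.cc, so unless every caller of SdPatternModule::set is guaranteed to run under a current IPS policy the getter needs the same treatment, e.g. `if ( !p ) return false;` directly after the new line (or fetch the policy only inside the three branches that use it). After this change `sc` may no longer be referenced anywhere in set(); if so, drop its name from the signature to avoid an unused-parameter warning. Note also that the per-policy flag is now captured at rule-parse time, so `ips.obfuscate_pii` has to be set before the rules that use it are parsed for masking to take effect. The body of SdPatternModule::set continues outside the hunk.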
+++ b/src/main/modules.cc
@@ -761,12 +761,6 @@ static const Parameter output_params[] =
 { "logdir", Parameter::PT_STRING, nullptr, ".", "where to put log files (same as -l)" },
- { "obfuscate", Parameter::PT_BOOL, nullptr, "false", "obfuscate the logged IP addresses (same as -O)" },
-
- { "obfuscate_pii", Parameter::PT_BOOL, nullptr, "false", "mask all but the last 4 characters of credit card and social security numbers" },
-
 { "show_year", Parameter::PT_BOOL, nullptr, "false", "include year in timestamp in the alert and log files (same as -y)" },
@@ -776,6 +770,9 @@ static const Parameter output_params[] =
 { "verbose", Parameter::PT_BOOL, nullptr, "false", "be verbose (same as -v)" },
+ { "obfuscate", Parameter::PT_BOOL, nullptr, "false",
+ "obfuscate the logged IP addresses (same as -O)" },
+
 #ifdef REG_TEST
 { "wide_hex_dump", Parameter::PT_BOOL, nullptr, "true",
 #else
@@ -819,12 +816,6 @@ bool OutputModule::set(const char*, Value& v, SnortConfig* sc)
 else if ( v.is("max_data") )
 sc->event_trace_max = v.get_uint16();
- else if ( v.is("obfuscate") ) v.update_mask(sc->output_flags, OUTPUT_FLAG__OBFUSCATE);
-
- else if ( v.is("obfuscate_pii") ) sc->obfuscate_pii = v.get_bool();
-
 else if ( v.is("show_year") )
 v.update_mask(sc->output_flags, OUTPUT_FLAG__INCLUDE_YEAR);
@@ -837,6 +828,9 @@ bool OutputModule::set(const char*, Value& v, SnortConfig* sc)
 else if ( v.is("wide_hex_dump") )
 v.update_mask(sc->output_flags, OUTPUT_FLAG__WIDE_HEX);
+ else if ( v.is("obfuscate") )
+ v.update_mask(sc->output_flags, OUTPUT_FLAG__OBFUSCATE);
+
 else
 return false;
@@ -1215,6 +1209,9 @@ static const Parameter ips_params[] =
 { "rules", Parameter::PT_STRING, nullptr, nullptr, "snort rules and includes" },
+ { "obfuscate_pii", Parameter::PT_BOOL, nullptr, "false",
+ "mask all but the last 4 characters of credit card and social security numbers" },
+
 #ifdef HAVE_UUID
 { "uuid", Parameter::PT_STRING, nullptr, "00000000-0000-0000-0000-000000000000", "IPS policy uuid" },
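Review bot: Dropping `obfuscate_pii` from output_params removes a documented user-facing option with no deprecation path, so an existing snort.lua that still sets `output.obfuscate_pii` will presumably now be rejected as an unknown parameter rather than silently running with PII masking off; the former is the safer failure, but it is worth confirming which one happens, since the latter would log unmasked card and SSN data. Either keep a deprecated `output.obfuscate_pii` entry whose handler warns and forwards to the default IPS policy, or at least call out the rename to `ips.obfuscate_pii` in the new parameter's help text and the release notes. The -819 hunk in OutputModule::set is the matching handler removal.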
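Review bot: The re-added `obfuscate` entry now sits after `verbose` in output_params, and the matching `v.is("obfuscate")` branch in the -837 hunk sits after `wide_hex_dump`, although both tables otherwise appear to keep their entries in alphabetical order (logdir, show_year, ..., verbose, wide_hex_dump); since the net effect of this commit on the output module is only this move, which looks like a leftover of moving the option to IpsModule and back, restore it to its original position before `show_year` in both places. The same ordering point applies to `obfuscate_pii` in ips_params (-1215 hunk) and in IpsModule::set (-1258 hunk), which is inserted after `rules` instead of before it.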
@@ -1258,6 +1255,9 @@ bool IpsModule::set(const char*, Value& v, SnortConfig* sc)
 else if ( v.is("rules") )
 p->rules = v.get_string();
+ else if ( v.is("obfuscate_pii") )
+ p->obfuscate_pii = v.get_bool();
+
 #ifdef HAVE_UUID
 else if ( v.is("uuid") )
 {
@@ -1922,4 +1922,3 @@ void module_init()
 ModuleManager::add_module(new HostTrackerModule);
 ModuleManager::add_module(new HostCacheModule);
 }
-
diff --git a/src/main/policy.cc b/src/main/policy.cc
index cb6399fde..8f3260a3e 100644
--- a/src/main/policy.cc
+++ b/src/main/policy.cc
@@ -119,6 +119,7 @@ IpsPolicy::IpsPolicy(PolicyId id)
 nonamePortVarTable = PortTableNew();
 enable_builtin_rules = false;
+ obfuscate_pii = false;
 }
 IpsPolicy::~IpsPolicy()
@@ -265,7 +266,7 @@ std::shared_ptr PolicyMap::add_shell(Shell* sh)
 std::shared_ptr PolicyMap::get_policies(Shell* sh)
 {
 const auto& pt = shell_map.find(sh);
-
+
 return pt == shell_map.end() ? nullptr:pt->second;
 }
@@ -363,7 +364,7 @@ bool default_inspection_policy()
 {
 if ( !get_inspection_policy() )
 return false;
-
+
 if ( get_inspection_policy()->policy_id != 0 )
 return false;
@@ -378,4 +379,3 @@ bool only_ips_policy()
 bool only_network_policy()
 { return get_network_policy() && !get_ips_policy() && !get_inspection_policy(); }
-
diff --git a/src/main/policy.h b/src/main/policy.h
index 97c9c0aff..4a04b3cc4 100644
--- a/src/main/policy.h
+++ b/src/main/policy.h
@@ -158,6 +158,8 @@ public:
 /* The portobjects in these are attached to rtns and used during runtime */
 PortVarTable* portVarTable; /* named entries, uses a hash table */
 PortTable* nonamePortVarTable; /* un-named entries */
+
+ bool obfuscate_pii;
 };
 //-------------------------------------------------------------------------
@@ -278,4 +280,3 @@ bool only_ips_policy();
 bool only_network_policy();
 #endif
-
diff --git a/src/main/snort_config.h b/src/main/snort_config.h
index b0413f78e..e027d2490 100644
--- a/src/main/snort_config.h
+++ b/src/main/snort_config.h
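Review bot: `obfuscate_pii` is initialized here in the constructor body while the policy.h hunk (-158) declares it as a bare `bool obfuscate_pii;`, so any other construction path, or a constructor added later, would leave it indeterminate and masking would depend on stack garbage; snort_config.h in this same patch uses default member initializers (`bool id_zero = false;`), so prefer `bool obfuscate_pii = false;` in the declaration and drop this line. The new member also lacks the trailing comment its neighbours carry; something like `bool obfuscate_pii = false; /* set via ips.obfuscate_pii; read by sd_pattern to mask matches */` records where it is written and read. IpsPolicy's constructor body starts outside the hunk.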
@@ -282,7 +282,7 @@ public:
 ThresholdConfig* threshold_config = nullptr;
 RateFilterConfig* rate_filter_config = nullptr;
 DetectionFilterConfig* detection_filter_config = nullptr;
- FlowBitState* flowbit_state = nullptr;
+ FlowBitState* flowbit_state = nullptr;
 //------------------------------------------------------
 // FIXIT-L command line only stuff, add to conf / module
@@ -299,7 +299,6 @@ public:
 bool id_zero = false;
 bool stdin_rules = false;
- bool obfuscate_pii = false;
 std::string pid_filename;
 std::string orig_log_dir; /* set in case of chroot */
@@ -663,4 +662,3 @@ public:
 }
 #endif
-
diff --git a/tools/snort2lua/preprocessor_states/pps_sdf.cc b/tools/snort2lua/preprocessor_states/pps_sdf.cc
index 5511974ce..31c3f6a81 100644
--- a/tools/snort2lua/preprocessor_states/pps_sdf.cc
+++ b/tools/snort2lua/preprocessor_states/pps_sdf.cc
@@ -37,7 +37,7 @@ public:
 {
 if ( keyword == "mask_output")
 {
- table_api.open_table("output");
+ table_api.open_table("ips");
 table_api.add_option("obfuscate_pii", true);
 table_api.close_table();
 }
@@ -61,4 +61,3 @@ static const ConvertMap preprocessor_sdf =
 const ConvertMap* sdf_map = &preprocessor_sdf;
 } // namespace preprocessors
-
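Review bot: Nothing in pps_sdf.cc records why the snort2 `mask_output` keyword now lands in the `ips` table rather than `output`, so the next reader has to dig through modules.cc to learn that the flag moved; a one-line comment above the call, `// obfuscate_pii is an IPS policy setting (ips.obfuscate_pii), not an output setting`, would make that explicit. Because the flag is now per IPS policy, it is also worth confirming that `open_table("ips")` writes into the policy that the converted sdf preprocessor actually applied to when a snort2 config has more than one policy, rather than always the top-level one. The enclosing convert function starts and ends outside the hunk.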