From: Anna Norokh -X (anorokh - SOFTSERVE INC at Cisco)
Date: Wed, 19 Feb 2025 09:30:14 +0000 (+0000)
Subject: Pull request #4592: pub_sub: add ips rule event for extractor
X-Git-Tag: 3.7.1.0~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a9b313c726955e79eae7907175fb943ccce51e7;p=thirdparty%2Fsnort3.git
Pull request #4592: pub_sub: add ips rule event for extractor
Merge in SNORT/snort3 from ~ANOROKH/snort3:extr_rule_events to master
Squashed commit of the following:
commit 86b80f37d26c1ba03e46feaff262bd6b65d716c2
Author: anorokh
Date: Thu Jan 30 15:57:16 2025 +0200
pub_sub: add ips rule event for extractor
---
diff --git a/src/detection/detect.cc b/src/detection/detect.cc
index 863f639f8..fcc3f55b2 100644
--- a/src/detection/detect.cc
+++ b/src/detection/detect.cc
@@ -37,6 +37,7 @@
 #include "packet_io/active.h"
 #include "ports/port_object.h"
 #include "profiler/profiler_defs.h"
+#include "pub_sub/detection_events.h"
 #include "reputation/reputation_common.h"
 #include "sfip/sf_ipvar.h"
 #include "stream/stream.h"
@@ -95,6 +96,9 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 p->dsize = dsize;
 }
+ IpsRuleEvent data_event(event, p);
+ DataBus::publish(DetectionEngine::get_pub_id(), DetectionEventIds::IPS_LOGGING, data_event, p->flow);
+
 OutputSet* idx = head ? head->LogList : nullptr;
 EventManager::call_loggers(idx, p, otn->sigInfo.message.c_str(), &event);
diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index 458e7cc0d..ea5d25f54 100644
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -40,6 +40,7 @@
 #include "parser/parser.h"
 #include "profiler/profiler_defs.h"
 #include "protocols/packet.h"
+#include "pub_sub/detection_events.h"
 #include "stream/stream.h"
 #include "time/packet_time.h"
 #include "trace/trace_api.h"
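Review bot: The published `data_event` hands subscribers a borrowed `const Packet*` plus a by-value copy of `event`, and nothing at the publish site in CallLogFuncs says how long either may be held; presumably `DataBus::publish` dispatches synchronously, so a subscriber that stores the packet pointer past its callback would later read a recycled packet. A one-line comment above the `IpsRuleEvent data_event(event, p);` line would pin the contract: `// published synchronously; subscribers must not retain data_event or p past the callback`. `p->flow` is passed through as-is and can be null for flowless packets, so it is worth confirming that `DataBus::publish` tolerates a null flow, since this call path now depends on it. CallLogFuncs begins and ends outside this hunk.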
@@ -61,6 +62,8 @@ using namespace snort;
 static THREAD_LOCAL RegexOffload* offloader = nullptr;
 bool DetectionEngine::offload_enabled = false;
+static unsigned de_pub_id = 0;
+
 //--------------------------------------------------------------------------
 // basic de
 //--------------------------------------------------------------------------
@@ -126,6 +129,12 @@ DetectionEngine::~DetectionEngine()
 }
 }
+void DetectionEngine::init()
+{
+ assert(in_main_thread());
+ de_pub_id = DataBus::get_id(de_pub_key);
+}
+
 void DetectionEngine::enable_offload()
 { offload_enabled = true; }
@@ -764,3 +773,6 @@ void DetectionEngine::clear_events(Packet* p)
 pc.log_limit += sfeventq_reset(pq);
 }
+unsigned DetectionEngine::get_pub_id()
+{ return de_pub_id; }
+
diff --git a/src/detection/detection_engine.h b/src/detection/detection_engine.h
index 249eeba54..344b76f4b 100644
--- a/src/detection/detection_engine.h
+++ b/src/detection/detection_engine.h
@@ -47,6 +47,7 @@ public:
 ~DetectionEngine();
 public:
+ static void init();
 static void thread_init();
 static void thread_term();
@@ -108,6 +109,8 @@ public:
 static void wait_for_context();
+ static unsigned get_pub_id();
+
 private:
 static struct SF_EVENTQ* get_event_queue();
 static bool do_offload(snort::Packet*);
diff --git a/src/main/snort.cc b/src/main/snort.cc
index 0820f0113..d2f86f008 100644
--- a/src/main/snort.cc
+++ b/src/main/snort.cc
@@ -31,6 +31,7 @@
 #include "actions/ips_actions.h"
 #include "codecs/codec_api.h"
 #include "connectors/connectors.h"
+#include "detection/detection_engine.h"
 #include "detection/fp_config.h"
 #include "file_api/file_service.h"
 #include "filters/detection_filter.h"
@@ -116,6 +117,8 @@ void Snort::init(int argc, char** argv)
 InitProtoNames();
 DataBus::init();
+ DetectionEngine::init();
+
 load_actions();
 load_codecs();
 load_connectors();
diff --git a/src/pub_sub/CMakeLists.txt b/src/pub_sub/CMakeLists.txt
index 4b66e33b1..0782021d3 100644
--- a/src/pub_sub/CMakeLists.txt
+++ b/src/pub_sub/CMakeLists.txt
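Review bot: `de_pub_id` is a plain (non-thread-local, non-atomic) static written once in `DetectionEngine::init()` and read by `get_pub_id()`, which the detect.cc change calls on the packet path; that is only race-free because `init()` runs in the main thread (per the `assert(in_main_thread())`) before packet threads start, and neither this definition, the `init()` hunk, nor the `get_pub_id()` declaration in the detection_engine.h hunk records that ordering. A comment on the definition would do it: `// set once by init() in the main thread before packet threads exist; read-only thereafter`. The same dependency appears in the snort.cc hunk, where `DetectionEngine::init()` must follow `DataBus::init()` for `DataBus::get_id()` to be usable — a short `// after DataBus::init(): registers the detection PubKey` there keeps the order from being reshuffled later. If `init()` is never called (a harness that bypasses `Snort::init`, say), `get_pub_id()` returns 0, and whether DataBus treats 0 as a valid publisher id is not visible here, so a comment or an `assert(de_pub_id)` in `get_pub_id()` may be worth considering.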
@@ -7,6 +7,7 @@ set (PUB_SUB_INCLUDES
 data_decrypt_event.h
 daq_message_event.h
 dcerpc_events.h
+ detection_events.h
 dhcp_events.h
 domain_fronting.h
 eve_process_event.h
diff --git a/src/pub_sub/detection_events.h b/src/pub_sub/detection_events.h
new file mode 100644
index 000000000..bd6742cad
--- /dev/null
+++ b/src/pub_sub/detection_events.h
@@ -0,0 +1,53 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2025 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// detection_events.h author Anna Norokh
+#ifndef DETECTION_EVENTS_H
+#define DETECTION_EVENTS_H
+#include "events/event.h"
+#include "framework/data_bus.h"
+namespace snort
+{
+struct DetectionEventIds
+{
+ enum : unsigned
+ {
+ IPS_LOGGING,
+ MAX
+ };
+};
+const PubKey de_pub_key { "detection", DetectionEventIds::MAX };
+class IpsRuleEvent : public DataEvent, public Event
+{
+public:
+ IpsRuleEvent(const Event& e, const Packet* p) : Event(e), p(p) {}
+ const snort::Packet* get_packet() const override
+ { return p; }
+private:
+ const Packet* p;
+};
+}
+#endif
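Review bot: `IpsRuleEvent` carries no documentation of what it represents or of the lifetime of what it exposes: the `Event` base is a copy taken at publish time, while `get_packet()` returns a borrowed pointer the class does not own, and a subscriber that keeps either past its callback is on its own. A class comment along the lines of `// Published on DetectionEventIds::IPS_LOGGING for each IPS event handed to the loggers; Event is a copy, the packet is borrowed and valid only for the duration of the callback` would settle that (the "only for the duration of the callback" part assumes synchronous delivery, which this header cannot show — confirm against DataBus). Two small style points: inside `namespace snort` the override can be written `const Packet* get_packet() const override`, matching the member's own declaration, and the constructor parameter `p` shadows the member `p` — a trailing-underscore member or a differently named parameter avoids the shadow warning. Deriving publicly from `Event` also exposes whatever `Event` makes public as mutable state on the published object; if subscribers are meant to read only, holding the `Event` as a private member behind a `const Event& get_event() const` accessor makes that explicit.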