From: Mike Stepanek (mstepane) <mstepane@cisco.com>
Date: Tue, 23 Mar 2021 13:26:15 +0000 (+0000)
Subject: Merge pull request #2801 in SNORT/snort3 from ~OSHUMEIK/snort3:dup_rtn_with_vars... 
X-Git-Tag: 3.1.3.0~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f6f24537bf04d1433df25d431e36fdbb9bedcad;p=thirdparty%2Fsnort3.git

Merge pull request #2801 in SNORT/snort3 from ~OSHUMEIK/snort3:dup_rtn_with_vars to master

Squashed commit of the following:

commit 2aaa48fd2e09639b937e61533b14d55544cb1355
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Thu Mar 18 12:13:34 2021 +0200

    parser: support duped RTN if its header has been changed
---

diff --git a/src/detection/rules.cc b/src/detection/rules.cc
index e1bd6c368..6c09fcf67 100644
--- a/src/detection/rules.cc
+++ b/src/detection/rules.cc
@@ -100,22 +100,13 @@ void RuleStateMap::apply(
     if ( policy )
         policy->rules_shared++;
 
-    RuleTreeNode* t_rtn = dup_rtn(b_rtn, policy);
+    RuleTreeNode* t_rtn = dup_rtn(sc, otn, b_rtn, policy);
     update_rtn(t_rtn, s);
-
-    auto bspo = b_rtn->src_portobject;
-    auto bdpo = b_rtn->dst_portobject;
-    auto tspo = t_rtn->src_portobject;
-    auto tdpo = t_rtn->dst_portobject;
-
-    if ( (bspo and tspo and !PortObjectEqual(bspo, tspo)) or
-         (bdpo and tdpo and !PortObjectEqual(bdpo, tdpo)) )
-        parse_rule_finish_portlist(sc, t_rtn, otn);
-
     addRtnToOtn(sc, otn, t_rtn, ips_num);
 }
 
-RuleTreeNode* RuleStateMap::dup_rtn(RuleTreeNode* rtn, IpsPolicy* policy)
+RuleTreeNode* RuleStateMap::dup_rtn(
+    SnortConfig* sc, OptTreeNode* otn, RuleTreeNode* rtn, IpsPolicy* policy)
 {
     RuleTreeNode* ret = new RuleTreeNode(*rtn);
 
@@ -132,16 +123,20 @@ RuleTreeNode* RuleStateMap::dup_rtn(RuleTreeNode* rtn, IpsPolicy* policy)
     ret->sip = sip
         ? sfvar_create_alias(sip, sip->name)
         : sfvar_deep_copy(rtn->sip);
-
     ret->dip = dip
         ? sfvar_create_alias(dip, dip->name)
         : sfvar_deep_copy(rtn->dip);
-
     ret->src_portobject = spo ? spo : ret->src_portobject;
     ret->dst_portobject = dpo ? dpo : ret->dst_portobject;
-
     ret->otnRefCount = 0;
 
+    if ( sip or dip or spo or dpo )
+    {
+        ret->rule_func = nullptr;
+        parse_rule_process_rtn(sc, ret, otn);
+        return ret;
+    }
+
     RuleFpList* from = rtn->rule_func;
 
     if ( from )
diff --git a/src/detection/rules.h b/src/detection/rules.h
index b5bd75b23..69b0629ca 100644
--- a/src/detection/rules.h
+++ b/src/detection/rules.h
@@ -96,7 +96,7 @@ public:
     void apply(snort::SnortConfig*);
 
 private:
-    RuleTreeNode* dup_rtn(RuleTreeNode*, IpsPolicy*);
+    RuleTreeNode* dup_rtn(snort::SnortConfig*, OptTreeNode*, RuleTreeNode*, IpsPolicy*);
     void update_rtn(RuleTreeNode*, const RuleState&);
     void apply(snort::SnortConfig*, OptTreeNode*, unsigned ips_num, const RuleState&);
 
diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc
index 804128f81..7069343a9 100644
--- a/src/parser/parse_rule.cc
+++ b/src/parser/parse_rule.cc
@@ -1382,7 +1382,9 @@ void parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* otn)
 
     validate_services(sc, otn);
     OtnLookupAdd(sc->otn_map, otn);
-    parse_rule_finish_portlist(sc, new_rtn, otn);
+
+    if ( FinishPortListRule(sc->port_tables, new_rtn, otn, sc->fast_pattern_config) )
+        ParseError("Failed to finish a port list rule.");
 
     if ( s_capture )
     {
@@ -1393,9 +1395,34 @@ void parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* otn)
     ClearIpsOptionsVars();
 }
 
-void parse_rule_finish_portlist(SnortConfig* sc, RuleTreeNode* rtn, OptTreeNode* otn)
+void parse_rule_process_rtn(SnortConfig* sc, RuleTreeNode* rtn, OptTreeNode* otn)
 {
+    if (rtn->sip->head && rtn->sip->head->flags & SFIP_ANY)
+        rtn->flags |= RuleTreeNode::ANY_SRC_IP;
+    else
+        rtn->flags &= ~RuleTreeNode::ANY_SRC_IP;
+
+    if (rtn->dip->head && rtn->dip->head->flags & SFIP_ANY)
+        rtn->flags |= RuleTreeNode::ANY_DST_IP;
+    else
+        rtn->flags &= ~RuleTreeNode::ANY_DST_IP;
+
+    ValidateIPList(rtn->sip, rtn->sip->name);
+    ValidateIPList(rtn->dip, rtn->dip->name);
+
+    if ( PortObjectHasAny(rtn->src_portobject) )
+        rtn->flags |= RuleTreeNode::ANY_SRC_PORT;
+    else
+        rtn->flags &= ~RuleTreeNode::ANY_SRC_PORT;
+
+    if ( PortObjectHasAny(rtn->dst_portobject) )
+        rtn->flags |= RuleTreeNode::ANY_DST_PORT;
+    else
+        rtn->flags &= ~RuleTreeNode::ANY_DST_PORT;
+
+    head_count++;
+    SetupRTNFuncList(rtn);
+
     if ( FinishPortListRule(sc->port_tables, rtn, otn, sc->fast_pattern_config) )
-        ParseError("%u:%u rule failed to finish a port list.",
-            otn->sigInfo.gid, otn->sigInfo.sid);
+        ParseError("%u:%u rule failed to finish a port list.", otn->sigInfo.gid, otn->sigInfo.sid);
 }
diff --git a/src/parser/parse_rule.h b/src/parser/parse_rule.h
index 9ddd00665..16086858f 100644
--- a/src/parser/parse_rule.h
+++ b/src/parser/parse_rule.h
@@ -49,7 +49,7 @@ void parse_rule_opt_end(snort::SnortConfig*, const char* key, OptTreeNode*);
 
 OptTreeNode* parse_rule_open(snort::SnortConfig*, RuleTreeNode&, bool stub = false);
 void parse_rule_close(snort::SnortConfig*, RuleTreeNode&, OptTreeNode*);
-void parse_rule_finish_portlist(snort::SnortConfig*, RuleTreeNode*, OptTreeNode*);
+void parse_rule_process_rtn(snort::SnortConfig*, RuleTreeNode*, OptTreeNode*);
 
 #endif