From: Victor Julien
Date: Wed, 7 Oct 2015 05:08:02 +0000 (+0200)
Subject: detect grouping: warn on and fix up bad sigs
X-Git-Tag: suricata-3.1RC1~358
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5772f526dcd235f80d3c9f65bb9fb5a7c1d8c0de;p=thirdparty%2Fsuricata.git
detect grouping: warn on and fix up bad sigs
Only inspect directionless SYN scan sigs toserver. Issue a warning for those rules.
---
diff --git a/src/detect.c b/src/detect.c
index 107d0e4f26..f50dd4855f 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -3008,6 +3008,20 @@ static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint3
         else
             BUG_ON(1);
 
+        /* see if we want to exclude directionless sigs that really care only for
+         * to_server syn scans/floods */
+        if ((direction == SIG_FLAG_TOCLIENT) &&
+            DetectFlagsSignatureNeedsSynPackets(s) &&
+            DetectFlagsSignatureNeedsSynOnlyPackets(s) &&
+            ((s->flags & (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) == (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)) &&
+            (!(s->dp->port == 0 && s->dp->port2 == 65535)))
+        {
+            SCLogWarning(SC_WARN_POOR_RULE, "rule %u: SYN-only to port(s) %u:%u "
+                    "w/o direction specified, disabling for toclient direction",
+                    s->id, s->dp->port, s->dp->port2);
+            goto next;
+        }
+
         while (p) {
             DetectPort *tmp = DetectPortCopySingle(de_ctx, p);
             BUG_ON(tmp == NULL);
diff --git a/src/util-error.c b/src/util-error.c
index 3bf695504a..3706789b2b 100644
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -316,6 +316,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_JSON_STATS_LOG_NEGATED);
         CASE_CODE (SC_ERR_DEPRECATED_CONF);
         CASE_CODE (SC_WARN_FASTER_CAPTURE_AVAILABLE);
+        CASE_CODE (SC_WARN_POOR_RULE);
     }
 
     return "UNKNOWN_ERROR";
diff --git a/src/util-error.h b/src/util-error.h
index 42fd74f963..1e9ef4f026 100644
--- a/src/util-error.h
+++ b/src/util-error.h
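Review bot: The new exclusion test in the detect.c hunk dereferences `s->dp` in the condition and again in the SCLogWarning arguments with no NULL guard, and whether every signature reaching this point is guaranteed to carry a destination-port list is not visible here, since the body of RulesGroupByPorts starts before the hunk. If any sig can arrive with `s->dp == NULL`, rule loading crashes in the grouping pass instead of merely mis-grouping, so prefixing the port test with `(s->dp != NULL) &&` is cheap insurance. The "any" test also inspects only the head node of the `dp` list; if a parsed port list can hold several nodes, a sig whose later node spans 0:65535 would still be dropped from the toclient group, which is presumably acceptable for SYN-only rules but deserves a sentence in the comment. Since this silently removes toclient detection coverage for the affected rules beyond the one-time load warning, the comment should also state the reasoning, e.g. `/* a bare SYN is presumably always the flow-opening toserver packet, so toclient inspection of these sigs only costs time */`.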
@@ -306,6 +306,7 @@ typedef enum {
     SC_ERR_JSON_STATS_LOG_NEGATED, /** When totals and threads are both NO in yaml **/
     SC_ERR_DEPRECATED_CONF, /**< Deprecated configuration parameter. */
     SC_WARN_FASTER_CAPTURE_AVAILABLE,
+    SC_WARN_POOR_RULE,
 } SCError;
 
 const char *SCErrorToString(SCError);