From: Ron Dempster (rdempste) Date: Wed, 2 Jun 2021 19:31:42 +0000 (+0000) Subject: Merge pull request #2908 in SNORT/snort3 from ~SMULKA/snort3:si_ip to master X-Git-Tag: 3.1.6.0~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=65bf01f4c722b2b2bf075b439b55da7d85053bf0;p=thirdparty%2Fsnort3.git Merge pull request #2908 in SNORT/snort3 from ~SMULKA/snort3:si_ip to master Squashed commit of the following: commit afd5ac41ba87a6a2bfd8321fe8c18947bca0e907 Author: smulka Date: Tue May 25 18:33:45 2021 -0400 reputation: daq trace log
---
diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc
index 3b1bb28fb..6318c4bf9 100644
--- a/src/network_inspectors/reputation/reputation_inspect.cc
+++ b/src/network_inspectors/reputation/reputation_inspect.cc
@@ -74,6 +74,7 @@ const char* AllowActionOption[] =
 * Function prototype(s)
 */
 static void snort_reputation(ReputationConfig* GlobalConf, Packet* p);
+static void populate_trace_data(IPdecision& decision, Packet* p);
 static inline IPrepInfo* reputation_lookup(ReputationConfig* config, const SfIp* ip)
 {
@@ -351,6 +352,10 @@ static void snort_reputation(ReputationConfig* config, Packet* p)
 reputationstats.blocked++;
 if (PacketTracer::is_active())
 PacketTracer::log("Reputation: packet blocked, drop\n");
+
+ if (PacketTracer::is_daq_activated())
+ populate_trace_data(decision, p);
+
 return;
 }
@@ -399,6 +404,9 @@ static void snort_reputation(ReputationConfig* config, Packet* p)
 act->trust_session(p, true);
 reputationstats.trusted++;
 }
+
+ if (PacketTracer::is_daq_activated())
+ populate_trace_data(decision, p);
 }
 static const char* to_string(NestedIP nip)
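Review bot: The new prototype `populate_trace_data(IPdecision& decision, Packet* p)` takes the decision by non-const reference, but the definition added in the later `@@ -460,6 +468,27 @@` hunk only compares and prints it. A mutable reference tells a reader that the callee may rewrite the value, and both call sites added in `snort_reputation` pass the live `decision` variable. Passing the enum by value states the read-only intent: `static void populate_trace_data(IPdecision decision, Packet* p);`, with the same change on the definition.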
@@ -460,6 +468,27 @@ static const char* to_string(IPdecision ipd)
 }
 }
+static void populate_trace_data(IPdecision& decision, Packet* p)
+{
+ char addr[INET6_ADDRSTRLEN];
+ const SfIp* ip = nullptr;
+
+ if (BLOCKED_SRC == decision or MONITORED_SRC == decision or TRUSTED_SRC == decision)
+ {
+ ip = p->ptrs.ip_api.get_src();
+ }
+ else if (BLOCKED_DST == decision or MONITORED_DST == decision or TRUSTED_DST == decision)
+ {
+ ip = p->ptrs.ip_api.get_dst();
+ }
+
+ sfip_ntop(ip, addr, sizeof(addr));
+
+ PacketTracer::daq_log("SI-IP+%" PRId64"++Matched ip %s, action %s$",
+ TO_NSECS(pt_timer->get()),
+ addr, to_string(decision));
+}
+
 class AuxiliaryIpRepHandler : public DataHandler
 {
 public:
@@ -523,6 +552,9 @@ void Reputation::eval(Packet* p)
 if (p->is_rebuilt())
 return;
+ if (PacketTracer::is_daq_activated())
+ PacketTracer::pt_timer_start();
+
 snort_reputation(&config, p);
 ++reputationstats.packets;
 }
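Review bot: In `populate_trace_data`, `ip` starts as `nullptr` and is assigned only in the two `if`/`else if` branches, so any `decision` outside the six `*_SRC`/`*_DST` values reaches `sfip_ntop(ip, addr, sizeof(addr))` with a null pointer. In that case `addr` may also be left unwritten before it is formatted with `%s`. Whether such a value can arrive depends on code in `snort_reputation` above the call added at the end of that function (the `@@ -399,6 +404,9 @@` hunk), and on whether `sfip_ntop` tolerates null; neither is visible in this diff. A guard after the branches removes the dependency on both: `if (!ip) return;`.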
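Review bot: The timer started here in `Reputation::eval` is read in `populate_trace_data` through `pt_timer->get()` with no check, so the trace timestamp relies on `eval` being the only path into `snort_reputation`. If another caller exists or is added later, `pt_timer` may be unset or hold a stale start time; this cannot be confirmed from the diff. A comment on this call would document the coupling, e.g. `// started here; read by populate_trace_data() via pt_timer`. `Reputation::eval` begins above the hunk.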