From: Masud Hasan (mashasan) Date: Thu, 27 May 2021 18:55:39 +0000 (+0000) Subject: Merge pull request #2909 in SNORT/snort3 from ~MASHASAN/snort3:filter_dhcp to master X-Git-Tag: 3.1.6.0~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a901150c564d4cab6fdb77954a12ba38f5b84d2;p=thirdparty%2Fsnort3.git Merge pull request #2909 in SNORT/snort3 from ~MASHASAN/snort3:filter_dhcp to master Squashed commit of the following: commit e98fe541ff4d5972373d2a8c5124fb1b727fa3a3 Author: Masud Hasan Date: Tue May 25 17:10:00 2021 -0400 rna: Filtering DHCP events and some refactoring
---
diff --git a/src/network_inspectors/rna/rna_module.cc b/src/network_inspectors/rna/rna_module.cc
index c0e172e4d..808f15d3e 100644
--- a/src/network_inspectors/rna/rna_module.cc
+++ b/src/network_inspectors/rna/rna_module.cc
@@ -92,12 +92,13 @@ static int purge_data(lua_State* L)
 if ( rna )
 {
 HostCacheMac* mac_cache = new HostCacheMac(MAC_CACHE_INITIAL_SIZE);
- main_broadcast_command(new DataPurgeAC(mac_cache), (L != nullptr));
+ bool from_shell = ( L != nullptr );
+ main_broadcast_command(new DataPurgeAC(mac_cache), from_shell);
 host_cache.invalidate();
 SharedRequest request = get_dispatched_request();
- request->respond("data purge done\n", false, true);
+ request->respond("data purge done\n", from_shell, true);
 LogMessage("data purge done\n");
 }
diff --git a/src/network_inspectors/rna/rna_pnd.cc b/src/network_inspectors/rna/rna_pnd.cc
index c1b89cc08..b8f6ab028 100644
--- a/src/network_inspectors/rna/rna_pnd.cc
+++ b/src/network_inspectors/rna/rna_pnd.cc
@@ -273,11 +273,14 @@ void RnaPnd::discover_network(const Packet* p, uint8_t ttl)
 void RnaPnd::analyze_dhcp_fingerprint(DataEvent& event)
 {
 const Packet* p = event.get_packet();
+ const auto& src_ip = p->ptrs.ip_api.get_src();
+ if ( !filter.is_host_monitored(p, nullptr, src_ip) )
+ return;
+
 const DHCPDataEvent& dhcp_data_event = static_cast(event);
 const uint8_t* src_mac = dhcp_data_event.get_eth_addr();
 bool new_host = false;
 bool new_mac = false;
- const auto& src_ip = p->ptrs.ip_api.get_src();
 auto ht = find_or_create_host_tracker(*src_ip, new_host);
 if (!new_host)
 ht->update_last_seen();
@@ -316,14 +319,17 @@ void RnaPnd::analyze_dhcp_fingerprint(DataEvent& event)
 void RnaPnd::add_dhcp_info(DataEvent& event)
 {
 const DHCPInfoEvent& dhcp_info_event = static_cast(event);
- const uint8_t* src_mac = dhcp_info_event.get_eth_addr();
 uint32_t ip_address = dhcp_info_event.get_ip_address();
+ SfIp leased_ip = {(void*)&ip_address, AF_INET};
+ const Packet* p = event.get_packet();
+ if ( !filter.is_host_monitored(p, nullptr, &leased_ip) )
+ return;
+
+ const uint8_t* src_mac = dhcp_info_event.get_eth_addr();
 uint32_t net_mask = dhcp_info_event.get_subnet_mask();
 uint32_t lease = dhcp_info_event.get_lease_secs();
 uint32_t router = dhcp_info_event.get_router();
- const Packet* p = event.get_packet();
- SfIp leased_ip = {(void*)&ip_address, AF_INET};
 SfIp router_ip = {(void*)&router, AF_INET};
 bool new_host = false;
 bool new_mac = false;
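Review bot: In analyze_dhcp_fingerprint the moved declaration `const auto& src_ip = p->ptrs.ip_api.get_src();` binds a reference to what is used as a pointer (`*src_ip` below, and the same argument slot takes `&leased_ip` in add_dhcp_info); `const auto* src_ip = p->ptrs.ip_api.get_src();` states that directly. The new early return also decides whether a host tracker is ever created for the sender, so a short comment above it, e.g. `// ignore DHCP fingerprints from hosts the filter does not monitor`, would record the intent. If these events can be raised for client packets sent before an address is assigned, confirm how the filter treats that source address, because such hosts would be skipped here without any log. The function body continues past the end of the hunk.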
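Review bot: The filter in add_dhcp_info is applied to `leased_ip`, the address carried in the DHCP info event, rather than to the packet's source address as in analyze_dhcp_fingerprint, and nothing in the code says why the two differ. A comment above the check, e.g. `// filter on the leased address from the event, not on the source of the packet that carried it`, would stop a later cleanup from unifying the two checks and changing which hosts get tracked. The moved `SfIp leased_ip = {(void*)&ip_address, AF_INET};` keeps a C-style cast; `static_cast<void*>(&ip_address)` is the greppable form if the line is being touched anyway. The function body continues past the end of the hunk.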
@@ -957,10 +963,14 @@ int RnaPnd::discover_host_types_icmpv6_ndp(RnaTracker& ht, const Packet* p, uint
 if ( memcmp(src_mac, neighbor_src_mac, MAC_SIZE) )
 return 1;
- if ( is_router and ((ht->get_host_type() != HOST_TYPE_ROUTER) and (ht->get_host_type() != HOST_TYPE_BRIDGE)) )
+ if ( is_router )
 {
- ht->set_host_type(HOST_TYPE_ROUTER);
- logger.log(RNA_EVENT_CHANGE, CHANGE_HOST_TYPE, p, &ht, src_ip, neighbor_src_mac);
+ auto host_type = ht->get_host_type();
+ if ( host_type != HOST_TYPE_ROUTER and host_type != HOST_TYPE_BRIDGE )
+ {
+ ht->set_host_type(HOST_TYPE_ROUTER);
+ logger.log(RNA_EVENT_CHANGE, CHANGE_HOST_TYPE, p, &ht, src_ip, neighbor_src_mac);
+ }
 }
 if ( ht->make_primary(src_mac) )