From: Russ Combs (rucombs) Date: Thu, 7 Jul 2022 13:34:04 +0000 (+0000) Subject: Pull request #3496: file_id: fix rules_file path resolution X-Git-Tag: 3.1.34.0~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8241aafd4f439cc412899df984095b5c8b95aafe;p=thirdparty%2Fsnort3.git Pull request #3496: file_id: fix rules_file path resolution Merge in SNORT/snort3 from ~RUCOMBS/snort3:file_magic_path to master Squashed commit of the following: commit 07d6ee41b541ffa39b5d4be6c9f034f104246431 Author: russ Date: Wed Jul 6 15:39:01 2022 -0400 file_id: fix rules_file path resolution --- diff --git a/src/file_api/file_module.cc b/src/file_api/file_module.cc index 275d28f49..295c71883 100644 --- a/src/file_api/file_module.cc +++ b/src/file_api/file_module.cc @@ -32,6 +32,7 @@ #include "log/messages.h" #include "main/snort.h" #include "main/snort_config.h" +#include "managers/module_manager.h" #include "packet_io/active.h" #include "trace/trace.h" @@ -206,16 +207,23 @@ bool FileIdModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("decompress_buffer_size") ) FileService::decode_conf.set_decompress_buffer_size(v.get_uint32()); + else if ( v.is("rules_file") ) { - std::string s = "include "; - s += v.get_string(); - parser_append_rules_special(s.c_str()); + magic_file = "include "; + magic_file += v.get_string(); } return true; } +bool FileIdModule::end(const char*, int, SnortConfig*) +{ + const char* inc = ModuleManager::get_includer("file_id"); + parser_append_rules_special(magic_file.c_str(), inc); + return true; +} + void FileIdModule::load_config(FileConfig*& dst) { dst = fc; diff --git a/src/file_api/file_module.h b/src/file_api/file_module.h index a394bdadf..ec94e489a 100644 --- a/src/file_api/file_module.h +++ b/src/file_api/file_module.h @@ -22,6 +22,8 @@ #ifndef FILE_MODULE_H #define FILE_MODULE_H +#include + #include "framework/module.h" #include "file_config.h" 
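Review bot: The new `FileIdModule::end` in src/file_api/file_module.cc calls `parser_append_rules_special` unconditionally, so a `file_id` table without `rules_file` still queues a line (an empty `magic_file` plus the newline the parser appends), and if `end` runs more than once for the table the same `include` is queued again. Guard the call, e.g. `if ( !magic_file.empty() ) parser_append_rules_special(magic_file.c_str(), inc);`, and clear `magic_file` afterwards so a later reload cannot reuse a stale path. Whether `end` is also invoked for nested tables of `file_id` is not visible in this hunk, so the ignored `fqn`/`idx` arguments may deserve the same `!idx and !strcmp(fqn, ...)` test that `IpsModule::end` uses.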
@@ -48,6 +50,7 @@ public: ~FileIdModule() override; bool set(const char*, snort::Value&, snort::SnortConfig*) override; + bool end(const char*, int, snort::SnortConfig*) override; snort::ProfileStats* get_profile() const override; const PegInfo* get_pegs() const override; @@ -74,6 +77,7 @@ public: private: FileMeta rule; FileConfig *fc = nullptr; + std::string magic_file; }; enum FileSid diff --git a/src/main/bootstrap.lua b/src/main/bootstrap.lua index 4c0ff103f..cc473fb5d 100644 --- a/src/main/bootstrap.lua +++ b/src/main/bootstrap.lua @@ -117,9 +117,12 @@ function include(file) dofile(fname) end - local iname = path_top() - if ( (ips ~= nil) and (ips.includer == nil) and (iname ~= nil) ) then - ips.includer = iname + if ( (ips ~= nil) and (ips.includer == nil) ) then + ips.includer = fname + end + + if ( file_id ~= nil and file_id.includer == nil ) then + file_id.includer = fname end path_pop() diff --git a/src/main/finalize.lua b/src/main/finalize.lua index 876a60d6c..060b43da8 100644 --- a/src/main/finalize.lua +++ b/src/main/finalize.lua @@ -29,6 +29,7 @@ void close_table(const char*, int); bool set_bool(const char*, bool); bool set_number(const char*, double); bool set_string(const char*, const char*); +bool set_includer(const char*, const char*); bool set_alias(const char*, const char*); void clear_alias(); ]] @@ -68,7 +69,11 @@ function snort_set(fqn, key, val) ffi.C.set_number(name, val) elseif ( what == 'string' ) then - ffi.C.set_string(name, val) + if ( key == "includer" ) then + ffi.C.set_includer(name, val) + else + ffi.C.set_string(name, val) + end elseif ( what == 'table' ) then if ( ffi.C.open_table(name, idx) ) then diff --git a/src/main/modules.cc b/src/main/modules.cc index 2a10a8182..881cd2023 100644 --- a/src/main/modules.cc +++ b/src/main/modules.cc 
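Review bot: In `include()` in src/main/bootstrap.lua, `file_id.includer` is taken from whichever included file finishes first once a global `file_id` exists, which is not necessarily the file that set `file_id.rules_file`, so a relative `rules_file` can end up resolved against an unrelated directory. A config that defines `file_id` but never calls `include` leaves `includer` nil, and the C++ side then appears to hand an empty base path to `get_config_file`. A comment stating the intended contract, e.g. `-- includer = first included file seen after the table exists; rules_file is resolved relative to it`, would make this explicit. `fname` is assigned outside this hunk, so whether it is already an absolute or normalised path cannot be confirmed here.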
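Review bot: The new branch in `snort_set` (src/main/finalize.lua) sends every string key named `includer` to `ffi.C.set_includer`, whatever table it belongs to, while `set_includer` in src/managers/module_manager.cc accepts only `ips.includer` and stores anything else as the file_id includer behind an `assert`. In a build with assertions disabled, a stray `includer` string in another module's table would silently replace the base path used for `file_id.rules_file` instead of being rejected as an unknown parameter. Narrow the Lua test to the two supported names, e.g. `if ( name == 'ips.includer' or name == 'file_id.includer' ) then`, and have the C side end with `else if ( !strcmp(fqn, "file_id.includer") ) s_file_id_includer = s; else return false;`. `get_includer` in the same file has the same assert-then-fall-through shape. How `name` is built from `fqn` and `key` is outside the hunk, so confirm it carries the fully qualified form.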
@@ -1146,9 +1146,6 @@ static const Parameter ips_params[] = { "include", Parameter::PT_STRING, nullptr, nullptr, "snort rules and includes" }, - { "includer", Parameter::PT_STRING, "(optional)", nullptr, - "for internal use; where includes are included from" }, - // FIXIT-L no default; it breaks initialization by -Q { "mode", Parameter::PT_ENUM, "tap | inline | inline-test", nullptr, "set policy mode" }, @@ -1214,9 +1211,6 @@ bool IpsModule::set(const char* fqn, Value& v, SnortConfig*) else if ( v.is("include") ) p->include = v.get_string(); - else if ( v.is("includer") ) - p->includer = v.get_string(); - else if ( v.is("mode") ) p->policy_mode = (PolicyMode)v.get_uint8(); @@ -1278,6 +1272,7 @@ bool IpsModule::end(const char* fqn, int idx, SnortConfig* sc) else if (!idx and !strcmp(fqn, "ips")) { IpsPolicy* p = get_ips_policy(); + p->includer = ModuleManager::get_includer("ips"); sc->policy_map->set_user_ips(p); } return true; diff --git a/src/managers/module_manager.cc b/src/managers/module_manager.cc index 40d4baa2e..1267f7d4d 100644 --- a/src/managers/module_manager.cc +++ b/src/managers/module_manager.cc @@ -81,6 +81,8 @@ mutex ModuleManager::stats_mutex; static string s_current; static string s_aliased_name; static string s_aliased_type; +static string s_ips_includer; +static string s_file_id_includer; // for callbacks from Lua static SnortConfig* s_config = nullptr; @@ -98,8 +100,10 @@ extern "C" bool set_alias(const char* from, const char* to); void clear_alias(); - const char* push_include_path(const char* file); + bool set_includer(const char* fqn, const char* val); + const char* push_include_path(const char*); void pop_include_path(); + void snort_whitelist_append(const char*); void snort_whitelist_add_prefix(const char*); } 
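Review bot: `p->includer = ModuleManager::get_includer("ips")` in `IpsModule::end` (src/main/modules.cc) reads the file-scope static `s_ips_includer` added in src/managers/module_manager.cc, which is written by `set_includer` and is never cleared in the lines shown. If several policy files are loaded in one process, or the configuration is reloaded, a policy whose Lua never sets `ips.includer` would presumably inherit the path left by the previous one, and its rule includes would be resolved against the wrong directory. Consider clearing both statics when a configuration load starts, or right after the value is consumed here. `IpsModule::end` begins outside the hunk, so a reset may already exist elsewhere.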
@@ -719,6 +723,19 @@ SO_PUBLIC void pop_include_path() pop_parse_location(); } +// cppcheck-suppress unusedFunction +SO_PUBLIC bool set_includer(const char* fqn, const char* s) +{ + if ( !strcmp(fqn, "ips.includer") ) + s_ips_includer = s; + else + { + assert(!strcmp(fqn, "file_id.includer")); + s_file_id_includer = s; + } + return true; +} + //------------------------------------------------------------------------- // ffi methods - also called internally so no cppcheck suppressions //------------------------------------------------------------------------- @@ -960,6 +977,16 @@ void ModuleManager::reset_errors() unsigned ModuleManager::get_errors() { return s_errors; } +const char* ModuleManager::get_includer(const char* mod) +{ + assert(!strcmp(mod, "ips") or !strcmp(mod, "file_id")); + + if ( !strcmp(mod, "ips") ) + return s_ips_includer.c_str(); + + return s_file_id_includer.c_str(); +} + void ModuleManager::list_modules(const char* s) { PlugType pt = s ? PluginManager::get_type(s) : PT_MAX; diff --git a/src/managers/module_manager.h b/src/managers/module_manager.h index dd5877327..8fb6604f4 100644 --- a/src/managers/module_manager.h +++ b/src/managers/module_manager.h @@ -53,6 +53,7 @@ public: SO_PUBLIC static std::list get_all_modules(); static const char* get_lua_coreinit(); + static const char* get_includer(const char* module); static void list_modules(const char* = nullptr); static void dump_modules(); diff --git a/src/parser/parse_conf.cc b/src/parser/parse_conf.cc index b04e23f16..e8d860b50 100644 --- a/src/parser/parse_conf.cc +++ b/src/parser/parse_conf.cc @@ -61,6 +61,7 @@ struct Location static std::stack files; static int rules_file_depth = 0; +static bool s_ips_policy = true; const char* get_parse_file() { 
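Review bot: `ModuleManager::get_includer` (hunk at -960 in src/managers/module_manager.cc) returns `c_str()` of a file-scope `std::string` that `set_includer` reassigns, so the pointer is only valid until the next `set_includer` call, and the declaration added to module_manager.h does not say so. Both callers in this commit appear to copy the value into a `std::string` immediately, which is safe, but a caller that keeps the `const char*` would be left with a dangling pointer. Suggest a comment on the declaration such as `// returns "" if unset; pointer is invalidated by the next set_includer(), copy before storing`.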
@@ -190,7 +191,16 @@ void parse_include(SnortConfig* sc, const char* arg) { assert(arg); std::string conf = ExpandVars(arg); - std::string file = !rules_file_depth ? get_ips_policy()->includer : get_parse_file(); + std::string file; + + if ( rules_file_depth ) + file = get_parse_file(); + + else if ( s_ips_policy ) + file = get_ips_policy()->includer; + + else + file = parser_get_special_includer(); const char* code = get_config_file(conf.c_str(), file); @@ -293,10 +303,12 @@ void parse_rules_file(SnortConfig* sc, const char* fname) --rules_file_depth; } -void parse_rules_string(SnortConfig* sc, const char* s) +void parse_rules_string(SnortConfig* sc, const char* s, bool ips_policy) { + s_ips_policy = ips_policy; std::string rules = s; std::stringstream ss(rules); parse_stream(ss, sc); + s_ips_policy = true; } diff --git a/src/parser/parse_conf.h b/src/parser/parse_conf.h index 69ec922b7..ed19a8d41 100644 --- a/src/parser/parse_conf.h +++ b/src/parser/parse_conf.h @@ -39,7 +39,7 @@ const char* get_parse_file(); const char* get_config_file(const char* arg, std::string& file); void parse_rules_file(snort::SnortConfig*, const char* fname); -void parse_rules_string(snort::SnortConfig*, const char* str); +void parse_rules_string(snort::SnortConfig*, const char* str, bool ips_policy = true); void ParseIpVar(const char* name, const char* value); void parse_include(snort::SnortConfig*, const char*); diff --git a/src/parser/parser.cc b/src/parser/parser.cc index eaedc900b..902473e8b 100644 --- a/src/parser/parser.cc +++ b/src/parser/parser.cc @@ -69,6 +69,7 @@ static struct rule_index_map_t* ruleIndexMap = nullptr; static std::string s_aux_rules; static std::string s_special_rules; +static std::string s_special_includer; class RuleTreeHashKeyOps : public HashKeyOperations { 
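Review bot: `parse_rules_string` (hunk at -293 in src/parser/parse_conf.cc) passes its new `ips_policy` argument to `parse_include` through the file-scope flag `s_ips_policy` and then hard-codes it back to `true`, so a nested call made while the stream is being parsed would reset the flag for the outer call. The flag is also left at `false` if `parse_stream` exits by an exception. Saving and restoring the previous value is safer: `const bool saved = s_ips_policy; s_ips_policy = ips_policy;` before the parse and `s_ips_policy = saved;` after it, ideally in a small scope guard. Whether `parse_stream` can re-enter or throw is not visible here.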
@@ -430,8 +431,8 @@ void ParseRules(SnortConfig* sc) if (!idx and !s_special_rules.empty()) { - push_parse_location("W", "./", "rule args"); - parse_rules_string(sc, s_special_rules.c_str()); + push_parse_location("W", "./", "file_id.rules_file"); + parse_rules_string(sc, s_special_rules.c_str(), false); pop_parse_location(); s_special_rules.clear(); } @@ -853,12 +854,16 @@ void parser_append_rules(const char* s) s_aux_rules += "\n"; } -void parser_append_rules_special(const char *s) +void parser_append_rules_special(const char *s, const char* inc) { s_special_rules += s; s_special_rules += "\n"; + s_special_includer = inc; } +const char* parser_get_special_includer() +{ return s_special_includer.c_str(); } + void parser_append_includes(const char* d) { Directory dir(d); diff --git a/src/parser/parser.h b/src/parser/parser.h index 0aacdeb1e..16d357ba1 100644 --- a/src/parser/parser.h +++ b/src/parser/parser.h @@ -55,7 +55,8 @@ void VarTablesFree(snort::SnortConfig*); void parser_append_rules(const char*); void parser_append_includes(const char*); -void parser_append_rules_special(const char *); +void parser_append_rules_special(const char* file, const char* includer); +const char* parser_get_special_includer(); int ParseBool(const char* arg);
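Review bot: `parser_append_rules_special` (hunk at -853 in src/parser/parser.cc) accumulates rule text with `s_special_rules += s` but overwrites `s_special_includer` on every call, so if includes are ever appended from different config files they are all resolved against the last includer. `ParseRules` (hunk at -430) clears `s_special_rules` after parsing but leaves `s_special_includer` set. `inc` is assigned to a `std::string` without a null check, which is undefined behaviour if a future caller passes `nullptr`; `s_special_includer = inc ? inc : "";` makes that safe. A short comment on the declaration in parser.h saying that `includer` is the path the queued `include` lines are resolved against, and that the last call wins, would document the contract.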