From: Steve Chew (stechew)
Date: Mon, 23 Mar 2020 14:16:34 +0000 (+0000)
Subject: Merge pull request #1937 in SNORT/snort3 from ~OSHUMEIK/snort3:snort2lua_ips_option_r...
X-Git-Tag: 3.0.0-270~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9410f4b34ed651c10513a6f5a84e2fdc5f594abd;p=thirdparty%2Fsnort3.git

Merge pull request #1937 in SNORT/snort3 from ~OSHUMEIK/snort3:snort2lua_ips_option_replace to master

Squashed commit of the following:

commit 78fd7e410f877f6850b8e1a43877695e3c9804ac
Author: Oleksii Shumeiko
Date: Mon Mar 16 11:42:39 2020 +0200

lua: enable a rewrite plugin in a default config

commit a96c133df889bf8e9261c960053e5fab347f7a6e
Author: Oleksii Shumeiko
Date: Tue Mar 10 12:09:40 2020 +0200

build: refactor included headers

Sort a list of included headers according to the Coding Style. For .cc files in `tools/snort2lua/rule_states` directory.

commit e78f54d6fa600155d05b2eac9f5b0528db452116
Author: Oleksii Shumeiko
Date: Thu Jan 9 11:50:20 2020 +0200

snort2lua: convert a replace option to a rewrite plugin/action.

Check if option has empty value. Add comment for rules with a replace option. Drop/block action takes precedence over a rewrite action.
---
diff --git a/lua/snort.lua b/lua/snort.lua
index 7c91abdc6..f48d1ba4b 100644
--- a/lua/snort.lua
+++ b/lua/snort.lua
@@ -171,10 +171,11 @@ ips =
 --include = 'snort3-community.rules'
 }
+rewrite = { }
+
 -- use these to configure additional rule actions
 -- react = { }
 -- reject = { }
--- rewrite = { }
 ---------------------------------------------------------------------------
 -- 6. configure filters
diff --git a/tools/snort2lua/keyword_states/kws_rule.cc b/tools/snort2lua/keyword_states/kws_rule.cc
index 8d47e49fa..e50e398e5 100644
--- a/tools/snort2lua/keyword_states/kws_rule.cc
+++ b/tools/snort2lua/keyword_states/kws_rule.cc
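Review bot: The new `rewrite = { }` line turns on, in the default configuration, the action that backs the rule `replace` option, while `react` and `reject` stay commented out, and the hunk gives no reason for treating it differently. A one-line comment above it would record that, e.g. `-- rewrite is enabled so rules converted from Snort 2 'replace' options work without extra configuration`; the snort2lua part of this commit emits a `rewrite` table for such rules, which is presumably the motivation. The surviving list comment `-- use these to configure additional rule actions` now applies only to react and reject.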
@@ -66,6 +66,7 @@ bool RuleHeader::convert(std::istringstream& data_stream)
 template
 static ConversionState* rule_ctor(Converter& c)
 {
+ c.get_rule_api().set_rule_old_action(*name);
 c.get_rule_api().add_hdr_data(*name);
 return new RuleHeader(c);
 }
@@ -73,6 +74,7 @@ static ConversionState* rule_ctor(Converter& c)
 template
 static ConversionState* dep_rule_ctor(Converter& c)
 {
+ c.get_rule_api().set_rule_old_action(*name);
 c.get_rule_api().add_hdr_data(*name);
 c.get_rule_api().make_rule_a_comment();
 c.get_rule_api().add_comment("The '" + *name + "' ruletype is no longer supported");
@@ -82,11 +84,8 @@ static ConversionState* dep_rule_ctor(Converter& c)
 template
 static ConversionState* conv_rule_ctor(Converter& c)
 {
+ c.get_rule_api().set_rule_old_action(*old);
 c.get_rule_api().add_hdr_data(*name);
-
- if (*old == "sdrop")
- c.get_rule_api().set_rule_old_action(*old);
-
 c.get_rule_api().add_comment(
 "The '" + *old + "' ruletype is no longer supported, using " + *name);
 return new RuleHeader(c);
@@ -94,6 +93,7 @@ static ConversionState* conv_rule_ctor(Converter& c)
 static ConversionState* drop_rule_ctor(Converter& c)
 {
+ c.get_rule_api().set_rule_old_action("drop");
 c.get_rule_api().add_hdr_data("block");
 c.get_rule_api().add_comment(
 "Ruletype 'drop' discards the current packet only; "
diff --git a/tools/snort2lua/rule_states/CMakeLists.txt b/tools/snort2lua/rule_states/CMakeLists.txt
index 3e95975d2..ab12965b9 100644
--- a/tools/snort2lua/rule_states/CMakeLists.txt
+++ b/tools/snort2lua/rule_states/CMakeLists.txt
@@ -14,6 +14,7 @@ add_library( rule_states OBJECT
 rule_metadata.cc
 rule_pcre.cc
 rule_react.cc
+ rule_replace.cc
 rule_resp.cc
 rule_sd_pattern.cc
 rule_stream_reassemble.cc
diff --git a/tools/snort2lua/rule_states/rule_api.cc b/tools/snort2lua/rule_states/rule_api.cc
index 1567e9080..5d2d14d17 100644
--- a/tools/snort2lua/rule_states/rule_api.cc
+++ b/tools/snort2lua/rule_states/rule_api.cc
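Review bot: Making `set_rule_old_action` unconditional in `rule_ctor`, `dep_rule_ctor` and `conv_rule_ctor` (hunks at -66, -73 and -82) and adding it to `drop_rule_ctor` (-94) changes what `get_rule_old_action()` returns for every converted rule, whereas before this change only rules whose old type was `sdrop` had a value recorded. Any existing consumer that tested the stored action for emptiness to recognise the sdrop case lies outside these hunks and should be re-checked against the new behaviour. Since the stored value is now a contract between rule-header parsing and later option states, a short comment at the first call site would help: `// remember the Snort 2 ruletype; later option states (e.g. replace) decide on it`. In `drop_rule_ctor` the recorded value is `"drop"` while the header written is `"block"`, which appears deliberate (the new rule_replace.cc checks both) but deserves the same comment. The bodies of `conv_rule_ctor` and `drop_rule_ctor` continue past their hunks.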
@@ -17,10 +17,10 @@ //--------------------------------------------------------------------------
 // rule_api.cc author Josh Rosenbaum
+#include "rule_api.h"
 #include
-#include "rule_states/rule_api.h"
-#include "helpers/s2l_util.h"
 #include "helpers/converter.h"
+#include "helpers/s2l_util.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_base64_decode.cc b/tools/snort2lua/rule_states/rule_base64_decode.cc
index 3d5f37ce9..78da99984 100644
--- a/tools/snort2lua/rule_states/rule_base64_decode.cc
+++ b/tools/snort2lua/rule_states/rule_base64_decode.cc
@@ -21,8 +21,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_content.cc b/tools/snort2lua/rule_states/rule_content.cc
index b6c5dd3a1..041bfb045 100644
--- a/tools/snort2lua/rule_states/rule_content.cc
+++ b/tools/snort2lua/rule_states/rule_content.cc
@@ -23,8 +23,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_convert_comma_list.cc b/tools/snort2lua/rule_states/rule_convert_comma_list.cc
index bbce4fe9e..a3ab3f4ae 100644
--- a/tools/snort2lua/rule_states/rule_convert_comma_list.cc
+++ b/tools/snort2lua/rule_states/rule_convert_comma_list.cc
@@ -21,8 +21,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_dce_iface.cc b/tools/snort2lua/rule_states/rule_dce_iface.cc
index eafae91a7..666d141c0 100644
--- a/tools/snort2lua/rule_states/rule_dce_iface.cc
+++ b/tools/snort2lua/rule_states/rule_dce_iface.cc
@@ -21,8 +21,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_dnp3_obj.cc b/tools/snort2lua/rule_states/rule_dnp3_obj.cc
index 0a1e0274b..c0523d076 100644
--- a/tools/snort2lua/rule_states/rule_dnp3_obj.cc
+++ b/tools/snort2lua/rule_states/rule_dnp3_obj.cc
@@ -21,8 +21,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_dsize.cc b/tools/snort2lua/rule_states/rule_dsize.cc
index 1bd4c3074..d4d06d03f 100644
--- a/tools/snort2lua/rule_states/rule_dsize.cc
+++ b/tools/snort2lua/rule_states/rule_dsize.cc
@@ -23,8 +23,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_file_data.cc b/tools/snort2lua/rule_states/rule_file_data.cc
index 9aff45fbf..0851cb0bd 100644
--- a/tools/snort2lua/rule_states/rule_file_data.cc
+++ b/tools/snort2lua/rule_states/rule_file_data.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_file_type.cc b/tools/snort2lua/rule_states/rule_file_type.cc
index 6989307f2..76c30d89a 100644
--- a/tools/snort2lua/rule_states/rule_file_type.cc
+++ b/tools/snort2lua/rule_states/rule_file_type.cc
@@ -23,8 +23,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_gid_sid.cc b/tools/snort2lua/rule_states/rule_gid_sid.cc
index 61000c8bc..854d3ce5a 100644
--- a/tools/snort2lua/rule_states/rule_gid_sid.cc
+++ b/tools/snort2lua/rule_states/rule_gid_sid.cc
@@ -29,8 +29,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_http_encode.cc b/tools/snort2lua/rule_states/rule_http_encode.cc
index a43681116..d38be6d1b 100644
--- a/tools/snort2lua/rule_states/rule_http_encode.cc
+++ b/tools/snort2lua/rule_states/rule_http_encode.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_isdataat.cc b/tools/snort2lua/rule_states/rule_isdataat.cc
index 8ee460db6..7ff3818b9 100644
--- a/tools/snort2lua/rule_states/rule_isdataat.cc
+++ b/tools/snort2lua/rule_states/rule_isdataat.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_metadata.cc b/tools/snort2lua/rule_states/rule_metadata.cc
index 8bb41c6e7..3c04ec1b6 100644
--- a/tools/snort2lua/rule_states/rule_metadata.cc
+++ b/tools/snort2lua/rule_states/rule_metadata.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_pcre.cc b/tools/snort2lua/rule_states/rule_pcre.cc
index a228fc2ad..fd0cfacd8 100644
--- a/tools/snort2lua/rule_states/rule_pcre.cc
+++ b/tools/snort2lua/rule_states/rule_pcre.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_react.cc b/tools/snort2lua/rule_states/rule_react.cc
index 8be3f15c2..b88c6671e 100644
--- a/tools/snort2lua/rule_states/rule_react.cc
+++ b/tools/snort2lua/rule_states/rule_react.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_replace.cc b/tools/snort2lua/rule_states/rule_replace.cc
new file mode 100644
index 000000000..261f55569
--- /dev/null
+++ b/tools/snort2lua/rule_states/rule_replace.cc
@@ -0,0 +1,95 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// rule_replace.cc author Oleksii Shumeiko
+
+#include
+
+#include "conversion_state.h"
+#include "helpers/converter.h"
+#include "helpers/s2l_util.h"
+#include "rule_api.h"
+
+namespace rules
+{
+namespace
+{
+class Replace : public ConversionState
+{
+public:
+ Replace(Converter& c) : ConversionState(c) { }
+
+ bool convert(std::istringstream& stream) override
+ {
+ std::string args = util::get_rule_option_args(stream);
+
+ if (args.empty())
+ rule_api.bad_rule(stream, "replace requires an argument");
+ else
+ rule_api.add_option("replace", args);
+
+ return set_next_rule_state(stream);
+ }
+};
+} // namespace
+
+
+/**************************
+ ******* A P I ***********
+ **************************/
+
+static ConversionState* ctor(Converter& c)
+{
+ const std::string& old_action = c.get_rule_api().get_rule_old_action();
+
+ if (old_action == "drop"
+ || old_action == "sdrop"
+ || old_action == "block"
+ || old_action == "sblock"
+ || old_action == "reject"
+ || old_action == "react")
+ {
+ c.get_rule_api().add_comment(
+ "Keeping '" + old_action + "' action, "
+ "'replace' option is ignored.");
+
+ return new Replace(c);
+ }
+
+ c.get_rule_api().add_comment(
+ "Changing ruletype '" + old_action + "' to 'rewrite' "
+ "because the rule has 'replace' option.");
+
+ // include a rewrite plugin
+ c.get_table_api().open_table("rewrite");
+ c.get_table_api().close_table();
+
+ // update the rule type
+ c.get_rule_api().update_rule_action("rewrite");
+
+ return new Replace(c);
+}
+
+static const ConvertMap rule_replace =
+{
+ "replace",
+ ctor,
+};
+
+const ConvertMap* replace_map = &rule_replace;
+} // namespace rules
+
diff --git a/tools/snort2lua/rule_states/rule_resp.cc b/tools/snort2lua/rule_states/rule_resp.cc
index 7a081a0f7..d74a3c70e 100644
--- a/tools/snort2lua/rule_states/rule_resp.cc
+++ b/tools/snort2lua/rule_states/rule_resp.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_sd_pattern.cc b/tools/snort2lua/rule_states/rule_sd_pattern.cc
index c3a485b92..8347dbe06 100644
--- a/tools/snort2lua/rule_states/rule_sd_pattern.cc
+++ b/tools/snort2lua/rule_states/rule_sd_pattern.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_stream_reassemble.cc b/tools/snort2lua/rule_states/rule_stream_reassemble.cc
index 4b209e684..f8af04018 100644
--- a/tools/snort2lua/rule_states/rule_stream_reassemble.cc
+++ b/tools/snort2lua/rule_states/rule_stream_reassemble.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_stream_size.cc b/tools/snort2lua/rule_states/rule_stream_size.cc
index ad538abed..f1915f590 100644
--- a/tools/snort2lua/rule_states/rule_stream_size.cc
+++ b/tools/snort2lua/rule_states/rule_stream_size.cc
@@ -23,8 +23,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_tag.cc b/tools/snort2lua/rule_states/rule_tag.cc
index 44ee8a7fe..774a8ba6c 100644
--- a/tools/snort2lua/rule_states/rule_tag.cc
+++ b/tools/snort2lua/rule_states/rule_tag.cc
@@ -21,8 +21,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_threshold.cc b/tools/snort2lua/rule_states/rule_threshold.cc
index 5f7084bba..6df198774 100644
--- a/tools/snort2lua/rule_states/rule_threshold.cc
+++ b/tools/snort2lua/rule_states/rule_threshold.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_ttl.cc b/tools/snort2lua/rule_states/rule_ttl.cc
index 5a7033280..b518fc1ce 100644
--- a/tools/snort2lua/rule_states/rule_ttl.cc
+++ b/tools/snort2lua/rule_states/rule_ttl.cc
@@ -21,8 +21,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
diff --git a/tools/snort2lua/rule_states/rule_unchanged.cc b/tools/snort2lua/rule_states/rule_unchanged.cc
index 1a4b13423..aad7bd717 100644
--- a/tools/snort2lua/rule_states/rule_unchanged.cc
+++ b/tools/snort2lua/rule_states/rule_unchanged.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {
@@ -355,19 +355,6 @@ static const ConvertMap rule_session =
 const ConvertMap* session_map = &rule_session;
-/************************************
- ************* REPLACE *************
- ************************************/
-
-static const std::string replace = "replace";
-static const ConvertMap rule_replace =
-{
- replace,
- unchanged_rule_ctor<& replace>,
-};
-
-const ConvertMap* replace_map = &rule_replace;
-
 /************************************
 ******* DETECTION_FILETER *********
 ************************************/
diff --git a/tools/snort2lua/rule_states/rule_urilen.cc b/tools/snort2lua/rule_states/rule_urilen.cc
index 57c020523..9e88a6e23 100644
--- a/tools/snort2lua/rule_states/rule_urilen.cc
+++ b/tools/snort2lua/rule_states/rule_urilen.cc
@@ -22,8 +22,8 @@
 #include "conversion_state.h"
 #include "helpers/converter.h"
-#include "rule_states/rule_api.h"
 #include "helpers/s2l_util.h"
+#include "rule_api.h"
 namespace rules
 {