From: Michael Altizer (mialtize) Date: Tue, 8 Sep 2020 17:00:31 +0000 (+0000) Subject: Merge pull request #2435 in SNORT/snort3 from ~SUNIMUKH/snort3:zone-group to master X-Git-Tag: 3.0.2-6~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0197487fec6658fc8170e4b712dd8f5bdf56862;p=thirdparty%2Fsnort3.git Merge pull request #2435 in SNORT/snort3 from ~SUNIMUKH/snort3:zone-group to master Squashed commit of the following: commit 2dd056ac9f6e65d99293d914ebc505636d8ba03a Author: Sunirmal Mukherjee Date: Tue Sep 1 03:10:30 2020 -0400 build: Updates for libdaq changes to interface group field width and naming commit ede03a067cf4c5fa98321453d97a1cda544c6b1d Author: Sunirmal Mukherjee Date: Tue Sep 1 03:09:18 2020 -0400 helpers: Rework DiscoveryFilter to monitor IP lists based on interface rather than group commit dc80cdbeb1b12913b5f3968a49e8cc5db5da6d2e Author: Sunirmal Mukherjee Date: Tue Sep 1 02:56:54 2020 -0400 reputation: Change from group-based to interface-based IP lists --- diff --git a/daqs/daq_hext.c b/daqs/daq_hext.c index 88633d405..507ebf896 100644 --- a/daqs/daq_hext.c +++ b/daqs/daq_hext.c @@ -242,8 +242,8 @@ static void IpAddr(uint32_t* addr, char const* ip) static bool parse_flowstats(DAQ_MsgType type, const char* line, HextMsgDesc *desc) { #define FLOWSTATS_FORMAT \ - "%" SCNi32 " " /* ingressZone */ \ - "%" SCNi32 " " /* egressZone */ \ + "%" SCNi16 " " /* ingressGroup */ \ + "%" SCNi16 " " /* egressGroup */ \ "%" SCNi32 " " /* ingressIntf */ \ "%" SCNi32 " " /* egressIntf */ \ "%s " /* srcAddr */ \ @@ -267,7 +267,7 @@ static bool parse_flowstats(DAQ_MsgType type, const char* line, HextMsgDesc *des Flow_Stats_t* f = &desc->flowstats; char srcaddr[INET6_ADDRSTRLEN], dstaddr[INET6_ADDRSTRLEN]; uint32_t sof_sec, eof_sec; - int rval = sscanf(line, FLOWSTATS_FORMAT, &f->ingressZone, &f->egressZone, &f->ingressIntf, + int rval = sscanf(line, FLOWSTATS_FORMAT, &f->ingressGroup, &f->egressGroup, &f->ingressIntf, &f->egressIntf, srcaddr, &f->initiatorPort, dstaddr, &f->responderPort, &f->opaque, &f->initiatorPkts, &f->responderPkts, &f->initiatorPktsDropped, &f->responderPktsDropped, &f->initiatorBytesDropped, &f->responderBytesDropped, &f->isQoSAppliedOnSrcIntf, diff --git a/src/helpers/discovery_filter.cc b/src/helpers/discovery_filter.cc index d408530f1..20fceb68b 100644 --- a/src/helpers/discovery_filter.cc +++ b/src/helpers/discovery_filter.cc @@ -85,21 +85,21 @@ DiscoveryFilter::DiscoveryFilter(const string& conf_path) if ( config_key.find("Analyze", 0, sizeof("Analyze")-1) != 0 ) continue; - int64_t zone = DF_ANY_ZONE; - string config_zone(""); - line_stream >> config_zone; - if ( !config_zone.empty() and config_zone != "-1" ) + int64_t intf = DF_ANY_INTF; + string config_intf(""); + line_stream >> config_intf; + if ( !config_intf.empty() and config_intf != "-1" ) { - if (config_zone == "0") - zone = 0; + if (config_intf == "0") + intf = 0; else { - zone = strtol(config_zone.c_str(), nullptr, 0); - if ( zone < 1 or zone >= DF_ANY_ZONE ) + intf = strtol(config_intf.c_str(), nullptr, 0); + if ( intf < 1 or intf >= DF_ANY_INTF ) { - WarningMessage("Discovery Filter: Invalid zone at line %u from %s;" + WarningMessage("Discovery Filter: Invalid interface at line %u from %s;" " supported range is -1 (any) to %d\n", line_num, - conf_path.c_str(), DF_ANY_ZONE-1); + conf_path.c_str(), DF_ANY_INTF-1); continue; } } @@ -108,23 +108,23 @@ DiscoveryFilter::DiscoveryFilter(const string& conf_path) // host or user discovery will also enable application discovery if ( config_key == "AnalyzeApplication" ) { - add_ip(DF_APP, zone, config_value); + add_ip(DF_APP, intf, config_value); } else if ( config_key == "AnalyzeHost" ) { - add_ip(DF_APP, zone, config_value); - add_ip(DF_HOST, zone, config_value); + add_ip(DF_APP, intf, config_value); + add_ip(DF_HOST, intf, config_value); } else if ( config_key == "AnalyzeUser" ) { - add_ip(DF_APP, zone, config_value); - add_ip(DF_USER, zone, config_value); + add_ip(DF_APP, intf, config_value); + add_ip(DF_USER, intf, config_value); } else if ( config_key == "AnalyzeHostUser" or config_key == "Analyze" ) { - add_ip(DF_APP, zone, config_value); - add_ip(DF_HOST, zone, config_value); - add_ip(DF_USER, zone, config_value); + add_ip(DF_APP, intf, config_value); + add_ip(DF_HOST, intf, config_value); + add_ip(DF_USER, intf, config_value); } } else if ( config_type == "portexclusion" ) @@ -173,18 +173,18 @@ DiscoveryFilter::DiscoveryFilter(const string& conf_path) } - // Merge any-zone rules to zone-based rules + // Merge any-interface rules to interface-based rules for (int type = DF_APP; type < DF_MAX; ++type) { - auto any_list = get_list((FilterType)type, DF_ANY_ZONE); + auto any_list = get_list((FilterType)type, DF_ANY_INTF); if (!any_list) continue; - for (auto& zone_entry : zone_ip_list[type]) + for (auto& intf_entry : intf_ip_list[type]) { - if (zone_entry.second != any_list and - sfvar_add(zone_entry.second, any_list) != SFIP_SUCCESS) + if (intf_entry.second != any_list and + sfvar_add(intf_entry.second, any_list) != SFIP_SUCCESS) WarningMessage("Discovery Filter: Failed to add any network list " - "to zone network list for type %d", type); + "to interface network list for type %d", type); } } @@ -238,22 +238,22 @@ bool DiscoveryFilter::is_monitored(const Packet* p, FilterType type, uint8_t& fl bool DiscoveryFilter::is_monitored(const Packet* p, FilterType type, const SfIp* ip) { if ( !vartable ) - return true; // when not configured, 'any' ip/port/zone are monitored by default + return true; // when not configured, 'any' ip/port/interface are monitored by default // port exclusion if ( is_port_excluded(p) ) return false; - // check zone - if (zone_ip_list[type].empty()) + // check interface + if (intf_ip_list[type].empty()) return false; // the configuration did not have this type of rule - auto zone = p->pkth->ingress_group; - if ( zone == DAQ_PKTHDR_UNKNOWN or zone < 0 ) - zone = DF_ANY_ZONE; - auto varip = get_list(type, zone, true); - if (!varip and zone != DF_ANY_ZONE) - varip = get_list(type, DF_ANY_ZONE, true); + auto intf = (int32_t)p->pkth->ingress_index; + if ( intf == DAQ_PKTHDR_UNKNOWN or intf < 0 ) + intf = DF_ANY_INTF; + auto varip = get_list(type, intf, true); + if (!varip and intf != DF_ANY_INTF) + varip = get_list(type, DF_ANY_INTF, true); if (!p->ptrs.ip_api.get_src() and !ip) return true; // Don't check for non-IP, non ARP @@ -309,28 +309,28 @@ bool DiscoveryFilter::is_port_excluded(const Packet* p) return false; } -void DiscoveryFilter::add_ip(FilterType type, ZoneType zone, string& ip) +void DiscoveryFilter::add_ip(FilterType type, IntfType intf, string& ip) { - auto varip = get_list(type, zone); + auto varip = get_list(type, intf); if ( varip ) sfvt_add_to_var(vartable, varip, ip.c_str()); else { string named_ip = to_string((int)type); named_ip += "_"; - named_ip += to_string(zone); + named_ip += to_string(intf); named_ip += " "; named_ip += ip; if ( sfvt_add_str(vartable, named_ip.c_str(), &varip) == SFIP_SUCCESS ) - zone_ip_list[type].emplace(zone, varip); + intf_ip_list[type].emplace(intf, varip); } } -sfip_var_t* DiscoveryFilter::get_list(FilterType type, ZoneType zone, bool exclude_empty) +sfip_var_t* DiscoveryFilter::get_list(FilterType type, IntfType intf, bool exclude_empty) { - auto& list = zone_ip_list[type]; - auto entry = list.find(zone); + auto& list = intf_ip_list[type]; + auto entry = list.find(intf); // If head is empty and the boolean flag is true, treat every IP as excluded. The flag // is not used during parsing when we are still building, it is used during searching. @@ -381,20 +381,20 @@ TEST_CASE("Discovery Filter", "[is_monitored]") string conf("test.txt"); ofstream out_stream(conf.c_str()); out_stream << "config Error\n"; // invalid - out_stream << "config AnalyzeUser ::/0 0\n"; // any ipv6, zone 0 - out_stream << "config AnalyzeApplication 1.1.1.0/24 -1\n"; // targeted ipv4, any zone + out_stream << "config AnalyzeUser ::/0 0\n"; // any ipv6, interface 0 + out_stream << "config AnalyzeApplication 1.1.1.0/24 -1\n"; // targeted ipv4, any interface out_stream.close(); Packet p; SfIp ip; - ip.set("1.1.1.1"); // zone 0 by default + ip.set("1.1.1.1"); // interface 0 by default p.ptrs.ip_api.set(ip, ip); DiscoveryFilter df(conf); // Without flag - CHECK(df.is_app_monitored(&p, nullptr) == true); // any zone rule for app is added to zone 0 + CHECK(df.is_app_monitored(&p, nullptr) == true); // any interface rule for app is added to interface 0 CHECK(df.is_host_monitored(&p, nullptr) == false); // no rule for host - CHECK(df.is_user_monitored(&p, nullptr) == false); // no any zone rule for user + CHECK(df.is_user_monitored(&p, nullptr) == false); // no any interface rule for user // With flag uint8_t flag = 0; @@ -440,16 +440,16 @@ TEST_CASE("Discovery Filter Empty Configuration", "[is_monitored_config]") remove("test_empty_analyze.txt"); } -TEST_CASE("Discovery Filter Zone", "[is_monitored_zone_vs_ip]") +TEST_CASE("Discovery Filter Intf", "[is_monitored_intf_vs_ip]") { - string conf("test_zone_ip.txt"); + string conf("test_intf_ip.txt"); ofstream out_stream(conf.c_str()); - out_stream << "config AnalyzeHost 1.1.1.1 -1\n"; // zone any - out_stream << "config AnalyzeHost 1.1.1.2 0\n"; // zone 0 - out_stream << "config AnalyzeHost 1.1.1.3 2\n"; // zone 2 - out_stream << "config AnalyzeHost 1.1.1.4 -3\n"; // zone out of range - out_stream << "config AnalyzeHost 1.1.1.5 2147483648\n"; // zone out of range - out_stream << "config AnalyzeHost 1.1.1.6 kidding\n"; // zone invalid + out_stream << "config AnalyzeHost 1.1.1.1 -1\n"; // interface any + out_stream << "config AnalyzeHost 1.1.1.2 0\n"; // interface 0 + out_stream << "config AnalyzeHost 1.1.1.3 2\n"; // interface 2 + out_stream << "config AnalyzeHost 1.1.1.4 -3\n"; // interface out of range + out_stream << "config AnalyzeHost 1.1.1.5 2147483648\n"; // interface out of range + out_stream << "config AnalyzeHost 1.1.1.6 kidding\n"; // interface invalid out_stream.close(); Packet p; @@ -463,31 +463,31 @@ TEST_CASE("Discovery Filter Zone", "[is_monitored_zone_vs_ip]") ip7.set("1.1.1.7"); const DAQ_PktHdr_t* saved_hdr = p.pkth; DAQ_PktHdr_t z_undefined, z1, z2; - z_undefined.ingress_group = DAQ_PKTHDR_UNKNOWN; - z1.ingress_group = 1; - z2.ingress_group = 2; + z_undefined.ingress_index = DAQ_PKTHDR_UNKNOWN; + z1.ingress_index = 1; + z2.ingress_index = 2; DiscoveryFilter df(conf); - p.ptrs.ip_api.set(ip1, ip7); // ip from undefined zone matches zone any list + p.ptrs.ip_api.set(ip1, ip7); // ip from undefined interface matches interface any list p.pkth = &z_undefined; CHECK(df.is_app_monitored(&p, nullptr) == true); // analyze host enables application discovery CHECK(df.is_host_monitored(&p, nullptr) == true); CHECK(df.is_user_monitored(&p, nullptr) == false); - p.pkth = &z2; // the ip is not in zone 2 list, but it is in zone any list + p.pkth = &z2; // the ip is not in interface 2 list, but it is in interface any list CHECK(df.is_host_monitored(&p, nullptr) == true); - p.ptrs.ip_api.set(ip3, ip7); // the ip matches zone 2 list + p.ptrs.ip_api.set(ip3, ip7); // the ip matches interface 2 list CHECK(df.is_host_monitored(&p, nullptr) == true); - p.pkth = &z1; // no zone 1 list and the ip is not in zone any list + p.pkth = &z1; // no interface 1 list and the ip is not in interface any list CHECK(df.is_host_monitored(&p, nullptr) == false); - p.ptrs.ip_api.set(ip1, ip7); // no zone 1 list, but the ip is in zone any list + p.ptrs.ip_api.set(ip1, ip7); // no interface 1 list, but the ip is in interface any list CHECK(df.is_host_monitored(&p, nullptr) == true); p.pkth = saved_hdr; - p.ptrs.ip_api.set(ip2, ip7); // the ip matches zone 0 list + p.ptrs.ip_api.set(ip2, ip7); // the ip matches interface 0 list CHECK(df.is_host_monitored(&p, nullptr) == true); // no match since the configuration for these ip addresses were invalid @@ -498,7 +498,7 @@ TEST_CASE("Discovery Filter Zone", "[is_monitored_zone_vs_ip]") p.ptrs.ip_api.set(ip6, ip7); CHECK(df.is_host_monitored(&p, nullptr) == false); - remove("test_zone_ip.txt"); + remove("test_intf_ip.txt"); } TEST_CASE("Discovery Filter Port Exclusion", "[portexclusion]") diff --git a/src/helpers/discovery_filter.h b/src/helpers/discovery_filter.h index a9616ac13..0c1c2e9f0 100644 --- a/src/helpers/discovery_filter.h +++ b/src/helpers/discovery_filter.h @@ -29,10 +29,10 @@ enum FilterType { DF_APP, DF_HOST, DF_USER, DF_MAX }; -typedef int32_t ZoneType; // matching daq header -#define DF_ANY_ZONE INT32_MAX +typedef int32_t IntfType; // matching daq header +#define DF_ANY_INTF INT32_MAX -// Holds configurations to filter traffic discovery based network address, port, and zone +// Holds configurations to filter traffic discovery based network address, port, and interface class DiscoveryFilter { public: @@ -52,8 +52,8 @@ private: bool is_monitored(const snort::Packet* p, FilterType type, uint8_t& flag, uint8_t checked, uint8_t monitored, const snort::SfIp* ip = nullptr); bool is_monitored(const snort::Packet* p, FilterType type, const snort::SfIp* ip = nullptr); - void add_ip(FilterType type, ZoneType zone, std::string& ip); - sfip_var_t* get_list(FilterType type, ZoneType zone, bool exclude_empty = false); + void add_ip(FilterType type, IntfType intf, std::string& ip); + sfip_var_t* get_list(FilterType type, IntfType intf, bool exclude_empty = false); // add ip for port exclusion void add_ip(Direction dir, uint16_t proto, uint16_t port, const std::string& ip); @@ -66,7 +66,7 @@ private: bool is_port_excluded(const snort::Packet* p); - std::unordered_map zone_ip_list[DF_MAX]; + std::unordered_map intf_ip_list[DF_MAX]; vartable_t* vartable = nullptr; // Internal cache for sfip_var_t indexed by protocol x port, for port diff --git a/src/loggers/log_hext.cc b/src/loggers/log_hext.cc index ce95f1998..051326177 100644 --- a/src/loggers/log_hext.cc +++ b/src/loggers/log_hext.cc @@ -82,10 +82,10 @@ void DaqMessageEventHandler::handle(DataEvent& event, Flow*) int vlan_tag = fs->vlan_tag == 0xfff ? 0 : fs->vlan_tag; TextLog_Print(hext_log, - "\n$%s %d %d %d %d %s %d %s %d %u %lu %lu %lu %lu %lu %lu %d %lu %lu %d %d %d\n", + "\n$%s %hd %hd %d %d %s %d %s %d %u %lu %lu %lu %lu %lu %lu %d %lu %lu %d %hd %d\n", cmd, - fs->ingressZone, - fs->egressZone, + fs->ingressGroup, + fs->egressGroup, fs->ingressIntf, fs->egressIntf, shost, ntohs(fs->initiatorPort), diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index fda210257..e9431d7fd 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc @@ -147,9 +147,9 @@ static inline unsigned get_ipfuncs_flags(const Packet* p, bool dst) } else { - int32_t zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ? - p->pkth->ingress_group : p->pkth->egress_group; - if (zone == DAQ_PKTHDR_FLOOD) + int32_t intf = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ? + p->pkth->ingress_index : p->pkth->egress_index; + if (intf == DAQ_PKTHDR_FLOOD) return 0; sf_ip = p->ptrs.ip_api.get_dst(); } diff --git a/src/network_inspectors/reputation/dev_notes.txt b/src/network_inspectors/reputation/dev_notes.txt index 98b7357ca..fab441e8c 100644 --- a/src/network_inspectors/reputation/dev_notes.txt +++ b/src/network_inspectors/reputation/dev_notes.txt @@ -5,10 +5,10 @@ block/drop/pass traffic from IP addresses listed. In the past, we use standard Snort rules to implement Reputation-based IP blocking. This inspector will address the performance issue and make the IP reputation management easier. -This inspector also supports zones through manifest files. You can specify an -action (BLACK, WHITE, MONITOR) for an IP list with zones. The name of manifest -file is zone.info. For each line of the manifest file, the format is: +This inspector also supports interfaces through manifest files. You can specify an +action (BLACK, WHITE, MONITOR) for an IP list with interfaces. The name of manifest +file is interface.info. For each line of the manifest file, the format is: - file_name, list_id, action (black, white, monitor), [zone information] + file_name, list_id, action (black, white, monitor), [interface information] -If zone information is empty, this means all zones are applied \ No newline at end of file +If interface information is empty, this means all interfaces are applied diff --git a/src/network_inspectors/reputation/reputation_config.h b/src/network_inspectors/reputation/reputation_config.h index 1a406b49e..762cd4cfb 100644 --- a/src/network_inspectors/reputation/reputation_config.h +++ b/src/network_inspectors/reputation/reputation_config.h @@ -61,7 +61,7 @@ enum IPdecision DECISION_MAX }; -#define MAX_NUM_ZONES UINT32_MAX +#define MAX_NUM_INTFS INT32_MAX #define MAX_LIST_ID UINT32_MAX struct ListFile @@ -69,8 +69,8 @@ struct ListFile std::string file_name; int file_type; uint32_t list_id; - bool all_zones_enabled = false; - std::set zones; + bool all_intfs_enabled = false; + std::set intfs; uint8_t list_index; uint8_t list_type; }; diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc index 3fe290b12..4505c7726 100644 --- a/src/network_inspectors/reputation/reputation_inspect.cc +++ b/src/network_inspectors/reputation/reputation_inspect.cc @@ -91,7 +91,7 @@ static inline IPrepInfo* reputation_lookup(ReputationConfig* config, const SfIp* } static inline IPdecision get_reputation(ReputationConfig* config, IPrepInfo* rep_info, - uint32_t* listid, uint32_t ingress_zone, uint32_t egress_zone) + uint32_t* listid, uint32_t ingress_intf, uint32_t egress_intf) { IPdecision decision = DECISION_NULL; @@ -108,9 +108,9 @@ static inline IPdecision get_reputation(ReputationConfig* config, IPrepInfo* rep if (!list_index) break; list_index--; - if (list_info[list_index]->all_zones_enabled || - list_info[list_index]->zones.count(ingress_zone) || - list_info[list_index]->zones.count(egress_zone)) + if (list_info[list_index]->all_intfs_enabled || + list_info[list_index]->intfs.count(ingress_intf) || + list_info[list_index]->intfs.count(egress_intf)) { if (WHITELISTED_UNBLACK == (IPdecision)list_info[list_index]->list_type) return DECISION_NULL; @@ -136,7 +136,7 @@ static inline IPdecision get_reputation(ReputationConfig* config, IPrepInfo* rep } static bool decision_per_layer(ReputationConfig* config, Packet* p, - uint32_t ingressZone, uint32_t egressZone, const ip::IpApi& ip_api, IPdecision* decision_final) + uint32_t ingress_intf, uint32_t egress_intf, const ip::IpApi& ip_api, IPdecision* decision_final) { const SfIp* ip; IPdecision decision; @@ -146,7 +146,7 @@ static bool decision_per_layer(ReputationConfig* config, Packet* p, result = reputation_lookup(config, ip); if (result) { - decision = get_reputation(config, result, &p->iplist_id, ingressZone, egressZone); + decision = get_reputation(config, result, &p->iplist_id, ingress_intf, egress_intf); if (decision == BLACKLISTED) *decision_final = BLACKLISTED_SRC; @@ -165,7 +165,7 @@ static bool decision_per_layer(ReputationConfig* config, Packet* p, result = reputation_lookup(config, ip); if (result) { - decision = get_reputation(config, result, &p->iplist_id, ingressZone, egressZone); + decision = get_reputation(config, result, &p->iplist_id, ingress_intf, egress_intf); if (decision == BLACKLISTED) *decision_final = BLACKLISTED_DST; @@ -186,21 +186,21 @@ static bool decision_per_layer(ReputationConfig* config, Packet* p, static IPdecision reputation_decision(ReputationConfig* config, Packet* p) { IPdecision decision_final = DECISION_NULL; - uint32_t ingress_zone = 0; - uint32_t egress_zone = 0; + uint32_t ingress_intf = 0; + uint32_t egress_intf = 0; if (p->pkth) { - ingress_zone = p->pkth->ingress_group; + ingress_intf = p->pkth->ingress_index; if (p->pkth->egress_index < 0) - egress_zone = ingress_zone; + egress_intf = ingress_intf; else - egress_zone = p->pkth->egress_group; + egress_intf = p->pkth->egress_index; } if (config->nested_ip == INNER) { - decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api, &decision_final); + decision_per_layer(config, p, ingress_intf, egress_intf, p->ptrs.ip_api, &decision_final); return decision_final; } @@ -213,7 +213,7 @@ static IPdecision reputation_decision(ReputationConfig* config, Packet* p) if (config->nested_ip == OUTER) { layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer); - decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api, &decision_final); + decision_per_layer(config, p, ingress_intf, egress_intf, p->ptrs.ip_api, &decision_final); } else if (config->nested_ip == ALL) { @@ -222,7 +222,7 @@ static IPdecision reputation_decision(ReputationConfig* config, Packet* p) while (!done and layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer)) { - done = decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api, + done = decision_per_layer(config, p, ingress_intf, egress_intf, p->ptrs.ip_api, &decision_current); if (decision_current != DECISION_NULL) { diff --git a/src/network_inspectors/reputation/reputation_parse.cc b/src/network_inspectors/reputation/reputation_parse.cc index c2a6c0f56..032cf2e22 100644 --- a/src/network_inspectors/reputation/reputation_parse.cc +++ b/src/network_inspectors/reputation/reputation_parse.cc @@ -749,7 +749,7 @@ void add_black_white_List(ReputationConfig* config) if (config->blacklist_path.size()) { ListFile* listItem = new ListFile; - listItem->all_zones_enabled = true; + listItem->all_intfs_enabled = true; listItem->file_name = config->blacklist_path; listItem->file_type = BLACK_LIST; listItem->list_id = 0; @@ -758,7 +758,7 @@ void add_black_white_List(ReputationConfig* config) if (config->whitelist_path.size()) { ListFile* listItem = new ListFile; - listItem->all_zones_enabled = true; + listItem->all_intfs_enabled = true; listItem->file_name = config->whitelist_path; listItem->file_type = WHITE_LIST; listItem->list_id = 0; @@ -816,8 +816,8 @@ static int get_file_type(char* type_name) } //The format of manifest is: -// file_name, list_id, action (black, white, monitor), zone information -//If no zone information provided, this means all zones are applied. +// file_name, list_id, action (black, white, monitor), interface information +//If no interface information provided, this means all interfaces are applied. static bool process_line_in_manifest(ListFile* list_item, const char* manifest, const char* line, int line_number, ReputationConfig* config) @@ -825,14 +825,14 @@ static bool process_line_in_manifest(ListFile* list_item, const char* manifest, char* token; int token_index = 0; char* next_ptr = const_cast(line); - bool has_zone = false; + bool has_intf = false; - list_item->zones.clear(); + list_item->intfs.clear(); while ((token = strtok_r(next_ptr, MANIFEST_SEPARATORS, &next_ptr)) != NULL) { char* end_str; - long zone_id; + long intf_id; long list_id; switch (token_index) @@ -878,26 +878,26 @@ static bool process_line_in_manifest(ListFile* list_item, const char* manifest, token= ignore_start_space(token); if ('0' == (*token)) break; - zone_id = SnortStrtol(token, &end_str, 10); + intf_id = SnortStrtol(token, &end_str, 10); end_str = ignore_start_space(end_str); if ( *end_str ) { - ErrorMessage("%s(%d) => Bad value (%s) specified for zone. " + ErrorMessage("%s(%d) => Bad value (%s) specified for interface. " "Please specify an integer between 0 and %u.\n", - manifest, line_number, token, MAX_NUM_ZONES); + manifest, line_number, token, MAX_NUM_INTFS); return false; } - if ((zone_id < 0) || (zone_id > MAX_NUM_ZONES ) || (errno == ERANGE)) + if ((intf_id < 0) || (intf_id > MAX_NUM_INTFS ) || (errno == ERANGE)) { - ErrorMessage(" %s(%d) => Value specified (%s) for zone is " + ErrorMessage(" %s(%d) => Value specified (%s) for interface is " "out of bounds. Please specify an integer between 0 and %u.\n", - manifest, line_number, token, MAX_NUM_ZONES); + manifest, line_number, token, MAX_NUM_INTFS); return false; } - list_item->zones.emplace(zone_id); - has_zone = true; + list_item->intfs.emplace(intf_id); + has_intf = true; } token_index++; @@ -912,9 +912,9 @@ static bool process_line_in_manifest(ListFile* list_item, const char* manifest, return false; } - if (!has_zone) + if (!has_intf) { - list_item->all_zones_enabled = true; + list_item->all_intfs_enabled = true; } config->list_files.emplace_back(list_item); diff --git a/src/network_inspectors/reputation/reputation_parse.h b/src/network_inspectors/reputation/reputation_parse.h index f40965478..5e808033c 100644 --- a/src/network_inspectors/reputation/reputation_parse.h +++ b/src/network_inspectors/reputation/reputation_parse.h @@ -22,7 +22,7 @@ #include "reputation_config.h" -#define MANIFEST_FILENAME "zone.info" +#define MANIFEST_FILENAME "interface.info" void ip_list_init(uint32_t,ReputationConfig *config); void estimate_num_entries(ReputationConfig* config); diff --git a/src/network_inspectors/rna/dev_notes.txt b/src/network_inspectors/rna/dev_notes.txt index c575ccd2c..c1cc66c27 100644 --- a/src/network_inspectors/rna/dev_notes.txt +++ b/src/network_inspectors/rna/dev_notes.txt @@ -22,7 +22,7 @@ are processed via events as per subscriptions. Since RNA needs to see the first of a session published from stream trackers, these modules (e.g., stream, stream_icmp, stream_ip, stream_tcp, and stream_udp) should be enabled whenever RNA module is enabled. -Currently, RNA only supports host discovery with filtering based on IP/port/zone. To enable +Currently, RNA only supports host discovery with filtering based on IP/port/interface. To enable this (disabled by default), the config file referred by rna_conf_path can have keywords: Analyze # discover application, host, user (only host discovery is implemented) AnalyzeHostUser # discover application, host, user (same as Analyze) @@ -32,14 +32,14 @@ AnalyzeUser # discover application, user portexclusion # don't discover on this port Format: -config keyword [!]ip [zone] +config keyword [!]ip [interface] portexclusion dst|src|both tcp|udp port ip Examples: -config AnalyzeHost 0.0.0.0/0 -1 # discover any ipv4 on any zone -config AnalyzeHost ::/0 2 # discover any ipv6 on zone 2 -config AnalyzeHost !1.2.3.4/16 3 # exclude this ipv4 range on zone 3 -config Analyze !cafe:feed::0/64 # exclude this ipv6 range on any zone +config AnalyzeHost 0.0.0.0/0 -1 # discover any ipv4 on any interface +config AnalyzeHost ::/0 2 # discover any ipv6 on interface 2 +config AnalyzeHost !1.2.3.4/16 3 # exclude this ipv4 range on interface 3 +config Analyze !cafe:feed::0/64 # exclude this ipv6 range on any interface portexclusion dst udp 53 8.8.8.8 # exclude this ip for UDP port 53 in destination direction portexclusion both tcp 4000 ::0/0 # exclude any ipv6 for TCP port 4000 in both direction diff --git a/src/stream/tcp/tcp_stream_session.h b/src/stream/tcp/tcp_stream_session.h index 32054907e..7c1fbeecb 100644 --- a/src/stream/tcp/tcp_stream_session.h +++ b/src/stream/tcp/tcp_stream_session.h @@ -119,9 +119,9 @@ public: uint32_t pkt_action_mask = ACTION_NOTHING; uint8_t ecn = 0; int32_t ingress_index = 0; - int32_t ingress_group = 0; + int16_t ingress_group = 0; int32_t egress_index = 0; - int32_t egress_group = 0; + int16_t egress_group = 0; uint32_t daq_flags = 0; uint16_t address_space_id = 0; bool generate_3whs_alert = true;