From: Masud Hasan (mashasan) Date: Fri, 28 May 2021 17:13:27 +0000 (+0000) Subject: Merge pull request #2894 in SNORT/snort3 from ~MASHASAN/snort3:aux_ip_reload to master X-Git-Tag: 3.1.6.0~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa928eb51c5a318e8a26fc06b753ee8a09c3ec28;p=thirdparty%2Fsnort3.git Merge pull request #2894 in SNORT/snort3 from ~MASHASAN/snort3:aux_ip_reload to master Squashed commit of the following: commit c99146d5876c23277920b795a9dd7c6d8f6d9df3 Author: Masud Hasan Date: Tue May 18 20:54:15 2021 -0400 reputation: Supporting auxiliary IP matching upon reload
---
diff --git a/src/flow/flow_stash.h b/src/flow/flow_stash.h
index b24caf410..180cc84fd 100644
--- a/src/flow/flow_stash.h
+++ b/src/flow/flow_stash.h
@@ -52,6 +52,9 @@ public:
     bool store(const snort::SfIp&, const SnortConfig* sc = nullptr);
+    std::list& get_aux_ip_list()
+    { return aux_ip_fifo; }
+
 private:
     std::list aux_ip_fifo;
     std::unordered_map container;
diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc
index 7d316f0b7..3b1bb28fb 100644
--- a/src/network_inspectors/reputation/reputation_inspect.cc
+++ b/src/network_inspectors/reputation/reputation_inspect.cc
@@ -247,10 +247,12 @@ static IPdecision reputation_decision(ReputationConfig* config, Packet* p)
     return decision_final;
 }
-static void snort_reputation_aux_ip(ReputationConfig* config, Packet* p, const SfIp* ip)
+static IPdecision snort_reputation_aux_ip(ReputationConfig* config, Packet* p, const SfIp* ip)
 {
+    IPdecision decision = DECISION_NULL;
+
     if (!config->ip_list)
-        return;
+        return decision;
     uint32_t ingress_intf = 0;
     uint32_t egress_intf = 0;
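Review bot: `get_aux_ip_list()` in the flow_stash.h hunk hands out the private FIFO by non-const reference, so any caller can insert into or clear the list behind `store()`'s back; the only caller this commit adds binds the result to `const auto&`, so a read-only accessor is enough: `const std::list<snort::SfIp>& get_aux_ip_list() const { return aux_ip_fifo; }` (the element type is inferred from `store()`'s parameter, since the template arguments were lost in extraction). If a mutable view is genuinely needed elsewhere, keep both overloads rather than dropping `const` on the read path. A one-line comment on the accessor, e.g. `// reference aliases flow-owned storage; do not retain past the flow's lifetime`, would also help callers. The enclosing class starts and ends outside the hunk.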
@@ -267,7 +269,7 @@ static void snort_reputation_aux_ip(ReputationConfig* config, Packet* p, const S
     IPrepInfo* result = reputation_lookup(config, ip);
     if (result)
     {
-        IPdecision decision = get_reputation(config, result, &p->iplist_id, ingress_intf,
+        decision = get_reputation(config, result, &p->iplist_id, ingress_intf,
             egress_intf);
         if (decision == BLOCKED)
@@ -315,6 +317,7 @@ static void snort_reputation_aux_ip(ReputationConfig* config, Packet* p, const S
             reputationstats.aux_ip_trusted++;
         }
     }
+    return decision;
 }
 static void snort_reputation(ReputationConfig* config, Packet* p)
@@ -327,10 +330,7 @@ static void snort_reputation(ReputationConfig* config, Packet* p)
     decision = reputation_decision(config, p);
     Active* act = p->active;
-    if (DECISION_NULL == decision)
-        return;
-
-    else if (BLOCKED_SRC == decision or BLOCKED_DST == decision)
+    if (BLOCKED_SRC == decision or BLOCKED_DST == decision)
     {
         unsigned blocklist_event = (BLOCKED_SRC == decision) ? REPUTATION_EVENT_BLOCKLIST_SRC : REPUTATION_EVENT_BLOCKLIST_DST;
@@ -351,6 +351,22 @@ static void snort_reputation(ReputationConfig* config, Packet* p)
         reputationstats.blocked++;
         if (PacketTracer::is_active())
             PacketTracer::log("Reputation: packet blocked, drop\n");
+        return;
+    }
+
+    else if ( p->flow and p->flow->reload_id > 0 )
+    {
+        const auto& aux_ip_list = p->flow->stash->get_aux_ip_list();
+        for ( const auto& ip : aux_ip_list )
+        {
+            if ( BLOCKED == snort_reputation_aux_ip(config, p, &ip) )
+                return;
+        }
+    }
+
+    if (DECISION_NULL == decision)
+    {
+        return;
     }
     else if (MONITORED_SRC == decision or MONITORED_DST == decision)
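Review bot: In the last hunk (`@@ -351,6 +351,22 @@`) the new branch dereferences `p->flow->stash` without a check while `p->flow` itself is guarded; unless every Flow is guaranteed to carry an allocated FlowStash (not visible here), the guard should read `else if ( p->flow and p->flow->reload_id > 0 and p->flow->stash )`. The loop also runs on every call for which `reload_id > 0` holds, so if that field stays non-zero for the rest of the flow's life and snort_reputation is invoked per packet, the aux-IP lookups are repeated on each packet rather than once after the reload — consider comparing against the active config's reload id, or clearing a per-flow marker once the list has been re-checked. Note too that an aux `BLOCKED` result returns before the `MONITORED_*` handling below (and any later branches for the primary verdict), so an aux block now overrides a non-blocking primary decision; if that precedence is intended, a comment such as `// an aux IP on the block list overrides the primary verdict` above the loop would record it. The body of snort_reputation continues past the end of the hunk.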