From: Shanmugam S (shanms) Date: Wed, 3 Mar 2021 05:05:45 +0000 (+0000) Subject: Merge pull request #2403 in SNORT/snort3 from ~KBHANDAN/snort3:cleanup_cmd_line to... X-Git-Tag: 3.1.2.0~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b82a6c6b28bc03f88bc099a03e3617ea8448cb4f;p=thirdparty%2Fsnort3.git Merge pull request #2403 in SNORT/snort3 from ~KBHANDAN/snort3:cleanup_cmd_line to master Squashed commit of the following: commit 1e5322ae5ba0f32c3af2ccf35d52c637a556ffe2 Author: Kaushal Bhandankar Date: Fri Aug 14 16:12:59 2020 -0400 snort_config: remove unnecessary command line options --- diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index a9effa7e0..cc1c72252 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc @@ -580,9 +580,7 @@ static inline int fpSessionAlerted(Packet* p, const OptTreeNode* otn) ** event. Otherwise if the ordering has it that pass rule events are ** processed after a drop or alert you will see the drops and alerts, ** and the pass event just causes us to stop processing any more events -** on the packet, but the packet does not pass. Also, the --treat-drop-as-alert -** flag causes any drop/block/reset rules to be loaded as alert rules. -** The default has been to ignore them on parsing. +** on the packet, but the packet does not pass. ** ** If this is less than clear, here's the $.02 version: ** default order -> pass drop alert log ( --alert-before-pass reverts @@ -592,8 +590,6 @@ static inline int fpSessionAlerted(Packet* p, const OptTreeNode* otn) ** the -o flag is useless, but accepted, for now. ** the max_events and log fields are reduced to only needing the log ** events field. max_fields is harmless. -** ( drop rules may be honored as alerts in IDS mode (no -Q) by using -** the --treat-drop-as-alert) ** ** FORMAL INPUTS ** OtnxMatchData * - omd to select event from. diff --git a/src/main/snort_config.cc b/src/main/snort_config.cc index 3a8b4b788..e0a32ff6e 100644 --- a/src/main/snort_config.cc +++ b/src/main/snort_config.cc @@ -726,22 +726,6 @@ void SnortConfig::set_show_year(bool enabled) output_flags &= ~OUTPUT_FLAG__INCLUDE_YEAR; } -void SnortConfig::set_treat_drop_as_alert(bool enabled) -{ - if (enabled) - run_flags |= RUN_FLAG__TREAT_DROP_AS_ALERT; - else - run_flags &= ~RUN_FLAG__TREAT_DROP_AS_ALERT; -} - -void SnortConfig::set_treat_drop_as_ignore(bool enabled) -{ - if (enabled) - run_flags |= RUN_FLAG__TREAT_DROP_AS_IGNORE; - else - run_flags &= ~RUN_FLAG__TREAT_DROP_AS_IGNORE; -} - void SnortConfig::set_process_all_events(bool enabled) { if (enabled) diff --git a/src/main/snort_config.h b/src/main/snort_config.h index dbd734a61..f9d121e40 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -50,37 +50,35 @@ enum RunFlag RUN_FLAG__CREATE_PID_FILE = 0x00000040, RUN_FLAG__NO_LOCK_PID_FILE = 0x00000080, - RUN_FLAG__TREAT_DROP_AS_ALERT = 0x00000100, - RUN_FLAG__ALERT_BEFORE_PASS = 0x00000200, - RUN_FLAG__CONF_ERROR_OUT = 0x00000400, - RUN_FLAG__MPLS_MULTICAST = 0x00000800, - - RUN_FLAG__MPLS_OVERLAPPING_IP = 0x00001000, - RUN_FLAG__PROCESS_ALL_EVENTS = 0x00002000, - RUN_FLAG__INLINE_TEST = 0x00004000, - RUN_FLAG__PCAP_SHOW = 0x00008000, - - RUN_FLAG__SHOW_FILE_CODES = 0x00010000, - RUN_FLAG__PAUSE = 0x00020000, - RUN_FLAG__NO_PCRE = 0x00040000, + RUN_FLAG__ALERT_BEFORE_PASS = 0x00000100, + RUN_FLAG__CONF_ERROR_OUT = 0x00000200, + RUN_FLAG__MPLS_MULTICAST = 0x00000400, + RUN_FLAG__MPLS_OVERLAPPING_IP = 0x00000800, + + RUN_FLAG__PROCESS_ALL_EVENTS = 0x00001000, + RUN_FLAG__INLINE_TEST = 0x00002000, + RUN_FLAG__PCAP_SHOW = 0x00004000, + RUN_FLAG__SHOW_FILE_CODES = 0x00008000, + + RUN_FLAG__PAUSE = 0x00010000, + RUN_FLAG__NO_PCRE = 0x00020000, /* If stream is configured, the STATEFUL flag is set. This is * somewhat misnamed and is used to assure a session is established */ - RUN_FLAG__ASSURE_EST = 0x00080000, + RUN_FLAG__ASSURE_EST = 0x00040000, + RUN_FLAG__DUMP_RULE_DEPS = 0x00080000, - RUN_FLAG__TREAT_DROP_AS_IGNORE= 0x00100000, - RUN_FLAG__DUMP_RULE_DEPS = 0x00200000, - RUN_FLAG__TEST = 0x00400000, + RUN_FLAG__TEST = 0x00100000, #ifdef SHELL - RUN_FLAG__SHELL = 0x00800000, + RUN_FLAG__SHELL = 0x00200000, #endif #ifdef PIGLET - RUN_FLAG__PIGLET = 0x01000000, + RUN_FLAG__PIGLET = 0x00400000, #endif - RUN_FLAG__MEM_CHECK = 0x02000000, - RUN_FLAG__TRACK_ON_SYN = 0x04000000, - RUN_FLAG__IP_FRAGS_ONLY = 0x08000000, + RUN_FLAG__MEM_CHECK = 0x00800000, - RUN_FLAG__DUMP_RULE_STATE = 0x10000000, + RUN_FLAG__TRACK_ON_SYN = 0x01000000, + RUN_FLAG__IP_FRAGS_ONLY = 0x02000000, + RUN_FLAG__DUMP_RULE_STATE = 0x04000000, }; enum OutputFlag @@ -477,8 +475,6 @@ public: void set_process_all_events(bool); void set_show_year(bool); void set_tunnel_verdicts(const char*); - void set_treat_drop_as_alert(bool); - void set_treat_drop_as_ignore(bool); void set_tweaks(const char*); void set_uid(const char*); void set_umask(uint32_t); @@ -543,6 +539,9 @@ public: bool inline_test_mode() const { return get_ips_policy()->policy_mode == POLICY_MODE__INLINE_TEST; } + bool passive_mode() const + { return get_ips_policy()->policy_mode == POLICY_MODE__PASSIVE; } + bool show_file_codes() const { return run_flags & RUN_FLAG__SHOW_FILE_CODES; } @@ -609,12 +608,6 @@ public: bool pcap_show() const { return run_flags & RUN_FLAG__PCAP_SHOW; } - bool treat_drop_as_alert() const - { return run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT; } - - bool treat_drop_as_ignore() const - { return run_flags & RUN_FLAG__TREAT_DROP_AS_IGNORE; } - bool alert_before_pass() const { return run_flags & RUN_FLAG__ALERT_BEFORE_PASS; } diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc index a48bfd473..0e2cf0d2a 100644 --- a/src/main/snort_module.cc +++ b/src/main/snort_module.cc @@ -556,12 +556,6 @@ static const Parameter s_params[] = { "--talos", Parameter::PT_IMPLIED, nullptr, nullptr, "enable Talos tweak (same as --tweaks talos)", }, - { "--treat-drop-as-alert", Parameter::PT_IMPLIED, nullptr, nullptr, - "converts drop, block, and reset rules into alert rules when loaded" }, - - { "--treat-drop-as-ignore", Parameter::PT_IMPLIED, nullptr, nullptr, - "use drop, block, and reset rules to ignore session traffic when not inline" }, - { "--tweaks", Parameter::PT_STRING, nullptr, nullptr, "tune configuration" }, @@ -1090,12 +1084,6 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc) else if ( v.is("--talos") ) sc->set_tweaks("talos"); - else if ( v.is("--treat-drop-as-alert") ) - sc->set_treat_drop_as_alert(true); - - else if ( v.is("--treat-drop-as-ignore") ) - sc->set_treat_drop_as_ignore(true); - else if ( v.is("--tweaks") ) sc->set_tweaks(v.get_string()); diff --git a/src/packet_io/active.cc b/src/packet_io/active.cc index e1d3d6fb4..4165775a5 100644 --- a/src/packet_io/active.cc +++ b/src/packet_io/active.cc @@ -542,6 +542,11 @@ void Active::update_status_actionable(const Packet* p) active_status = AST_WOULD; active_would_reason = WHD_IPS_INLINE_TEST; } + else if ( p->context->conf->passive_mode() ) + { + active_status = AST_WOULD; + active_would_reason = WHD_INTERFACE_IDS; + } } void Active::update_status(const Packet* p, bool force) @@ -671,8 +676,7 @@ void Active::block_session(Packet* p, bool force) active_action = ACT_BLOCK; update_status(p, force); - if ( force or ( p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth) ) - or p->context->conf->treat_drop_as_ignore() ) + if ( force or (p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth))) Stream::block_flow(p); p->disable_inspect = true; @@ -688,8 +692,7 @@ void Active::reset_session(Packet* p, ActiveAction* reject, bool force) active_action = ACT_RESET; update_status(p, force); - if ( force or ( p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth) ) - or p->context->conf->treat_drop_as_ignore() ) + if ( force or (p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth))) Stream::drop_flow(p); if ( p->context->conf->is_active_enabled() ) diff --git a/src/parser/parse_conf.cc b/src/parser/parse_conf.cc index 19f5540b7..43d452eaf 100644 --- a/src/parser/parse_conf.cc +++ b/src/parser/parse_conf.cc @@ -265,21 +265,6 @@ void add_service_to_otn(SnortConfig* sc, OptTreeNode* otn, const char* svc_name) otn->sigInfo.services.emplace_back(si); } -// only keep drop rules ... -// if we are inline (and can actually drop), -// or we are going to just alert instead of drop, -// or we are going to ignore session data instead of drop. -// the alert case is tested for separately with SnortConfig::treat_drop_as_alert(). -static inline int keep_drop_rules(const SnortConfig* sc) -{ - return ( sc->inline_mode() or sc->adaptor_inline_mode() or sc->treat_drop_as_ignore() ); -} - -static inline int load_as_drop_rules(const SnortConfig* sc) -{ - return ( sc->inline_test_mode() || sc->adaptor_inline_test_mode() ); -} - Actions::Type get_rule_type(const char* s) { Actions::Type rt = Actions::get_type(s); @@ -287,20 +272,12 @@ Actions::Type get_rule_type(const char* s) if ( rt == Actions::NONE ) rt = ActionManager::get_action_type(s); - const SnortConfig* sc = SnortConfig::get_conf(); - switch ( rt ) { case Actions::DROP: case Actions::BLOCK: case Actions::RESET: - if ( sc->treat_drop_as_alert() ) - return Actions::ALERT; - - if ( keep_drop_rules(sc) || load_as_drop_rules(sc) ) - return rt; - - return Actions::NONE; + return rt; case Actions::NONE: ParseError("unknown rule type '%s'", s);