From: Abhishek Rawat (abhrawat) Date: Fri, 9 Feb 2024 03:02:51 +0000 (+0000) Subject: Pull request #4181: flow: added ips event suppression flags X-Git-Tag: 3.1.81.0~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be19a34cd8874251273fb1c65dab36b46e31b7d3;p=thirdparty%2Fsnort3.git Pull request #4181: flow: added ips event suppression flags Merge in SNORT/snort3 from ~ABHRAWAT/snort3:conn_event_ips_suppression to master Squashed commit of the following: commit 4790cd489d98de6f2759d5bd875e23f04f561940 Author: abhrawat Date: Mon Jan 29 19:33:39 2024 +0000 flow: added ips event suppression flags --- diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index a6ebdb57c..c9e97556d 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc @@ -224,10 +224,16 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p) */ IpsAction * act = get_ips_policy()->action[action]; act->exec(p); + if ( p->active && p->flow && (p->active->get_action() >= Active::ACT_DROP) ) { - p->flow->flags.ips_event_suppressed = true; + if ( p->active->can_partial_block_session() ) + p->flow->flags.ips_pblock_event_suppressed = true; + else if (p->active->packet_would_be_dropped()) + p->flow->flags.ips_wblock_event_suppressed = true; + else + p->flow->flags.ips_block_event_suppressed = true; } fpLogOther(p, rtn, otn, action); pc.event_limit++; diff --git a/src/flow/flow.h b/src/flow/flow.h index 7246bbc61..29fcca07e 100644 --- a/src/flow/flow.h +++ b/src/flow/flow.h 
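Review bot: The new `if`/`else if`/`else` chain in fpLogEvent encodes a precedence — partial block is tested before `packet_would_be_dropped()`, so a packet that is both would be recorded only as `ips_pblock_event_suppressed` — and nothing in the hunk says so; a comment above the chain such as `// classify by the block actually applied; partial block takes precedence over would-block` would make the ordering deliberate rather than accidental. The hunk only ever sets the flags, so across a flow's lifetime fpLogEvent can run for several packets with different Active states and more than one of the three bits can end up set; if the consumer (outside this hunk) treats them as exclusive that is worth stating next to the assignments, e.g. `// flags accumulate over the flow; they are never cleared here`. Minor style: `if ( p->active->can_partial_block_session() )` uses the padded form of the surrounding code while `else if (p->active->packet_would_be_dropped())` does not. fpLogEvent begins before the hunk.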
@@ -500,8 +500,10 @@ public: // FIXIT-M privatize if possible
 bool svc_event_generated : 1; // Set if FLOW_NO_SERVICE_EVENT was generated for this flow
 bool retry_queued : 1; // Set if a packet was queued for retry for this flow
 bool ha_flow : 1; // Set if this flow was created by an HA message
-bool ips_event_suppressed : 1; // Set if event filters have suppressed ips event
 bool disable_reassembly_by_ips : 1; // Set if IPS has disabled reassembly for this flow
+bool ips_block_event_suppressed : 1; // Set if event filters have suppressed a block ips event
+bool ips_wblock_event_suppressed : 1; // set if event filters have suppressed a would block/drop ips event
+bool ips_pblock_event_suppressed : 1; // set if event filters have suppressed a partial block ips event
 } flags = {};
 
 FlowState flow_state = FlowState::SETUP;
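Review bot: The three new bit-field comments read as if exactly one of the flags describes the flow, but the flags are set per suppressed event and are not cleared in this change, so a long-lived flow can carry more than one of them; a short sentence on the first of the three, e.g. `// One of the three ips_*_event_suppressed bits is set per suppressed ips event; several may be set over a flow's life`, would keep readers of flow.h from assuming exclusivity. The capitalization also drifts from the neighbouring fields: `// set if event filters have suppressed a would block/drop ips event` and the partial-block line should start with `Set` like every other comment in the struct. Dropping `ips_event_suppressed` renames a public bit-field of Flow, so any out-of-tree code reading it must be updated; the commit message could say which of the three flags replaces it. The enclosing struct opens before this hunk.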