From: Michael Altizer (mialtize)
Date: Fri, 15 Feb 2019 17:11:18 +0000 (-0500)
Subject: Merge pull request #1512 in SNORT/snort3 from ~BBANTWAL/snort3:empty_policy to master
X-Git-Tag: 3.0.0-251~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf414e4d9ea642c348e56accd98ff884008026cf;p=thirdparty%2Fsnort3.git

Merge pull request #1512 in SNORT/snort3 from ~BBANTWAL/snort3:empty_policy to master

Squashed commit of the following:

commit 2c7bf69cb63eb054cde8895e62a11e40628c6868
Author: Bhagya Tholpady
Date: Mon Feb 11 12:15:13 2019 -0500

    policy: allow an empty policy be set by firewall when ac rule does not have a ips policy assigned to it.
---
diff --git a/src/main/policy.cc b/src/main/policy.cc
index 8212b3ff6..95ab6ffbb 100644
--- a/src/main/policy.cc
+++ b/src/main/policy.cc
@@ -146,7 +146,11 @@ PolicyMap::PolicyMap(PolicyMap* other_map)
     if ( other_map )
         clone(other_map);
     else
+    {
         add_shell(new Shell);
+        empty_ips_policy = new IpsPolicy(ips_policy.size());
+        ips_policy.emplace_back(empty_ips_policy);
+    }
 
     set_inspection_policy(inspection_policy[0]);
     set_ips_policy(ips_policy[0]);
@@ -177,6 +181,7 @@ PolicyMap::~PolicyMap()
         for ( auto p : network_policy )
             delete p;
 
+    }
     shells.clear();
@@ -191,6 +196,7 @@ void PolicyMap::clone(PolicyMap *other_map)
     shells = other_map->shells;
     ips_policy = other_map->ips_policy;
     network_policy = other_map->network_policy;
+    empty_ips_policy = other_map->empty_ips_policy;
 
     for ( unsigned i = 0; i < (other_map->inspection_policy.size()); i++)
     {
@@ -303,6 +309,11 @@ IpsPolicy* get_user_ips_policy(SnortConfig* sc, unsigned policy_id)
     return sc->policy_map->get_user_ips(policy_id);
 }
 
+IpsPolicy* get_empty_ips_policy(SnortConfig* sc)
+{
+    return sc->policy_map->get_empty_ips();
+}
+
 NetworkPolicy* get_user_network_policy(SnortConfig* sc, unsigned policy_id)
 {
     return sc->policy_map->get_user_network(policy_id);
diff --git a/src/main/policy.h b/src/main/policy.h
index 6b8b6ef45..9b47dcc1c 100644
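Review bot: The fallback policy allocated in the non-clone branch carries no comment, and its role — an IPS policy with no rules that the firewall falls back to when an AC rule has no ips policy assigned (per the commit message) — is a security-relevant property a maintainer should not have to reconstruct from the name. A comment above the allocation such as `// fallback IPS policy, id ips_policy.size(): traffic the firewall maps here gets no IPS rule evaluation (see get_empty_ips_policy)` would record it; the id claim assumes the IpsPolicy constructor argument is the policy id, which this hunk does not show. Note that the same pointer is now both the `empty_ips_policy` member and an element of `ips_policy`, so its delete in `~PolicyMap` must come from exactly one of those. The constructor body begins before this hunk.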
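Review bot: Nothing in this diff opens the block that the added `}` closes, so whether the braces balance can only be checked against the full destructor, which starts and ends outside this hunk; worth confirming this is not a squash artifact. While there, it is worth confirming that the `ips_policy` delete loop (not shown, but presumably parallel to the visible `for ( auto p : network_policy ) delete p;`) is what frees the empty policy appended in the constructor, and that the cloned-map path does not also free it.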
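Review bot: `empty_ips_policy = other_map->empty_ips_policy;` copies a raw pointer that the source map still holds and that, after the constructor change, also sits inside the `ips_policy` vector copied two lines above, so the clone aliases rather than owns it. A comment such as `// shared with other_map and also an element of ips_policy; not owned by the clone` would record that aliasing so a later change to the destructor's cloned path does not delete it twice. Whether the destructor already distinguishes cloned maps is not visible here, and clone() continues past this hunk.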
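Review bot: `get_empty_ips_policy` dereferences `sc` and `sc->policy_map` unchecked, matching the sibling `get_user_ips_policy` above it, but nothing states the lifetime or ownership of the pointer it hands to firewall-side callers. A short doc comment above the definition (and on the SO_PUBLIC declaration in policy.h), `// fallback policy owned by sc->policy_map; valid only while sc is; do not delete`, would make the contract explicit. That the policy is rule-less is implied by its name and the commit message rather than shown in this diff.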
--- a/src/main/policy.h
+++ b/src/main/policy.h
@@ -215,6 +215,9 @@ public:
     IpsPolicy* get_ips_policy(unsigned i = 0)
     { return i < ips_policy.size() ? ips_policy[i] : nullptr; }
 
+    IpsPolicy* get_empty_ips()
+    { return empty_ips_policy; }
+
     NetworkPolicy* get_network_policy(unsigned i = 0)
     { return i < network_policy.size() ? network_policy[i] : nullptr; }
 
@@ -235,6 +238,7 @@ private:
     std::vector inspection_policy;
     std::vector ips_policy;
     std::vector network_policy;
+    IpsPolicy* empty_ips_policy;
     std::unordered_map> shell_map;
     std::unordered_map user_inspection;
     std::unordered_map user_ips;
@@ -260,6 +264,7 @@ SO_PUBLIC InspectionPolicy* get_default_inspection_policy(snort::SnortConfig*);
 SO_PUBLIC void set_ips_policy(IpsPolicy* p);
 SO_PUBLIC void set_network_policy(NetworkPolicy* p);
 SO_PUBLIC IpsPolicy* get_user_ips_policy(snort::SnortConfig* sc, unsigned policy_id);
+SO_PUBLIC IpsPolicy* get_empty_ips_policy(snort::SnortConfig* sc);
 SO_PUBLIC NetworkPolicy* get_user_network_policy(snort::SnortConfig* sc, unsigned policy_id);
 }
diff --git a/src/parser/parser.cc b/src/parser/parser.cc
index 6802b06c7..38aa4dca7 100644
--- a/src/parser/parser.cc
+++ b/src/parser/parser.cc
@@ -554,6 +554,8 @@ void ParseRules(SnortConfig* sc)
         }
     }
 
+    set_ips_policy(sc, 0);
+
     /* Compile/Finish and Print the PortList Tables */
     PortTablesFinish(sc->port_tables, sc->fast_pattern_config);
 
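Review bot: `get_empty_ips()` returns `empty_ips_policy` unconditionally, whereas the neighbouring `get_ips_policy(i)` bounds-checks and returns nullptr, and the member added in the next hunk (`IpsPolicy* empty_ips_policy;`) has no in-class initializer, so any PolicyMap reaching a path that never assigns it would hand callers an indeterminate pointer. Initialising it at declaration, `IpsPolicy* empty_ips_policy = nullptr;`, turns that into a null return callers can test, consistent with the other accessor. The constructor in policy.cc assigns it on both branches (directly, or via clone from the other map), so this guards future code paths rather than a failure reachable in this diff.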
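Review bot: `set_ips_policy(sc, 0);` is inserted with no comment saying why the current IPS policy is reset after the rule-loading loop; presumably the loop above switches the active policy while parsing per-policy rules and this restores the default before the port tables are finished, but that is inferred, since the loop body lies outside the hunk. A one-line why-comment, `// restore the default ips policy; rule parsing above may have switched it`, would keep the call from being removed as redundant. The two-argument `set_ips_policy` overload is not declared anywhere in this diff (the policy.h hunks show only the pointer form), so it is assumed to pre-exist. ParseRules begins before this hunk.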