From: Victor Julien
Date: Fri, 12 Jan 2024 13:00:37 +0000 (+0100)
Subject: detect: implement 'alert' keyword as a companion to 'noalert'
X-Git-Tag: suricata-8.0.0-beta1~1179
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d5fb8204b6b30b9617ebd95dd12c87a812b2cb5a;p=thirdparty%2Fsuricata.git

detect: implement 'alert' keyword as a companion to 'noalert' This can be used to implement alert then pass logic. Add support for alert-then-pass to alert handling routines. Ticket: #5466.
---
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 750ed6a8be..01452ecf89 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -417,12 +417,18 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 p->alerts.alerts[p->alerts.cnt] = *pa;
 SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
- /* pass "alert" found, we're done */
- if (pa->action & ACTION_PASS) {
+ /* pass w/o alert found, we're done. Alert is not logged. */
+ if ((pa->action & (ACTION_PASS | ACTION_ALERT)) == ACTION_PASS) {
 SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
 break;
 }
 p->alerts.cnt++;
+
+ /* pass with alert, we're done. Alert is logged. */
+ if (pa->action & ACTION_PASS) {
+ SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
+ break;
+ }
 } else {
 p->alerts.discarded++;
 }
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
index 87fcce20e9..58908c05d7 100644
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@@ -87,6 +87,7 @@ enum DetectKeywordId {
 DETECT_FLOWINT,
 DETECT_PKTVAR,
 DETECT_NOALERT,
+ DETECT_ALERT,
 DETECT_FLOWBITS,
 DETECT_HOSTBITS,
 DETECT_IPV4_CSUM,
diff --git a/src/detect-noalert.c b/src/detect-noalert.c
index c0d90eca2f..4cb522cf02 100644
--- a/src/detect-noalert.c
+++ b/src/detect-noalert.c
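Review bot: The two pass checks in the new code repeat the same SCLogDebug text and `break`, and a pass rule is tested twice, once before and once after `p->alerts.cnt++`; folding both into a single `if (pa->action & ACTION_PASS)` that increments the count only when `ACTION_ALERT` is also set keeps pass handling in one place and lets the debug line say which case was taken. As written, a trace of an alert-then-pass rule is indistinguishable from a silent pass, since both paths log "is a pass rule". On the pass-without-alert path the entry already copied into `p->alerts.alerts[p->alerts.cnt]` just above the hunk is left in the slot uncounted, as before; the comment could say so explicitly so nobody reads the slot as valid. PacketAlertFinalize starts and ends outside the hunk.
```c
            p->alerts.alerts[p->alerts.cnt] = *pa;
            /* … unchanged: "Appending sid" debug line … */
            if (pa->action & ACTION_PASS) {
                /* A pass rule ends alert processing either way. The copied
                 * entry is only counted (and thus logged) when the rule also
                 * carries the 'alert' keyword; a plain pass leaves the slot
                 * uncounted and it will be overwritten by a later packet. */
                if (pa->action & ACTION_ALERT) {
                    p->alerts.cnt++;
                    SCLogDebug("sid:%u: is a pass rule with alert, so break out of loop", s->id);
                } else {
                    SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
                }
                break;
            }
            p->alerts.cnt++;
```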
@@ -20,7 +20,7 @@
 *
 * \author Victor Julien
 *
- * Implements the noalert keyword
+ * Implements the noalert and alert keywords.
 */
 #include "suricata-common.h"
@@ -38,6 +38,14 @@ static int DetectNoalertSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 return 0;
 }
+static int DetectAlertSetup(DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
+{
+ DEBUG_VALIDATE_BUG_ON(nullstr != NULL);
+
+ s->action |= ACTION_ALERT;
+ return 0;
+}
+
 void DetectNoalertRegister(void)
 {
 sigmatch_table[DETECT_NOALERT].name = "noalert";
@@ -45,4 +53,10 @@ void DetectNoalertRegister(void)
 sigmatch_table[DETECT_NOALERT].url = "/rules/flow-keywords.html";
 sigmatch_table[DETECT_NOALERT].Setup = DetectNoalertSetup;
 sigmatch_table[DETECT_NOALERT].flags |= SIGMATCH_NOOPT;
+
+ sigmatch_table[DETECT_ALERT].name = "alert";
+ sigmatch_table[DETECT_ALERT].desc = "alert will be generated by the rule";
+ sigmatch_table[DETECT_ALERT].url = "/rules/flow-keywords.html";
+ sigmatch_table[DETECT_ALERT].Setup = DetectAlertSetup;
+ sigmatch_table[DETECT_ALERT].flags |= SIGMATCH_NOOPT;
 }
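Review bot: DetectAlertSetup carries no comment on what the keyword is for, and nothing handles a signature that uses both `alert` and `noalert`: if DetectNoalertSetup clears ACTION_ALERT (its body is outside the hunk, so this is inferred), such a rule resolves silently by keyword order with the last one winning. A parse-time warning when a signature sets both keywords would make rule audits easier; at minimum the contract belongs above the function, e.g. `/** \brief 'alert' keyword: set ACTION_ALERT so a match is kept and logged even when the rule action is pass. A later 'noalert' in the same rule is expected to undo it -- TODO confirm. */`. The three-line body itself is fine as written.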
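Review bot: The new desc string `"alert will be generated by the rule"` does not tell a rule writer what the option changes, and the option shares its name with the `alert` rule action, which invites confusion; something like `"generate an alert even when the rule action is pass (companion to noalert)"` names the one case the engine-side change in detect-engine-alert.c distinguishes. The url entry points at the same flow-keywords page as noalert, and no documentation change is visible in this diff, so that page will need a section for the new keyword. A one-line comment above the new registration lines, `/* 'alert' is the companion of 'noalert' and is registered alongside it */`, would explain why it lives in DetectNoalertRegister.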