From: Juliana Fajardini
Date: Wed, 19 Jan 2022 18:29:39 +0000 (+0000)
Subject: decode: make packet_alert_max configurable
X-Git-Tag: suricata-5.0.10~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d926f166943a9ed028d356707df7cc6e6f417b73;p=thirdparty%2Fsuricata.git

decode: make packet_alert_max configurable

The maximum of possible alerts triggered by a unique packet was hardcoded to 15. With usage of 'noalert' rules, that limit could be reached somewhat easily. Make that configurable via suricata.yaml.
Conf Bug#4941 Task #4207
(cherry picked from commit 3ace577d5426e2e1afd1cdf0736151022771226c)
---
diff --git a/src/decode.c b/src/decode.c
index 09c9efdf6f..ecbe0011ba 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2019 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -73,6 +73,26 @@ extern bool stats_decoder_events;
 extern const char *stats_decoder_events_prefix;
 extern bool stats_stream_events;
 uint8_t decoder_max_layers = PKT_DEFAULT_MAX_DECODED_LAYERS;
+uint16_t packet_alert_max = PACKET_ALERT_MAX;
+
+/**
+ * \brief Initialize PacketAlerts with dynamic alerts array size
+ *
+ */
+PacketAlert *PacketAlertCreate(void)
+{
+ PacketAlert *pa_array = SCCalloc(packet_alert_max, sizeof(PacketAlert));
+ BUG_ON(pa_array == NULL);
+
+ return pa_array;
+}
+
+void PacketAlertFree(PacketAlert *pa)
+{
+ if (pa != NULL) {
+ SCFree(pa);
+ }
+}
 static int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *, enum DecodeTunnelProto) WARN_UNUSED;
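Review bot: `PacketAlertCreate` sizes the array from the global `packet_alert_max` at the moment it is called, and neither its header comment nor the code records that this value must then stay fixed for the lifetime of every Packet: whatever bounds writes to `alerts[]` has to agree with this allocation, or a later, larger bound would write past the heap block. The code that enforces the bound on append is not part of this diff, so the contract can only be stated here; replace the current `\brief` with a comment saying the array holds `packet_alert_max` entries sized at call time, that `packet_alert_max` must not change once any Packet has been initialized, that allocation failure aborts via `BUG_ON`, and that the result is released with `PacketAlertFree()`. `PacketAlertFree` has no comment at all; `/** \brief Release an array obtained from PacketAlertCreate(); NULL is accepted. */` is enough.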
@@ -753,6 +773,21 @@ void DecodeGlobalConfig(void)
 decoder_max_layers = value;
 }
 }
+ PacketAlertGetMaxConfig();
+}
+
+void PacketAlertGetMaxConfig(void)
+{
+ intmax_t max = 0;
+ if (ConfGetInt("packet-alert-max", &max) == 1) {
+ if (max <= 0 || max > UINT8_MAX) {
+ SCLogWarning(SC_ERR_INVALID_VALUE,
+ "Invalid value for packet-alert-max, default value set instead");
+ } else {
+ packet_alert_max = max;
+ }
+ }
+ SCLogDebug("detect->packet_alert_max set to %d", packet_alert_max);
 }
 /**
diff --git a/src/decode.h b/src/decode.h
index 825bd9cfae..87600e5a7d 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2020 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -288,16 +288,21 @@ typedef struct PacketAlert_ {
 /** action was changed by rate_filter */
 #define PACKET_ALERT_RATE_FILTER_MODIFIED 0x10
+extern uint16_t packet_alert_max;
 #define PACKET_ALERT_MAX 15
 typedef struct PacketAlerts_ {
 uint16_t cnt;
- PacketAlert alerts[PACKET_ALERT_MAX];
+ PacketAlert *alerts;
 /* single pa used when we're dropping,
 * so we can log it out in the drop log. */
 PacketAlert drop;
 } PacketAlerts;
+PacketAlert *PacketAlertCreate(void);
+
+void PacketAlertFree(PacketAlert *pa);
+
 /** number of decoder events we support per packet. Power of 2 minus 1
 * for memory layout */
 #define PACKET_ENGINE_EVENT_MAX 15
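Review bot: The range check in `PacketAlertGetMaxConfig` rejects anything above `UINT8_MAX`, yet `packet_alert_max` is declared `uint16_t` in decode.h in this same patch and `PacketAlerts.cnt`, which counts into the array, is also `uint16_t`, so the bound and the storage types disagree and values 256..65535 are refused for no reason visible here. If 255 is a deliberate cap because some consumer outside this diff keeps the alert index in 8 bits, say so in a comment next to the check; otherwise use `if (max <= 0 || max > UINT16_MAX) {` so the limit matches the type. The warning also drops the offending value, which makes the misconfiguration hard to trace in logs: `SCLogWarning(SC_ERR_INVALID_VALUE, "Invalid value %" PRIdMAX " for packet-alert-max, default value set instead", max);` (needs inttypes.h if not already included). The debug line names `detect->packet_alert_max`, but the variable is a decode.c global, so the message is misleading. `DecodeGlobalConfig` starts outside the hunk.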
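Review bot: `alerts` becoming a bare pointer means a `PacketAlerts` is only usable after `PACKET_INITIALIZE` has run, and nothing at the declaration says who allocates it, how many entries it holds or who frees it; any Packet built by another path (a stack or memset-initialized Packet in a unittest or utility, if such a path exists — not visible here) would dereference NULL on the first alert. Document the ownership on the member: `PacketAlert *alerts; /**< packet_alert_max entries; allocated by PACKET_INITIALIZE, released with PacketAlertFree() at packet destroy */`, and mark the macro as the default only: `#define PACKET_ALERT_MAX 15 /**< default for packet_alert_max; the runtime bound is packet_alert_max */`. A one-line comment on `extern uint16_t packet_alert_max;` stating that it is read from `packet-alert-max` once at startup and must not change after Packets exist would complete the picture.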
@@ -735,11 +740,13 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
 /**
 * \brief Initialize a packet structure for use.
 */
-#define PACKET_INITIALIZE(p) { \
- SCMutexInit(&(p)->tunnel_mutex, NULL); \
- PACKET_RESET_CHECKSUMS((p)); \
- (p)->livedev = NULL; \
-}
+#define PACKET_INITIALIZE(p) \
+ { \
+ SCMutexInit(&(p)->tunnel_mutex, NULL); \
+ (p)->alerts.alerts = PacketAlertCreate(); \
+ PACKET_RESET_CHECKSUMS((p)); \
+ (p)->livedev = NULL; \
+ }
 #define PACKET_RELEASE_REFS(p) do { \
 FlowDeReference(&((p)->flow)); \
@@ -833,6 +840,7 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
 if ((p)->pktvar != NULL) { \
 PktVarFree((p)->pktvar); \
 } \
+ PacketAlertFree((p)->alerts.alerts); \
 PACKET_FREE_EXTDATA((p)); \
 SCMutexDestroy(&(p)->tunnel_mutex); \
 AppLayerDecoderEventsFreeEvents(&(p)->app_layer_events); \
@@ -976,6 +984,7 @@ int DecoderParseDataFromFile(char *filename, DecoderFunc Decoder);
 int DecoderParseDataFromFileSerie(char *fileprefix, DecoderFunc Decoder);
 #endif
 void DecodeGlobalConfig(void);
+void PacketAlertGetMaxConfig(void);
 void DecodeUnregisterCounters(void);
 /** \brief Set the No payload inspection Flag for the packet.
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 87315cf37a..a8a540d481 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2021 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 26eea87a76..3d6227beec 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
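Review bot: `PACKET_INITIALIZE` now heap-allocates `alerts.alerts` with whatever `packet_alert_max` holds at that instant, so a Packet set up before `DecodeGlobalConfig()` has read `packet-alert-max` gets the 15-entry default while code running later may enforce the configured, larger bound — an out-of-bounds heap write if the two disagree. Whether any packet pool or utility path initializes Packets before the configuration is loaded is not visible in this diff; confirm it, or make the order explicit by having `PacketAlertCreate()` assert that the config has been read. The header comment above the macro should also say that initialization now allocates and can abort, e.g. `\brief Initialize a packet structure for use. Allocates p->alerts.alerts (packet_alert_max entries, BUG_ON on OOM); the matching destroy macro releases it.`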
@@ -1081,6 +1081,10 @@ legacy:
 # - reject
 # - alert
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+#packet-alert-max: 15
+
 # IP Reputation
 #reputation-categories-file: @e_sysconfdir@iprep/categories.txt
 #default-reputation-path: @e_sysconfdir@iprep
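Review bot: The new option comment gives the default but not the accepted range, and as the check in `decode.c` stands a value outside 1–255 is rejected with a warning and the default of 15 is silently kept, so an operator who sets 1000 gets no effect and only a log line to explain it. Since every Packet allocates this many `PacketAlert` entries at initialization, the cost of raising it scales with the packet pool, which is also worth a word. Suggest `# Define maximum number of possible alerts that can be triggered for the same` / `# packet. Default is 15; valid range 1-255 (out-of-range values log a warning and keep` / `# the default). Each packet allocates this many alert entries, so memory use scales with it.` The range text should track whatever bound `PacketAlertGetMaxConfig` ends up enforcing.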