From: Mike Stepanek (mstepane) Date: Thu, 21 Apr 2022 15:59:14 +0000 (+0000) Subject: Pull request #3386: events: add action logging to the event X-Git-Tag: 3.1.28.0~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dde55261a22408754bc4bfb94ca9373b23c7c939;p=thirdparty%2Fsnort3.git Pull request #3386: events: add action logging to the event Merge in SNORT/snort3 from ~VHORBATO/snort3:events_upd to master Squashed commit of the following: commit 68bc9987e0c57edc1aae1bb18fb88a29529d1ca7 Author: Vitalii Date: Sun Apr 3 13:45:25 2022 +0300 events: add action logging to the event packet_io: add rewrite action logging --- diff --git a/src/actions/act_replace.cc b/src/actions/act_replace.cc index d49986add..2dd2a7d56 100644 --- a/src/actions/act_replace.cc +++ b/src/actions/act_replace.cc @@ -106,6 +106,8 @@ private: void ReplaceAction::exec(Packet* p, const OptTreeNode* otn) { + p->active->rewrite_packet(p); + Actions::alert(p, otn); } diff --git a/src/detection/detect.cc b/src/detection/detect.cc index 881d805ad..8b219c494 100644 --- a/src/detection/detect.cc +++ b/src/detection/detect.cc @@ -83,6 +83,8 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) event.ref_time.tv_sec = p->pkth->ts.tv_sec; event.ref_time.tv_usec = p->pkth->ts.tv_usec; event.update_event_id_and_ref(p->context->conf->get_event_log_id()); + if (head and head->ruleListNode) + event.action_string = head->ruleListNode->name; DetectionEngine::set_check_tags(false); pc.log_pkts++; @@ -99,6 +101,8 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) event.ref_time.tv_sec = p->pkth->ts.tv_sec; event.ref_time.tv_usec = p->pkth->ts.tv_usec; event.update_event_id_and_ref(p->context->conf->get_event_log_id()); + if (head and head->ruleListNode) + event.action_string = head->ruleListNode->name; pc.total_alert_pkts++; diff --git a/src/events/event.cc b/src/events/event.cc index 1debf01d7..4f8b49f27 100644 --- a/src/events/event.cc 
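Review bot: The new `p->active->rewrite_packet(p);` in `ReplaceAction::exec` has no comment saying why it must run before `Actions::alert`, and the ordering is not obvious from the call itself. Judging by the `active.cc` hunks, `rewrite_packet` only records the intent in `Active` (possibly downgraded to a would-rewrite status when the DAQ cannot replace), so a one-line why-comment would help: `// record the rewrite in Active before alerting so the packet's verdict/action string reflects it`. Whether `p->active` can be null at this point is not visible here; the surrounding code appears to rely on it being set.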
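Review bot: `event.action_string = head->ruleListNode->name;` in `CallLogFuncs` assigns a raw pointer to a `std::string` with no null check on `name`; the guard only tests `head` and `head->ruleListNode`, and if `name` is a nullable `char*`, constructing a `std::string` from a null pointer is undefined behaviour. The guard should cover it: `if (head and head->ruleListNode and head->ruleListNode->name)`. The same three lines are duplicated verbatim in the `CallAlertFuncs` hunk; a small static helper such as `set_action_string(Event&, const ListHead*)` would keep the two call sites in step. Both enclosing functions start before their hunks.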
+++ b/src/events/event.cc @@ -71,7 +71,7 @@ uint32_t Event::update_and_get_event_id(void) void Event::set_event(uint32_t gid, uint32_t sid, uint32_t rev, uint32_t classification, uint32_t priority, uint16_t event_ref, - uint16_t log_id, const struct timeval& tv) + uint16_t log_id, const struct timeval& tv, const std::string& act) { sig_info->gid = gid; sig_info->sid = sid; @@ -88,5 +88,6 @@ void Event::set_event(uint32_t gid, uint32_t sid, uint32_t rev, ref_time.tv_sec = tv.tv_sec; ref_time.tv_usec = tv.tv_usec; + action_string = act; } diff --git a/src/events/event.h b/src/events/event.h index e81160554..36d817cfc 100644 --- a/src/events/event.h +++ b/src/events/event.h @@ -39,6 +39,7 @@ struct Event SigInfo* sig_info = nullptr; struct sf_timeval32 ref_time = { 0, 0 }; /* reference time for the event reference */ const char* alt_msg = nullptr; + std::string action_string; Event() = default; Event(SigInfo& si) @@ -56,7 +57,7 @@ struct Event void set_event(uint32_t gid, uint32_t sid, uint32_t rev, uint32_t classification, uint32_t priority, uint16_t event_ref, - uint16_t log_id, const struct timeval& tv); + uint16_t log_id, const struct timeval& tv, const std::string& act = ""); private: diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc index cc5297bff..acfa36f00 100644 --- a/src/main/analyzer.cc +++ b/src/main/analyzer.cc @@ -229,7 +229,7 @@ static DAQ_Verdict distill_verdict(Packet* p) if ( act->session_was_blocked() || (p->flow && (p->flow->flow_state == Flow::FlowState::BLOCK)) ) { - if ( !act->can_block() ) + if ( !act->can_act() ) verdict = DAQ_VERDICT_PASS; else if ( act->get_tunnel_bypass() ) { @@ -243,7 +243,7 @@ static DAQ_Verdict distill_verdict(Packet* p) } // Second Pass, now with more side effects - if ( act->packet_was_dropped() && act->can_block() ) + if ( act->packet_was_dropped() && act->can_act() ) { if ( verdict == DAQ_VERDICT_PASS ) verdict = DAQ_VERDICT_BLOCK; 
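Review bot: The new `std::string action_string;` member in `struct Event` needs `<string>`, and the hunk does not show `event.h` gaining that include; if it compiles only through a transitive include today, add `#include <string>` alongside the header's other includes so the header stands on its own. Every `Event` copy now also copies that string, which only matters if `Event` objects are copied on the alert path rather than passed by reference — not visible here, so worth a quick check. The `const std::string& act = ""` default on `set_event` is fine functionally; `= {}` avoids building the temporary from a C literal but either is cheap.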
diff --git a/src/main/test/distill_verdict_stubs.h b/src/main/test/distill_verdict_stubs.h index dd4a9851e..c4d81c14d 100644 --- a/src/main/test/distill_verdict_stubs.h +++ b/src/main/test/distill_verdict_stubs.h @@ -156,6 +156,7 @@ bool SFDAQ::forwarding_packet(const DAQ_PktHdr_t*) { return false; } int SFDAQ::inject(DAQ_Msg_h, int, const uint8_t*, uint32_t) { return -1; } bool SFDAQ::can_inject() { return false; } bool SFDAQ::can_inject_raw() { return false; } +bool SFDAQ::can_replace() { return false; } int SFDAQInstance::set_packet_verdict_reason(DAQ_Msg_h, uint8_t) { return 0; } DetectionEngine::DetectionEngine() = default; DetectionEngine::~DetectionEngine() = default; diff --git a/src/packet_io/active.cc b/src/packet_io/active.cc index 4ab8a3340..33fcc23ae 100644 --- a/src/packet_io/active.cc +++ b/src/packet_io/active.cc @@ -61,6 +61,7 @@ const char* Active::act_str[Active::ACT_MAX][Active::AST_MAX] = { "allow", "error", "error", "error" }, { "hold", "error", "error", "error" }, { "retry", "error", "error", "error" }, + { "rewrite", "cant_rewrite", "would_rewrite", "force_rewrite" }, { "drop", "cant_drop", "would_drop", "force_drop" }, { "block", "cant_block", "would_block", "force_block" }, { "reset", "cant_reset", "would_reset", "force_reset" }, @@ -527,6 +528,11 @@ void Active::update_status_actionable(const Packet* p) active_status = AST_WOULD; active_would_reason = WHD_INTERFACE_IDS; } + else if ( active_action == ACT_REWRITE and !SFDAQ::can_replace() ) + { + active_status = AST_WOULD; + active_would_reason = WHD_INTERFACE_IDS; + } } else if ( p->context->conf->inline_test_mode() ) { @@ -552,9 +558,7 @@ void Active::update_status(const Packet* p, bool force) else if ( force ) active_status = AST_FORCE; else if ( active_status != AST_FORCE ) - { update_status_actionable(p); - } } void Active::daq_update_status(const Packet* p) 
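Review bot: The new `ACT_REWRITE` branch in `update_status_actionable` reports `WHD_INTERFACE_IDS` as the would-reason when `SFDAQ::can_replace()` is false, but a DAQ that lacks replace support is a different condition from an interface running in IDS mode, so whatever text that reason maps to (not in the hunk) will be misleading for this case. A dedicated `WHD_` value for "DAQ cannot replace" would be more accurate; at minimum a comment on the branch, `// DAQ has no replace capability; reuses the IDS reason until a dedicated one exists`, records the choice. The enclosing function starts before the hunk.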
@@ -588,6 +592,14 @@ void Active::daq_drop_packet(const Packet* p) daq_update_status(p); } +void Active::rewrite_packet(const Packet* p, bool force) +{ + if ( active_action < ACT_REWRITE ) + active_action = ACT_REWRITE; + + update_status(p, force); +} + bool Active::retry_packet(const Packet* p) { if (ACT_RETRY == active_action) @@ -854,4 +866,3 @@ void Active::send_reason_to_daq(Packet& p) if ( reason != -1 ) p.daq_instance->set_packet_verdict_reason(p.daq_msg, reason); } - diff --git a/src/packet_io/active.h b/src/packet_io/active.h index 403ee8ac5..e41ba384d 100644 --- a/src/packet_io/active.h +++ b/src/packet_io/active.h @@ -60,7 +60,7 @@ public: // apply_delayed_action, in a big switch(action). Do away with these and // use the actual (Base)Action objects. enum ActiveActionType : uint8_t - { ACT_TRUST, ACT_ALLOW, ACT_HOLD, ACT_RETRY, ACT_DROP, ACT_BLOCK, ACT_RESET, ACT_MAX }; + { ACT_TRUST, ACT_ALLOW, ACT_HOLD, ACT_RETRY, ACT_REWRITE, ACT_DROP, ACT_BLOCK, ACT_RESET, ACT_MAX }; public: @@ -111,7 +111,7 @@ public: void kill_session(Packet*, EncodeFlags = ENC_FLAG_FWD); - bool can_block() const + bool can_act() const { return active_status == AST_ALLOW or active_status == AST_FORCE; } const char* get_action_string() const @@ -121,6 +121,7 @@ public: void drop_packet(const Packet*, bool force = false); void daq_drop_packet(const Packet*); + void rewrite_packet(const Packet*, bool force = false); bool retry_packet(const Packet*); bool hold_packet(const Packet*); void cancel_packet_hold(); diff --git a/src/piglet_plugins/pp_event_iface.cc b/src/piglet_plugins/pp_event_iface.cc index 6885bea3b..d8cefe6bf 100644 --- a/src/piglet_plugins/pp_event_iface.cc +++ b/src/piglet_plugins/pp_event_iface.cc 
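Review bot: `Active::rewrite_packet` leaves the `active_action < ACT_REWRITE` guard undocumented, and it depends on enum order to make a rewrite lose to a pending drop/block/reset; propose `// never downgrade a stronger pending action (drop/block/reset); enum order is the precedence` above the `if`. A consequence worth stating in the same comment is that a packet that is both replaced and dropped will be reported as dropped only, since nothing records the rewrite separately; if both facts need to be visible, a distinct flag rather than the single action slot would be required.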
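Review bot: Inserting `ACT_REWRITE` in the middle of `ActiveActionType` renumbers `ACT_DROP`, `ACT_BLOCK` and `ACT_RESET`, and the enum carries no comment that its order is load-bearing even though it is compared with `<` in `rewrite_packet`, indexes `act_str[]`, and — judging by the parallel u2spewfoo change — is written as a byte into unified2 records. Propose a comment above the enum: `// order is significant: compared with < for precedence, indexes act_str[], and is persisted as the unified2 action byte (keep u2spewfoo in sync)`. A `static_assert` tying `act_str` rows to the enum is not possible for order alone, so the comment is the main guard.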
@@ -48,13 +48,22 @@ static void set_fields(lua_State* L, int tindex, Event& self) table.get_field("event_reference", value); self.set_event_reference(value); - const char* s = nullptr; - if ( table.get_field("alt_msg", s) && s ) // FIXIT-L shouldn't need both conditions + const char* s_alt_msg = nullptr; + if ( table.get_field("alt_msg", s_alt_msg) && s_alt_msg ) // FIXIT-L shouldn't need both conditions { - self.alt_msg = RawBufferIface.create(L, s).c_str(); + self.alt_msg = RawBufferIface.create(L, s_alt_msg).c_str(); Lua::add_ref(L, &self, "alt_msg", lua_gettop(L)); lua_pop(L, 1); } + + const char* s_action_string = nullptr; + // FIXIT-L shouldn't need both conditions + if ( table.get_field("action_string", s_action_string) && s_action_string ) + { + self.action_string = RawBufferIface.create(L, s_action_string); + Lua::add_ref(L, &self, "action_string", lua_gettop(L)); + lua_pop(L, 1); + } } static void get_fields(lua_State* L, int tindex, Event& self) @@ -66,6 +75,9 @@ static void get_fields(lua_State* L, int tindex, Event& self) if ( self.alt_msg ) table.set_field("alt_msg", self.alt_msg); + + if ( !self.action_string.empty() ) + table.set_field("action_string", self.action_string); } static const luaL_Reg methods[] = diff --git a/tools/u2spewfoo/u2spewfoo.cc b/tools/u2spewfoo/u2spewfoo.cc index ff3f91808..290ce74df 100644 --- a/tools/u2spewfoo/u2spewfoo.cc +++ b/tools/u2spewfoo/u2spewfoo.cc @@ -301,7 +301,7 @@ static const char* get_status(uint8_t stat) static const char* get_action(uint8_t act) { - const char* acts[] = { "trust", "pass", "hold", "retry", "drop", "block", "reset" }; + const char* acts[] = { "trust", "pass", "hold", "retry", "rewrite", "drop", "block", "reset" }; return lookup(acts, sizeof(acts)/sizeof(acts[0]), act); }
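Review bot: The `action_string` branch in `set_fields` copies the value into `self.action_string`, an owning `std::string`, so the `RawBufferIface.create` userdata, the `Lua::add_ref` and the `lua_pop` that keep a Lua-owned buffer alive are only needed for `alt_msg` (a raw `const char*`). The block can shrink to `if ( table.get_field("action_string", s_action_string) && s_action_string ) self.action_string = s_action_string;`, which also stops retaining a Lua object per event for no reason. This assumes `RawBufferIface.create` yields a copyable string-like object rather than something the `std::string` would alias — confirm against its definition.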
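Review bot: Adding "rewrite" at index 4 of `acts[]` in `get_action` changes how every unified2 file written before this change decodes: if the action byte is the raw `ActiveActionType` value, as the parallel enum change suggests, a record stored as 4 ("drop") now prints as "rewrite", 5 ("block") as "drop", and so on. Unless the unified2 record format is versioned or is considered unstable across releases, either the decoder should key on the record version or `ACT_REWRITE` should be appended after `ACT_RESET` so existing values keep their meaning. At minimum a comment here, `// must match Active::ActiveActionType; inserting entries renumbers already-written records`, makes the coupling visible to the next editor.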