From: George Koikara (gkoikara)
Date: Thu, 5 Mar 2020 11:19:24 +0000 (+0000)
Subject: Merge pull request #1986 in SNORT/snort3 from ~APOORAJ/snort3:ftp_whitelist to master
X-Git-Tag: 3.0.0-269~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed55316c7a2a3274b039f121638cce1cf16bdd97;p=thirdparty%2Fsnort3.git
Merge pull request #1986 in SNORT/snort3 from ~APOORAJ/snort3:ftp_whitelist to master
Squashed commit of the following:
commit cd28ecf05fbe5379661772cdd6704ea2d7f8c253
Author: Apoorv Raj
Date: Thu Feb 6 02:57:58 2020 -0500
ftp: Whitelist ftp session after max sig depth reached
---
diff --git a/src/file_api/file_lib.cc b/src/file_api/file_lib.cc
index 1d7621d5c..00e025ef0 100644
--- a/src/file_api/file_lib.cc
+++ b/src/file_api/file_lib.cc
@@ -477,6 +477,10 @@ bool FileContext::process(Packet* p, const uint8_t* file_data, int data_size,
 log_file_event(flow, policy);
 }
+ else
+ {
+ return false;
+ }
 }
 }
 else
diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc
index e23a5d342..daadfdf1b 100644
--- a/src/parser/parse_rule.cc
+++ b/src/parser/parse_rule.cc
@@ -855,8 +855,11 @@ static int mergeDuplicateOtn(
 return false;
 }
+namespace snort
+{
 int get_rule_count()
 { return rule_count; }
+}
 void parse_rule_init()
 {
diff --git a/src/parser/parse_rule.h b/src/parser/parse_rule.h
index 7c855d333..8c0480d25 100644
--- a/src/parser/parse_rule.h
+++ b/src/parser/parse_rule.h
@@ -26,6 +26,7 @@ namespace snort
 {
 struct SnortConfig;
+SO_PUBLIC int get_rule_count();
 }
 struct OptFpList;
 struct OptTreeNode;
@@ -47,7 +48,5 @@ void parse_rule_opt_end(snort::SnortConfig*, const char* key, OptTreeNode*);
 OptTreeNode* parse_rule_open(snort::SnortConfig*, RuleTreeNode&, bool stub = false);
 void parse_rule_close(snort::SnortConfig*, RuleTreeNode&, OptTreeNode*);
-int get_rule_count();
-
 #endif
diff --git a/src/service_inspectors/ftp_telnet/ftp_data.cc b/src/service_inspectors/ftp_telnet/ftp_data.cc
index 6fcdaeb7e..5b0848605 100644
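Review bot: The new `return false` branch in FileContext::process carries no comment, yet this same commit makes a false return load-bearing: FTPDataProcess in ftp_data.cc now ignores the whole data-channel flow whenever process() returns false. The condition that leads here should say so, e.g. `// Nothing more to do for this file; callers may stop feeding data (see FTPDataProcess)`. The if-condition this else pairs with, and the remainder of FileContext::process, lie outside the hunk, so whether other callers of process() treat a false return the same way cannot be checked from here.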
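Review bot: `get_rule_count()` is now exported with SO_PUBLIC and reachable from plugins, but the header gives it no documentation, so a caller cannot tell what is counted; that matters because ftp_data.cc in this commit uses a zero count as the gate for ignoring a flow. Add a one-line comment above the declaration, e.g. `// number of IPS rules parsed into the config (the rule_count static in parse_rule.cc)`; whether that count spans all IPS policies or only one is not visible here and should be stated by someone who knows. The matching definition in parse_rule.cc is simply wrapped in namespace snort, which agrees with this declaration.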
--- a/src/service_inspectors/ftp_telnet/ftp_data.cc
+++ b/src/service_inspectors/ftp_telnet/ftp_data.cc
@@ -27,6 +27,8 @@
 #include "file_api/file_flows.h"
 #include "file_api/file_service.h"
 #include "packet_io/active.h"
+#include "packet_tracer/packet_tracer.h"
+#include "parser/parse_rule.h"
 #include "profiler/profiler.h"
 #include "stream/stream.h"
 #include "utils/util.h"
@@ -96,10 +98,19 @@ static void FTPDataProcess(
 data_ssn->packet_flags |= FTPDATA_FLG_FILENAME_SET;
 }
- /* Ignore the rest of this transfer if file processing is complete
- * and preprocessor was configured to ignore ftp-data sessions. */
- if (!status && data_ssn->data_chan)
- p->flow->set_ignore_direction(SSN_DIR_BOTH);
+ // Ignore the rest of this transfer if file processing is complete
+ // and status is returned false (eg sig not enabled, sig depth exceeded etc)
+ // and no IPS rules are configured.
+ if ( !status )
+ {
+ IpsPolicy* empty_policy = snort::get_empty_ips_policy(SnortConfig::get_conf());
+ if ( !get_rule_count() || (empty_policy->policy_id == p->flow->ips_policy_id) )
+ {
+ if ( PacketTracer::is_active() )
+ PacketTracer::log("Whitelisting Flow: FTP sig depth exceeded\n");
+ p->flow->set_ignore_direction(SSN_DIR_BOTH);
+ }
+ }
 }
 static int SnortFTPData(Packet* p)
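Review bot: The trace message on the `PacketTracer::log` line hard-codes "FTP sig depth exceeded", but the comment three lines above says `status` is false for several reasons (signature not enabled, depth exceeded, etc.), so packet traces will misattribute the reason the flow was ignored; use a neutral message such as `PacketTracer::log("Whitelisting Flow: FTP file processing done, no IPS rules apply\n");`. Dropping the `data_ssn->data_chan` gate also means the flow is now ignored in both directions regardless of the inspector's ignore-data-channel setting, with the only remaining guards being a global `get_rule_count()` of zero or the flow sitting in the empty IPS policy; since set_ignore_direction(SSN_DIR_BOTH) ends all further inspection of that data channel, a comment stating that this decoupling from the option is intentional would help the next reader. `empty_policy` is dereferenced without a null check on the following line; if `get_empty_ips_policy()` can return null (not visible here), guard it. FTPDataProcess's body begins outside the hunk, so where `status` is computed is not visible.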