From: Bhagya Tholpady (bbantwal) Date: Mon, 5 Oct 2020 15:13:35 +0000 (+0000) Subject: Merge pull request #2504 in SNORT/snort3 from ~SVLASIUK/snort3:rule_state_cleanup... X-Git-Tag: 3.0.3-2~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa6b12ee156eb3d0352fe99ca861775edbe6653c;p=thirdparty%2Fsnort3.git Merge pull request #2504 in SNORT/snort3 from ~SVLASIUK/snort3:rule_state_cleanup to master Squashed commit of the following: commit 1d46cc8fea3a37a18dc4c6dc1dbd882796131760 Author: Serhii Vlasiuk Date: Thu Oct 1 18:42:11 2020 +0300 snort2lua: convert rule_state into ips.states commit 2c87618a426b72b58f52300b3928014e166832e3 Author: Serhii Vlasiuk Date: Thu Oct 1 18:39:22 2020 +0300 main: remove deprecated rule_state module --- diff --git a/doc/user/params.txt b/doc/user/params.txt index e3b2b4865..d9eb2c8df 100644 --- a/doc/user/params.txt +++ b/doc/user/params.txt @@ -32,8 +32,7 @@ information about the type and use of the parameter: * IPS rules may also have a wild card parameter, which is indicated by a *. Used for unquoted, comma-separated lists such as service and metadata. * The snort module has command line options starting with a -. -* $ denotes variable names, eg rule_state.$gid_sid which would be used - like rule_state["1:23456"] = { }. +* $ denotes variable names. Some additional details to note: diff --git a/src/main/modules.cc b/src/main/modules.cc index 34d6d5437..76428b53b 100644 --- a/src/main/modules.cc +++ b/src/main/modules.cc @@ -1818,120 +1818,6 @@ bool RateFilterModule::end(const char*, int idx, SnortConfig* sc) return true; } -//------------------------------------------------------------------------- -// rule_state module -//------------------------------------------------------------------------- - -static const Parameter single_rule_state_params[] = -{ - { "action", Parameter::PT_ENUM, - "log | pass | alert | drop | block | reset", "alert", - "apply action if rule matches or inherit from rule definition" }, - - { "enable", Parameter::PT_ENUM, "no | yes | inherit", "inherit", - "enable or disable rule in current ips policy or use default defined by ips policy" }, - - { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } -}; - -static const Parameter rule_state_params[] = -{ - { "$gid_sid", Parameter::PT_LIST, single_rule_state_params, nullptr, - "defines rule state parameters for gid:sid" }, - - { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } -}; - -#define rule_state_help \ - "enable/disable and set actions for specific IPS rules; " \ - "deprecated, use rule state stubs with enable instead" - -class RuleStateModule : public Module -{ -public: - RuleStateModule() : Module("rule_state", rule_state_help, rule_state_params, false) { } - - bool set(const char*, Value&, SnortConfig*) override; - bool begin(const char*, int, SnortConfig*) override; - bool end(const char*, int, SnortConfig*) override; - - bool matches(const char*, std::string&) override; - - Usage get_usage() const override - { return DETECT; } - -private: - RuleKey key; - RuleState state; -}; - -bool RuleStateModule::matches(const char* param, std::string& name) -{ - if ( strcmp(param, "$gid_sid") ) - return false; - - std::stringstream ss(name); - char sep; - - ss >> key.gid >> sep >> key.sid; - - if ( key.gid and key.sid and sep == ':' ) - return true; - - return false; -} - -bool RuleStateModule::set(const char* fqn, Value& v, SnortConfig*) -{ - // the name itself is passed as the fqn when declaring rule_state = { } - if ( !strcmp(fqn, "$gid_sid") ) - return true; - - if ( key.gid and key.sid ) - { - if ( v.is("action") ) - { - state.rule_action = v.get_string(); - state.action = snort::Actions::Type(v.get_uint8() + 1); - } - - else if ( v.is("enable") ) - state.enable = IpsPolicy::Enable(v.get_uint8()); - } - else - return false; - - return true; -} - -bool RuleStateModule::begin(const char*, int, SnortConfig* sc) -{ - if ( !sc->rule_states ) - sc->rule_states = new RuleStateMap; - - else - { - key = { 0, 0, 0 }; - state.action = snort::Actions::Type::ALERT; - state.enable = IpsPolicy::Enable::INHERIT_ENABLE; - } - return true; -} - -bool RuleStateModule::end(const char* fqn, int, SnortConfig* sc) -{ - if ( !strcmp(fqn, "rule_state") ) - return true; - - if ( !key.gid or !key.sid ) - return false; - - key.policy_id = snort::get_ips_policy()->policy_id; - sc->rule_states->add(key, state); - - return true; -} - //------------------------------------------------------------------------- // hosts module //------------------------------------------------------------------------- @@ -2104,7 +1990,6 @@ void module_init() ModuleManager::add_module(new ProcessModule); ModuleManager::add_module(new ProfilerModule); ModuleManager::add_module(new ReferencesModule); - ModuleManager::add_module(new RuleStateModule); ModuleManager::add_module(new SearchEngineModule); ModuleManager::add_module(new SFDAQModule); ModuleManager::add_module(new PayloadInjectorModule); diff --git a/src/main/shell.cc b/src/main/shell.cc index 791dd99c7..3889ebdc9 100644 --- a/src/main/shell.cc +++ b/src/main/shell.cc @@ -211,19 +211,13 @@ void Shell::set_config_value(const std::string& fqn, const snort::Value& value) if ( !s_config_output || !s_current_node ) return; - // lua interpreter does not call open_table for simple list items like (string) or - // special rule_state list items - // We have to add tree node for this item too + // lua interpreter does not call open_table for simple list items like (string) + // we have to add tree node for this item if ( s_current_node->get_type() == Parameter::PT_LIST ) { - auto node = s_current_node->get_node(""); - if ( !node || s_current_node->get_name().find(":") == std::string::npos ) - { - node = new TreeConfigNode(s_current_node, "", Parameter::PT_TABLE); - s_current_node->add_child_node(node); - } - - node->add_child_node(new ValueConfigNode(node, value)); + add_config_child_node("", Parameter::PT_TABLE); + s_current_node->add_child_node(new ValueConfigNode(s_current_node, value)); + s_current_node = s_current_node->get_parent_node(); return; } diff --git a/src/managers/coreinit.lua b/src/managers/coreinit.lua index bf02b77ea..b214cb393 100644 --- a/src/managers/coreinit.lua +++ b/src/managers/coreinit.lua @@ -61,7 +61,6 @@ port_scan = { } -- opt in profiler = { } -- don't activate rate_filter = { } -- pure list references = { } -- pure list -rule_state = { } -- pure list side_channel = { } -- leaks! snort = { } -- command line only suppress = { } -- pure list diff --git a/tools/snort2lua/conversion_state.h b/tools/snort2lua/conversion_state.h index 80b37b4b4..60fb9973f 100644 --- a/tools/snort2lua/conversion_state.h +++ b/tools/snort2lua/conversion_state.h @@ -28,6 +28,7 @@ class DataApi; class RuleApi; +class StateApi; class TableApi; class ConversionState @@ -37,7 +38,8 @@ public: // FIXIT-L these should be removed and accessed through cv data_api(c.get_data_api()), table_api(c.get_table_api()), - rule_api(c.get_rule_api()) + rule_api(c.get_rule_api()), + state_api(c.get_state_api()) { } virtual ~ConversionState() = default; virtual bool convert(std::istringstream& data)=0; @@ -47,6 +49,7 @@ protected: DataApi& data_api; TableApi& table_api; RuleApi& rule_api; + StateApi& state_api; inline bool eat_option(std::istringstream& stream) { diff --git a/tools/snort2lua/data/CMakeLists.txt b/tools/snort2lua/data/CMakeLists.txt index 00532b803..3c19e3fd1 100644 --- a/tools/snort2lua/data/CMakeLists.txt +++ b/tools/snort2lua/data/CMakeLists.txt @@ -4,9 +4,11 @@ add_subdirectory (data_types) add_library( conversion_data OBJECT dt_data.h dt_data.cc - dt_table_api.h - dt_table_api.cc dt_rule_api.h dt_rule_api.cc + dt_state_api.h + dt_state_api.cc + dt_table_api.h + dt_table_api.cc ) diff --git a/tools/snort2lua/data/dt_state_api.cc b/tools/snort2lua/data/dt_state_api.cc new file mode 100644 index 000000000..ce21c08ed --- /dev/null +++ b/tools/snort2lua/data/dt_state_api.cc @@ -0,0 +1,73 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// dt_state_api.cc author Serhii Vlasiuk + +#include "data/dt_state_api.h" + +#include "data/data_types/dt_rule.h" + +void StateApi::create_state() +{ + curr_state = new Rule(); + states.push_back(curr_state); +} + +void StateApi::clear() +{ + for (auto s : states) + delete s; + + states.clear(); +} + +bool StateApi::empty() const +{ + return states.empty(); +} + +void StateApi::set_action(const std::string& action) +{ + if ( curr_state ) + curr_state->add_hdr_data(action); +} + +void StateApi::add_option(const std::string& name, const std::string& val) +{ + if ( curr_state ) + curr_state->add_option(name, val); +} + +void StateApi::add_comment(const std::string& comment) +{ + if ( curr_state ) + curr_state->add_comment(comment); +} + +void StateApi::print_states(std::ostream& out) const +{ + if ( states.empty() ) + return; + + out << "local_states =\n[[\n"; + + for (const auto r : states) + out << (*r) << "\n"; + + out << "]]\n\n"; +} + diff --git a/tools/snort2lua/data/dt_state_api.h b/tools/snort2lua/data/dt_state_api.h new file mode 100644 index 000000000..831de4a84 --- /dev/null +++ b/tools/snort2lua/data/dt_state_api.h @@ -0,0 +1,48 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// dt_state_api.h author Serhii Vlasiuk + +#ifndef DATA_DT_STATE_API_H +#define DATA_DT_STATE_API_H + +#include +#include + +class Rule; + +class StateApi +{ +public: + StateApi() = default; + ~StateApi() = default; + + void create_state(); + void clear(); + bool empty() const; + void add_option(const std::string& keyword, const std::string& val); + void add_comment(const std::string& comment); + void set_action(const std::string& action); + void print_states(std::ostream& out) const; + +private: + std::vector states; + Rule* curr_state = nullptr; +}; + +#endif + diff --git a/tools/snort2lua/helpers/converter.cc b/tools/snort2lua/helpers/converter.cc index 934d44197..717bb9eb2 100644 --- a/tools/snort2lua/helpers/converter.cc +++ b/tools/snort2lua/helpers/converter.cc @@ -48,7 +48,6 @@ TableDelegation table_delegation = { "ips", true }, { "network", true }, { "normalizer", true }, - { "rule_state", true }, { "stream_tcp", true }, { "suppress", true }, }; @@ -489,6 +488,15 @@ int Converter::convert( out << "\n"; data_api.print_data(out); + if (!state_api.empty()) + { + table_api.open_top_level_table("ips"); + state_api.print_states(out); + state_api.clear(); + table_api.add_option("states", "$local_states"); + table_api.close_table(); + } + if (!rule_api.empty()) { data_api.print_local_variables(out); diff --git a/tools/snort2lua/helpers/converter.h b/tools/snort2lua/helpers/converter.h index 3edf019a3..07798e935 100644 --- a/tools/snort2lua/helpers/converter.h +++ b/tools/snort2lua/helpers/converter.h @@ -23,6 +23,7 @@ #include "conversion_defines.h" #include "data/dt_data.h" #include "data/dt_rule_api.h" +#include "data/dt_state_api.h" #include "data/dt_table_api.h" #include "helpers/util_binder.h" @@ -122,6 +123,9 @@ public: inline RuleApi& get_rule_api() { return rule_api; } + inline StateApi& get_state_api() + { return state_api; } + bool added_ftp_data() const { return ftp_data_is_added; } @@ -152,6 +156,9 @@ private: TableApi table_api; RuleApi rule_api; + + StateApi state_api; + std::vector> binders; // the current parsing state. diff --git a/tools/snort2lua/keyword_states/kws_rule_state.cc b/tools/snort2lua/keyword_states/kws_rule_state.cc index 3913890a9..d3a8a1c3a 100644 --- a/tools/snort2lua/keyword_states/kws_rule_state.cc +++ b/tools/snort2lua/keyword_states/kws_rule_state.cc @@ -52,8 +52,6 @@ bool RuleState::convert(std::istringstream& data_stream) table_api.open_table("detection"); table_api.add_option("global_rule_state", true); table_api.close_table(); - table_api.open_table("rule_state"); - table_api.close_table(); } string gid; @@ -104,13 +102,14 @@ bool RuleState::convert(std::istringstream& data_stream) if ( retval ) { - string key = gid + ":" + sid; - table_api.open_associative_table("rule_state", key.c_str()); + state_api.create_state(); + state_api.add_option("gid", gid); + state_api.add_option("sid", sid); if ( !enable.empty() ) { - table_api.add_diff_option_comment("enabled/disabled", "enable"); - table_api.add_option("enable", enable); + state_api.add_option("enable", enable); + state_api.add_comment("option change: 'enabled/disabled' --> 'enable'"); } if ( !action.empty() ) @@ -118,13 +117,11 @@ bool RuleState::convert(std::istringstream& data_stream) if ( action == "sdrop" ) { action = "drop"; - table_api.add_diff_option_comment("sdrop", "drop"); + state_api.add_comment("action change: 'sdrop' --> 'drop'"); } - table_api.add_option("action", action); + state_api.set_action(action); } - - table_api.close_table(); } return retval;