From: Russ Combs (rucombs) Date: Wed, 3 Nov 2021 16:37:59 +0000 (+0000) Subject: Pull request #3141: detection: add allow_missing_so_rules X-Git-Tag: 3.1.17.0~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc6b087d77869ab72d091b81e6b6bd817bb2ed6f;p=thirdparty%2Fsnort3.git Pull request #3141: detection: add allow_missing_so_rules Merge in SNORT/snort3 from ~RUCOMBS/snort3:allow_missing_so_rules to master Squashed commit of the following: commit 2ad1178e988cef483957cc27644ec6e7f70a1253 Author: russ Date: Wed Nov 3 10:14:11 2021 -0400 build: remove HAVE_HYPERSCAN conditional from installed header Installed headers can't have conditional struct members since plugins don't have config.h. In this case the hyperscan-related variables are now always present. commit 4d5aa95485dfd13ebad9cec518b92dfedf0b89dd Author: russ Date: Thu Oct 28 09:39:33 2021 -0400 detection: add allow_missing_so_rules By default, missing SO rules cause an error. Set this to true to report warnings instead. This is helpful when your rule package is out of date. This should not be enabled in a production environment. --- diff --git a/src/detection/detection_module.cc b/src/detection/detection_module.cc index 169e2012a..29c7d3119 100644 --- a/src/detection/detection_module.cc +++ b/src/detection/detection_module.cc @@ -55,6 +55,9 @@ static const TraceOption detection_trace_options[] = static const Parameter detection_params[] = { + { "allow_missing_so_rules", Parameter::PT_BOOL, nullptr, "false", + "warn (true) or error (false) when an SO rule stub refers to an SO rule that isn't loaded" }, + { "asn1", Parameter::PT_INT, "0:65535", "0", "maximum decode nodes" }, 
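Review bot: The help string added for `allow_missing_so_rules` in `detection_params` does not say that the affected rule ends up without detection, nor that the option is not meant for production; that caveat exists only in the commit message. This text is what operators see in the option help, so I would put the caveat there, e.g. `"warn and skip the rule (true) or error (false) when an SO rule stub refers to an SO rule that isn't loaded; not for production use"`. The "skip" wording is inferred from the parse_rule.cc hunk, where the rule tree node is freed after the warning, so confirm it against the rest of `parse_rule_close`. The parameter table continues outside the hunk.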
@@ -129,7 +132,10 @@ bool DetectionModule::end(const char*, int, SnortConfig* sc) bool DetectionModule::set(const char*, Value& v, SnortConfig* sc) { - if ( v.is("asn1") ) + if ( v.is("allow_missing_so_rules") ) + sc->allow_missing_so_rules = v.get_bool(); + + else if ( v.is("asn1") ) sc->asn1_mem = v.get_uint16(); else if ( v.is("global_default_rule_state") ) diff --git a/src/main/snort_config.h b/src/main/snort_config.h index eaf01791b..8f7d85681 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -254,13 +254,12 @@ public: unsigned offload_limit = 99999; // disabled unsigned offload_threads = 0; // disabled -#ifdef HAVE_HYPERSCAN bool hyperscan_literals = false; bool pcre_to_regex = false; -#endif bool global_rule_state = false; bool global_default_rule_state = true; + bool allow_missing_so_rules = false; //------------------------------------------------------ // process stuff diff --git a/src/managers/plugin_manager.cc b/src/managers/plugin_manager.cc index 3e44ed6f0..5cafa4c04 100644 --- a/src/managers/plugin_manager.cc +++ b/src/managers/plugin_manager.cc @@ -196,8 +196,8 @@ static bool register_plugin( if ( api->api_version != sym->version ) { - ParseWarning(WARN_PLUGINS, "%s: version mismatch; expected %u, got %u", - api->name, sym->version, api->version); + ParseWarning(WARN_PLUGINS, "%s: version mismatch; expected 0x%x, got 0x%x", + api->name, sym->version, api->api_version); return false; } diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc index d45b6d825..33df6c67c 100644 --- a/src/parser/parse_rule.cc +++ b/src/parser/parse_rule.cc @@ -1103,7 +1103,11 @@ void parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* otn) if ( !rule ) { - ParseError("SO rule %s not loaded.", otn->soid); + if ( sc->allow_missing_so_rules ) + ParseWarning(WARN_RULES, "SO rule %s not loaded.", otn->soid); + else + ParseError("SO rule %s not loaded.", otn->soid); + FreeRuleTreeNode(&rtn); } else
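Review bot: Dropping the `#ifdef HAVE_HYPERSCAN` guard and adding `bool allow_missing_so_rules = false;` can change the layout of this type in an installed header, and nothing in this diff shows a plugin API version bump to go with it. A plugin binary built against the previous header could then read the members that follow at stale offsets. If the base API version is not bumped elsewhere in the series, it should be, so that the `api->api_version != sym->version` check in `register_plugin` rejects old binaries instead of loading them. The type's declaration starts and ends outside the hunk.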
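Review bot: With `allow_missing_so_rules` set, the `if ( !rule )` branch in `parse_rule_close` downgrades a missing SO rule to `ParseWarning(WARN_RULES, ...)` and still calls `FreeRuleTreeNode(&rtn)`, so the sensor starts up with that rule providing no detection. Because the message goes through a warning group, it is presumably only printed when rule warnings are enabled, which would make the coverage gap silent in a default run; please confirm how `WARN_RULES` is gated. I would add a comment above the new branch such as `// stub is dropped: no detection for this rule until its SO rule is loaded`. Also consider counting skipped stubs so startup can report the total regardless of warning flags. The function body starts and ends outside the hunk.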