From: Shivani Bhardwaj
Date: Fri, 23 Aug 2024 06:57:35 +0000 (+0530)
Subject: flow/pkts: allow matching on either direction
X-Git-Tag: suricata-8.0.0-beta1~579
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F12373%2Fhead;p=thirdparty%2Fsuricata.git
flow/pkts: allow matching on either direction
For flow.bytes and flow.pkts keywords, allow matching in either direction. Feature 5646
---
diff --git a/doc/userguide/rules/flow-keywords.rst b/doc/userguide/rules/flow-keywords.rst
index 2ab6128e72..3ba6bbe06a 100644
--- a/doc/userguide/rules/flow-keywords.rst
+++ b/doc/userguide/rules/flow-keywords.rst
@@ -331,6 +331,8 @@ following directions: * toserver +* either + Syntax:: flow.pkts:,[op]
@@ -339,6 +341,7 @@ The number of packets can be matched exactly, or compared using the _op_ setting flow.pkts:toclient,3 # exactly 3 flow.pkts:toserver,<3 # smaller than 3 + flow.pkts:either,>=2 # greater than or equal to 2 Signature example::
@@ -361,6 +364,8 @@ following directions: * toserver +* either + Syntax:: flow.bytes:,[op]
@@ -369,6 +374,7 @@ The number of bytes can be matched exactly, or compared using the _op_ setting:: flow.bytes:toclient,3 # exactly 3 flow.bytes:toserver,<3 # smaller than 3 + flow.bytes:either,>=2 # greater than or equal to 2 Signature example::
diff --git a/src/detect-flow-pkts.c b/src/detect-flow-pkts.c
index 884ba2f1cb..0ed1b48775 100644
--- a/src/detect-flow-pkts.c
+++ b/src/detect-flow-pkts.c
@@ -26,6 +26,7 @@ enum FlowDirection {
 DETECT_FLOW_TOSERVER = 1,
 DETECT_FLOW_TOCLIENT,
+ DETECT_FLOW_TOEITHER,
 };
 typedef struct DetectFlowPkts_ { 
@@ -50,6 +51,11 @@ static int DetectFlowPktsMatch(
 return DetectU32Match(p->flow->todstpktcnt, df->pkt_data);
 } else if (df->dir == DETECT_FLOW_TOCLIENT) {
 return DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data);
+ } else if (df->dir == DETECT_FLOW_TOEITHER) {
+ if (DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data)) {
+ return 1;
+ }
+ return DetectU32Match(p->flow->todstpktcnt, df->pkt_data);
 }
 return 0;
 }
@@ -141,6 +147,8 @@ static int DetectFlowPktsSetup(DetectEngineCtx *de_ctx, Signature *s, const char
 dir = DETECT_FLOW_TOSERVER;
 } else if (strcmp(token, "toclient") == 0) {
 dir = DETECT_FLOW_TOCLIENT;
+ } else if (strcmp(token, "either") == 0) {
+ dir = DETECT_FLOW_TOEITHER;
 } else {
 SCLogError("Invalid direction given: %s", token);
 return -1;
@@ -277,6 +285,11 @@ static int DetectFlowBytesMatch(
 return DetectU64Match(p->flow->todstbytecnt, df->byte_data);
 } else if (df->dir == DETECT_FLOW_TOCLIENT) {
 return DetectU64Match(p->flow->tosrcbytecnt, df->byte_data);
+ } else if (df->dir == DETECT_FLOW_TOEITHER) {
+ if (DetectU64Match(p->flow->tosrcbytecnt, df->byte_data)) {
+ return 1;
+ }
+ return DetectU64Match(p->flow->todstbytecnt, df->byte_data);
 }
 return 0;
 }
@@ -368,6 +381,8 @@ static int DetectFlowBytesSetup(DetectEngineCtx *de_ctx, Signature *s, const cha
 dir = DETECT_FLOW_TOSERVER;
 } else if (strcmp(token, "toclient") == 0) {
 dir = DETECT_FLOW_TOCLIENT;
+ } else if (strcmp(token, "either") == 0) {
+ dir = DETECT_FLOW_TOEITHER;
 } else {
 SCLogError("Invalid direction given: %s", token);
 return -1;
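Review bot: The new `DETECT_FLOW_TOEITHER` branch in `DetectFlowPktsMatch` never states that "either" is an OR over the two per-direction counters rather than a test on their sum, and that distinction bites with the `<`/`<=` operators: on a young flow one of `tosrcpktcnt`/`todstpktcnt` is still 0, so a rule such as `flow.pkts:either,<3` fires on every flow until both directions have reached 3, which is not what the documented `>=2` example suggests. A one-line comment at the top of the branch would spare rule writers and the next maintainer that surprise, e.g. `/* "either": match when at least one direction's count matches; with < and <= this is true while one direction is still empty */`. As a point of style, the nested `if`/`return 1` can collapse into a single `return DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data) || DetectU32Match(p->flow->todstpktcnt, df->pkt_data);`. The same two remarks apply to the `DetectFlowBytesMatch` hunk (`@@ -277,6 +285,11 @@`) with `DetectU64Match` and the byte counters. Both match functions start outside their hunks, so I cannot confirm from here how `p->flow` is guarded before these lines.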
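Review bot: The direction parser in `DetectFlowPktsSetup` now has three `strcmp` arms that are duplicated verbatim in `DetectFlowBytesSetup` (`@@ -368,6 +381,8 @@`), so the accepted keyword set and the "Invalid direction given" error path live in two places and the next direction has to be added twice. A small static helper that maps the token to the enum keeps that list in one spot and lets both setup functions share the error handling; the sketch below assumes `dir` is an `enum FlowDirection` local in each setup function, which is not visible in the hunk. Both setup functions start outside their hunks, so the surrounding token parsing is unverified here.
```c
/* Map a flow.pkts/flow.bytes direction token to its enum value.
 * Returns 0 on success, -1 (after logging) on an unknown token. */
static int DetectFlowDirectionParse(const char *token, enum FlowDirection *dir)
{
    if (strcmp(token, "toserver") == 0) {
        *dir = DETECT_FLOW_TOSERVER;
    } else if (strcmp(token, "toclient") == 0) {
        *dir = DETECT_FLOW_TOCLIENT;
    } else if (strcmp(token, "either") == 0) {
        *dir = DETECT_FLOW_TOEITHER;
    } else {
        SCLogError("Invalid direction given: %s", token);
        return -1;
    }
    return 0;
}

/* … unchanged: DetectFlowPktsSetup up to the direction token … */
    if (DetectFlowDirectionParse(token, &dir) < 0) {
        return -1;
    }
/* … unchanged: rest of DetectFlowPktsSetup; same replacement in DetectFlowBytesSetup … */
```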