From: Juliana Fajardini Date: Tue, 6 Sep 2022 19:16:45 +0000 (-0300) Subject: exceptions: add reject support to exception policy X-Git-Tag: suricata-6.0.7~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F7852%2Fhead;p=thirdparty%2Fsuricata.git exceptions: add reject support to exception policy This enables the usage of 'reject' as an exception policy. As for both IPS and IDS modes the intended result of sending a reject packet is to reject the related flow, this will effectively mean setting the reject action to the packet that triggered the exception condition, and then dropping the associated flow. Task #5503 (cherry picked from commit bbd968c738230b4f77de3278994c4fd5aa859dcd) --- diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 616fa71768..b60d797c9e 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -1000,7 +1000,8 @@ thread ensures that wherever possible and within the memcap. there will be 10000 flows prepared. In IPS mode, a memcap-policy exception policy can be set, telling Suricata -what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'ignore'. +what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'reject', +'ignore'. :: @@ -1101,7 +1102,8 @@ be recognized by Suricata. The stream-engine has two memcaps that can be set. One for the stream-tracking-engine and one for the reassembly-engine. For both cases, in IPS mode, an exception policy (memcap-policy) can be set, telling Suricata -what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'ignore'. +what to do in case memcap is hit: 'drop-flow', 'pass-flow', 'bypass', 'reject', +'ignore'. The stream-tracking-engine keeps information of the flow in memory. Information about the state, TCP-sequence-numbers and the TCP 
@@ -1192,7 +1194,7 @@ The reassembly-engine has to keep data segments in memory in order to be able to reconstruct a stream. To avoid resource starvation a memcap is used to limit the memory used. In IPS mode, an exception policy (memcap-policy) can be set, telling Suricata what to do in case memcap -is hit: 'drop-flow', 'pass-flow', 'bypass', 'ignore'. +is hit: 'drop-flow', 'pass-flow', 'bypass', 'reject', 'ignore'. Reassembling a stream is an expensive operation. With the option depth you can control how far into a stream reassembly is done. By default @@ -1255,8 +1257,8 @@ The ``app-layer`` section holds application layer specific configurations. A in IPS mode, a global exception policy accessed via the ``error-policy`` setting can be defined to indicate what the engine should do in case if encounters an app-layer error. Possible values are "drop-flow", "pass-flow", -"bypass", "drop-packet", "pass-packet" or "ignore" (which will mean keeping -the default behavior). +"bypass", "drop-packet", "pass-packet", "reject" or "ignore" (which will mean +keeping the default behavior). Each supported protocol will have a dedicated subsection under ``protocols``. diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c index ea7d72dcfc..b8361c6328 100644 --- a/src/util-exception-policy.c +++ b/src/util-exception-policy.c @@ -31,6 +31,10 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro switch (policy) { case EXCEPTION_POLICY_IGNORE: break; + case EXCEPTION_POLICY_REJECT: + SCLogDebug("EXCEPTION_POLICY_REJECT"); + PacketDrop(p, ACTION_REJECT, drop_reason); + /* fall through */ case EXCEPTION_POLICY_DROP_FLOW: SCLogDebug("EXCEPTION_POLICY_DROP_FLOW"); if (p->flow) { 
@@ -87,6 +91,9 @@ enum ExceptionPolicy ExceptionPolicyParse(const char *option, const bool support } else if (strcmp(value_str, "pass-packet") == 0) { policy = EXCEPTION_POLICY_PASS_PACKET; SCLogConfig("%s: %s", option, value_str); + } else if (strcmp(value_str, "reject") == 0) { + policy = EXCEPTION_POLICY_REJECT; + SCLogConfig("%s: %s", option, value_str); } else if (strcmp(value_str, "ignore") == 0) { // TODO name? policy = EXCEPTION_POLICY_IGNORE; SCLogConfig("%s: %s", option, value_str); diff --git a/src/util-exception-policy.h b/src/util-exception-policy.h index 093a93924c..0a3b78d9f7 100644 --- a/src/util-exception-policy.h +++ b/src/util-exception-policy.h @@ -29,6 +29,7 @@ enum ExceptionPolicy { EXCEPTION_POLICY_BYPASS_FLOW, EXCEPTION_POLICY_DROP_PACKET, EXCEPTION_POLICY_DROP_FLOW, + EXCEPTION_POLICY_REJECT, }; void ExceptionPolicyApply( diff --git a/suricata.yaml.in b/suricata.yaml.in index aa43f255be..13bb75caf6 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -717,8 +717,8 @@ pcap-file: # Configure the app-layer parsers. # # The error-policy setting applies to all app-layer parsers. Values can be -# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet" or "ignore" -# (the default). +# "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", "reject" or +# "ignore" (the default). # # The protocol's section details each protocol. # @@ -1159,7 +1159,7 @@ host-os-policy: # Defrag settings: # The memcap-policy value can be "drop-flow", "pass-flow", "bypass", -# "drop-packet", "pass-packet" or "ignore" (which is the default). +# "drop-packet", "pass-packet", "reject" or "ignore" (which is the default). defrag: memcap: 32mb # memcap-policy: ignore 
@@ -1203,7 +1203,7 @@ defrag: # The memcap can be specified in kb, mb, gb. Just a number indicates it's # in bytes. # The memcap-policy can be "drop-flow", "pass-flow", "bypass", "drop-packet", -# "pass-packet" or "ignore" (which is the default). +# "pass-packet", "reject" or "ignore" (which is the default). flow: memcap: 128mb @@ -1281,8 +1281,8 @@ flow-timeouts: # memcap: 64mb # Can be specified in kb, mb, gb. Just a # # number indicates it's in bytes. # memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", -# # "drop-packet", "pass-packet" or "ignore" -# # default is "ignore" +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" # checksum-validation: yes # To validate the checksum of received # # packet. If csum validation is specified as # # "yes", then packets with invalid csum values will not @@ -1295,8 +1295,8 @@ flow-timeouts: # prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread # midstream: false # don't allow midstream session pickups # midstream-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", -# # "drop-packet", "pass-packet" or "ignore" -# # default is "ignore" +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" # async-oneside: false # don't enable async stream handling # inline: no # stream inline mode # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine @@ -1309,8 +1309,8 @@ flow-timeouts: # memcap: 256mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. # memcap-policy: ignore # Can be "drop-flow", "pass-flow", "bypass", -# # "drop-packet", "pass-packet" or "ignore" -# # default is "ignore" +# # "drop-packet", "pass-packet", "reject" or +# # "ignore" default is "ignore" # depth: 1mb # Can be specified in kb, mb, gb. Just a number # # indicates it's in bytes. # toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
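Review bot: the value lists in the suricata-yaml.rst hunks at -1000 (flow), -1101 (stream) and -1192 (reassembly) disagree with what this same patch writes into suricata.yaml.in for the same settings. The rst lists 'drop-flow', 'pass-flow', 'bypass', 'reject', 'ignore', while the yaml.in hunks at -1203 (flow memcap-policy) and -1281/-1309 (stream memcap-policy) also list "drop-packet" and "pass-packet". Since these lines are being rewritten anyway, align the two, or say in the rst why the packet-level policies are not valid here. The rst paragraphs also all say "In IPS mode", but the commit message states that 'reject' is meant to work in both IPS and IDS modes; a sentence noting that 'reject' also applies in IDS mode, because the reject packet is sent regardless of the drop, would save users a trip to the source.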
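Review bot: the context line above the app-layer hunk at -1255 in suricata-yaml.rst reads "in case if encounters an app-layer error" and should be "in case it encounters an app-layer error"; worth fixing while this paragraph is touched. The same paragraph only lists "reject" as a value and never says what it does. One sentence from the commit message would do, e.g. "reject" sends a reject packet for the packet that triggered the error and then drops the flow.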
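Review bot: in the ExceptionPolicyApply hunk in src/util-exception-policy.c, the new case calls PacketDrop(p, ACTION_REJECT, drop_reason) and then falls through into EXCEPTION_POLICY_DROP_FLOW, so whatever that case does to the packet runs after the reject action has been set. If the DROP_FLOW case also calls PacketDrop with ACTION_DROP, please confirm that this does not replace ACTION_REJECT on the packet; otherwise the reject packet would never be sent and the policy would silently behave like drop-flow. Either way, the bare /* fall through */ deserves a comment stating the intent (reject this packet, then drop the rest of the flow), since that is the whole semantics of the new policy and it is only recoverable from the commit message.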
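Review bot: in the ExceptionPolicyParse hunk, "reject" is accepted with the same SCLogConfig line as the other values, which is consistent; but if the final branch of this strcmp chain reports the accepted values on an unknown string (not visible in this hunk), "reject" needs adding there as well, and the // TODO name? comment on the "ignore" branch is still unresolved. In the src/util-exception-policy.h hunk, EXCEPTION_POLICY_REJECT is appended after EXCEPTION_POLICY_DROP_FLOW; any table indexed by enum ExceptionPolicy, or any switch that has no default and is compiled with -Wswitch, will need a matching entry, and none is in this diff.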
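Review bot: in the suricata.yaml.in hunks at -1281, -1295 and -1309, the rewrap turns the comment into `# "ignore" default is "ignore"` on one line, which reads as if it were one sentence. Keep the list and the default on separate lines, e.g. `# "drop-packet", "pass-packet", "reject" or "ignore"` followed by `# default is "ignore"`, as the original had.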