typedef struct PacketAlerts_ {
uint16_t cnt;
PacketAlert alerts[PACKET_ALERT_MAX];
+ /* single pa used when we're dropping,
+ * so we can log it out in the drop log. */
+ PacketAlert drop;
} PacketAlerts;
/** number of decoder events we support per packet. Power of 2 minus 1
(p)->payload_len = 0; \
(p)->pktlen = 0; \
(p)->alerts.cnt = 0; \
+ (p)->alerts.drop.action = 0; \
(p)->pcap_cnt = 0; \
(p)->tunnel_rtv_cnt = 0; \
(p)->tunnel_tpr_cnt = 0; \
}
}
- /* set verdict on packet */
- PACKET_UPDATE_ACTION(p, p->alerts.alerts[i].action);
+ /* set actions on packet */
+ DetectSignatureApplyActions(p, p->alerts.alerts[i].s);
if (PACKET_TEST_ACTION(p, ACTION_PASS)) {
/* Ok, reset the alert cnt to end in the previous of pass
PacketAlertAppend(det_ctx, s, p, 0, 0);
} else {
/* apply actions for noalert/rule suppressed as well */
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
}
}
}
PacketAlertAppend(det_ctx, s, p, tx_id,
PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_TX);
} else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
}
alert_cnt = 1;
PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH);
} else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
}
alert_cnt = 1;
PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH);
} else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
}
}
PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH);
} else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
}
alert_cnt = 1;
}
PacketAlertAppend(det_ctx, s, p, 0,
PACKET_ALERT_FLAG_STATE_MATCH);
} else {
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
}
}
PacketAlertAppend(det_ctx, s, p, 0, alert_flags);
} else {
/* apply actions even if not alerting */
- PACKET_UPDATE_ACTION(p, s->action);
+ DetectSignatureApplyActions(p, s);
}
alerts++;
next:
SCReturnInt((int)(alerts > 0));
}
+/** \brief Apply action(s) and Set 'drop' sig info,
+ * if applicable */
+void DetectSignatureApplyActions(Packet *p, const Signature *s)
+{
+ PACKET_UPDATE_ACTION(p, s->action);
+
+ if (s->action & ACTION_DROP) {
+ if (p->alerts.drop.action == 0) {
+ p->alerts.drop.num = s->num;
+ p->alerts.drop.action = s->action;
+ p->alerts.drop.s = (Signature *)s;
+ }
+ }
+}
+
/* tm module api functions */
/** \brief Detection engine thread wrapper.
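Review bot: DetectSignatureApplyActions sets only num, action and s in p->alerts.drop, and the PACKET_RECYCLE hunk earlier in the diff clears only drop.action, so any other PacketAlert members (PacketAlertAppend stores a tx_id and flags, so the struct presumably carries them) still hold whatever the previous packet left behind when the drop log reads p->alerts.drop; clearing the whole member when the drop is recorded, `memset(&p->alerts.drop, 0, sizeof(p->alerts.drop));` before the three assignments, keeps stale state out of the log. The `(Signature *)s` cast discards the const the parameter promises; if the PacketAlert.s member can become `const Signature *` the cast disappears, otherwise a short comment should say the pointer is only stored for read-only logging. The first-drop-wins rule behind the `drop.action == 0` guard deserves a line in the docstring, e.g. `/* only the first dropping signature is kept; drop.action == 0 means "not set", so check it before using drop.s */`, since consumers must test drop.action before dereferencing drop.s.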
int SigMatchSignaturesRunPostMatch(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p,
Signature *s);
+void DetectSignatureApplyActions(Packet *p, const Signature *s);
#endif /* __DETECT_H__ */