Bug #75 » 0001-Changing-the-veredict-actions-to-flags-to-allow-simu.patch
| src/action-globals.h | ||
|---|---|---|
|
#ifndef __ACTION_GLOBALS_H__
|
||
|
#define __ACTION_GLOBALS_H__
|
||
|
typedef enum {
|
||
|
ACTION_ALERT,
|
||
|
ACTION_DROP,
|
||
|
ACTION_REJECT,
|
||
|
ACTION_REJECT_DST,
|
||
|
ACTION_REJECT_BOTH,
|
||
|
ACTION_PASS
|
||
|
} ActionType;
|
||
|
/* Changing them as flags, so later we can have alerts
|
||
|
* and drop simultaneously */
|
||
|
#define ACTION_ALERT 0x01
|
||
|
#define ACTION_DROP 0x02
|
||
|
#define ACTION_REJECT 0x04
|
||
|
#define ACTION_REJECT_DST 0x08
|
||
|
#define ACTION_REJECT_BOTH 0x10
|
||
|
#define ACTION_PASS 0x20
|
||
|
#endif /* __ACTION_GLOBALS_H__ */
|
||
| src/alert-unified2-alert.c | ||
|---|---|---|
|
phdr.dst_ip = *(struct in6_addr*)GET_IPV6_DST_ADDR(p);
|
||
|
phdr.protocol = IPV6_GET_NH(p);
|
||
|
if(p->action == ACTION_DROP)
|
||
|
if(p->action & ACTION_DROP)
|
||
|
phdr.packet_action = UNIFIED2_BLOCKED_FLAG;
|
||
|
else
|
||
|
phdr.packet_action = 0;
|
||
| ... | ... | |
|
phdr.dst_ip = p->ip4h->ip_dst.s_addr;
|
||
|
phdr.protocol = IPV4_GET_RAW_IPPROTO(p->ip4h);
|
||
|
if(p->action == ACTION_DROP)
|
||
|
if(p->action & ACTION_DROP)
|
||
|
phdr.packet_action = UNIFIED2_BLOCKED_FLAG;
|
||
|
else
|
||
|
phdr.packet_action = 0;
|
||
| src/decode.h | ||
|---|---|---|
|
PacketAlerts alerts;
|
||
|
/* IPS action to take */
|
||
|
ActionType action;
|
||
|
uint8_t action;
|
||
|
/* double linked list ptrs */
|
||
|
struct Packet_ *next;
|
||
| src/detect-engine-iponly.c | ||
|---|---|---|
|
if (!(s->flags & SIG_FLAG_NOALERT)) {
|
||
|
PacketAlertHandle(de_ctx,s,p);
|
||
|
/* set verdict on packet */
|
||
|
p->action = s->action;
|
||
|
p->action |= s->action;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
| src/detect.c | ||
|---|---|---|
|
if (!(s->flags & SIG_FLAG_NOALERT)) {
|
||
|
PacketAlertHandle(de_ctx,s,p);
|
||
|
/* set verdict on packet */
|
||
|
p->action = s->action;
|
||
|
p->action |= s->action;
|
||
|
}
|
||
|
} else {
|
||
|
/* reset pkt ptr and offset */
|
||
| ... | ... | |
|
if (rmatch == 0) {
|
||
|
PacketAlertHandle(de_ctx,s,p);
|
||
|
/* set verdict on packet */
|
||
|
p->action = s->action;
|
||
|
p->action |= s->action;
|
||
|
}
|
||
|
}
|
||
|
rmatch = fmatch = 1;
|
||
| ... | ... | |
|
PacketAlertHandle(de_ctx,s,p);
|
||
|
/* set verdict on packet */
|
||
|
p->action = s->action;
|
||
|
p->action |= s->action;
|
||
|
}
|
||
|
}
|
||
|
} else {
|
||
| src/respond-reject.c | ||
|---|---|---|
|
int ret = 0;
|
||
|
/* ACTION_REJECT defaults to rejecting the SRC */
|
||
|
if (p->action != ACTION_REJECT && p->action != ACTION_REJECT_DST &&
|
||
|
p->action != ACTION_REJECT_BOTH) {
|
||
|
if (!(p->action & ACTION_REJECT) && !(p->action & ACTION_REJECT_DST) &&
|
||
|
(p->action & ACTION_REJECT_BOTH)) {
|
||
|
return TM_ECODE_OK;
|
||
|
}
|
||
| ... | ... | |
|
}
|
||
|
int RejectSendIPv4TCP(ThreadVars *tv, Packet *p, void *data) {
|
||
|
if (p->action == ACTION_REJECT) {
|
||
|
if (p->action & ACTION_REJECT) {
|
||
|
return RejectSendLibnet11L3IPv4TCP(tv, p, data, REJECT_DIR_SRC);
|
||
|
} else if (p->action == ACTION_REJECT_DST) {
|
||
|
} else if (p->action & ACTION_REJECT_DST) {
|
||
|
return RejectSendLibnet11L3IPv4TCP(tv, p, data, REJECT_DIR_DST);
|
||
|
} else if(p->action == ACTION_REJECT_BOTH) {
|
||
|
} else if(p->action & ACTION_REJECT_BOTH) {
|
||
|
if (RejectSendLibnet11L3IPv4TCP(tv, p, data, REJECT_DIR_SRC) == 0 &&
|
||
|
RejectSendLibnet11L3IPv4TCP(tv, p, data, REJECT_DIR_DST) == 0) {
|
||
|
return 0;
|
||
| ... | ... | |
|
}
|
||
|
int RejectSendIPv4ICMP(ThreadVars *tv, Packet *p, void *data) {
|
||
|
if (p->action == ACTION_REJECT) {
|
||
|
if (p->action & ACTION_REJECT) {
|
||
|
return RejectSendLibnet11L3IPv4ICMP(tv, p, data, REJECT_DIR_SRC);
|
||
|
} else if (p->action == ACTION_REJECT_DST) {
|
||
|
} else if (p->action & ACTION_REJECT_DST) {
|
||
|
return RejectSendLibnet11L3IPv4ICMP(tv, p, data, REJECT_DIR_DST);
|
||
|
} else if(p->action == ACTION_REJECT_BOTH) {
|
||
|
} else if(p->action & ACTION_REJECT_BOTH) {
|
||
|
if (RejectSendLibnet11L3IPv4ICMP(tv, p, data, REJECT_DIR_SRC) == 0 &&
|
||
|
RejectSendLibnet11L3IPv4ICMP(tv, p, data, REJECT_DIR_DST) == 0) {
|
||
|
return 0;
|
||
| src/source-nfq.c | ||
|---|---|---|
|
//printf("%p verdicting on queue %" PRIu32 "\n", t, t->queue_num);
|
||
|
switch (p->action) {
|
||
|
case ACTION_ALERT:
|
||
|
case ACTION_PASS:
|
||
|
verdict = NF_ACCEPT;
|
||
|
if (p->action & ACTION_REJECT || p->action & ACTION_REJECT_BOTH ||
|
||
|
p->action & ACTION_REJECT_DST || p->action & ACTION_DROP) {
|
||
|
verdict = NF_DROP;
|
||
|
#ifdef COUNTERS
|
||
|
t->accepted++;
|
||
|
t->dropped++;
|
||
|
#endif /* COUNTERS */
|
||
|
break;
|
||
|
case ACTION_REJECT:
|
||
|
case ACTION_REJECT_DST:
|
||
|
case ACTION_REJECT_BOTH:
|
||
|
case ACTION_DROP:
|
||
|
default:
|
||
|
} else if (p->action & ACTION_ALERT || p->action & ACTION_ALERT) {
|
||
|
verdict = NF_ACCEPT;
|
||
|
#ifdef COUNTERS
|
||
|
t->accepted++;
|
||
|
#endif /* COUNTERS */
|
||
|
} else {
|
||
|
/* a verdict we don't know about, drop to be sure */
|
||
|
verdict = NF_DROP;
|
||
|
verdict = NF_DROP;
|
||
|
#ifdef COUNTERS
|
||
|
t->dropped++;
|
||
|
t->dropped++;
|
||
|
#endif /* COUNTERS */
|
||
|
}
|
||