diff --git a/src/action-globals.h b/src/action-globals.h new file mode 100644 index 0000000000..4e4b84510b --- /dev/null +++ b/src/action-globals.h @@ -0,0 +1,10 @@ +/* Copyright (c) 2008 Victor Julien */ +#ifndef __ACTION_GLOBALS_H__ +#define __DECODE_H__ + +#define ACTION_ALERT 0 +#define ACTION_DROP 1 +#define ACTION_REJECT 2 +#define ACTION_PASS 3 + +#endif /* __ACTION_GLOBALS_H__ */ diff --git a/src/decode.h b/src/decode.h index a28fd89986..2c81bc2a03 100644 --- a/src/decode.h +++ b/src/decode.h @@ -30,6 +30,7 @@ #include "source-nfq.h" #endif /* NFQ */ +#include "action-globals.h" #include "decode-ethernet.h" #include "decode-ipv4.h" #include "decode-ipv6.h" @@ -265,9 +266,6 @@ typedef struct _Packet (p)->http_uri.cnt = 0; \ } -#define ACTION_ACCEPT 0 -#define ACTION_DROP 1 -#define ACTION_REJECT 2 /* macro's for setting the action * handle the case of a root packet diff --git a/src/detect.c b/src/detect.c index fa29272741..cf48e099e4 100644 --- a/src/detect.c +++ b/src/detect.c @@ -28,7 +28,7 @@ #include "detect-flow.h" #include "detect-dsize.h" #include "detect-flowvar.h" - +#include "action-globals.h" #include "detect-mpm.h" #include "tm-modules.h" @@ -328,6 +328,24 @@ int SigParsePort(Signature *s, const char *portstr, char flag) { return 0; } +int SigParseAction(Signature *s, const char *action){ + if(strcasecmp(action, "alert") == 0){ + s->action = ACTION_ALERT; + return 0; + } else if(strcasecmp(action, "drop") == 0){ + s->action = ACTION_DROP; + return 0; + } else if(strcasecmp(action, "pass") == 0){ + s->action = ACTION_PASS; + return 0; + } else if(strcasecmp(action, "reject") == 0){ + s->action = ACTION_REJECT; + return 0; + } else { + return -1; + } +} + int SigParseBasics(Signature *s, char *sigstr, char ***result) { #define MAX_SUBSTRINGS 30 int ov[MAX_SUBSTRINGS]; 
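Review bot: The include guard is broken: the `#ifndef` tests `__ACTION_GLOBALS_H__` but the next line defines `__DECODE_H__`, so the guard never takes effect and, if that macro is also the guard of decode.h, including this header first would silently suppress decode.h's body. Change the define to `#define __ACTION_GLOBALS_H__`. Identifiers beginning with a double underscore are reserved for the implementation; a guard such as `ACTION_GLOBALS_H` would avoid that, if the rest of the tree is changed the same way.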
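Review bot: `ACTION_ACCEPT` is removed here with no same-named replacement in action-globals.h, where the value 0 now means `ACTION_ALERT`; the "macro's for setting the action" that follow this hunk are not visible, so I cannot confirm they were updated to the new names. Anything still spelling `ACTION_ACCEPT` will fail to compile once this lands, and anything that relied on 0 meaning accept now reads it as alert. A one-line comment at the removal site, `/* ACTION_* values now live in action-globals.h */`, would help readers of this file.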
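Review bot: `SigParseAction` is defined with external linkage but no prototype is added to detect.h in this commit, and `action` is used without a NULL check even though the `arr` it is called with is NULL-terminated by the caller; if the regex can ever leave that slot empty, `strcasecmp` on NULL is undefined behaviour. Make it `static int SigParseAction(Signature *s, const char *action)` unless other files need it, and start the body with `if (action == NULL) return -1;`. `strcasecmp` needs `<strings.h>`; whether detect.c includes it is not visible in this hunk. A short header comment stating that it returns 0 on success and -1 for an unrecognised keyword would match the style of `SigParsePort` above.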
@@ -350,6 +368,11 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) { } arr[i-1]=NULL; + /* Parse Action */ + if (SigParseAction(s, arr[CONFIG_ACTION]) < 0) + goto error; + + /* Parse Ports */ if (SigParsePort(s, arr[CONFIG_SP], 0) < 0) goto error; if (SigParsePort(s, arr[CONFIG_DP], 1) < 0) @@ -498,11 +521,9 @@ void SigLoadSignatures (void) prevsig->next = sig; prevsig = sig; } - - //#if 0 int good = 0, bad = 0; - FILE *fp = fopen("/home/victor/rules/bleeding-all.rules", "r"); + FILE *fp = fopen("/etc/vips/rules/bleeding-all.rules", "r"); //FILE *fp = fopen("/home/victor/rules/vips-http.sigs", "r"); //FILE *fp = fopen("/home/victor/rules/vips-all.sigs", "r"); //FILE *fp = fopen("/home/victor/rules/eml.rules", "r"); @@ -531,6 +552,7 @@ void SigLoadSignatures (void) printf("SigLoadSignatures: %d successfully loaded from file. %d sigs failed to load\n", good, bad); //#endif /* Setup the pattern matcher */ + PatternMatchPrepare(sig_list); } @@ -607,7 +629,8 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p) /* only add once */ if (rmatch == 0) PacketAlertAppend(p, 1, s->id, s->rev, s->msg); - + /* set verdict on packet */ + p->action = s->action; //printf("%u Signature %u matched: %s\n", th_v->pkt_cnt, s->id, s->msg ? s->msg : ""); rmatch = fmatch = 1; pmt->pkt_cnt++; @@ -635,6 +658,8 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p) fmatch = 1; PacketAlertAppend(p, 1, s->id, s->rev, s->msg); + /* set verdict on packet */ + p->action = s->action; } } else { /* done with this sig */ diff --git a/src/detect.h b/src/detect.h index 368da312ed..f25f093066 100644 --- a/src/detect.h +++ b/src/detect.h @@ -33,7 +33,7 @@ typedef struct _Signature { u_int8_t rev; char *msg; u_int8_t flags; - + u_int8_t action; SigAddress src, dst; SigPort sp, dp; diff --git a/src/source-nfq.c b/src/source-nfq.c index 5b126226c0..257802ffeb 100644 --- a/src/source-nfq.c +++ b/src/source-nfq.c 
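Review bot: The rules file path at the changed `fopen` line is still a compile-time constant, now `/etc/vips/rules/bleeding-all.rules`, with the previous alternatives left behind as commented-out code; this should come from configuration or a command-line argument rather than the source. Whether the `fopen` result is checked before use lies outside the hunk. At minimum the dead `//FILE *fp = ...` lines could be dropped.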
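Review bot: The `//#endif` context line above the added `PatternMatchPrepare(sig_list);` call no longer has a partner, since the `//#if 0` marker was deleted in the previous hunk of this file; the stale comment should go too. The added call is unguarded; if `sig_list` can be NULL when no rules loaded, whether `PatternMatchPrepare` tolerates that is not visible here.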
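Review bot: `p->action = s->action;` after `PacketAlertAppend` unconditionally overwrites whatever an earlier matching signature set, so a packet that matched a `drop` rule and then an `alert` or `pass` rule is accepted by `NFQSetVerdict`; the same overwrite is added in the second `SigMatchSignatures` hunk of this file (`@@ -635`). The verdict needs a precedence rule rather than last-writer-wins, for example `if (p->action != ACTION_DROP && p->action != ACTION_REJECT) p->action = s->action;` at both sites, or a small helper applying whatever action precedence the project decides on (including whether `pass` may override `drop`). `SigMatchSignatures` starts and ends outside the hunk.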
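Review bot: The new `action` member of `_Signature` is undocumented and nothing ties it to the `ACTION_*` constants it holds; a trailing comment such as `u_int8_t action;  /* ACTION_* value parsed from the rule's action keyword */` would make the contract clear to readers of detect.h. The struct definition continues outside the hunk.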
@@ -12,7 +12,7 @@ #include "tm-modules.h" #include "source-nfq.h" #include "source-nfq-prototypes.h" - +#include "action-globals.h" /* shared vars for all for nfq queues and threads */ static NFQGlobalVars nfq_g; @@ -240,9 +240,24 @@ int ReceiveNFQ(ThreadVars *tv, Packet *p, void *data) { void NFQSetVerdict(NFQThreadVars *t, Packet *p) { int ret; + u_int32_t verdict; + + if(p->action == ACTION_ALERT){ + verdict = NF_ACCEPT; + } else if(p->action == ACTION_PASS){ + verdict = NF_ACCEPT; + } else if(p->action == ACTION_DROP){ + verdict = NF_DROP; + } else if(p->action == ACTION_REJECT){ + verdict = NF_DROP; + /* reject code will be called from here */ + } else { + /* wtf? a verdict we don't know about */ + verdict = NF_DROP; + } mutex_lock(&t->mutex_qh); - ret = nfq_set_verdict(t->qh, p->nfq_v.id, NF_ACCEPT, 0, NULL); + ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict, 0, NULL); mutex_unlock(&t->mutex_qh); if (ret < 0)
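Review bot: The added `if`/`else if` chain in `NFQSetVerdict` repeats the same assignment for `ACTION_ALERT` and `ACTION_PASS` and buries the unknown-value case at the end; a `switch` with shared `case` labels and a `default` reads more clearly and lets the compiler warn on an unhandled `ACTION_*` value. The chain also assumes `p->action` was set for this packet; where it is reset when a `Packet` is reused is not visible here, so a stale `ACTION_DROP` from a previous packet in the same slot would carry over, which is worth confirming against the packet-setup code. Dropping on an unknown value is the right fail-closed choice and should keep a comment saying so. The trailing `if (ret < 0)` handling continues past the hunk.
```c
void NFQSetVerdict(NFQThreadVars *t, Packet *p) {
    int ret;
    u_int32_t verdict;

    switch (p->action) {
    case ACTION_ALERT:
    case ACTION_PASS:
        verdict = NF_ACCEPT;
        break;
    case ACTION_DROP:
        verdict = NF_DROP;
        break;
    case ACTION_REJECT:
        /* reject code will be called from here */
        verdict = NF_DROP;
        break;
    default:
        /* unknown action value: fail closed */
        verdict = NF_DROP;
        break;
    }
    /* … unchanged: mutex_lock / nfq_set_verdict(..., verdict, ...) / mutex_unlock … */
```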