NFQUE drop support added with ident of 4 :-(

17 years ago · 559edc01e3
parent 37e31e0240
commit 559edc01e3
5 changed files with 59 additions and 11 deletions
--- a/src/action-globals.h
+++ b/src/action-globals.h
@ -0,0 +1,10 @@
 /* Copyright (c) 2008 Victor Julien <victor@inliniac.net> */
 #ifndef __ACTION_GLOBALS_H__
 #define __DECODE_H__
 #define ACTION_ALERT           0
 #define ACTION_DROP            1
 #define ACTION_REJECT          2
 #define ACTION_PASS            3
 #endif /* __ACTION_GLOBALS_H__ */
--- a/src/decode.h
+++ b/src/decode.h
@ -30,6 +30,7 @@
 #include "source-nfq.h"
 #endif /* NFQ */
 #include "action-globals.h"
 #include "decode-ethernet.h"
 #include "decode-ipv4.h"
 #include "decode-ipv6.h"
@ -265,9 +266,6 @@ typedef struct _Packet
    (p)->http_uri.cnt = 0; \
 }
 #define ACTION_ACCEPT          0
 #define ACTION_DROP            1
 #define ACTION_REJECT          2
 /* macro's for setting the action
 * handle the case of a root packet
--- a/src/detect.c
+++ b/src/detect.c
@ -28,7 +28,7 @@
 #include "detect-flow.h"
 #include "detect-dsize.h"
 #include "detect-flowvar.h"
-
+#include "action-globals.h"
 #include "detect-mpm.h"
 #include "tm-modules.h"
@ -328,6 +328,24 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
    return 0;
 }
 int SigParseAction(Signature *s, const char *action){
    if(strcasecmp(action, "alert") == 0){
       s->action = ACTION_ALERT;
       return 0;
    } else if(strcasecmp(action, "drop") == 0){
       s->action = ACTION_DROP;
       return 0;
    } else if(strcasecmp(action, "pass") == 0){
       s->action = ACTION_PASS;
       return 0;
    } else if(strcasecmp(action, "reject") == 0){
       s->action = ACTION_REJECT;
       return 0;
    } else {
       return -1;
    }
 }
 int SigParseBasics(Signature *s, char *sigstr, char ***result) {
 #define MAX_SUBSTRINGS 30
    int ov[MAX_SUBSTRINGS];
@ -350,6 +368,11 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) {
    }
    arr[i-1]=NULL;
    /* Parse Action */
    if (SigParseAction(s, arr[CONFIG_ACTION]) < 0)
        goto error;
    /* Parse Ports */
    if (SigParsePort(s, arr[CONFIG_SP], 0) < 0)
        goto error;
    if (SigParsePort(s, arr[CONFIG_DP], 1) < 0)
@ -498,11 +521,9 @@ void SigLoadSignatures (void)
        prevsig->next = sig;
        prevsig = sig;
    }
 //#if 0
    int good = 0, bad = 0;
-    FILE *fp = fopen("/home/victor/rules/bleeding-all.rules", "r");
+    FILE *fp = fopen("/etc/vips/rules/bleeding-all.rules", "r");
    //FILE *fp = fopen("/home/victor/rules/vips-http.sigs", "r");
    //FILE *fp = fopen("/home/victor/rules/vips-all.sigs", "r");
    //FILE *fp = fopen("/home/victor/rules/eml.rules", "r");
@ -531,6 +552,7 @@ void SigLoadSignatures (void)
    printf("SigLoadSignatures: %d successfully loaded from file. %d sigs failed to load\n", good, bad);
 //#endif
    /* Setup the pattern matcher */
    PatternMatchPrepare(sig_list);
 }
@ -607,7 +629,8 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
                            /* only add once */
                            if (rmatch == 0)
                                PacketAlertAppend(p, 1, s->id, s->rev, s->msg);
-
+                                /* set verdict on packet */
                                p->action = s->action;
                            //printf("%u Signature %u matched: %s\n", th_v->pkt_cnt, s->id, s->msg ? s->msg : "");
                            rmatch = fmatch = 1;
                            pmt->pkt_cnt++;
@ -635,6 +658,8 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
                        fmatch = 1;
                        PacketAlertAppend(p, 1, s->id, s->rev, s->msg);
                        /* set verdict on packet */
                        p->action = s->action;
                    }
                } else {
                    /* done with this sig */
--- a/src/detect.h
+++ b/src/detect.h
@ -33,7 +33,7 @@ typedef struct _Signature {
    u_int8_t rev;
    char *msg;
    u_int8_t flags;
-
+    u_int8_t action; 
    SigAddress src, dst;
    SigPort sp, dp;
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@ -12,7 +12,7 @@
 #include "tm-modules.h"
 #include "source-nfq.h"
 #include "source-nfq-prototypes.h"
-
+#include "action-globals.h"
 /* shared vars for all for nfq queues and threads */
 static NFQGlobalVars nfq_g;
@ -240,9 +240,24 @@ int ReceiveNFQ(ThreadVars *tv, Packet *p, void *data) {
 void NFQSetVerdict(NFQThreadVars *t, Packet *p) {
    int ret;
    u_int32_t verdict;
    if(p->action == ACTION_ALERT){
       verdict = NF_ACCEPT;
    } else if(p->action == ACTION_PASS){
       verdict = NF_ACCEPT;
    } else if(p->action == ACTION_DROP){
       verdict = NF_DROP;
    } else if(p->action == ACTION_REJECT){
       verdict = NF_DROP;
       /* reject code will be called from here */
    } else {
       /* wtf? a verdict we don't know about */
       verdict = NF_DROP;
    }
    mutex_lock(&t->mutex_qh);
-    ret = nfq_set_verdict(t->qh, p->nfq_v.id, NF_ACCEPT, 0, NULL);
+    ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict, 0, NULL);
    mutex_unlock(&t->mutex_qh);
    if (ret < 0)