aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add support for class id in classification code. Submitted by firnsy@securixlive.com, thanks.

Browse Source
remotes/origin/master-1.0.x
Victor Julien 15 years ago
parent fcac4d2896
commit 7a6d4b57f0
5 changed files with 40 additions and 26 deletions
Show Stats Download Patch File Download Diff File

3
src/detect-classtype.c
Unescape Escape View File

@ -131,7 +131,7 @@ static inline const char *DetectClasstypeParseRawString(char *rawstr)
static inline SCClassConfClasstype *DetectClasstypeGetClasstypeInfo(const char *ct_name,
DetectEngineCtx *de_ctx)
{
SCClassConfClasstype *ct_info = SCClassConfAllocClasstype(ct_name, NULL,
SCClassConfClasstype *ct_info = SCClassConfAllocClasstype(0, ct_name, NULL,
0);
SCClassConfClasstype *lookup_ct_info = HashTableLookup(de_ctx->class_conf_ht,
ct_info, 0);
@ -171,6 +171,7 @@ static int DetectClasstypeSetup(DetectEngineCtx *de_ctx, Signature *s, char *raw
/* if we have retrieved the classtype, assign the message to be displayed
* for this Signature by fast.log, if a Packet matches this Signature */
s->class = ct->classtype_id;
s->class_msg = ct->classtype_desc;
/* if a priority keyword has appeared before the classtype, s->prio would

2
src/detect-engine-alert.c
Unescape Escape View File

@ -97,6 +97,7 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p)
p->alerts.alerts[p->alerts.cnt].rev = s->rev;
p->alerts.alerts[p->alerts.cnt].prio = s->prio;
p->alerts.alerts[p->alerts.cnt].msg = s->msg;
p->alerts.alerts[p->alerts.cnt].class = s->class;
p->alerts.alerts[p->alerts.cnt].class_msg = s->class_msg;
p->alerts.alerts[p->alerts.cnt].references = s->references;
} else {
@ -120,6 +121,7 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p)
p->alerts.alerts[i].rev = s->rev;
p->alerts.alerts[i].prio = s->prio;
p->alerts.alerts[i].msg = s->msg;
p->alerts.alerts[i].class = s->class;
p->alerts.alerts[i].class_msg = s->class_msg;
p->alerts.alerts[i].references = s->references;
}

3
src/detect.h
Unescape Escape View File

@ -232,6 +232,9 @@ typedef struct Signature_ {
uint8_t nchunk_groups; /**< Internal chunk grp id (for splitted patterns) */
char *msg;
/** classification id **/
uint8_t class;
/** classification message */
char *class_msg;

51
src/util-classification-config.c
Unescape Escape View File

@ -188,17 +188,19 @@ static char *SCClassConfStringToLowercase(const char *str)
* hash table in DetectEngineCtx, i.e. DetectEngineCtx->class_conf_ht.
*
* \param rawstr Pointer to the string to be parsed.
* \param index Relative index of the string to be parsed.
* \param de_ctx Pointer to the Detection Engine Context.
*
* \retval 0 On success.
* \retval -1 On failure.
*/
int SCClassConfAddClasstype(char *rawstr, DetectEngineCtx *de_ctx)
int SCClassConfAddClasstype(char *rawstr, uint8_t index, DetectEngineCtx *de_ctx)
{
const char *ct_name = NULL;
const char *ct_desc = NULL;
const char *ct_priority_str = NULL;
int ct_priority = 0;
uint8_t ct_id = index;
SCClassConfClasstype *ct_new = NULL;
SCClassConfClasstype *ct_lookup = NULL;
@ -238,7 +240,7 @@ int SCClassConfAddClasstype(char *rawstr, DetectEngineCtx *de_ctx)
ct_priority = atoi(ct_priority_str);
/* Create a new instance of the parsed Classtype string */
ct_new = SCClassConfAllocClasstype(ct_name, ct_desc, ct_priority);
ct_new = SCClassConfAllocClasstype(ct_id, ct_name, ct_desc, ct_priority);
if (ct_new == NULL)
goto error;
@ -307,12 +309,14 @@ static int SCClassConfIsLineBlankOrComment(char *line)
void SCClassConfParseFile(DetectEngineCtx *de_ctx)
{
char line[1024];
uint8_t i = 1;
while (fgets(line, sizeof(line), fd) != NULL) {
if (SCClassConfIsLineBlankOrComment(line))
continue;
SCClassConfAddClasstype(line, de_ctx);
SCClassConfAddClasstype(line, i, de_ctx);
i++;
}
#ifdef UNITTESTS
@ -334,7 +338,8 @@ void SCClassConfParseFile(DetectEngineCtx *de_ctx)
* \retval ct Pointer to the new instance of SCClassConfClasstype on success;
* NULL on failure.
*/
SCClassConfClasstype *SCClassConfAllocClasstype(const char *classtype,
SCClassConfClasstype *SCClassConfAllocClasstype(uint8_t classtype_id,
const char *classtype,
const char *classtype_desc,
int priority)
{
@ -358,6 +363,7 @@ SCClassConfClasstype *SCClassConfAllocClasstype(const char *classtype,
exit(EXIT_FAILURE);
}
ct->classtype_id = classtype_id;
ct->priority = priority;
return ct;
@ -672,27 +678,27 @@ int SCClassConfTest04(void)
result = (de_ctx->class_conf_ht->count == 3);
ct = SCClassConfAllocClasstype("unknown", NULL, 0);
ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("unKnoWn", NULL, 0);
ct = SCClassConfAllocClasstype(0, "unKnoWn", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("bamboo", NULL, 0);
ct = SCClassConfAllocClasstype(0, "bamboo", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("bad-unknown", NULL, 0);
ct = SCClassConfAllocClasstype(0, "bad-unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("BAD-UNKnOWN", NULL, 0);
ct = SCClassConfAllocClasstype(0, "BAD-UNKnOWN", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("bed-unknown", NULL, 0);
ct = SCClassConfAllocClasstype(0, "bed-unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
@ -724,31 +730,30 @@ int SCClassConfTest05(void)
result = (de_ctx->class_conf_ht->count == 0);
ct = SCClassConfAllocClasstype("unknown", NULL, 0);
ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("unKnoWn", NULL, 0);
ct = SCClassConfAllocClasstype(0, "unKnoWn", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("bamboo", NULL, 0);
ct = SCClassConfAllocClasstype(0, "bamboo", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("bad-unknown", NULL, 0);
ct = SCClassConfAllocClasstype(0, "bad-unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("BAD-UNKnOWN", NULL, 0);
ct = SCClassConfAllocClasstype(0, "BAD-UNKnOWN", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("bed-unknown", NULL, 0);
ct = SCClassConfAllocClasstype(0, "bed-unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
DetectEngineCtxFree(de_ctx);
return result;
@ -776,27 +781,27 @@ int SCClassConfTest06(void)
result = (de_ctx->class_conf_ht->count == 3);
ct = SCClassConfAllocClasstype("unknown", NULL, 0);
ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("not-suspicious", NULL, 0);
ct = SCClassConfAllocClasstype(0, "not-suspicious", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("bamboola1", NULL, 0);
ct = SCClassConfAllocClasstype(0, "bamboola1", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("bamboola1", NULL, 0);
ct = SCClassConfAllocClasstype(0, "bamboola1", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("BAMBOolA1", NULL, 0);
ct = SCClassConfAllocClasstype(0, "BAMBOolA1", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
SCClassConfDeAllocClasstype(ct);
ct = SCClassConfAllocClasstype("unkNOwn", NULL, 0);
ct = SCClassConfAllocClasstype(0, "unkNOwn", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
SCClassConfDeAllocClasstype(ct);

7
src/util-classification-config.h
Unescape Escape View File

@ -28,6 +28,9 @@
* \brief Container for a Classtype from the Classification.config file.
*/
typedef struct SCClassConfClasstype_ {
/* The index of the classification within classification.confg */
uint8_t classtype_id;
/* The classtype name. This is the primary key for a Classification. */
char *classtype;
@ -39,8 +42,8 @@ typedef struct SCClassConfClasstype_ {
int priority;
} SCClassConfClasstype;
SCClassConfClasstype *SCClassConfAllocClasstype(const char *, const char *,
int);
SCClassConfClasstype *SCClassConfAllocClasstype(uint8_t, const char *,
const char *, int);
void SCClassConfDeAllocClasstype(SCClassConfClasstype *);
void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *);
void SCClassConfRegisterTests(void);

Write Preview
Loading…
Cancel
Save