Add support for class id in classification code. Submitted by firnsy@securixlive.com, thanks.

src/detect-classtype.c

@@ -131,7 +131,7 @@ static inline const char *DetectClasstypeParseRawString(char *rawstr)
 static inline SCClassConfClasstype *DetectClasstypeGetClasstypeInfo(const char *ct_name,
                                                                     DetectEngineCtx *de_ctx)
 {
-    SCClassConfClasstype *ct_info = SCClassConfAllocClasstype(ct_name, NULL,
+    SCClassConfClasstype *ct_info = SCClassConfAllocClasstype(0, ct_name, NULL,
                                                               0);
     SCClassConfClasstype *lookup_ct_info = HashTableLookup(de_ctx->class_conf_ht,
                                                            ct_info, 0);
@@ -171,6 +171,7 @@ static int DetectClasstypeSetup(DetectEngineCtx *de_ctx, Signature *s, char *raw
 
     /* if we have retrieved the classtype, assign the message to be displayed
      * for this Signature by fast.log, if a Packet matches this Signature */
+    s->class = ct->classtype_id;
     s->class_msg = ct->classtype_desc;
 
     /* if a priority keyword has appeared before the classtype, s->prio would

src/detect-engine-alert.c

@@ -97,6 +97,7 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p)
         p->alerts.alerts[p->alerts.cnt].rev = s->rev;
         p->alerts.alerts[p->alerts.cnt].prio = s->prio;
         p->alerts.alerts[p->alerts.cnt].msg = s->msg;
+        p->alerts.alerts[p->alerts.cnt].class = s->class;
         p->alerts.alerts[p->alerts.cnt].class_msg = s->class_msg;
         p->alerts.alerts[p->alerts.cnt].references = s->references;
     } else {
@@ -120,6 +121,7 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p)
         p->alerts.alerts[i].rev = s->rev;
         p->alerts.alerts[i].prio = s->prio;
         p->alerts.alerts[i].msg = s->msg;
+        p->alerts.alerts[i].class = s->class;
         p->alerts.alerts[i].class_msg = s->class_msg;
         p->alerts.alerts[i].references = s->references;
     }

src/detect.h

@@ -232,6 +232,9 @@ typedef struct Signature_ {
     uint8_t nchunk_groups; /**< Internal chunk grp id (for splitted patterns) */
     char *msg;
 
+    /** classification id **/
+    uint8_t class;
+
     /** classification message */
     char *class_msg;
 

src/util-classification-config.c

@@ -188,17 +188,19 @@ static char *SCClassConfStringToLowercase(const char *str)
  *        hash table in DetectEngineCtx, i.e. DetectEngineCtx->class_conf_ht.
  *
  * \param rawstr Pointer to the string to be parsed.
+ * \param index  Relative index of the string to be parsed.
  * \param de_ctx Pointer to the Detection Engine Context.
  *
  * \retval  0 On success.
  * \retval -1 On failure.
  */
-int SCClassConfAddClasstype(char *rawstr, DetectEngineCtx *de_ctx)
+int SCClassConfAddClasstype(char *rawstr, uint8_t index, DetectEngineCtx *de_ctx)
 {
     const char *ct_name = NULL;
     const char *ct_desc = NULL;
     const char *ct_priority_str = NULL;
     int ct_priority = 0;
+    uint8_t ct_id = index;
 
     SCClassConfClasstype *ct_new = NULL;
     SCClassConfClasstype *ct_lookup = NULL;
@@ -238,7 +240,7 @@ int SCClassConfAddClasstype(char *rawstr, DetectEngineCtx *de_ctx)
     ct_priority = atoi(ct_priority_str);
 
     /* Create a new instance of the parsed Classtype string */
-    ct_new = SCClassConfAllocClasstype(ct_name, ct_desc, ct_priority);
+    ct_new = SCClassConfAllocClasstype(ct_id, ct_name, ct_desc, ct_priority);
     if (ct_new == NULL)
         goto error;
 
@@ -307,12 +309,14 @@ static int SCClassConfIsLineBlankOrComment(char *line)
 void SCClassConfParseFile(DetectEngineCtx *de_ctx)
 {
     char line[1024];
+    uint8_t i = 1;
 
     while (fgets(line, sizeof(line), fd) != NULL) {
         if (SCClassConfIsLineBlankOrComment(line))
             continue;
 
-        SCClassConfAddClasstype(line, de_ctx);
+        SCClassConfAddClasstype(line, i, de_ctx);
+        i++;
     }
 
 #ifdef UNITTESTS
@@ -334,7 +338,8 @@ void SCClassConfParseFile(DetectEngineCtx *de_ctx)
  * \retval ct Pointer to the new instance of SCClassConfClasstype on success;
  *            NULL on failure.
  */
-SCClassConfClasstype *SCClassConfAllocClasstype(const char *classtype,
+SCClassConfClasstype *SCClassConfAllocClasstype(uint8_t classtype_id,
+                                                const char *classtype,
                                                 const char *classtype_desc,
                                                 int priority)
 {
@@ -358,6 +363,7 @@ SCClassConfClasstype *SCClassConfAllocClasstype(const char *classtype,
         exit(EXIT_FAILURE);
     }
 
+    ct->classtype_id = classtype_id;
     ct->priority = priority;
 
     return ct;
@@ -672,27 +678,27 @@ int SCClassConfTest04(void)
 
     result = (de_ctx->class_conf_ht->count == 3);
 
-    ct = SCClassConfAllocClasstype("unknown", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("unKnoWn", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "unKnoWn", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("bamboo", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "bamboo", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("bad-unknown", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "bad-unknown", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("BAD-UNKnOWN", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "BAD-UNKnOWN", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("bed-unknown", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "bed-unknown", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 
@@ -724,31 +730,30 @@ int SCClassConfTest05(void)
 
     result = (de_ctx->class_conf_ht->count == 0);
 
-    ct = SCClassConfAllocClasstype("unknown", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("unKnoWn", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "unKnoWn", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("bamboo", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "bamboo", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("bad-unknown", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "bad-unknown", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("BAD-UNKnOWN", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "BAD-UNKnOWN", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("bed-unknown", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "bed-unknown", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 
-
     DetectEngineCtxFree(de_ctx);
 
     return result;
@@ -776,27 +781,27 @@ int SCClassConfTest06(void)
 
     result = (de_ctx->class_conf_ht->count == 3);
 
-    ct = SCClassConfAllocClasstype("unknown", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "unknown", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("not-suspicious", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "not-suspicious", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("bamboola1", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "bamboola1", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("bamboola1", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "bamboola1", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("BAMBOolA1", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "BAMBOolA1", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
     SCClassConfDeAllocClasstype(ct);
 
-    ct = SCClassConfAllocClasstype("unkNOwn", NULL, 0);
+    ct = SCClassConfAllocClasstype(0, "unkNOwn", NULL, 0);
     result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
     SCClassConfDeAllocClasstype(ct);
 

src/util-classification-config.h

@@ -28,6 +28,9 @@
  * \brief Container for a Classtype from the Classification.config file.
  */
 typedef struct SCClassConfClasstype_ {
+    /* The index of the classification within classification.confg */
+    uint8_t classtype_id;
+
     /* The classtype name.  This is the primary key for a Classification. */
     char *classtype;
 
@@ -39,8 +42,8 @@ typedef struct SCClassConfClasstype_ {
     int priority;
 } SCClassConfClasstype;
 
-SCClassConfClasstype *SCClassConfAllocClasstype(const char *, const char *,
+SCClassConfClasstype *SCClassConfAllocClasstype(uint8_t, const char *,
-                                                    int);
+                                                    const char *, int);
 void SCClassConfDeAllocClasstype(SCClassConfClasstype *);
 void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *);
 void SCClassConfRegisterTests(void);