From 96adcf6829dcdadedea1f4f71bc44ccb5f30e8d5 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Tue, 15 Apr 2014 17:01:52 +0200 Subject: [PATCH] refactor IDS/IPS engine mode logic Instead of error phrone externs with macro's, use functions with a local static enum var instead. - EngineModeIsIPS(): in IPS mode - EngineModeIsIDS(): in IDS mode To set the modes: - EngineModeSetIDS(): IDS mode (default) - EngineModeSetIPS(): IPS mode Bug #1177. --- src/alert-fastlog.c | 3 +-- src/alert-syslog.c | 7 +++---- src/detect.c | 5 ++--- src/log-droplog.c | 12 ++++++------ src/output-json-alert.c | 6 ++---- src/output-json-drop.c | 3 +-- src/output-json.c | 1 - src/stream-tcp.c | 4 +--- src/stream-tcp.h | 3 +-- src/suricata.c | 36 ++++++++++++++++++++++++++++-------- src/suricata.h | 15 +++++---------- 11 files changed, 50 insertions(+), 45 deletions(-) diff --git a/src/alert-fastlog.c b/src/alert-fastlog.c index feab6b9b8a..1ca45bd974 100644 --- a/src/alert-fastlog.c +++ b/src/alert-fastlog.c @@ -116,7 +116,6 @@ int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p) int i; char timebuf[64]; int decoder_event = 0; - extern uint8_t engine_mode; CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); @@ -146,7 +145,7 @@ int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p) } char *action = ""; - if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) { + if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) { action = "[Drop] "; } else if (pa->action & ACTION_DROP) { action = "[wDrop] "; diff --git a/src/alert-syslog.c b/src/alert-syslog.c index 4ad4b964c6..a57712bf4c 100644 --- a/src/alert-syslog.c +++ b/src/alert-syslog.c @@ -57,7 +57,6 @@ #define DEFAULT_ALERT_SYSLOG_LEVEL LOG_ERR #define MODULE_NAME "AlertSyslog" -extern uint8_t engine_mode; static int alert_syslog_level = DEFAULT_ALERT_SYSLOG_LEVEL; typedef struct AlertSyslogThread_ { @@ -221,7 +220,7 @@ static TmEcode AlertSyslogIPv4(ThreadVars *tv, const Packet *p, void *data) PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); - if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) { + if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) { action = "[Drop] "; } else if (pa->action & ACTION_DROP) { action = "[wDrop] "; @@ -279,7 +278,7 @@ static TmEcode AlertSyslogIPv6(ThreadVars *tv, const Packet *p, void *data) PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); - if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) { + if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) { action = "[Drop] "; } else if (pa->action & ACTION_DROP) { action = "[wDrop] "; @@ -341,7 +340,7 @@ static TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, const Packet *p, void *da continue; } - if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) { + if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) { action = "[Drop] "; } else if (pa->action & ACTION_DROP) { action = "[wDrop] "; diff --git a/src/detect.c b/src/detect.c index d614c0e9a7..6853d563a8 100644 --- a/src/detect.c +++ b/src/detect.c @@ -194,7 +194,6 @@ #include "runmodes.h" -extern uint8_t engine_mode; extern int rule_reload; extern int engine_analysis; @@ -10980,7 +10979,7 @@ static int SigTestDropFlow03(void) uint32_t http_buf2_len = sizeof(http_buf1) - 1; /* Set the engine mode to IPS */ - SET_ENGINE_MODE_IPS(engine_mode); + EngineModeSetIPS(); TcpSession ssn; Packet *p1 = NULL; @@ -11133,7 +11132,7 @@ end: UTHFreePackets(&p2, 1); /* Restore mode to IDS */ - SET_ENGINE_MODE_IDS(engine_mode); + EngineModeSetIDS(); return result; } diff --git a/src/log-droplog.c b/src/log-droplog.c index 8487ca0cf8..549cfb2de5 100644 --- a/src/log-droplog.c +++ b/src/log-droplog.c @@ -268,8 +268,7 @@ static int LogDropLogNetFilter (ThreadVars *tv, const Packet *p, void *data) * \retval bool TRUE or FALSE */ static int LogDropCondition(ThreadVars *tv, const Packet *p) { - extern uint8_t engine_mode; - if (!IS_ENGINE_MODE_IPS(engine_mode)) { + if (!EngineModeIsIPS()) { SCLogDebug("engine is not running in inline mode, so returning"); return FALSE; } @@ -341,8 +340,7 @@ static void LogDropLogExitPrintStats(ThreadVars *tv, void *data) { int LogDropLogTest01() { int result = 0; - extern uint8_t engine_mode; - SET_ENGINE_MODE_IPS(engine_mode); + EngineModeSetIPS(); uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n" "Host: one.example.org\r\n"; @@ -404,6 +402,7 @@ int LogDropLogTest01() DetectEngineCtxFree(de_ctx); UTHFreePackets(&p, 1); + EngineModeSetIDS(); return result; } @@ -411,8 +410,7 @@ int LogDropLogTest01() int LogDropLogTest02() { int result = 0; - extern uint8_t engine_mode; - SET_ENGINE_MODE_IPS(engine_mode); + EngineModeSetIPS(); uint8_t *buf = (uint8_t *) "GET"; @@ -473,6 +471,8 @@ int LogDropLogTest02() DetectEngineCtxFree(de_ctx); UTHFreePackets(&p, 1); + + EngineModeSetIDS(); return result; } diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 60d2f7bc10..bfd646ebe3 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -62,8 +62,6 @@ #ifdef HAVE_LIBJANSSON -extern int engine_mode; - typedef struct JsonAlertLogThread_ { /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */ LogFileCtx* file_ctx; @@ -96,7 +94,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) char *action = "allowed"; if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) { action = "blocked"; - } else if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) { + } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) { action = "blocked"; } @@ -151,7 +149,7 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const char *action = "allowed"; if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) { action = "blocked"; - } else if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) { + } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) { action = "blocked"; } diff --git a/src/output-json-drop.c b/src/output-json-drop.c index 6be56f3e6b..cea1d9865b 100644 --- a/src/output-json-drop.c +++ b/src/output-json-drop.c @@ -289,8 +289,7 @@ static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p) * \retval bool TRUE or FALSE */ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p) { - extern uint8_t engine_mode; - if (!IS_ENGINE_MODE_IPS(engine_mode)) { + if (!EngineModeIsIPS()) { SCLogDebug("engine is not running in inline mode, so returning"); return FALSE; } diff --git a/src/output-json.c b/src/output-json.c index 64383e7d6a..5cfdef5f7c 100644 --- a/src/output-json.c +++ b/src/output-json.c @@ -117,7 +117,6 @@ void OutputJsonRegisterTests (void) #define OUTPUT_BUFFER_SIZE 65535 -extern uint8_t engine_mode; #ifndef OS_WIN32 static int alert_syslog_level = DEFAULT_ALERT_SYSLOG_LEVEL; #endif /* OS_WIN32 */ diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 5e7a5abc71..2e69204e14 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c @@ -114,8 +114,6 @@ static SCMutex ssn_pool_mutex = SCMUTEX_INITIALIZER; /**< init only, protect ini static uint64_t ssn_pool_cnt = 0; /** counts ssns, protected by ssn_pool_mutex */ #endif -extern uint8_t engine_mode; - SC_ATOMIC_DECLARE(uint64_t, st_memuse); /* stream engine running in "inline" mode. */ @@ -426,7 +424,7 @@ void StreamTcpInitConfig(char quiet) /* checking for "auto" and falling back to boolean to provide * backward compatibility */ if (strcmp(temp_stream_inline_str, "auto") == 0) { - if (IS_ENGINE_MODE_IPS(engine_mode)) { + if (EngineModeIsIPS()) { stream_inline = 1; } else { stream_inline = 0; diff --git a/src/stream-tcp.h b/src/stream-tcp.h index 5124ff0416..ce8c2f0b64 100644 --- a/src/stream-tcp.h +++ b/src/stream-tcp.h @@ -135,12 +135,11 @@ void StreamTcpReassembleConfigEnableOverlapCheck(void); * \retval 0 if the stream still legal */ static inline int StreamTcpCheckFlowDrops(Packet *p) { - extern uint8_t engine_mode; /* If we are on IPS mode, and got a drop action triggered from * the IP only module, or from a reassembled msg and/or from an * applayer detection, then drop the rest of the packets of the * same stream and avoid inspecting it any further */ - if (IS_ENGINE_MODE_IPS(engine_mode) && (p->flow->flags & FLOW_ACTION_DROP)) + if (EngineModeIsIPS() && (p->flow->flags & FLOW_ACTION_DROP)) return 1; return 0; diff --git a/src/suricata.c b/src/suricata.c index 1ef27c6503..69c4b474e2 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -202,7 +202,7 @@ int run_mode = RUNMODE_UNKNOWN; /** Engine mode: inline (ENGINE_MODE_IPS) or just * detection mode (ENGINE_MODE_IDS by default) */ -uint8_t engine_mode = ENGINE_MODE_IDS; +static enum EngineMode g_engine_mode = ENGINE_MODE_IDS; /** Host mode: set if box is sniffing only * or is a router */ @@ -219,6 +219,26 @@ int sc_set_caps; char *conf_filename = NULL; +int EngineModeIsIPS(void) +{ + return (g_engine_mode == ENGINE_MODE_IPS); +} + +int EngineModeIsIDS(void) +{ + return (g_engine_mode == ENGINE_MODE_IDS); +} + +void EngineModeSetIPS(void) +{ + g_engine_mode = ENGINE_MODE_IPS; +} + +void EngineModeSetIDS(void) +{ + g_engine_mode = ENGINE_MODE_IDS; +} + int RunmodeIsUnittests(void) { if (run_mode == RUNMODE_UNITTEST) return 1; @@ -379,7 +399,7 @@ static int SetBpfString(int optind, char *argv[]) { if (bpf_len == 0) return TM_ECODE_OK; - if (IS_ENGINE_MODE_IPS(engine_mode)) { + if (EngineModeIsIPS()) { SCLogError(SC_ERR_NOT_SUPPORTED, "BPF filter not available in IPS mode." " Use firewall filtering if possible."); @@ -424,7 +444,7 @@ static void SetBpfStringFromFile(char *filename) { FILE *fp = NULL; size_t nm = 0; - if (IS_ENGINE_MODE_IPS(engine_mode)) { + if (EngineModeIsIPS()) { SCLogError(SC_ERR_NOT_SUPPORTED, "BPF filter not available in IPS mode." " Use firewall filtering if possible."); @@ -1451,7 +1471,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri) #ifdef NFQ if (suri->run_mode == RUNMODE_UNKNOWN) { suri->run_mode = RUNMODE_NFQ; - SET_ENGINE_MODE_IPS(engine_mode); + EngineModeSetIPS(); if (NFQRegisterQueue(optarg) == -1) return TM_ECODE_FAILED; } else if (suri->run_mode == RUNMODE_NFQ) { @@ -1472,7 +1492,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri) #ifdef IPFW if (suri->run_mode == RUNMODE_UNKNOWN) { suri->run_mode = RUNMODE_IPFW; - SET_ENGINE_MODE_IPS(engine_mode); + EngineModeSetIPS(); if (IPFWRegisterQueue(optarg) == -1) return TM_ECODE_FAILED; } else if (suri->run_mode == RUNMODE_IPFW) { @@ -1931,14 +1951,14 @@ static int PostConfLoadedSetup(SCInstance *suri) if (strcmp(hostmode, "auto") != 0) { WarnInvalidConfEntry("host-mode", "%s", "auto"); } - if (IS_ENGINE_MODE_IPS(engine_mode)) { + if (EngineModeIsIPS()) { host_mode = SURI_HOST_IS_ROUTER; } else { host_mode = SURI_HOST_IS_SNIFFER_ONLY; } } } else { - if (IS_ENGINE_MODE_IPS(engine_mode)) { + if (EngineModeIsIPS()) { host_mode = SURI_HOST_IS_ROUTER; SCLogInfo("No 'host-mode': suricata is in IPS mode, using " "default setting 'router'"); @@ -2049,7 +2069,7 @@ int main(int argc, char **argv) /* By default use IDS mode, but if nfq or ipfw * are specified, IPS mode will overwrite this */ - SET_ENGINE_MODE_IDS(engine_mode); + EngineModeSetIDS(); #ifdef OS_WIN32 diff --git a/src/suricata.h b/src/suricata.h index c182aedc61..4731bb766a 100644 --- a/src/suricata.h +++ b/src/suricata.h @@ -100,20 +100,15 @@ enum { }; /* Engine is acting as */ -enum { +enum EngineMode { ENGINE_MODE_IDS, ENGINE_MODE_IPS, }; -/** You can use this macros to set/check if we have real drop capabilities */ -#define SET_ENGINE_MODE_IPS(engine_mode) do { \ - (engine_mode) = ENGINE_MODE_IPS; \ - } while (0) -#define SET_ENGINE_MODE_IDS(engine_mode) do { \ - (engine_mode) = ENGINE_MODE_IDS; \ - } while (0) -#define IS_ENGINE_MODE_IPS(engine_mode) ((engine_mode) == ENGINE_MODE_IPS) -#define IS_ENGINE_MODE_IDS(engine_mode) ((engine_mode) == ENGINE_MODE_IDS) +void EngineModeSetIPS(void); +void EngineModeSetIDS(void); +int EngineModeIsIPS(void); +int EngineModeIsIDS(void); /* Box is acting as router */ enum {