aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

exception-policy: add 'reject-both' option

Browse Source 
Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).

Ticket: #5974.
pull/14233/head
Victor Julien 3 weeks ago
parent 6b75b937ff
commit acb769291a
6 changed files with 34 additions and 4 deletions
Show Stats Download Patch File Download Diff File

4
etc/schema.json
Unescape Escape View File

@ -8753,6 +8753,10 @@
"reject": { "reject": {
"type": "integer", "type": "integer",
"minimum": 0 "minimum": 0
},
"reject_both": {
"type": "integer",
"minimum": 0
} }
} }
} }

2
src/app-layer.c
Unescape Escape View File

@ -115,6 +115,7 @@ ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ false, /* EXCEPTION_POLICY_DROP_PACKET */ false,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
.valid_settings_ips = { .valid_settings_ips = {
/* EXCEPTION_POLICY_NOT_SET */ false, /* EXCEPTION_POLICY_NOT_SET */ false,
@ -125,6 +126,7 @@ ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ true, /* EXCEPTION_POLICY_DROP_PACKET */ true,
/* EXCEPTION_POLICY_DROP_FLOW */ true, /* EXCEPTION_POLICY_DROP_FLOW */ true,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
}; };
// clang-format on // clang-format on

4
src/decode.c
Unescape Escape View File

@ -93,6 +93,7 @@ ExceptionPolicyStatsSetts defrag_memcap_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ false, /* EXCEPTION_POLICY_DROP_PACKET */ false,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
.valid_settings_ips = { .valid_settings_ips = {
/* EXCEPTION_POLICY_NOT_SET */ false, /* EXCEPTION_POLICY_NOT_SET */ false,
@ -103,6 +104,7 @@ ExceptionPolicyStatsSetts defrag_memcap_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ true, /* EXCEPTION_POLICY_DROP_PACKET */ true,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
}; };
// clang-format on // clang-format on
@ -119,6 +121,7 @@ ExceptionPolicyStatsSetts flow_memcap_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ false, /* EXCEPTION_POLICY_DROP_PACKET */ false,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
.valid_settings_ips = { .valid_settings_ips = {
/* EXCEPTION_POLICY_NOT_SET */ false, /* EXCEPTION_POLICY_NOT_SET */ false,
@ -129,6 +132,7 @@ ExceptionPolicyStatsSetts flow_memcap_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ true, /* EXCEPTION_POLICY_DROP_PACKET */ true,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
}; };
// clang-format on // clang-format on

8
src/stream-tcp.c
Unescape Escape View File

@ -102,6 +102,7 @@ ExceptionPolicyStatsSetts stream_memcap_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ false, /* EXCEPTION_POLICY_DROP_PACKET */ false,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
.valid_settings_ips = { .valid_settings_ips = {
/* EXCEPTION_POLICY_NOT_SET */ false, /* EXCEPTION_POLICY_NOT_SET */ false,
@ -112,6 +113,7 @@ ExceptionPolicyStatsSetts stream_memcap_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ true, /* EXCEPTION_POLICY_DROP_PACKET */ true,
/* EXCEPTION_POLICY_DROP_FLOW */ true, /* EXCEPTION_POLICY_DROP_FLOW */ true,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
}; };
// clang-format on // clang-format on
@ -128,6 +130,7 @@ ExceptionPolicyStatsSetts stream_reassembly_memcap_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ false, /* EXCEPTION_POLICY_DROP_PACKET */ false,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
.valid_settings_ips = { .valid_settings_ips = {
/* EXCEPTION_POLICY_NOT_SET */ false, /* EXCEPTION_POLICY_NOT_SET */ false,
@ -138,6 +141,7 @@ ExceptionPolicyStatsSetts stream_reassembly_memcap_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ true, /* EXCEPTION_POLICY_DROP_PACKET */ true,
/* EXCEPTION_POLICY_DROP_FLOW */ true, /* EXCEPTION_POLICY_DROP_FLOW */ true,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
}; };
// clang-format on // clang-format on
@ -154,6 +158,7 @@ ExceptionPolicyStatsSetts stream_midstream_enabled_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ false, /* EXCEPTION_POLICY_DROP_PACKET */ false,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ false, /* EXCEPTION_POLICY_REJECT */ false,
/* EXCEPTION_POLICY_REJECT_BOTH */ false,
}, },
.valid_settings_ips = { .valid_settings_ips = {
/* EXCEPTION_POLICY_NOT_SET */ false, /* EXCEPTION_POLICY_NOT_SET */ false,
@ -164,6 +169,7 @@ ExceptionPolicyStatsSetts stream_midstream_enabled_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ false, /* EXCEPTION_POLICY_DROP_PACKET */ false,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ false, /* EXCEPTION_POLICY_REJECT */ false,
/* EXCEPTION_POLICY_REJECT_BOTH */ false,
}, },
}; };
// clang-format on // clang-format on
@ -180,6 +186,7 @@ ExceptionPolicyStatsSetts stream_midstream_disabled_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ false, /* EXCEPTION_POLICY_DROP_PACKET */ false,
/* EXCEPTION_POLICY_DROP_FLOW */ false, /* EXCEPTION_POLICY_DROP_FLOW */ false,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
.valid_settings_ips = { .valid_settings_ips = {
/* EXCEPTION_POLICY_NOT_SET */ false, /* EXCEPTION_POLICY_NOT_SET */ false,
@ -190,6 +197,7 @@ ExceptionPolicyStatsSetts stream_midstream_disabled_eps_stats = {
/* EXCEPTION_POLICY_DROP_PACKET */ false, /* EXCEPTION_POLICY_DROP_PACKET */ false,
/* EXCEPTION_POLICY_DROP_FLOW */ true, /* EXCEPTION_POLICY_DROP_FLOW */ true,
/* EXCEPTION_POLICY_REJECT */ true, /* EXCEPTION_POLICY_REJECT */ true,
/* EXCEPTION_POLICY_REJECT_BOTH */ true,
}, },
}; };
// clang-format on // clang-format on

5
src/util-exception-policy-types.h
Unescape Escape View File

@ -30,10 +30,11 @@ enum ExceptionPolicy {
EXCEPTION_POLICY_BYPASS_FLOW, EXCEPTION_POLICY_BYPASS_FLOW,
EXCEPTION_POLICY_DROP_PACKET, EXCEPTION_POLICY_DROP_PACKET,
EXCEPTION_POLICY_DROP_FLOW, EXCEPTION_POLICY_DROP_FLOW,
EXCEPTION_POLICY_REJECT, EXCEPTION_POLICY_REJECT, /**< reject src */
EXCEPTION_POLICY_REJECT_BOTH /**< reject both src and dest */
}; };
#define EXCEPTION_POLICY_MAX (EXCEPTION_POLICY_REJECT + 1) #define EXCEPTION_POLICY_MAX (EXCEPTION_POLICY_REJECT_BOTH + 1)
/* Max length = possible exception policy scenarios + counter names /* Max length = possible exception policy scenarios + counter names
* + exception policy type. E.g.: * + exception policy type. E.g.:

11
src/util-exception-policy.c
Unescape Escape View File

@ -47,6 +47,8 @@ const char *ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_jso
return "reject"; return "reject";
case EXCEPTION_POLICY_BYPASS_FLOW: case EXCEPTION_POLICY_BYPASS_FLOW:
return "bypass"; return "bypass";
case EXCEPTION_POLICY_REJECT_BOTH:
return "reject_both";
case EXCEPTION_POLICY_DROP_FLOW: case EXCEPTION_POLICY_DROP_FLOW:
return is_json ? "drop_flow" : "drop-flow"; return is_json ? "drop_flow" : "drop-flow";
case EXCEPTION_POLICY_DROP_PACKET: case EXCEPTION_POLICY_DROP_PACKET:
@ -145,8 +147,14 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
case EXCEPTION_POLICY_NOT_SET: case EXCEPTION_POLICY_NOT_SET:
break; break;
case EXCEPTION_POLICY_REJECT: case EXCEPTION_POLICY_REJECT:
case EXCEPTION_POLICY_REJECT_BOTH:
if (policy == EXCEPTION_POLICY_REJECT) {
SCLogDebug("EXCEPTION_POLICY_REJECT"); SCLogDebug("EXCEPTION_POLICY_REJECT");
PacketDrop(p, ACTION_REJECT, drop_reason); PacketDrop(p, ACTION_REJECT, drop_reason);
} else {
SCLogDebug("EXCEPTION_POLICY_REJECT_BOTH");
PacketDrop(p, ACTION_REJECT_BOTH, drop_reason);
}
if (!EngineModeIsIPS()) { if (!EngineModeIsIPS()) {
break; break;
} }
@ -204,6 +212,7 @@ static enum ExceptionPolicy PickPacketAction(const char *option, enum ExceptionP
case EXCEPTION_POLICY_PASS_PACKET: case EXCEPTION_POLICY_PASS_PACKET:
break; break;
case EXCEPTION_POLICY_REJECT: case EXCEPTION_POLICY_REJECT:
case EXCEPTION_POLICY_REJECT_BOTH:
break; break;
case EXCEPTION_POLICY_NOT_SET: case EXCEPTION_POLICY_NOT_SET:
break; break;
@ -229,6 +238,8 @@ static enum ExceptionPolicy ExceptionPolicyConfigValueParse(
policy = EXCEPTION_POLICY_PASS_PACKET; policy = EXCEPTION_POLICY_PASS_PACKET;
} else if (strcmp(value_str, "reject") == 0) { } else if (strcmp(value_str, "reject") == 0) {
policy = EXCEPTION_POLICY_REJECT; policy = EXCEPTION_POLICY_REJECT;
} else if (strcmp(value_str, "reject-both") == 0) {
policy = EXCEPTION_POLICY_REJECT_BOTH;
} else if (strcmp(value_str, "ignore") == 0) { // TODO name? } else if (strcmp(value_str, "ignore") == 0) { // TODO name?
policy = EXCEPTION_POLICY_NOT_SET; policy = EXCEPTION_POLICY_NOT_SET;
} else if (strcmp(value_str, "auto") == 0) { } else if (strcmp(value_str, "auto") == 0) {

Write Preview
Loading…
Cancel
Save