flow/pkts: allow matching on either direction

For flow.bytes and flow.pkts keywords, allow matching in either direction. Feature 5646
1 year ago · ad7ff1c91b
parent 52fd695e5a
commit ad7ff1c91b
2 changed files with 21 additions and 0 deletions
--- a/doc/userguide/rules/flow-keywords.rst
+++ b/doc/userguide/rules/flow-keywords.rst
@ -331,6 +331,8 @@ following directions:

 * toserver

+* either
+
 Syntax::

 flow.pkts:<direction>,[op]<number>
@ -339,6 +341,7 @@ The number of packets can be matched exactly, or compared using the _op_ setting

 flow.pkts:toclient,3    # exactly 3
 flow.pkts:toserver,<3   # smaller than 3
+ flow.pkts:either,>=2  # greater than or equal to 2

 Signature example::

@ -361,6 +364,8 @@ following directions:

 * toserver

+* either
+
 Syntax::

 flow.bytes:<direction>,[op]<number>
@ -369,6 +374,7 @@ The number of bytes can be matched exactly, or compared using the _op_ setting::

 flow.bytes:toclient,3    # exactly 3
 flow.bytes:toserver,<3   # smaller than 3
+ flow.bytes:either,>=2  # greater than or equal to 2

 Signature example::

--- a/src/detect-flow-pkts.c
+++ b/src/detect-flow-pkts.c
@ -26,6 +26,7 @@
 enum FlowDirection {
    DETECT_FLOW_TOSERVER = 1,
    DETECT_FLOW_TOCLIENT,
+    DETECT_FLOW_TOEITHER,
 };

 typedef struct DetectFlowPkts_ {
@ -50,6 +51,11 @@ static int DetectFlowPktsMatch(
        return DetectU32Match(p->flow->todstpktcnt, df->pkt_data);
    } else if (df->dir == DETECT_FLOW_TOCLIENT) {
        return DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data);
+    } else if (df->dir == DETECT_FLOW_TOEITHER) {
+        if (DetectU32Match(p->flow->tosrcpktcnt, df->pkt_data)) {
+            return 1;
+        }
+        return DetectU32Match(p->flow->todstpktcnt, df->pkt_data);
    }
    return 0;
 }
@ -141,6 +147,8 @@ static int DetectFlowPktsSetup(DetectEngineCtx *de_ctx, Signature *s, const char
                dir = DETECT_FLOW_TOSERVER;
            } else if (strcmp(token, "toclient") == 0) {
                dir = DETECT_FLOW_TOCLIENT;
+            } else if (strcmp(token, "either") == 0) {
+                dir = DETECT_FLOW_TOEITHER;
            } else {
                SCLogError("Invalid direction given: %s", token);
                return -1;
@ -277,6 +285,11 @@ static int DetectFlowBytesMatch(
        return DetectU64Match(p->flow->todstbytecnt, df->byte_data);
    } else if (df->dir == DETECT_FLOW_TOCLIENT) {
        return DetectU64Match(p->flow->tosrcbytecnt, df->byte_data);
+    } else if (df->dir == DETECT_FLOW_TOEITHER) {
+        if (DetectU64Match(p->flow->tosrcbytecnt, df->byte_data)) {
+            return 1;
+        }
+        return DetectU64Match(p->flow->todstbytecnt, df->byte_data);
    }
    return 0;
 }
@ -368,6 +381,8 @@ static int DetectFlowBytesSetup(DetectEngineCtx *de_ctx, Signature *s, const cha
                dir = DETECT_FLOW_TOSERVER;
            } else if (strcmp(token, "toclient") == 0) {
                dir = DETECT_FLOW_TOCLIENT;
+            } else if (strcmp(token, "either") == 0) {
+                dir = DETECT_FLOW_TOEITHER;
            } else {
                SCLogError("Invalid direction given: %s", token);
                return -1;