detect: implement 'alert' keyword as a companion to 'noalert'

This can be used to implement alert then pass logic. Add support for alert-then-pass to alert handling routines. Ticket: #5466.
1 year ago · d5fb8204b6
parent 92581dbc06
commit d5fb8204b6
3 changed files with 24 additions and 3 deletions
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@ -417,12 +417,18 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
            p->alerts.alerts[p->alerts.cnt] = *pa;
            SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);

-            /* pass "alert" found, we're done */
-            if (pa->action & ACTION_PASS) {
+            /* pass w/o alert found, we're done. Alert is not logged. */
+            if ((pa->action & (ACTION_PASS | ACTION_ALERT)) == ACTION_PASS) {
                SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
                break;
            }
            p->alerts.cnt++;
+
+            /* pass with alert, we're done. Alert is logged. */
+            if (pa->action & ACTION_PASS) {
+                SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
+                break;
+            }
        } else {
            p->alerts.discarded++;
        }
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@ -87,6 +87,7 @@ enum DetectKeywordId {
    DETECT_FLOWINT,
    DETECT_PKTVAR,
    DETECT_NOALERT,
+    DETECT_ALERT,
    DETECT_FLOWBITS,
    DETECT_HOSTBITS,
    DETECT_IPV4_CSUM,
--- a/src/detect-noalert.c
+++ b/src/detect-noalert.c
@ -20,7 +20,7 @@
 *
 * \author Victor Julien <victor@inliniac.net>
 *
- * Implements the noalert keyword
+ * Implements the noalert and alert keywords.
 */

 #include "suricata-common.h"
@ -38,6 +38,14 @@ static int DetectNoalertSetup(DetectEngineCtx *de_ctx, Signature *s, const char
    return 0;
 }

+static int DetectAlertSetup(DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
+{
+    DEBUG_VALIDATE_BUG_ON(nullstr != NULL);
+
+    s->action |= ACTION_ALERT;
+    return 0;
+}
+
 void DetectNoalertRegister(void)
 {
    sigmatch_table[DETECT_NOALERT].name = "noalert";
@ -45,4 +53,10 @@ void DetectNoalertRegister(void)
    sigmatch_table[DETECT_NOALERT].url = "/rules/flow-keywords.html";
    sigmatch_table[DETECT_NOALERT].Setup = DetectNoalertSetup;
    sigmatch_table[DETECT_NOALERT].flags |= SIGMATCH_NOOPT;
+
+    sigmatch_table[DETECT_ALERT].name = "alert";
+    sigmatch_table[DETECT_ALERT].desc = "alert will be generated by the rule";
+    sigmatch_table[DETECT_ALERT].url = "/rules/flow-keywords.html";
+    sigmatch_table[DETECT_ALERT].Setup = DetectAlertSetup;
+    sigmatch_table[DETECT_ALERT].flags |= SIGMATCH_NOOPT;
 }