diff --git a/src/Makefile.am b/src/Makefile.am
index 0c0d2599b9..6817ca8d06 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -42,6 +42,7 @@ detect-metadata.c detect-metadata.h \
 detect-msg.c detect-msg.h \
 detect-flow.c detect-flow.h \
 detect-dsize.c detect-dsize.h \
+detect-noalert.c detect-noalert.h \
 detect-address.c detect-address.h \
 detect-address-ipv4.c detect-address-ipv4.h \
 detect-address-ipv6.c detect-address-ipv6.h \
diff --git a/src/detect-noalert.c b/src/detect-noalert.c
new file mode 100644
index 0000000000..a3f6ad4cf7
--- /dev/null
+++ b/src/detect-noalert.c
@@ -0,0 +1,31 @@
+/* NOALERT part of the detection engine. */
+
+#include "decode.h"
+#include "detect.h"
+#include "flow-var.h"
+
+#include 
+
+int DetectNoalertSetup (Signature *, SigMatch *, char *);
+
+void DetectNoalertRegister (void) {
+ sigmatch_table[DETECT_NOALERT].name = "noalert";
+ sigmatch_table[DETECT_NOALERT].Match = NULL;
+ sigmatch_table[DETECT_NOALERT].Setup = DetectNoalertSetup;
+ sigmatch_table[DETECT_NOALERT].Free = NULL;
+ sigmatch_table[DETECT_NOALERT].RegisterTests = NULL;
+
+ sigmatch_table[DETECT_NOALERT].flags |= SIGMATCH_NOOPT;
+}
+
+int DetectNoalertSetup (Signature *s, SigMatch *m, char *nullstr)
+{
+ if (nullstr != NULL) {
+ printf("DetectNoalertSetup: nocase has no value\n");
+ return -1;
+ }
+
+ s->flags |= SIG_FLAG_NOALERT;
+ return 0;
+}
+
diff --git a/src/detect-noalert.h b/src/detect-noalert.h
new file mode 100644
index 0000000000..b202ac4382
--- /dev/null
+++ b/src/detect-noalert.h
@@ -0,0 +1,8 @@
+#ifndef __DETECT_NOALERT_H__
+#define __DETECT_NOALERT_H__
+
+/* prototypes */
+void DetectNoalertRegister (void);
+
+#endif /* __DETECT_NOALERT_H__ */
+
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 8816801139..7ddb36c89f 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
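Review bot: The error message in DetectNoalertSetup names the wrong keyword: `printf("DetectNoalertSetup: nocase has no value\n");` looks copied from the nocase setup and will mislead whoever is debugging a rule that mistakenly writes `noalert:x`; it should read `printf("DetectNoalertSetup: noalert takes no value\n");`. DetectNoalertSetup is prototyped in the .c with external linkage but is not exported by detect-noalert.h, and it is only referenced through sigmatch_table[DETECT_NOALERT].Setup, so it can be `static int DetectNoalertSetup(...)`. The `m` parameter is unused in the body; if the Setup callback signature is fixed by the table, a `(void)m;` or a short comment saying so would make that explicit. The `#include` on line 7 of the new file has lost its target in this rendering (presumably a system header for printf) and should be checked in the actual source.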
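Review bot: The include guard `__DETECT_NOALERT_H__` in the new header uses an identifier that starts with a double underscore, which C reserves for the implementation; a plain `DETECT_NOALERT_H` avoids that. If the project's other headers already use the `__X_H__` pattern this is a consistency call rather than something to fix in this commit alone, but new files are the cheapest place to stop adding to it.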
@@ -215,7 +215,8 @@ int SigParseAddress(Signature *s, const char *addrstr, char flag) { char *addr = NULL; if (strcmp(addrstr,"$HOME_NET") == 0) { - addr = "192.168.0.0/16"; + addr = "10.8.0.0/24"; + //addr = "192.168.0.0/16"; } else if (strcmp(addrstr,"$EXTERNAL_NET") == 0) { addr = "!192.168.0.0/16"; } else if (strcmp(addrstr,"$HTTP_SERVERS") == 0) { diff --git a/src/detect.c b/src/detect.c index 487a883ff9..390c07d296 100644 --- a/src/detect.c +++ b/src/detect.c @@ -32,6 +32,7 @@ #include "detect-flow.h" #include "detect-dsize.h" #include "detect-flowvar.h" +#include "detect-noalert.h" #include "action-globals.h" #include "detect-mpm.h" @@ -62,7 +63,7 @@ void SigLoadSignatures (void) { Signature *prevsig = NULL, *sig; - sig = SigInit("alert tcp any any -> any any (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; depth:400; sid:1;)"); + sig = SigInit("alert tcp any any -> any any (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; depth:400; noalert; sid:1;)"); if (sig) { prevsig = sig; sig_list = sig; @@ -163,7 +164,7 @@ void SigLoadSignatures (void) //FILE *fp = fopen("/home/victor/rules/vips-http.sigs", "r"); //FILE *fp = fopen("/home/victor/rules/vips-all.sigs", "r"); //FILE *fp = fopen("/home/victor/rules/all.rules", "r"); - //FILE *fp = fopen("/home/victor/rules/eml.rules", "r"); + //FILE *fp = fopen("/etc/vips/rules/zango.rules", "r"); //FILE *fp = fopen("/home/victor/rules/vips-vrt-all.sigs", "r"); if (fp == NULL) { printf("ERROR, could not open sigs file\n"); 
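Review bot: Changing the hard-coded `$HOME_NET` to `10.8.0.0/24` while `$EXTERNAL_NET` stays `!192.168.0.0/16` makes the two variables inconsistent: every 10.8.0.0/24 host now also satisfies `$EXTERNAL_NET`, so a rule written as `$EXTERNAL_NET -> $HOME_NET` will match internal-to-internal traffic and 192.168/16 hosts are in neither set. If this value is meant to stay, the `$EXTERNAL_NET` branch should become `addr = "!10.8.0.0/24";`, and the commented-out `//addr = "192.168.0.0/16";` line should be dropped rather than kept as dead code. The specific /24 (and the `/etc/vips/rules/zango.rules` path edited in a commented-out line in the later detect.c hunk) reads like a local-environment setting that was committed by accident; these belong in configuration, not in SigParseAddress. SigParseAddress continues outside the hunk.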
@@ -278,12 +279,14 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p) /* only if the last matched as well, we have a hit */ if (sm == NULL) { - /* only add once */ - if (rmatch == 0) { - PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); + if (!(s->flags & SIG_FLAG_NOALERT)) { + /* only add once */ + if (rmatch == 0) { + PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); - /* set verdict on packet */ - p->action = s->action; + /* set verdict on packet */ + p->action = s->action; + } } rmatch = fmatch = 1; pmt->pkt_cnt++; @@ -312,10 +315,12 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p) //printf("Signature %u matched: %s\n", s->id, s->msg ? s->msg : ""); fmatch = 1; - PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); + if (!(s->flags & SIG_FLAG_NOALERT)) { + PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg); - /* set verdict on packet */ - p->action = s->action; + /* set verdict on packet */ + p->action = s->action; + } } } else { /* done with this sig */ @@ -1348,6 +1353,7 @@ void SigTableSetup(void) { DetectDsizeRegister(); DetectFlowvarRegister(); DetectAddressRegister(); + DetectNoalertRegister(); u_int8_t i = 0; for (i = 0; i < DETECT_TBLSIZE; i++) { diff --git a/src/detect.h b/src/detect.h index e5990ef3ff..9872b6ebe0 100644 --- a/src/detect.h +++ b/src/detect.h @@ -6,6 +6,7 @@ #define SIG_FLAG_RECURSIVE 0x01 #define SIG_FLAG_SP_ANY 0x02 #define SIG_FLAG_DP_ANY 0x04 +#define SIG_FLAG_NOALERT 0x08 typedef struct _PatternMatcherThread { /* detection engine variables */ @@ -151,6 +152,7 @@ enum { DETECT_DSIZE, DETECT_FLOWVAR, DETECT_ADDRESS, + DETECT_NOALERT, /* make sure this stays last */ DETECT_TBLSIZE,
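Review bot: The new SIG_FLAG_NOALERT guard wraps not only PacketAlertAppend but also `p->action = s->action;`, so a signature carrying `noalert` never sets the packet verdict; if the intent is only to suppress the alert, the assignment should stay outside the guard: `if (!(s->flags & SIG_FLAG_NOALERT)) PacketAlertAppend(p, 1, s->id, s->rev, s->prio, s->msg);` followed by `p->action = s->action;` as before. If skipping the verdict is deliberate, say so in a comment on the guard, since a reader will otherwise assume noalert is alert-only. The identical guard-and-append block is duplicated in the second SigMatchSignatures hunk (@@ -312,10 +315,12 @@), so a small static helper taking `p` and `s` would keep the two paths from drifting. SigMatchSignatures begins and ends outside both hunks.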